Tuesday

Secure Encryption of Emails, Web Browsing and Pretty Much everything

If you're interested in keeping your stuff private, you have no alternative but to consider some sort of secure encryption. There are ways to hide your identity, mask your IP address and delete your history safely, but if you sit at your PC or Mac sending everything out in clear text, it's an exercise in futility.

So what would we need to Securely Encrypt?

Well, pretty much anything that you would like to keep private. Remember, everything we do online passes through loads of other devices, routers and servers before it reaches its intended recipient. Of course most of these devices are perfectly safe, but there are lots of stages where your data can be viewed. The one point which always concerns me is your ISP: pretty much everything you do online goes through this point, and worse, it is all logged and kept for years. Each and every one of us has a long history of our online activity stored in the logs of our ISP.

The problem is that so much of what we do online is in clear ASCII text, which means it is instantly readable by anyone who has access to your data. So as well as your ISP, we have anyone using that same network, listening in on that Wifi connection, or logging on a router that your data passes through.

Here is a little test I ran on an open Wifi connection. I sent an email from a PC and then logged the data on my laptop using a free tool called Wireshark. Here's a quick screenshot of the email I was sending; I used Thunderbird to send the email but Outlook does exactly the same, as it's being transmitted using the same protocol, SMTP.



Here's what I could see in Wireshark when the email was sent.


Hope you can see the image properly (double click image if you can't). I haven't formatted it for easy reading; it's just the raw text that my laptop could see when an email was sent from my email client on the same network. You can see all the content is readable, because it is sent in clear text. I didn't need to do anything clever to view this data and could have done the same with web browsing, chat or a thousand other things people do online. Most online activities are not encrypted, they are in clear text just like this, which is one reason why I warn people about using unknown proxies on the internet!

Can you imagine what sort of data you could pick up sitting in a cafe with Wireshark running, sniffing everything that passed through their free Wifi? Remember I'm illustrating the dangers with email, but web browsing and chat would be exactly the same in most circumstances.

So taking email encryption as our example, let's see what this data looks like if we encrypt our connection. There are many, many ways of encrypting your email, ranging from the excellent Ironport from Cisco to PGP or the aptly named Hushmail. They all have their strengths and weaknesses, but most ensure that your email message is encrypted for at least the majority of its journey. I'm going to use Identity Cloaker to encrypt my email client as I want to use my normal email client, Thunderbird.

Now Identity Cloaker is normally used to mask your IP address and encrypt your web browsing, and the application will also encrypt all web mail accessed through the browser. In its standard mode it won't protect other protocols such as SMTP, but it has the functionality to use a VPN connection to any of the servers in the network. VPN stands for Virtual Private Network; it creates an encrypted tunnel which all your data is transferred through, completely protecting not only your browsing but anything you do online.


So I just need to log on to the appropriate server and connect via VPN. In this example I am connecting to one of the USA East Coast servers.

In reality the location is not important in this instance, however if you wanted to access content restricted to a specific country like Hulu, you would need to pick a server in that country.


When the VPN is connected you're protected: you have a secure network tunnel between your client and the Identity Cloaker VPN server you selected. Let's see now what our packet trace looks like when a standard email client transmits a message.

In this example you can see that Wireshark couldn't even determine the protocol; all the data is encrypted and cannot be read by anyone who intercepts it. Instead of plain text emails and lists of your web browsing sitting in your ISP's logs, your ISP will just see unreadable cipher text.
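The difference between the two captures can be checked mechanically on a capture of your own traffic. The following is an added example, not part of the original post: it labels a captured TCP payload as clear-text SMTP or opaque data using the share of printable bytes, Shannon entropy and SMTP command matching. Both sample payloads, the thresholds and the function names are constructed for illustration.

```python
import hashlib
import math
import re
from collections import Counter

# SMTP commands a clear-text submission leaves visible at the start of a line.
SMTP_VERBS = re.compile(rb"^(EHLO |HELO |MAIL FROM:|RCPT TO:|AUTH |DATA\r?$)",
                        re.I | re.M)
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: English text is roughly 4-5, ciphertext approaches 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_payload(data: bytes) -> dict:
    """Label one captured TCP payload as readable mail traffic or opaque data."""
    if not data:
        return {"verdict": "empty", "printable": 0.0, "entropy": 0.0, "verbs": []}
    printable = sum(b in PRINTABLE for b in data) / len(data)
    entropy = shannon_entropy(data)
    verbs = sorted({m.group(1).strip().upper().decode()
                    for m in SMTP_VERBS.finditer(data)})
    if printable > 0.95:
        verdict = "cleartext-smtp" if verbs else "cleartext-other"
    elif entropy > 7.0:   # assumed threshold; needs a few hundred bytes to be meaningful
        verdict = "opaque"
    else:
        verdict = "binary-unknown"
    return {"verdict": verdict, "printable": round(printable, 2),
            "entropy": round(entropy, 2), "verbs": verbs}

# Constructed sample: an SMTP submission as it appears without encryption.
CLEAR = (b"EHLO laptop.example\r\nMAIL FROM:<alice@example.com>\r\n"
         b"RCPT TO:<bob@example.net>\r\nDATA\r\nSubject: door code\r\n\r\n"
         b"The door code is 4821, see you at ten.\r\n.\r\n")
# Constructed stand-in for tunnel ciphertext: 1024 pseudo-random bytes.
OPAQUE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))

if __name__ == "__main__":
    for name, payload in (("clear", CLEAR), ("tunnel", OPAQUE)):
        print(name, classify_payload(payload))
```

An "opaque" verdict only says the bytes look random; it does not prove which cipher or protocol produced them.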

Now of course you have to be careful with any sort of encryption technology. Emails can be especially tricky: even if you use a VPN like I did, anything beyond the tunnel is transmitted in the clear, and of course emails will still sit unencrypted on the recipient's hard drive. One really good option for an organisation to secure emails between two or more points is to implement TLS (Transport Layer Security) on Microsoft Exchange. Enable the TLS protocol on each server and you can ensure that all emails are encrypted as they are distributed, and best of all it's completely free. It's not too difficult to set up and I am often surprised how many organisations ignore this option.
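On the client side, the equivalent of enabling TLS on the server is to refuse to send unless the SMTP session is upgraded to TLS first. This is an added example, not from the original post, using Python's standard smtplib; the helper names are hypothetical, and the host, port and addresses passed to `send_encrypted` are those of your own mail server.

```python
import smtplib
import ssl
from email.message import EmailMessage

class CleartextRefused(Exception):
    """Raised instead of sending mail over an unencrypted SMTP session."""

def upgrade_or_refuse(smtp, context):
    """Upgrade an open SMTP session to TLS, or refuse to continue.

    Returns the negotiated TLS version string, e.g. 'TLSv1.3'.
    """
    smtp.ehlo()
    if not smtp.has_extn("starttls"):
        # A client that carries on at this point sends in clear text; fail closed.
        raise CleartextRefused("server did not advertise STARTTLS")
    smtp.starttls(context=context)   # raises if the handshake or certificate fails
    smtp.ehlo()                      # capabilities must be re-read after the upgrade
    return smtp.sock.version()

def send_encrypted(host, port, sender, recipient, subject, body):
    """Send one message, but only over a verified TLS session."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(body)
    context = ssl.create_default_context()            # verifies certificate and hostname
    context.minimum_version = ssl.TLSVersion.TLSv1_2  # assumed policy floor
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        version = upgrade_or_refuse(smtp, context)
        smtp.send_message(msg)
    return version
```

This protects the hop from the client to its own mail server; onward delivery and storage on the recipient's machine are outside its reach, as noted above.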

The sad truth is that if you want any sort of privacy online, you simply have no choice but to implement some form of secure encryption to protect yourself. There are of course many different ways of achieving this. I chose Identity Cloaker because you can do so much with it - you can read a short review of the program here - Identity Cloaker Review

1 comments:

Junk said...

A good email encryption option is Voltage SecureMail.

Voltage SecureMail allows you to send encrypted email to anyone.

Voltage SecureMail has Outlook plug-ins or you can use a web interface for sending encrypted email. Messages are completely controlled by the sender and recipient in their sent folder and inbox. No messages are stored on the service so you don't run into those Hush and Zix problems with messages expiring.

Recipients don't need any special software to decrypt and read their messages, just a browser. And recipients don't need to pay to read their email. In fact, they even get free support from Voltage. It's much easier to use than PGP, S/MIME or other older solutions...and just as secure...which is probably why Voltage can afford to provide free support to their customers and recipients...unlike other solutions.

It can also help address state privacy regulations in Massachusetts and Nevada as well as the more general HIPAA, SOX, PCI requirements, etc.

There is a free trial at: www.voltage.com/vsn