Email Security and the Fundamentals You Can’t Afford to Ignore

Samuel Isaac
Aug 8, 2017 · 8 min read

They can be mundane or deeply personal, but regardless of what is inside, email allows us to send messages in a convenient, inexpensive, and fairly reliable way. It is a service that has inextricably embedded itself into the heart of business, government, and other essential sectors. “Research indicates that up to 75 percent of intellectual property is sitting in email data stores.” 1 (Kaspersky Lab — Best Practices Mail and Web, 2013) Yet, despite the vital importance of this service, most email users remain vulnerable to attack. Email has served as a gateway for a variety of data breaches in sectors ranging from entertainment, to business, to politics and beyond. The fallout from these attacks can be devastating and wide reaching. Email security breaches can affect confidentiality if an attacker steals your information; they can affect the integrity of a system if the attacker can alter information or the system’s functionality; and they can affect the availability of a system by preventing legitimate users from accessing it. Despite serious consequences and intense media scrutiny of email-related stories, nothing has done much to raise awareness of the basics of email security.

“Email as we use it today makes no guarantees about message integrity, authenticity, or confidentiality. Users must explicitly encrypt and sign messages to protect themselves against message tampering, forgery, or eavesdropping. However, few do, leaving the majority of users open to such attacks.” 2 (“Security by Any Other Name”, Foster, Larson, Masich, Snoeren, Savage, Levchenko, pg. 1, 2015) Email is a best-effort delivery service, which means that there are no assurances that an email is ever delivered without compromise. The route that an email travels has many vulnerabilities, and the components involved in email architecture can be outdated. For example, Simple Mail Transfer Protocol (SMTP) is the standard for moving email across the internet. It was developed in the 1980s and there have only been two updates to this standard, with the latest update being made in 2008. While other protocols like Internet Message Access Protocol (IMAP) or Post Office Protocol (POP) are used by client applications, SMTP is still used between mail servers. SMTP stands as an example of old architecture where a lack of updates can lead to security vulnerabilities. In addition to this, there are many other threats to email security. Here are a few to get familiar with:

Compromised User: “This is the most common type of compromise. Even if you use the world’s most secure electronic communication system, advanced encryption does you no good if there is a keylogger on your computer recording your keystrokes.” 4 (ProtonMail Threat Model, https://protonmail.com/blog/protonmail-threat-model/ )

Man-in-the-Middle (MITM) Attacks: “An attacker can impersonate each side of a connection to the other. If an attacker can gain control of any hop along the message path and either TLS (transport layer security) is not used on that hop, or TLS is used without server certificate verification, the attacker will be able to impersonate the receiver and gain access to the message.” 5 (“Security by Any Other Name”, Foster, Larson, Masich, Snoeren, Savage, Levchenko, pg. 3, 2015)

Unauthorized backdoor: “If an attacker somehow gained access to servers without anyone noticing, possibly by exploiting bugs in software. Such an attacker could conceivably change the software and allow them to get unencrypted data.” 6 (ProtonMail Threat Model, https://protonmail.com/blog/protonmail-threat-model/ )

Distributed Denial of Service (DDoS): “Denial of service attacks can bring your mail (and web) servers, along with network infrastructure, to a complete halt by flooding them with spam (unsolicited bulk email), sending more requests than it’s able to handle.” 7 (pg. 4, Kaspersky Lab — Best Practices Mail and Web, 2013)
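The MITM item above hinges on one detail: TLS on a hop only helps if the client actually verifies the server certificate. The following is an added example (not code from the article or from any of the cited sources) showing, with Python’s standard `ssl` and `smtplib` modules, the weak setting beside the corrected one and a sender that refuses to fall back to cleartext; the host and port are placeholders.

```python
# Added example, not from the article: STARTTLS with and without certificate
# verification. "mail.example" and port 587 below are placeholders.
import smtplib
import ssl
from typing import Optional
from email.message import EmailMessage


def unverified_context() -> ssl.SSLContext:
    """The weak setting: the hop is encrypted, but any certificate is accepted,
    so a hop that intercepts the connection can present its own certificate,
    impersonate the receiving server and read the message."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """The corrected setting: require a certificate that chains to a trusted
    CA and matches the server name, and refuse legacy protocol versions."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_verifies_peer(ctx: ssl.SSLContext) -> bool:
    """Check a context before handing it to smtplib."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def send_over_verified_tls(host: str, port: int, msg: EmailMessage,
                           ctx: Optional[ssl.SSLContext] = None) -> dict:
    """Submit msg over STARTTLS, refusing both an unverified context and a
    cleartext fallback. Returns smtplib's dict of refused recipients."""
    ctx = ctx or verified_context()
    if not context_verifies_peer(ctx):
        raise ValueError("refusing to send: TLS context does not verify the server")
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError("server offers no STARTTLS; not sending in the clear")
        # Raises ssl.SSLCertVerificationError if the presented certificate
        # does not chain to a trusted CA or does not match `host`.
        smtp.starttls(context=ctx)
        smtp.ehlo()  # re-announce over the now-protected channel
        return smtp.send_message(msg)
```

A mail client or relay configured like `unverified_context()` is exactly the "TLS is used without server certificate verification" case the quoted paper describes.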

In addition to the threat of DDoS, spam poses another persistent threat to email servers. “A number of recent estimates suggest that spam email may account for 90% or more of all email sent.” 8 (pg. 219 Computer Security, Principles and Practice 3rd Edition, William Stallings and Lawrie Brown) Some spam is just selling advertisements and may be harmless but spam also acts as a carrier for malware. Kaspersky reports that spam can cause multiple threats, “Even if they’re not successful at stealing data or compromising your network, spammers can cripple bandwidth.” 9 (pg. 3, Kaspersky Lab — Best Practices Mail and Web, 2013)

Securing the digital route that an email travels can appear overwhelming; however, we do not need to play a passive role and wait for providers to upgrade protocols. Email encryption and digital signatures are methods for protecting the contents of email communications. “The most powerful and common approach to countering the threats to network security is encryption. With end-to-end encryption, the encryption process is carried out at the two end systems. The data, in encrypted form, are then transmitted unaltered across the network to the destination terminal or host.” 10 (pg. 660, 661 Computer Security, Principles and Practice 3rd Edition, William Stallings and Lawrie Brown) This kind of protection helps to defend against Man-in-the-Middle (MITM) attacks. An attacker will attempt to gain access to a hop along the message path, trying to impersonate the message receiver. If they receive the message, they will not be able to decipher it because it will be in encrypted form.

Unfortunately, the use of end-to-end encryption by the general email user community has not been adopted with great enthusiasm. “Few users sign or encrypt email today, despite ready software support for PGP and S/MIME. The majority of email users continue to send email in the clear, with no safeguards against eavesdropping, tampering, or forgery. Despite rising public concern about mass surveillance, universal end-to-end email security still remains elusive.” 11 (“Security by Any Other Name”, Foster, Larson, Masich, Snoeren, Savage, Levchenko, pg. 1, 2015)

Fortunately, there are a few different options for anyone looking for encryption tools. ProtonMail (https://protonmail.com/) is an email service provider which uses end-to-end encryption so that your message travels safely to your intended receiver in encrypted form. To fix the problem of email users having their data sitting unencrypted on servers, ProtonMail stores your messages in encrypted form. This defends against unauthorized backdoor attacks: even if someone did find a way into their servers, they would not be able to decipher any of your messages. You can watch a video of the founder Andy Yen talking about the development of ProtonMail and the issues they are trying to help solve.

Outside of using a service like ProtonMail, a user could look at security tools like S/MIME or PGP. Secure/Multipurpose Internet Mail Extensions (S/MIME) provides a way to sign and encrypt email. An S/MIME certificate can be obtained from a certificate authority and then imported and configured to work with your email client. There are two ways to obtain your certificate: from a public certificate authority, or from a service such as ProtonMail that has its own in-house certificate authority. The latter would obviously spare you the research needed to find a reputable CA and the work of configuring the certificate. The next decision you would have to make is whether you want to use a web-based email service or a desktop email client like Mozilla’s Thunderbird. Implementing S/MIME with a desktop client like Thunderbird is a fairly painless task, but setting up S/MIME to run with a web-based email provider like Yahoo or Gmail could be difficult or not possible. If you need to have web-based email, again ProtonMail may be an easier choice. In addition to S/MIME there is Pretty Good Privacy (PGP). This is another option for signing and encrypting emails, with paid and free versions available. Either option will allow you to sign and encrypt messages, but it is important to research the reputation, operation, and maintenance of all software before installing it on your system.

Some email service providers are working to improve their security. They have increased the use of email security tools such as TLS (Transport Layer Security), a cryptographic security protocol; SPF (Sender Policy Framework), an email validation system; and DKIM (DomainKeys Identified Mail), a specification for signing messages. If you are using email at work, then hopefully a firewall has been set up by your IT department. Firewalls “define a single choke point that attempts to keep unauthorized users out of the protected network, prohibit potentially vulnerable services from entering or leaving the network, and provide protection from various kinds of IP spoofing and routing attacks.” 12 (pg. 307 Computer Security, Principles and Practice 3rd Edition, William Stallings and Lawrie Brown)

It should be noted that none of the security tools mentioned in this article are infallible. For example, the protection that firewalls provide can be worked around. “Firewalls cannot protect against attacks that bypass the firewall, or protect against internal threats, such as a disgruntled employee, and it cannot protect against an improperly secured wireless LAN” 13 (pg. 307 Computer Security, Principles and Practice 3rd Edition, William Stallings and Lawrie Brown) While TLS can help to protect email, the ability of a sophisticated attacker to impersonate any host can prevent tools such as TLS or SPF from defending against an attack.

Despite any limitations, it is still important to set up some combination of security tools or an intrusion prevention system (IPS) whenever possible. These tools may not prevent all attackers from gaining entry, but there is absolutely no need to make it easy for them. They do not protect against every scenario that exists, but they might just protect against all the scenarios that you will ever face. Maybe the only attackers you will face will be stopped by these methods, and you will be glad you set them up. It is better to have obstacles in place than to leave an unguarded path for attackers to march through. You may feel that these tools are too complicated, and it is important to make sure that you feel comfortable with your system, but shortcuts to increase usability should not come at a cost to security.

Securing email communication is an important task on both a personal and professional level. The security goals of confidentiality, integrity, and availability are achievable in a number of different ways. There are open source solutions that make computer security possible for people of all experience levels. The way to spread the adoption of these tools and techniques is training and education to help demystify the whole process. Users have ways to be proactive about their security and do not have to solely rely on providers to ensure the protection of their email. In the same way that attackers have become more sophisticated, our knowledge of email security should become more sophisticated as well. Any successful security plan will have to include more education on threats to security and the tools to protect against them. Hopefully this article has provided readers with a sense of where to begin with improving their own email security. It doesn’t have to be intimidating and with the adoption of a few tools any user can greatly increase their chances of being safe.

Bibliography
2, 5, 11 “Security by Any Other Name: On the Effectiveness of Provider Based Email Security”, Ian Foster, Jon Larson, Max Masich, Alex C. Snoeren, Stefan Savage, and Kirill Levchenko, Proceedings of the ACM Conference on Computer and Communications Security, Denver, Colorado, October 2015. http://cseweb.ucsd.edu/~snoeren/papers/smtpsec-ccs15.pdf

4, 6 ProtonMail Threat Model, https://protonmail.com/blog/protonmail-threat-model/

1, 7, 9 Kaspersky Lab — Best Practices Mail and Web, 2013. http://media.kaspersky.com/en/business-security/kaspersky-web-mail-server-best-practice-guide.pdf

8, 10, 12, 13 Computer Security, Principles and Practice 3rd Edition, William Stallings and Lawrie Brown, Pearson Education Inc., 2015, 2012, 2008.

Special Thanks: Professor Raquel Hill, Professor of Computer Science and Informatics, Indiana University. Her course on Security for Networked Systems provided me with the foundation to understand this topic and begin writing about it.
