Try to imagine the Internet without email. It doesn’t work, does it? The two go hand in hand and are almost inseparable.
You probably have at least one email account, if not more.
Email was and still is crucial for communication over the Internet. However, in recent years we’ve seen more and more problems when it comes to email.
One problem is that email is not very private.
That leaves emails vulnerable to hacking, spam, phishing and other forms of malicious attacks.
“But that would never happen to me, I’m careful!”
I’m sure you are. But so were hundreds of businesses that have been a victim of an email data breach.
In fact, according to the Symantec 2019 Internet Security Threat Report, 1 in 323 smaller organizations (up to 250 employees) is the target of a malicious email.
The bottom line is this: email is not as private as you think it is. That’s why you need to find a way to secure your communication over it and make it private.
That means you need to encrypt your emails.
What is Email Encryption?
You’ve probably heard someone mention “encryption” at least once or twice. A website might say that it’s using this or that kind of encryption, for instance.
That’s all nice, but what does it really mean?
There’s not a single encryption definition, but the easiest way to think about it is that encryption is a way to transform information into a secret code that hides its real meaning.
As you might have guessed, this is especially important in email communication.
Let’s say that you need to send information over to someone. You don’t know if someone is eavesdropping on your conversation. You could be revealing classified information about your company, customers, family or yourself.
This is where encryption comes in. Essentially, email encryption means disguising the content of your email message as a way to prevent anyone but the intended recipient from reading it.
Most Common Email Encryption Methods
Now that we’ve covered the definition of encryption and what it is, let’s talk about how encryption works.
There are two main email encryption approaches: end-to-end encryption and transport-layer encryption.
Both PGP and S/MIME are end-to-end encryption methods.
This means the email is encrypted at its source (the sender), unreadable in transit (even to Gmail or other service providers) and then decrypted at the other end (the recipient).
On the other hand, we have transport-layer encryption, which includes SSL, TLS and STARTTLS.
PGP includes two types of encryption, PGP/MIME and PGP Inline.
So how does encryption work with these two?
PGP/MIME or Pretty Good Privacy Multipurpose Internet Mail Extensions (that’s a mouthful) is a decentralized encryption method that encrypts and signs the email message (along with any attachments) as a whole.
This type of encryption provides a good deal of control and flexibility over what gets encrypted. The issue is that since the entire message is encrypted together, you’ll need to download it whole (with attachments) in order to read the body.
PGP Inline, on the other hand, encrypts everything individually. In other words, the email body and any attachments will be separately encrypted and digitally signed.
There are advantages and disadvantages to this approach.
The biggest advantage is that the recipient doesn’t have to use a client that supports PGP. Instead, they can copy or download the message body or attachment and then use a 3rd party tool to decrypt it.
The problem, however, is that, since everything is encrypted separately, PGP Inline can leak information about the attachment (for instance its name, type and the fact that it exists), even though its contents stay encrypted.
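To make the difference concrete, here is an added example (not code from the original article) that builds the two message shapes with Python’s standard `email` library and lists what a relay or mailbox provider can read without any key. The ciphertext is a constructed placeholder, and the addresses and the attachment name are invented for the demonstration.

```python
from email import policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.parser import BytesParser

# Constructed placeholder; a real PGP tool would emit genuine ASCII-armored ciphertext here.
FAKE_CIPHERTEXT = b"-----BEGIN PGP MESSAGE-----\n(placeholder)\n-----END PGP MESSAGE-----\n"


def build_pgp_mime() -> bytes:
    """PGP/MIME (RFC 3156): body and attachments are encrypted together as one blob."""
    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    outer["From"] = "alice@example.com"
    outer["To"] = "bob@example.com"
    outer.attach(MIMEApplication(b"Version: 1\n", "pgp-encrypted"))
    # The single octet-stream part carries the ciphertext of the entire inner MIME tree,
    # so the real attachment names and types are hidden inside it.
    outer.attach(MIMEApplication(FAKE_CIPHERTEXT, "octet-stream", name="encrypted.asc"))
    return outer.as_bytes()


def build_pgp_inline() -> bytes:
    """PGP Inline: the body and each attachment are encrypted as separate MIME parts."""
    outer = MIMEMultipart("mixed")
    outer["From"] = "alice@example.com"
    outer["To"] = "bob@example.com"
    outer.attach(MIMEText(FAKE_CIPHERTEXT.decode()))  # armored body sent as plain text
    att = MIMEApplication(FAKE_CIPHERTEXT, "octet-stream")
    # The original filename travels in the clear on the separately encrypted part.
    att.add_header("Content-Disposition", "attachment", filename="q3-layoffs.xlsx.pgp")
    outer.attach(att)
    return outer.as_bytes()


def visible_metadata(raw: bytes) -> dict:
    """Everything a relay or mailbox provider can read from the message with no key at all."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    return {
        "structure": msg.get_content_type(),
        "leaf_types": [p.get_content_type() for p in leaves],
        "filenames": [p.get_filename() for p in leaves if p.get_filename()],
    }


if __name__ == "__main__":
    for label, builder in (("PGP/MIME", build_pgp_mime), ("PGP Inline", build_pgp_inline)):
        print(label, visible_metadata(builder()))
```

Running it shows the PGP/MIME message exposing only a generic `encrypted.asc` part, while the inline message exposes the attachment’s real name and extension.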
Another email encryption method is S/MIME or Secure/Multipurpose Internet Mail Extensions. S/MIME is based on asymmetric cryptography and a pair of keys (public and private).
These two keys are mathematically related and one won’t work without the other.
That means you’ll need a public key to encrypt the message. However, you can only decrypt it with a private key, which only the intended recipient will have access to.
This encryption method is built into most OSX devices, and it relies on a centralized authority to pick the encryption algorithms, whereas PGP is more decentralized.
Transport-layer email encryption includes SSL, TLS and STARTTLS.
- SSL and TLS
Both SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are application-layer protocols that allow the communication channel between two computers (sender and recipient) to be encrypted.
How does encryption work with SSL and TLS?
In essence, to send and receive emails, an email client uses TCP (Transmission Control Protocol). This allows it to initiate a “handshake” with the server.
During the “handshake”, the email client tells the email server which version of SSL or TLS (the two are interchangeable here; the only difference is the version you are using), which cipher suites and which compression methods the server should use.
Once they’ve “shaken hands”, the server verifies its identity by sending the client a certificate, telling the client that the server is trusted by the user’s software (for example Microsoft).
This assures the email client that it is sending messages to whom it should, not to someone posing as the real recipient, and allows the two to exchange the key with which all sent and received emails are encrypted.
Since TLS and SSL are application-layer protocols, both the sender and the recipient have to know that they are being used to encrypt emails.
STARTTLS, on the other hand, is a command with which a client tells the server that it would like to upgrade an insecure connection to a secure one.
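The defender’s concern with STARTTLS is that the upgrade is optional: a client that silently carries on in plaintext when the server does not advertise it gets no protection. The following is an added example (not from the original article) using Python’s standard `smtplib`; it refuses to proceed unless STARTTLS is offered and the upgrade succeeds, and it validates the server certificate. The `host` argument is an assumed parameter, and the EHLO responses used in the helper’s checks are constructed.

```python
import smtplib
import ssl


def starttls_offered(ehlo_response: bytes) -> bool:
    """Return True if an EHLO capability list (as smtplib.SMTP.ehlo() returns it) advertises STARTTLS."""
    # The first line is the server's greeting name; each later line is one extension keyword.
    for line in ehlo_response.splitlines()[1:]:
        words = line.split()
        if words and words[0].upper() == b"STARTTLS":
            return True
    return False


def open_secure_smtp(host: str, port: int = 587, timeout: float = 10.0) -> smtplib.SMTP:
    """Connect, insist on STARTTLS and verify the server certificate before sending anything.

    Fails closed: if the server does not offer STARTTLS, or the upgrade fails, nothing is
    ever sent over the plaintext channel. `host` is an assumed parameter with no default.
    """
    smtp = smtplib.SMTP(host, port, timeout=timeout)
    code, ehlo = smtp.ehlo()
    if code != 250 or not starttls_offered(ehlo):
        smtp.quit()
        raise RuntimeError(f"{host}:{port} does not advertise STARTTLS; refusing plaintext SMTP")
    ctx = ssl.create_default_context()  # validates the chain and hostname against the system trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    smtp.starttls(context=ctx)  # raises if the handshake or certificate check fails
    smtp.ehlo()  # capabilities must be requested again after the upgrade (RFC 3207)
    return smtp


if __name__ == "__main__":
    import sys
    conn = open_secure_smtp(sys.argv[1])
    print("negotiated", conn.sock.version(), conn.sock.cipher())
    conn.quit()
```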
Why is Email Encryption Such a Big Deal?
So why are we telling you all of this about email encryption? Why is it important to know stuff like how encryption works, to understand the different encryption methods and so on?
Millions of dollars are lost every year due to unsecured email communication. Email breaches can have a significant negative impact on your organization. This includes not only financial loss, but reputation loss as well.
For instance, this year over 2 billion customer personal records from the email marketing service Verification.io were exposed in what is likely the largest email data leak in history.
Verification.io is one of the largest email verification platforms out there, and if anyone should know how to keep emails secure, it’s them. However, they were still the victim of a data breach that exposed their customers’ personal information, which hackers and scammers could then use for illegal purposes such as identity theft.
If email data leaks can happen to companies like Verification.io, they can happen to you as well, so it’s better not to risk it and to make sure your emails are properly encrypted.