Monday, 17 December 2012

Is email secure?

In one word “No” email is not secure!

If it is used to transmit personal details, especially things like bank account details - even to a trusted friend or organisation - it is comparable to posting the same details on the side of a bus with a message saying "FREE MONEY HERE!"

The reason is that email is one of the earliest systems of the internet and invented in a time where most people using the systems could be trusted and therefore there is no security built into the underlying email system. 

It means that anybody on a network on which your email uses to reach its final destination can potentially read the contents of the message without too much difficulty.   

The important thing to realise about the internet is that it is not like a normal telephone system.  When you use a normal landline to phone someone, there is a physical connection (or circuit) between you and the person at the other end.  However, the internet couldn’t work like this (everything would grind to a halt if it did!)   The internet works on a packet switching method, whereby data is split into individual packets and each packet makes their own independent way across the internet.

This means that a large message can be split into multiple packets and they can travel along different routes to each other.  The reason is that it is possible to redirect packets of information when a route stops functioning or becomes too busy.  Something called TCP (Transport Control Protocol) receives the individual packets and reconstitutes them back into the complete message. The overall effect is that TCP provides the illusion of a direct connection, similar to that of a telephone connection. It is also known as a virtual circuit.

From a security perspective, this means that it is not possible to guarantee the route that something will take and therefore it is not possible to guarantee the security of the message.  In other words, if the email, part of the email, or any other data, should pass along a network of a corrupt company or organisation, it is possible for it to be inspected and recorded for future analysis.
The picture below is a screenshot of a freely available program called Wireshark. It  monitors anything that passes by the computer’s network connection, including email:

Simple Message Transfer Protocol or SMTP for short, is the communication language (protocol) that the internet email system uses to send emails from place to place and Wireshark is able to capture these information packets and display the contents.

The next picture shows that even the message contents of an email can be read

People often mistakenly believe that putting a private message into an attachment will protect the contents from prying eyes. Sadly this is not the case.

What can be confusing to understand is that attachments are “encoded” but this does not provide any security.  Anybody who knows the algorithm that was used to “encode” an attachment can use the same algorithm to “un-encode” and retrieve the original attachment.

Encryption is similar to encoding, except that the reversal process of the encrypted message requires some form of key and it is not possible to see the message without the key.

The reason for encoding attachments is that email was never originally designed to transmit attachments.  The original email systems only used 7 bits of an 8 bit byte – the 8th bit could be used as a form of error check, to ensure that the message had been received correctly.

7 bits in binary provides the range of 0 to 127 and therefore enough to represent everything needed for plain text emails.  The problem however, is that files sent as attachments use the full 8 bits.  If the email system tried sending an un-encoded jpg picture, the receiving email system would think there has been a transmission problem as the 8th bit of each byte is part of the data and would incorrectly signal a huge amount of errors.

The solution to the problem is to convert the binary attachment into a format whereby the 8th bit is still used as an error check.  The downside of the encoding systems is that they can increase the size of data being sent.

Therefore I advise NOT to send any sensitive or private information via email - especially anything sensitive like bank account or credit card details - It can be intercepted very easily whilst on route between email servers.

No comments:

Post a Comment