
A basic introduction to email encryption

Please note that this article is still being drafted or rewritten and may contain imperfections. It has not yet been reviewed for final publication.

Try to imagine the Internet without email. It doesn't work: the two complement each other and are almost inseparable. Email was and is critical to communication on the Internet. In recent years, however, we have seen more and more problems with it.

The problem is that email is not very private.

This makes email vulnerable to hacking, spam, phishing, and other malicious attacks.

You may believe you will be lucky. So did the hundreds of businesses that fell victim to email data breaches.

In fact, according to the Symantec 2019 Internet Security Threat Report, 1 in 323 small organizations (up to 250 employees) was the target of malicious email.

Worse still, email isn't as private as you might think. That is why you need a way to protect your communications and keep them private.

This means you need to encrypt your email.

What is email encryption?

You've probably heard someone mention "encryption" at least once or twice. For example, a website might say they are using one encryption or another. This is great, but what does it really mean?

There is no single definition of encryption, but the easiest way to think about it is this: encryption converts information into a coded form (ciphertext) that hides its true meaning.

As you might have guessed, this is especially important in email communications.

Say you need to send information to someone. You don't know if someone else is eavesdropping on your conversation. You may reveal confidential information about your business, clients, family, or yourself.

This is where encryption comes in. Essentially, email encryption means disguising the content of your email to prevent it from being read by anyone other than the intended recipient.

Most common email encryption methods

Now that we've covered the definition of encryption and what it is, let's talk about how encryption works.

There are two main email encryption methods: end-to-end encryption and transport-layer encryption.

PGP and S/MIME are end-to-end encryption methods.

It means that email is encrypted at its source (sender), unreadable in transit (even for Gmail and other service providers), and then decrypted at the other end (recipient).

On the other hand, we have transport layer encryption (including SSL, TLS and STARTTLS).

PGP

PGP comes in two forms: PGP/MIME and PGP Inline.

How does encryption work with both?

PGP/MIME (the Pretty Good Privacy Multipurpose Internet Mail Extensions) is a decentralized encryption method that encrypts and signs the entire email message (and any attachments).

This type of encryption provides great control and flexibility for encrypting content. The problem is that since the whole message is encrypted together, you need to download it all (with attachments) in order to read the body.

On the other hand, PGP Inline encrypts everything individually. In other words, the email body and attachments will be encrypted and digitally signed separately.

This approach has advantages and disadvantages.

The biggest advantage is that recipients don't have to use a PGP-enabled client. Instead, they can download or copy the message or attachments and decrypt them using third-party tools.

The problem is that since everything is encrypted individually, PGP Inline can leak information about attachments.
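To make the PGP/MIME versus PGP Inline difference concrete, here is an added example (not from the original post) that builds both message layouts with Python's standard email library and lists what a mail relay sees without any key. The ciphertext bytes, subject and file names are constructed stand-ins, not real OpenPGP output.

```python
import email
from email import encoders
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed stand-ins for OpenPGP output (real ciphertext would come from GnuPG).
FAKE_COMBINED_CT = b"-----BEGIN PGP MESSAGE-----\n(constructed: body+attachments)\n-----END PGP MESSAGE-----\n"
FAKE_BODY_CT = b"-----BEGIN PGP MESSAGE-----\n(constructed: body only)\n-----END PGP MESSAGE-----\n"
FAKE_ATTACHMENTS = {"q3-payroll.xlsx": b"(constructed xlsx ciphertext)",
                    "merger-memo.pdf": b"(constructed pdf ciphertext, longer)" * 4}


def build_pgp_mime(combined_ciphertext: bytes) -> MIMEMultipart:
    """RFC 3156 PGP/MIME: body and attachments travel as one opaque ciphertext part."""
    msg = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    msg["Subject"] = "Quarterly numbers"  # headers stay in the clear in both schemes
    control = MIMEApplication(b"Version: 1\n", "pgp-encrypted", _encoder=encoders.encode_7or8bit)
    blob = MIMEApplication(combined_ciphertext, "octet-stream", _encoder=encoders.encode_7or8bit)
    msg.attach(control)
    msg.attach(blob)
    return msg


def build_pgp_inline(body_ciphertext: bytes, attachments: dict) -> MIMEMultipart:
    """PGP Inline: the body and each attachment are encrypted and attached separately."""
    msg = MIMEMultipart("mixed")
    msg["Subject"] = "Quarterly numbers"
    msg.attach(MIMEText(body_ciphertext.decode("ascii"), "plain"))
    for name, ciphertext in attachments.items():
        part = MIMEApplication(ciphertext, "octet-stream")  # base64-encoded by default
        part.add_header("Content-Disposition", "attachment", filename=name + ".gpg")
        msg.attach(part)
    return msg


def visible_metadata(raw_message: bytes) -> list:
    """What a relay or eavesdropper learns without any key: each part's type, name and size."""
    parsed = email.message_from_bytes(raw_message)
    seen = []
    for part in parsed.walk():
        if part.is_multipart():
            continue
        seen.append({"type": part.get_content_type(),
                     "filename": part.get_filename(),
                     "size": len(part.get_payload(decode=True))})
    return seen


if __name__ == "__main__":
    print("PGP/MIME:  ", visible_metadata(build_pgp_mime(FAKE_COMBINED_CT).as_bytes()))
    print("PGP Inline:", visible_metadata(build_pgp_inline(FAKE_BODY_CT, FAKE_ATTACHMENTS).as_bytes()))
```

With PGP/MIME the relay sees two parts and no file names; with PGP Inline it sees how many attachments there are, their names and their sizes, even though it cannot read any of them.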

S/MIME

S/MIME (Secure/Multipurpose Internet Mail Extensions) is based on asymmetric encryption and a pair of keys (public and private keys).

The two keys are mathematically related; one would not work without the other.

This means you need a public key to encrypt messages. But you can only decrypt it with a private key that only the intended recipient can access.

This method is built into most OSX devices. It relies on a centralized authority to choose the encryption algorithms, whereas PGP is more decentralized.

Transport-layer email encryption: SSL, TLS, and STARTTLS

SSL and TLS

Both SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are application-layer protocols. They allow the communication channel between two computers (sender and receiver) to be encrypted.

How does encryption work with SSL and TLS?

Essentially, to send and receive email, email clients use TCP (Transmission Control Protocol), which allows them to initiate a "handshake" with the server.

During the "handshake", the email client tells the email server which version of SSL or TLS to use (the two are interchangeable here; the only difference is which version you use), and which cipher suite and compression method the server should use.

Once they "handshake", the server proves its identity by sending the client a certificate, which tells the client that the server is trusted by the user's software vendor (such as Microsoft).

This ensures that the email client sends the message to whom it is supposed to go, and not to someone posing as the real recipient, and it allows the two sides to exchange the keys under which all emails sent and received are encrypted.

STARTTLS

Since TLS and SSL are application-layer protocols, both senders and recipients must know that they are being used to encrypt email.

STARTTLS, on the other hand, tells the server that the client wants to upgrade an insecure connection to a secure one.
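An added example (not from the original post) in Python that shows the decision a mail client makes after reading the server's EHLO reply: proceed with STARTTLS, or refuse to send rather than quietly fall back to plaintext, plus the TLS settings it should apply for the handshake that follows. The EHLO replies and host names are constructed.

```python
import ssl

# Constructed EHLO replies, as a client reads them off the socket after sending "EHLO client.example.test".
EHLO_WITH_STARTTLS = ["250-mail.example.test Hello", "250-SIZE 35882577", "250-STARTTLS", "250 8BITMIME"]
EHLO_WITHOUT_STARTTLS = ["250-mail.example.test Hello", "250-SIZE 35882577", "250 8BITMIME"]


def ehlo_extensions(reply_lines: list) -> set:
    """Parse a multi-line 250 EHLO reply into the set of advertised extension keywords."""
    for line in reply_lines:
        if not line.startswith("250"):
            raise ValueError(f"unexpected EHLO reply: {line!r}")
    extensions = set()
    for line in reply_lines[1:]:  # the first line is only the server greeting
        extensions.add(line[4:].split(" ", 1)[0].upper())  # skip '250-' or '250 '
    return extensions


def decide_transport(reply_lines: list, require_tls: bool) -> str:
    """Return 'starttls' when offered; otherwise 'plaintext' or an error, depending on policy."""
    if "STARTTLS" in ehlo_extensions(reply_lines):
        return "starttls"  # client now sends STARTTLS, expects a 220 reply, then runs the TLS handshake
    if require_tls:
        raise RuntimeError("server did not advertise STARTTLS; refusing to send in the clear")
    return "plaintext"  # opportunistic mode: this is the silent downgrade a strict policy prevents


def mail_tls_context() -> ssl.SSLContext:
    """Client-side settings for the handshake that follows a 220 reply to STARTTLS."""
    ctx = ssl.create_default_context()  # verifies the server certificate chain and host name
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSL 3.0, TLS 1.0 and TLS 1.1
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """True when the context checks the certificate and host name and rejects old protocol versions."""
    return (ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


if __name__ == "__main__":
    for reply in (EHLO_WITH_STARTTLS, EHLO_WITHOUT_STARTTLS):
        try:
            print(decide_transport(reply, require_tls=True))
        except RuntimeError as err:
            print("refused:", err)
    print("hardened context:", context_is_hardened(mail_tls_context()))
```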

Why is email encryption so important?

So why are we telling you all about email encryption? Why is it important to understand how encryption works, understand different encryption methods, etc.?

Millions of dollars are lost every year due to insecure email communications. An email compromise can have a significant negative impact on your organization, including not only financial loss but also reputational damage. For example, over 2 billion individual customer messages from the email marketing service Verifications.io were exposed, making it the most significant email data breach in history.

Verifications.io is one of the largest email verification platforms out there, and if anyone should know how to keep their emails safe, it's them. However, they still fell victim to a data breach that exposed customers' personal information, which hackers and scammers can use for illicit purposes such as identity theft.

If an email data breach could happen to a company like Verifications.io, it could happen to you too, so it's best not to risk it and make sure your emails are adequately encrypted.
