Cyber Security:
Cryptography in action
Transport-level encryption
Transport-level encryption encrypts the text of the message between your device and the server that receives the data.
One of the most common is StartTLS. StartTLS is a protocol command used to inform the email server that the email client wants to upgrade from an insecure connection to a secure one using TLS or SSL.
StartTLS is used with SMTP and IMAP, while POP3 uses the slightly different command for encryption, STLS.
However, your messages may not be encrypted while sitting on a mail server.
End-to-end
End-to-end encryption ensures that the message remains fully encrypted all the way from the sender to the recipient.
Many websites, such as those for internet banking and online shopping, routinely use encryption to ensure that the data sent to and from your computer is safe from eavesdroppers.
However, configuring the same technologies to protect activities such as email communication can be quite difficult because the tools involved are complicated to install and configure.
Most end-to-end encryption tools depend on a collection of cryptographic techniques, commonly called 'Pretty Good Privacy', PGP for short. PGP includes algorithms for symmetric and asymmetric cryptography.
In order to help software vendors develop systems that can easily exchange encrypted information, a standard called OpenPGP was developed and agreed on by the Internet Engineering Task Force (IETF).
It can be a problem for organisations and individuals to set up the software for encrypted emails on all the devices that they use. End-to-end encryption can be provided as a service.
FREE (at the time of writing) tools available for encrypting emails
GPG4Win– provides a set of standalone tools that can be used to encrypt and digitally sign emails, documents and other files. It provides some plug-ins to integrate these features into standard email softw
are, such as Microsoft Outlook and Mozilla Thunderbird.
GPGMail – this tool is designed to integrate with the Mail software provided by Apple. It can be used to both encrypt and digitally sign your email. It is easier to configure and use than the Windows tools, but is only useful if you use a computer running OSX.
Enigmail for Thunderbird – this is a plug-in for the Thunderbird email client software that works across all operating systems. However, it requires manual installation of the GNUPG software, an open source implementation of the OpenPGP standard.
Mailvelope – this is a browser plug-in that uses an implementation of the OpenPGP standard. It works with a variety of browsers and web-based email systems, such as Gmail or Yahoo Mail. However, there is a security problem with such web-based email systems. Although you may have encrypted the message from end to end, the details of the email address it is sent to, as well as who it is from, and the time the message was sent can be logged, and this metadata may compromise your security and that of the recipient.
Secure email services
A secure email service like Proton Mail or Tutanota can hide the metadata that links the sender to the recipient of the message.
In its most secure usage pattern, a user logs in to Proton Mail and leaves an email message for another Proton Mail user to log in and collect.
The metadata about the users is never revealed and the message is also securely encrypted from end to end.
When the Proton Mail user sends an email to an external email address the metadata of the sender remains secure.
Proton Mail sends an invitation to the recipient to view the encrypted message on the server.
The mail service of the recipient may record that a message was sent by the Proton Mail server. If the user of Proton Mail uses the free service to send encrypted email to an outside email address they will have to send a key to the encryption to the recipient by some other means for the recipient to log in, such as a text message or phone call. This may reveal a link between sender and recipient.
A paid for service with Proton Mail allows use of PGP, so that a message can be sent to an external address using the recipients public key.
No link need be created between the sender and recipient.
However, the subject line isn't encrypted.
