Email Security - Are There Other Options?

Read the other day about a group of "Hackers" complaining about people encrypting all their email, most of which was useless to these hackers and they were tired of working so hard for nothing

I would like to start protecting my email (privacy issues only) and it got me thinking that the worst thing one could do is secure the occassional one as that would "stand out". Better off "all" or "none".

So after several hours of researching this area of security, it seems somewhat ignored as far as options available. Everything seems to revolve around these "Public/Private Keys". Now i don't know about you but most of my contacts are not computer/security savvy and telling them they need keys and need this software, etc - i'm gonna get a "WTF"

What i am looking for is a program that can encrypt email (text and attachments), send it and once it is received in my contact's inbox, somehow decrypt it without the contact having to jump through any hoops.(no forwarding of keys or passwords first)

Maybe the program could somehow be small enough to sit in the email and automatically decrypt for the contact once the contact clicked on a "decrypt email now" tab. The program would only decrypt for a certain address.

Any help/thoughts on this matter would be welcome.

Thanks

 

Such a system exists. It is called MailVault. It internally generates the keys and manages them between users. The user when logged in gets access to his key and enters a password to decrypt the message. The message otherwise sits in plaintext. The plaintext when the user sends it is automatically encrypted to the recipient. The only issue is the sender and recipient have to be in the same system, otherwise it can't find the right key to encrypt and decrypt with. Another problem is that if you expose your key and password to the foreign system, that is enough information for the foreign system to intercept your messages. However, the threat model isn't the internal observer (mail system) who could be evil anyway, but the external observer (hacker) who is definitely evil.

XeroBank will be releasing a similar solution where all messages a stored encrypted and transmitted encrypted, and anyone can use it for free.

 

Still haven't found what i am seeking and looks like the least intrusive on the contact's part would be a forwarded password first.

Encrypted with a "password" of course

And i'm in the 30% group here - http://press.gmx.com/2008-09-02_pressReleaseUS.html

Unbelievable

 

You might look at ZSentry products. Basic versions via the web are free.
https://zsentry.com

Consider attachments if it's one person you want to regularly communicate with.
fSekrit is a TINY little .exe that you use like a text file. A typical encrypted (AES-256) email-length note takes about 50kb. Just attach it to a regular email. If you're familiar with LockNote, it's just like it, but LockNote with the exact same email length would be about 350kb.

You can get fSekrit at http://www.donationcoder.com/Software/Other/fSekrit

Oh, change the extension to some weird extension from .exe as some email filters won't let an .exe through. Your regular recipient would know to change it to .exe and enter password. Really, to me, this is an easy way to pass along encrypted text without all the hassles.

Or, I've mentioned drop.io before. You can create password protected one-time (or multiple, your choice) "drops" with text, photos, videos, whatever you want. Free up to 100mb. Just give the recipient the drop URL (and give them the password in another way). This is casual security, but drop.io is just an incredible service in every way. In fact, some publication just recently named it one of the best "under the radar" (not well enough known) web applications.
http://drop.io

 

Their website wasn't clear about this - do both parties (sender & receiver) have to use this service for it to work like they say?

 

Whats the ETA on this ? This sounds great.

Will it be like this?

Sender -- encrypted email --> server --> encrypted?/unencrypted? -->Recr

 

Ok - after more reading i got the answer - NO!

It is more secure if they do but it still works. It's still not quite what i was looking for but i don't think that's available yet. And this is definitely less intrusive on the receiving party then keys and/or software installation. Really feel this is the way to do it for everyday emailing (Receiving end has a simplified option). Tested this out on myself and i am impressed to say the least.

This page is a good read - https://zsentry.com/how_zmail.htm

Has many options like self destruct date / to view your sent email require "no action or registration or login / detailed receipt sent upon request.

All in all - it's a keeper and thank you LockBox

 

OP, just use GPG and use it's file encryption (pre-shared key) method. Give the key to your contact through some secure medium (person to person or over a secure phone line). Then simply encrypt a text file with the message in it and attach that file to an e-mail. Your contact will already have the key and can just type it in. Decrypting should be as simple as right clicking and entering the password.

GnuPG is the FOSS version of the proprietary PGP. There is a Windows version now, and you can get it here. Or, if you prefer, you can just use PGP.

 

If you really want to be sure about the encryption and you don't trust a third party (generally, you shouldn't trust a third party when it comes to encryption ), I'd suggest teaching your contacts how to use PGP/GPG and public keys. It is not that hard, and they might actually learn something useful (just a thought...)

 

Will it be soon? <img>

 

I understand and agree with what your saying but my goal was to create/increase email security/privacy without asking more from the receiver. Some of my contacts are set in their ways, others like my stepbrother just started with computers and i don't want to overwhelm him anymore at this point.

I'm not sending secret/important documents which is why i'm not pushing for the "public/private keys" method. I just want a more secure way of sending 100% of my email that doesn't require receiver interaction beyond a click.

 

Steve

Could you provide any more info/update us on this upcoming email security solution.

Thanks

 

Anyone using Comodo Secure Email - http://www.comodo.com/home/internet-security/secure-email.php


Installed it and am trying with my hotmail account through Thunderbird 3 but doesn't connect and server times out

It has a web reader service for those receipitants that don't want to install the software and aquire certificates.

 

This is done by default on HOTMAIL SSL POP accounts or Gmail (and it is free). If the person that communicate with you use the same service or a service provider that support SSL SMTP. All traffic travels encrypted from you to the recipient of the e-mail.

Fax

 

Here is an email client that encrypts email. very secure and there is a free version. worth a look, I use it.
bigc

https://www.hushmail.com

What is Hushmail?

Hushmail is the most secure web-based free email service in the world. Since 1999, millions of people and thousands of businesses have trusted Hushmail to safeguard their secrets.

Hushmail looks and feels just like any other web-mail site, but adds strong encryption to your emails to protect your secrets from prying eyes.
Key features see more features…
Easy-to-use web-based email
Standards-compliant encryption
Works on iPhone and BlackBerry
Optional Outlook integration

 

SteveTX:

I've gone to MailVault's site but there's I don't see a registration process nor any information about the program. Is the site, http://mailvault.com/?

Thanks.

 

Thanks bigc

Hushmail was the first one i looked at but after searching more about it, decided to steer clear of it.

 

Hushmail also does not support Outlook unless you pay
While for hotmail or gmail its fully free

 

Fax, With Hotmail/Gmail all you're doing is protecting the emails from public view via SSL. The emails themselves are not encrypted on the server. In other words, they can be read, retrieved by LEA, etc. It's my impression the OP wants a solution that provides full email encryption.

 

uuuhm, I thought the issue was ensuring no one can read the message between the two (sender and the receiver). Lock out law enforcement officials to your e-mails its another story indeed Not sure you can prevent access to data anyway

Fax

 

FYI -- If you haven’t tried it yet, the use of a Class 1 Digital ID (see here) with Outlook is nearly transparent for encrypting emails and attachments. Many people have and know Outlook; and acquiring, installing and exchanging Digital IDs with Outlook doesn't require much effort.

On a general note, if you wish to ensure that the transmission of the contents of your email are encrypted entirely from the sender to the receiver, a password or a Digital ID must be exchanged between the parties, to the best of my knowledge. Logically, I don’t see how it could be otherwise.

 

Yes that is correct but as expected, i am receiving resistance from my contacts (all so far) to go the extra steps for ultimate email protection. Which is why i am trying to do the best i can from my end with hopefully a non-bothersome interaction at their end.

So without the most secure option (full exchange of keys public/private), i have found 2 - "Zmail" & "Comodo Secure Email" that give the receiving end a choice of reading the email without installing the software and applying for keys. But this is not as secure as the install option. Just hope they are not as deceptive as Hushmail has been.

 

The way you want, you only need encrypt the e-mail over TLS/SSL, using a secure connection to read or write. In this case, only the recipient can read your messages, the problem however is that the server can also access your messages. So you need to keep a watch their data privacy policy (of the provider). About unpaid services that provide SSL connection (POP3 using 995 port), I like Gmail, Lavabit and MyMail.

Now, if your concern is encryption end-to-end (so the server can not read) there is no other way than the recipient to decrypt the message. In this case, I recommend GnuPG and nothing else.

 

I like Secure Message

It is free for nominal encryption and 12.95 usd for higher/stronger.
" Fully functional and free to use with encryption strength Nominal (480bit)."

description and download

http://www.softpedia.com/get/Security/Encrypting/Secure-Message.shtml

screenshots

http://www.softpedia.com/progScreenshots/Secure-Message-Screenshot-39629.html

It needs both users to have it but it's not large or bloatish

Encrypted output is pure text in 70 character lines

 

Could you share your thoughts on "MyMail"? Just tried to create a free account but the homepage just reloads. Not for the paid accounts - page loads fine