Rossander’s Security Reader

If you have your own datacenter and have a dedicated IT staff that runs your own email system, you can skip this week’s Tip. If you use webmail (such as Gmail, Hotmail or Yahoo mail) or if you use an email service (such as XO Communications or AppRiver), you are using hosted mail (that is, someone other than your own IT people has a copy of your email on their servers and manages your email for you) and you may need to think about how to keep your emails safe between your computer and the host.

Hosted mail can be a very useful service. It lets individuals and small companies buy top-quality email services without needing a full data center and 24 hour support staff. (Personal webmail accounts can also be useful for keeping personal and professional messages separate. See the 27 Jan 2007 Tip for more.)

However, hosted email adds a layer of complexity to your security arrangements. When your email system is completely in-house, you can trust your perimeter defenses to protect messages from one employee to another even if the message itself is not encrypted. When you use hosted email, the message is leaving your perimeter before it gets back to your co-worker. Since standard email is not encrypted, that message could be intercepted and read by basically anyone during that period while it’s outside your perimeter.

The same applies when emailing outsiders. More and more companies are implementing secure email in order to protect messages with confidential content. Many of those systems use Transport Layer Security (TLS) which scrambles the message while it’s moving from the sender’s email system to the recipient’s email server but does not protect the message between the recipient’s email server and his/her desktop. That leg is a responsibility of the recipient.

While it is dangerous to generalize from just a few examples, all the email services that I’ve talked to have some way to secure that last mile from their email server to your desktop. XO Communications, for example, has detailed instructions on their webpage explaining the settings and port numbers that you have to set up on each desktop in order to connect to them securely. AppRiver has instructions for how to use the capabilities built into MS Outlook to protect the connection.

Unfortunately, the connection for the users of webmail is harder to make secure. Gmail claims on their website that encryption is available but a number of requests for help on their discussion groups have gone unanswered. Yahoo has yet to return our request for information.

If you can set up that last mile securely, you need to do so. If you can’t, be very sure that you do not use email to send or receive any confidential information such as SSNs or Drivers License numbers.