Results 1 to 9 of 9
Thread: Email security & confirmation
-
12-13-2006, 05:33 PM #1WHT Addict
- Join Date
- Apr 2004
- Posts
- 121
Email security & confirmation
Hi,
We all know about ssl email to the SMTP server but what is going on after that?
Who determines which servers has the email to pass through and if they can read its source?
There are many commercial solutions who promice like:
http://www.windowsecurity.com/softwa...il-Encryption/
But what is actually the truth?
Here is a fictional email header:
Who can guarantee its truth?
Return-path: <sender@hotmail.com>
Envelope-to: xxx@domain.com
Delivery-date: Wed, 13 Dec 2006 21:05:51 +0200
Received: from account by host.magnum.com with local-bsmtp (Exim 4.52)
id 1GuZQG-0003cJ-LX
for xxx@domain.com; Wed, 13 Dec 2006 21:05:50 +0200
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on host.magnum.com
X-Spam-Level:
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,
MSGID_FROM_MTA_HEADER autolearn=ham version=3.1.7
Received: from [56.54.243.160] (port=17932 helo=bay0-omc2-s24.bay0.hotmail.com)
by host.magnum.com with esmtp (Exim 4.52)
id 1GuZQF-0003be-Im
for xxx@domain.com; Wed, 13 Dec 2006 21:05:44 +0200
Received: from hotmail.com ([65.55.137.92]) by bay0-omc2-s24.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);
Wed, 13 Dec 2006 11:05:41 -0800
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
Wed, 13 Dec 2006 11:05:40 -0800
Message-ID: <BAY133-F125071504988BDD26ACEA3D60@phx.gbl>
Received: from 65.54.137.111 by by132fd.bay132.hotmail.msn.com with HTTP;
Wed, 13 Dec 2006 19:05:37 GMT
X-Originating-IP: [84.179.244.222]
X-Originating-Email: [sender@hotmail.com]
X-Senderender@hotmail.com
In-Reply-To: <012421c71ed0$dc4356e0$4101a8c0@user1>
From: "Mary" <sender@hotmail.com>
To: xxx@domain.com
Bcc:
Subject: RE: Hiring now!
Date: Wed, 13 Dec 2006 21:05:37 +0100
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
X-OriginalArrivalTime: 13 Dec 2006 18:05:40.0405 (UTC) FILETIME=[AE512850:01C71EF9]
Regards,
Rocco.
-
12-13-2006, 10:47 PM #2Aspiring Evangelist
- Join Date
- Mar 2005
- Location
- Sri Lanka\Colombo
- Posts
- 357
u cant really say, TLS for SMTP only for encrypt the communication between server to server or server to client. any one who's admin the server at any end can read your email. so at the end of the day you need to trust your email admin & receiving partye's email admin
so what you can do is simply use a email ssl to encrypt your emails. outlook and lot of email clients support this.
you can get this for FREE no need to pay.
http://www.instantssl.com/ssl-certif...rtificate.html
P.S. your header is not show any TLS communications
-
12-14-2006, 04:11 AM #3WHT Addict
- Join Date
- Sep 2006
- Posts
- 129
The only way to truely protect content in the email is to encrypt the content itself. One way to do this is to use GPG/PGP.
-
12-17-2006, 02:23 PM #4WHT Addict
- Join Date
- Apr 2004
- Posts
- 121
Some more questions:
1. Is there any acknowledged international or national certifying authority that verifies that an email has actually been sent or received and verify its content, or this job belongs to lawyers?
2. How can the host of the sender determine the route through which the email will pass to reach the recipient?
3. Can the whole route an email will follow, from server 2 server be encrypted?
4. Encryption: I would appreciate some links here: Is it the same with ssl? Is it all about the time it takes to decrypt the message?
Cheers
-
12-18-2006, 01:25 AM #5WHT Addict
- Join Date
- Sep 2006
- Posts
- 129
1. You need to look into digital signing. I am not too sure about this area when it comes to law.
2. It can't.
3. Only if all servers perform encryption. Since this is up to the servers to decide, you have no control over this. In other words, you can not assume that all routes your email will go through will be encrypted.
4. If you encrypt your email, then you won't need SSL. Encrypted email can only be decrypted by the recipient (who would know the password to decrypt it), therefore you can safely pass it through multiple servers.
-
12-23-2006, 04:11 AM #6WHT Addict
- Join Date
- Apr 2004
- Posts
- 121
Hi,
1. How is it decided the route an email will pass through?
2. Can a server identify which emails, that pass through it, are encrypted and which not?
3. Does encryption include attachments and if yes which MIMES?
Regards.
-
12-23-2006, 06:49 AM #7WHT Addict
- Join Date
- Sep 2006
- Posts
- 129
1. There is no fixed rule on the path mail takes from server to server. This depends on the setup of each server.
2. An email server's purpose is to deliver mail, not analyze the contents. So whether the email is encrypted or not, has no meaning for the server. However, if your email is encrypted, it means that no one can read the contents except for the person who knows the password.
3. You need to use S-MIME to encrypt attachments.,
-
12-23-2006, 11:39 AM #8Web Hosting Master
- Join Date
- Mar 2003
- Location
- Saint Paul, MN
- Posts
- 832
Email encryption is an incredibly complex topic with a lot of competing (and often, conflicting) strategies. For starters, you have to differentiate between encryption of the message content (PGP/GPG, for instance) and encryption of the connection over which it's carried (SSL or TLS); for the latter, you should understand the difference between the two, which are in practice quite significant, and which is better. A full understanding of just how email and encryption work will also help to understand what information can still be discerned from a GPG-encrypted message, or a TLS-encrypted transaction, (i.e. traffic analysis) and some of the ways to overcome those limitations (for example, pseudonymous remailers). A few points:
1. Is there any acknowledged international or national certifying authority that verifies that an email has actually been sent or received and verify its content, or this job belongs to lawyers?
Verification of content can be done thru the use of cryptographic signatures, as with PGP/GPG and similar software.
2. How can the host of the sender determine the route through which the email will pass to reach the recipient?
3. Can the whole route an email will follow, from server 2 server be encrypted?
2. Can a server identify which emails, that pass through it, are encrypted and which not?redpin.com - offering amazingly competent email, dns, and web hosting since 2002... because someone has to!
Because Simple Things Should Be Simple - YouCANHasDNS
-
12-23-2006, 12:07 PM #9Aspiring Evangelist
- Join Date
- Mar 2005
- Location
- Sri Lanka\Colombo
- Posts
- 357
email travel from
your email client ----> your smtp server (sending server) ----->
receiver smtp server (reciving server) ----> receives email client
if all servers user TLS (SSL) even both email client, communication
between all points are encrypted (---> marked) how ever any one at any end
can read the email (server admins)
TLS communication will look like this (servers, email clients need to
support this)
--------
Received: from secure.XX.net ([216.XX.XX.XX]:56552)
by secure6.XX.net
with esmtps (TLSv1ES-CBC3-SHA:168) (Exim 4.52) id 1Gy8pD-0004Ho-1U for
support@XXX.com;
Sat, 23 Dec 2006 10:30:15 -0500
--------
(TLSv1ES-CBC3-SHA:168) mean the servers has used 168bit encryption
(SSL - TLS) same like web site that use SSL on payment gateways etc.
http://en.wikipedia.org/wiki/Secure_Sockets_Layer
this way only help is if any one is trying to read the communication
between servers or email clients, this dont mean a server admin cant
read your email, they can.
best way is to encrypt your email using email SSL certificate with in
your email client. so the email will be encrypted even if the servers
dont use TLS, or even if the server admin try to read your email try
cant.
only one with a correct key (certificate) can decrypt the email for
reading.
http://security.fnal.gov/pki/email_with_dig_sig.html