Email (In) Security
Security vulnerabilities in email.
Local machine
If you use Eudora, anyone can sit down at your computer and read your already downloaded messages.
Network
Messages travel in the clear over the network. Yale is a fairly open organization; it's not the NSA, or even Apple Computer. Unless YOU control the entire network and it is physically secure 24 hours a day, and, if it is connected to another network, it is protected by an impenetrable firewall, YOU can't be sure that even your internal transmissions are secure. Forget it once you hit the Internet.
Server
Administrators of the server have the ability to read your messages. Whether they do or not is a different issue.
Archiving
Most organizations, including Yale, archive all email messages.
Forgery
As many of you may know, forging email is quite simple. You can be bill.clinton@whitehouse.gov with very little effort.
Traffic Analysis
Even if someone can't read your mail because it's encrypted, they can still watch the packets travelling over the network from your computer. They can still tell to whom you are sending mail.
What can you do?
- Use common sense.
This is the easiest. Don't conduct business with email that might come back to haunt you. Don't discuss confidential matters, email your credit card number, conduct criminal activity, etc.
- Encrypt your email.
PGP (Pretty Good Privacy) is the most common form of encryption on the Internet. It uses "Public Key Cryptography." Each user generates a "Public Key" and a "Private Key." The public key is just that--public. You give it out, put it on public keyservers, include it in your signature. If I want to send you a message, I use your public key to encrypt it. When you receive my message, you use your private key to decrypt it. There is no way to determine the private key from the public. You can also use your private key to digitally "sign" a message, with or without encrypting it. Your recipient can use your public key to verify that the message is authentic and has not been tampered with. It also provides non-repudiation, since only you have your private key. PGP is a fairly unfriendly program, so you'll want to use a PGP shell program for ease of use. There are also programs that work with Eudora to automatically decrypt and encrypt your messages.
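The public-key workflow just described (encrypt to the recipient's public key, decrypt with their private key, sign with the sender's private key, verify with the sender's public key), as an added example in Go that is not part of the original page. It assumes RSA with OAEP and PSS from the Go standard library in place of PGP's own message format, and the key-pair owners it uses are constructed for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// NewKey generates a key pair; the PublicKey half can be handed out freely.
func NewKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// Seal is the sender's side. It encrypts msg with recipientPub (only the matching
// private key can undo it) and signs it with senderPriv (only the matching public
// key verifies it). OAEP with SHA-256 and a 2048-bit key accepts at most 190 bytes;
// PGP avoids that limit by encrypting a random session key rather than the message.
func Seal(msg []byte, recipientPub *rsa.PublicKey, senderPriv *rsa.PrivateKey) (ct, sig []byte, err error) {
	ct, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, msg, nil)
	if err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(msg)
	sig, err = rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, nil, err
	}
	return ct, sig, nil
}

// Open is the recipient's side: decrypt with recipientPriv, then verify the
// signature with senderPub. A wrong private key, a ciphertext altered in transit
// or a signature made with someone else's key all come back as an error.
func Open(ct, sig []byte, recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	msg, err := rsa.DecryptOAEP(sha256.New(), nil, recipientPriv, ct, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, err
	}
	return msg, nil
}
```

Note that the ciphertext and signature are all that need to cross the network, but who is writing to whom is still visible to anyone watching the packets, which is the traffic analysis point above.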
Here's my public key, if you want to send encrypted mail to me.
john.coleman@yale.edu
Revised 3/18/97
