Rob Behnke
November 9th, 2021
Email is the most common form of communication between businesses and their customers and users. From marketing campaigns and technical support, all the way down to confidential file sharing and 2FA procedures, email in one way or another will impact how effectively you do business.
And yet, for decades, the default was to send email across the internet unencrypted. This approach has a serious drawback: any unauthorized party that intercepts an unencrypted email can read its contents. Today, most email service providers offer some level of email encryption. However, not all providers agree on what to encrypt or how strongly to encrypt it. Additionally, there is no one-size-fits-all solution to email encryption or to your overall information security.
This is why it’s so important to understand what specific email services provide you in terms of encryption and how to approach your strategy for information security. Properly encrypting your emails drastically reduces the chance of your sensitive information ending up in the wrong hands – so as part of our InfoSec series, we’ll take an in-depth look at encrypted email and how to protect your sensitive organizational data.
Estimates put the number of emails sent every single day at between 279 and 347 billion, and well over 40% of those emails are business related. This volume of confidential business information exchanged between servers and devices represents a significant opportunity for cybercrime and a significant risk of confidential information being leaked.
Encrypting your email is the only way to ensure that your confidential information is protected when sending it to others. However, most users either do not send encrypted emails, or do not understand how encryption functions.
Essentially, email encryption is the masking or scrambling of message content, until the intended recipient receives that message. You should always consider encryption for any information you send that’s not intended for public use – but as a general rule of thumb and for greater peace of mind, always encrypt messages that have specific intended recipients.
Today, there are a number of email encryption protocols used by email service providers. Here’s a list of protocols you’re likely to come across in your search for a secure email solution:
SSL/TLS: Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL) are application layer protocols and the most common protocols used to encrypt network traffic. The two names are often used interchangeably; both provide a way to encrypt communication between two computers over the Internet. SSL/TLS encrypts email in transit between an email client and the server, but it does not provide end-to-end encryption.
S/MIME: Secure/Multipurpose Internet Mail Extensions uses a public key and a private key to help protect emails from unwanted access by allowing you to digitally sign your emails. As a result, the receiving user knows the emails are from you and not an attacker.
PGP/OpenPGP: Created by Phil Zimmermann, PGP is the most widely used email encryption protocol. The protocol is used for encrypting both files and emails, and it also allows two users who have never met to send encrypted messages to each other without exchanging private keys.
One of the big challenges for email users is figuring out which email encryption to use. As you can see, there are a number of different protocols, so which solution you choose depends on what your most important email security needs are.
Additionally, users differ in how much they care about being able to search the emails in their inbox, and some users would rather their email service not be able to read their email content at all.
So, in this next section, we’ll take a closer look at who exactly can see your emails, as well as what end-to-end encryption is and how it works.
When most people search their email inbox, they may not consider that the email service itself is able to read their emails. For instance, services such as Yahoo and Google hold all your emails in plaintext, and their servers can scan them for specific content. This is why Google is able to serve you ads based on your email content, for instance. For many users, this level of access is concerning from a security and privacy standpoint: beyond the provider itself being able to access your email content, you are further at risk if the provider's servers are ever compromised, given that those emails are exposed on the server.
So how do you address these kinds of security and privacy concerns for your emails? One of the most widely adopted solutions is end-to-end encryption, or E2EE.
Even when you use email encryption to send and receive email, there is the possibility that your email content can still be snooped after it’s delivered to a device like your computer or mobile phone. This can happen if a device is infected with malware, for example. In another scenario, if your email provider’s servers are ever hacked, there’s a possibility that your emails could be accessed at that point, even though the email was sent over the internet encrypted.
End-to-end encryption helps to solve this problem by ensuring that an email is encrypted from the time it leaves the sending device all the way until the user on the receiving device decides to open it. This means that even if an email service or a device itself is compromised, the email content could remain safe because it will be encrypted right up until the user wants to decrypt and read it.
End-to-end encryption works by using the recipient's public key to encrypt the email before it is sent out and the recipient's private key to decrypt it once it arrives at the destination device. The private key used to decrypt the message is known only to the user or device decrypting the email.
One thing to note is that end-to-end encryption only works if the email users you are messaging also use E2EE. So even if you are using end-to-end encryption on your side while sending an email message, if the user on the receiving end is not using E2EE, then that email can still be read by the mail provider. That said, if end-to-end encryption is critical to your operations, then be sure to discuss this with the users and entities you exchange info with and ensure they are using E2EE as well.
Although no email protocol can claim to be completely unhackable, end-to-end encryption is important if you want to help ensure that your emails are not accessed by unauthorized parties or by your mail service provider. Even the National Security Agency (NSA) and Microsoft have had their email servers hacked, so using E2EE adds an additional layer of information security for your messages in case your mail provider is ever compromised.
There are a plethora of email providers available that provide encrypted email services. Each has a focus on specific features that may benefit your information security goals, so below we’ll have a look at some popular encrypted email service providers.
ProtonMail has become very popular in recent years for its usability, free option, easy-to-share name, and focus on security. One major feature of ProtonMail is that it provides end-to-end encryption as a standard feature, which many major free mail providers do not offer. ProtonMail also maintains open source cryptographic libraries that are audited regularly, gives you the ability to create “self-destructing” emails that delete after a set time, and offers options to communicate safely with those who do not use email encryption.
Tutanota is an open source encrypted email service that includes individual and business tiers. They offer features like a secure calendar, and a secure contact form called Secure Connect that allows you to share a form to collect information from users, similar to Google Forms. Tutanota is also GDPR compliant and offers a handy mobile app. One of the things that sets Tutanota apart from other encrypted email providers is that they do not use the PGP encryption protocol, citing, among other things, its lack of protection against quantum computing attacks.
Hushmail doesn’t have a free tier, but it does have some very useful features for business such as the ability to create secure contact forms, in case you don’t want to give out an email address to be contacted. Hushmail also gives you the ability to create alias emails – which are especially useful if you want to ensure your actual email address doesn’t get abused or sold anywhere on the dark web.
Countermail has been around for over a decade and supports PGP encryption, keeps no logs on user information, and also removes IP addresses from emails. Countermail also supports crypto payments if you want to stay anonymous and you can also choose to use your own domain name.
Regular email services like Gmail are unfortunately not very secure, but many of them are either free or have really convenient features and mobile apps. That said, if you prefer to use services like Gmail or Outlook but still want secure features like PGP, there is still a way to accomplish this without losing the functionality of your favorite services.
For example, FlowCrypt is an extension for Chrome, Firefox, Brave and Android that integrates with Gmail and gives you the ability to send end-to-end encrypted email. Similarly, Outlook has a number of encryption add-ins, or you can choose to use a number of Microsoft 365 plans to access email encryption.
Email security is a business challenge that is ever evolving and has no perfect solution. Additionally, progress toward making emails less hackable is ongoing and you’ll need to make informed decisions in order to protect your valuable information and users at any given time. So if you want to take your email security to the next level and ensure your information is always as secure as possible no matter what new threats surface, be sure to reach out to our cybersecurity experts at halborn@protonmail.com.