Online security

debiruman665

Enthusiast
Not helpful comment but just my opinion.

I honestly feel like email is a failed experiment (just like chatrooms) that are more utilised by bots and not humans and needs to be replaced.

ubuysa

The BSOD Doctor
Not helpful comment but just my opinion.

I honestly feel like email is a failed experiment (just like chatrooms) that are more utilised by bots and not humans and needs to be replaced.
I think if you look in the business world you'll find that email is the primary written communication mechanism. If it's an experiment then it's a long running one, the very first email was sent in 1971. That it's endured this long is a testament to its usefulness and success.

Messaging and chatting may well be 'the thing' amongst the young, and they certainly have a role in business too, but email is still an essential tool that is used by millions.

SpyderTracks

We love you Ukraine
I think if you look in the business world you'll find that email is the primary written communication mechanism. If it's an experiment then it's a long running one, the very first email was sent in 1971. That it's endured this long is a testament to its usefulness and success.

Messaging and chatting may well be 'the thing' amongst the young, and they certainly have a role in business too, but email is still an essential tool that is used by millions.
Encrypted email as standard has to be an important next move. I’m amazed how many services are still to adopt basic encryption methods.

ubuysa

The BSOD Doctor
Encrypted email as standard has to be an important next move. I’m amazed how many services are still to adopt basic encryption methods.
Yes but. Business has been using typewritten letters for aeons and they're not encrypted either...

ubuysa

The BSOD Doctor
Well, you could argue the mail service was the encryption.
No, the mail service was the IP network, it just delivered the mail. Anyone on the route (or even at the destination) could open the envelope and read the letter - because it was in plain text.

Not only that, but as a sailor I'm well used to using marine VHF radio when at sea. VHF radio isn't just not encrypted, it's broadcast - everyone can hear every conversation (within range of your radio). Of course, people are careful what they say on VHF radio, but its complete lack of privacy doesn't render it useless. It's still a massively important safety and communication tool at sea and is used daily by (probably) millions of private and commercial sailors.

Just because a communication, of any type, is not encrypted doesn't make it useless. As ever, it's up to the end user to choose the most appropriate communication method for the information they wish to send. Email is fast (compared to the older snail mail), convenient, and easy to use. That's why it's still around.

debiruman665

Enthusiast
Let's take my company as an example.

We have thousands of customers and we don't host their inboxes, local storage only. This means our mail server is a relay. Authentication is turned off because there is no central organisation of accounts because of the variety of different systems each of our clients use, be it Office 365 or any of its competitors, or just simply Outlook.

Mail is a nightmare to troubleshoot and would literally kill our customer service team so we've opted to have the least security also.

I can literally spoof an email from the CEO to anyone and it will appear exactly as though it came from their real account.

There's no real verification on emails, that's the problem, there are a lot of bandaids but not all are applied and as the level of complexity of the system grows then it's a pain to manage.

ubuysa

The BSOD Doctor
There's no real verification on emails, that's the problem
I get your point, but (again) that's nothing new. When you get a letter purporting to be from your bank signed by 'the manager' how can you ever know it's genuine?

We've all been dealing with the idea of unsecured and unverified communications for ever, so this isn't a new problem. The problem I think is that people expect too much of email, it's really just an electronic letter and, in my experience at least, is quite rightly treated that way in most businesses.

There are other forms of electronic communication that are secure and, where appropriate, they should be used.

What it comes down to I think is that there are now (as there have been in the past) several different ways of communicating and we should all select the one most suited (and most cost effective) to our needs. :)

debiruman665

Enthusiast
I get your point, but (again) that's nothing new. When you get a letter purporting to be from your bank signed by 'the manager' how can you ever know it's genuine?

Off the top of my head with no regard to how this has to be implemented, but if I were to go back in time and change the course of emails I'd do the following.

Emails exist only in the sentbox of the sender, when you send the mail to someone it is an invitation to view the message on the sender's email server, access can be encrypted and managed by sending keys for access to each individual recipient.

--now sender authenticity is much clearer
--emails can be edited after the fact
--sensitive emails sent by accident can be revoked if acted upon quickly
--mail servers suddenly become more efficient by a massive factor
--looking at email storage holistically across the whole network of users, data duplication is massively reduced.


There are some workarounds to these such as caching all emails to see previously edited versions and accidental ones meant for someone else, but I think the pros outweigh the cons.

Rakk

The Awesome
Moderator
Emails exist only in the sentbox of the sender, when you send the mail to someone it is an invitation to view the message on the sender's email server, access can be encrypted and managed by sending keys for access to each individual recipient.

And when the sender needs to clear space in their mailbox you lose your record of it as well - unless you remember to make a copy of everything that you get 'sent' - which would just be annoying to have to do - it would also probably mean linking mail chains together would be trickier.
Or when they decide they shouldn't have said or agreed to something (and you didn't manage to copy it quick enough) and delete it, then you have no evidence of them saying/agreeing to whatever it was.
Basically once it is sent it should be in your custody - just like a letter - to read, to keep, to file somewhere to never be seen again, or to be deleted, but that's your choice as the recipient.

Obviously that's just my random thoughts on it :)

Oussebon

Multiverse Poster
I think there are services like Protonmail that offer encrypted emails along the lines of the above, where you can send an encrypted message as a link which can no longer be viewed after 30 days.

It can send 'normal' emails too ofc. Encrypted at your end, but stored in whatever manner the recipient's emails do.

And there are systems like Egress Switch which are used by increasing numbers of local authority care departments, people like the PHSO, etc.

Our CRM 'spoofs' our 'CEO's' email. The CEO's actual email is one from an Office 365 server, our CRM is provided by a different company and entirely separate (don't ask).

But you can probably see a difference in the headers where this happens. At least I assume there's a difference somewhere because emails from our CEO's email sent via the CRM occasionally get flagged as spam with the email address being blocked, while they get through fine if sent from the actual account. Though maybe that's just a poor implementation?

Emails and anything to do with networks are all twisted dark magic I have no real knowledge of, other than as the one in the small office that gets turned to when X doesn't work properly and people forget the companies have their own, real tech support people! :/

Tony1044

Prolific Poster
Depends what you mean by encryption and security.

Most email systems require that a client connect via TLS now. Connections between mail systems will normally only accept TLS as well so you get encryption during transport. The databases that hold the mails may or may not be encrypted at rest - most places don't because of performance issues and potentially making backup/recovery more complex.

If you mean sending encrypted emails, as others have pointed out there is Protonmail, PGP and others.

If you're talking about spoofing etc, then there's DKIM, SPF and other tricks such as reverse DNS lookups on mail filters, and the send and receive connectors built into, e.g. Microsoft Exchange (which Outlook.com and Exchange Online use) don't generally allow non-authenticated access and more and more require TLS again.

I co-designed NATO's email solution for Microsoft when they moved away from a legacy X400 based system to SMTP about 10 years ago.
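An added example (my own code, not from anyone in this thread) of the header-level difference Oussebon noticed and the SPF/DKIM checks Tony1044 mentions: a receiving filter records its verdicts in an Authentication-Results header, and a spoofed "CEO" message shows up as SPF/DKIM results that do not align with the visible From: domain. The two messages, the filter name and the domains are constructed, not real mail.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed samples (not real mail). A receiving filter stamped the
# Authentication-Results header; the first message claims to be from the CEO
# but arrived from an unrelated relay with no DKIM signature.
SPOOFED_RAW = b"""\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=relay.example; dkim=none; dmarc=fail header.from=company.example
From: CEO <ceo@company.example>
Subject: Urgent wire transfer
"""
LEGIT_RAW = b"""\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=company.example; dkim=pass header.d=company.example; dmarc=pass header.from=company.example
From: CEO <ceo@company.example>
Subject: Agenda
"""

def parse_auth_results(value: str) -> dict:
    """Turn 'authserv-id; method=result prop=val ...' into {method: (result, props)}."""
    clauses = [c.strip() for c in value.split(";")][1:]  # first item is the authserv-id
    results = {}
    for clause in clauses:
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method.lower()] = (result.lower(), props)
    return results

def assess(raw: bytes) -> tuple[bool, list[str]]:
    """Return (suspicious, reasons): flag mail whose SPF/DKIM/DMARC verdicts do not back the From: domain."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    reasons = []
    # SPF checks the envelope sender; DKIM checks the signing domain. Either
    # only vouches for the visible From: if its domain aligns with that domain.
    for method, prop in (("spf", "smtp.mailfrom"), ("dkim", "header.d")):
        result, props = auth.get(method, ("none", {}))
        if result != "pass" or props.get(prop, "").lower() != from_domain:
            reasons.append(f"{method}={result}, {prop}={props.get(prop, '-')} not aligned with {from_domain}")
    dmarc, _ = auth.get("dmarc", ("none", {}))
    if dmarc != "pass":
        reasons.append(f"dmarc={dmarc}")
    return bool(reasons), reasons
```

A missing Authentication-Results header is treated as "none" for every method, so mail that bypassed the filter is flagged rather than trusted.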

Stephen M

Author Level
Some interesting responses, even if mostly nothing to do with the OP. Thanks Ubuysa, although I have been following the development of the Librem phone and it was their attempts to negate the trackers in the original software that made me consider this, still not decided and won't for a while.

As to email in general, it is very useful and most faults are down to the way it is used; saying it is no good is a bit like blaming Rutherford, Bohr et al. for Hiroshima, and I very much doubt they had that in mind.

I use things like Tor quite a bit because I keep in touch with a few of the students from my TEFL days, and encryption is vital for them, as having certain beliefs, non-beliefs or political views can be life-threatening in some countries, so anything to keep prying eyes off is worth considering.