The upcoming hacker conferences, HOPE, Black Hat and DEFCON make this a good time to think about email security.
Rather than end to end security, which requires both the sender and recipient to use the same security software, my focus here is on securing normal ordinary boring email.
Hackers make for great headlines, but these techniques apply in any hostile environment. A case could be made that they apply on any shared network.
My involvement with hacker conferences has been at the 2600 HOPE conference in New York City. I will be speaking at next weeks conference on Securing a Home Router.
Each time I go, I try to up the security on my email.
Years back, my first take on this involved booting a Windows XP netbook computer off a USB flash drive to run a virgin copy of Linux. Not only is Linux more secure, the files on the internal hard drive were invisible to the Linux system.
The webmail system I used at the time was secured with SSL/TLS, and not just the login page (which Yahoo did for years) but every page. Still, booting and running Linux was slow (USB2 on an underpowered netbook).
Then I tried to double my encryption with a VPN. The first attempt failed miserably. My device was only configured for a PPTP VPN and, for whatever reason, it could never connect using the wireless network at the conference.
Next, I tried email from an Android 2.3 device using L2TP and L2TP/IPSec VPNs. Android support for VPNs at the time was pretty awful. Lots of emails were exchanged with my VPN provider who had gone to the trouble of creating dedicated servers to handle the quirks with Android. Still, I could never find a combination of their server and type of VPN that worked consistently.
This time I'm planning on using an Android 4.4 device pre-configured with five VPN connections, three using IPSec Xauth and two using L2TP/IPSec. Each VPN connection is configured to connect to a different server, each has been tested ahead of time and a couple servers are outside the U.S.
I mention the type of VPN because these two types are natively supported in Android 4.4, which means that VPN software from my VPN provider is not needed. Choosing a trustworthy VPN company is hard enough, but even an honest company may well produce faulty software.
SSL/TLS will still be my second line of defense, but not through webmail.
The email client on my Android device, K-9, is configured to read emails using secure POP3 and to send them using secure SMTP. If you are configuring K-9, the security option in both directions is "SSL/TLS (always)".
This is an important point, and one easily overlooked. The communication between your wireless device and your email provider should always be encrypted.
As of March of this year, Google announced that they have implemented this across the board. Non-Gmail users should check the settings on their email software and look for POPS, IMAPS and SMTPS rather than POP, IMAP or SMTP. If your email provider does not support this type of security, take that as a hint to change providers.
This encryption is only part of the story. Messages you send, for example, still have to travel from servers run by your email provider to servers run by the recipients email provider and then, finally, to the recipient. POPS, IMAPS and SMTPS only deal with one third of the journey.
Last month, Google reported on the use of encryption in the middle part of the journey. That is, they reported on the encryption of messages sent between Gmail and other email providers. Here too, if your email provider is not supporting encryption, take it as a word to the wise. Sadly, Google only reports on the email providers with the most traffic, so yours may not be listed.
If you use email from your ISP, note that 100% of the messages Gmail sent to comcast.net were encrypted, while none sent to verizon.net were.
Keep in mind, this encryption only applies to messages in transit. So even though Comcast is excellent in this regard, they can still read email that resides on their servers. So too, Google can, and does, read Gmail messages sitting on their servers.
Getting back to hostile environments, shoulder surfing is another issue. If you enter any password at a conference, someone, or something, may be looking over your shoulder. Email client software, which normally saves the password, protects from this. For webmail, you can either have the browser save the password or use a password manager such as LastPass.
My fourth line of defense involves the email password. Before the conference, I'm changing it to something really long. After the conference I'll change it back.
Consider too, the network used to get online. As a rule, 3G/4G/LTE networks are likely to be more secure than Wi-Fi provided at a conference. So, rather than stepping outside for a cigarette, some of us may step outside to avoid the conference Wi-Fi network. A VPN should run just fine over either type of network.
Finally, anyone who cares at all about security on a portable wireless device (smartphone, tablet, laptop) should keep their Wi-Fi disabled when it's not being used. If toggling Wi-Fi off and on seems like too much trouble, see my blog about Comcast XFINITY WiFi and a recent piece by the EFF about Android phones leaking the name of previous Wi-Fi networks you have connected to.