ad info  technology > computing
    Editions | myCNN | Video | Audio | Headline News Brief | Feedback  




Consumer group: Online privacy protections fall short

Guide to a wired Super Bowl

Debate opens on making e-commerce law consistent



More than 11,000 killed in India quake

Mideast negotiators want to continue talks after Israeli elections


4:30pm ET, 4/16










CNN Websites
Networks image

Keeping e-mail secure: No easy chore

Network World Fusion

March 1, 2000
Web posted at: 8:33 a.m. EST (1333 GMT)

(IDG) -- Considering the sensitivity of information sent via e-mail, securing that correspondence is naturally a high-level concern.

Let's say you're an e-mail administrator, and you show up at work and get the fateful call. Your CEO had a nightmare about e-mail being used in an antitrust case, or documents being hijacked by a competitor. As a result, the firm's head of IT mandates that you secure all internal and external e-mail.

  Security firm warns of e-mail Web-jacking
  Secure mail: Whom do you trust?
  Read an e-mail, lose your privacy
  The perils of privacy
  Reviews & in-depth info at
  Year 2000 World
  Questions about computers? Let's editors help you
  Search in 12 languages
  News Radio
  * Fusion audio primers
  * Computerworld Minute

Unencrypted messages can be hijacked in transit and read or altered. If the mail is not digitally signed, you can't be sure where it came from.

There are many options for securing e-mail, all with a few strengths and probably more weaknesses.

Let's take care of the easy decisions. Secure/Multipurpose Internet Mail Extensions (S/MIME) should be the message encryption and digital signature format because it's the accepted standard and is built into leading e-mail clients such as Microsoft Outlook 98/2000 and Lotus Notes R5. Yet a standard such as S/MIME only takes you so far. Each vendor has implemented its own interpretation of S/MIME, which makes interoperability problematic. This drawback is exacerbated by the emergence of S/MIME Version 3 in the newest e-mail clients, which again could create interoperability issues.

The path of least resistance is to get an e-mail security gateway, which is analogous to a firewall for e-mail. Every message going in or out passes through the gateway, allowing security policies to be enforced (where and when messages can be sent), virus checking to be performed, and messages to be signed and encrypted. One drawback of the gateway approach is that it doesn't provide user-based security. For example, the gateway encrypts outbound messages so recipients can verify they came from your company, but recipients can't prove from whom they came.

Client-based methods use your private key to sign messages (proving it came from you), which is a more granular level of security, but they have weaknesses as well. First, they need to be configured on each desktop, which includes issuing a digital certificate to each user (for encryption and digital signature), and ensuring that a proper security profile is configured within the e-mail client. This requires a fair amount of user training and help desk assistance. Of course, if the profile is wrong - for example, specifying the wrong certificate or turning off encryption - the messages are not secure. And there is no way for an administrator to centrally control the profiles.

There are also a number of Web-based secure mail services that keep all messages within their environment at all times to ensure security. You use a secure site on the Internet to compose a message. Once you hit "Send," the site encrypts and stores the message on its site, and sends the recipient an e-mail notification that a secure message is waiting. The recipient links to the site, provides a shared secret for authentication, and accesses the message via Secure Sockets Layer. Unfortunately, this method does not work with existing enterprise e-mail systems.

The stickiest issue is building a directory of digital certificates. This directory holds the certificates needed to encrypt messages to a recipient. Internally, building the directory may not be a big deal because all certificates for a company can be published in a central Lightweight Directory Access Protocol server, but externally this causes many problems. You will need to establish an agreement with a recipient's organization to ensure access to the right digital certificates. This process, however, creates more user training issues and adds complexity to e-mail communications.

Although there is technology available for secure e-mail, widespread deployment is still problematic. However, as more companies and regular e-mail users see the need to secure their messages, the use of digital certificates will one day become a transparent part of your everyday activities.

Protect against Trojan Horses
January 17, 2000
Two glitches hit Microsoft Internet services as New Year rolls over
January 3, 2000
NSI makes free e-mail security blunder
September 20, 1999
Internet privacy issues focus of Paris summit
September 16, 1999
Status of Hotmail privacy unclear
August 30, 1999

E-mail security products to launch at RSA show
(Network World)
Secure mail: Whom do you trust?
(Network World)
Security firm warns of e-mail Web-jacking
Does more security mean less privacy?
(PC World)
Why everyone should sign digital documents
(Network World)
E-mail: the good, the bad and the bloated
(PC World)
Read an e-mail, lose your privacy
The perils of privacy
(Network World)


Back to the top   © 2001 Cable News Network. All Rights Reserved.
Terms under which this service is provided to you.
Read our privacy guidelines.