
Good Luck Securing Your Email

2 comments: 08/13/2007

By Chris Williams

Right now, your email is wide open to anyone and everyone, and sadly there isn’t much you can do about it. Here is how the most common email applications’ little to no support for securing and encrypting email affects you, and your newly expanded relationship with Big Brother.

We’ve had email for well over a decade now. Technically it has been around in various forms since the ‘60s. Why then is it one of the most flawed, insecure methods of communication on the net? Our email systems are wide open. Pretty much anyone can dip in and read your letters. By default, email clients, web mail services and instant message apps have no security checks in place. Even more surprising, no one cares.

Emails are unverifiable. Just because an email states that the message came from your friend doesn’t mean that he wrote it. It could just as easily have been generated by a virus or by someone phishing for personal information. Without being able to examine the header data, or even view the HTML source of an email, verifying its authenticity is impossible. Most of the time we can visually identify fake emails like spam or bogus eBay notices. For instance, none of my friends know any “Mr. Moses Odiaka of Nigeria” or other internet-savvy royalty.

The rules for filtering spam are too ubiquitous and temporary to have any meaningful effect. Email security has been handled so poorly in the effort to prevent spam and fraud that the spammers themselves have carved out a nice little niche, making spam a cottage industry. Actually, both sides have profited quite well from it. Who has benefited more from the billions of spam emails sent daily? Symantec? Yahoo? Leo Kuvayev? As long as spam continues to account for 90 billion emails sent per day, Symantec and other anti-spam software companies will continue to have products to sell. Yahoo and Hotmail continue to sell ad space on their web apps, and it doesn’t matter whether you’re reading spam or not: that kind of traffic means ad sales. Leo Kuvayev is rated the top spammer in the world. One spammer apprehended last May made a cool US$773k for his efforts.


Access is no better a situation when it comes to security. Poor password policies, clear-text sign-in pages, and virus-ridden computers leave inboxes exposed to address harvesting and general privacy invasion. We have keys on our mailboxes at home, and our bank statements come to us in secure envelopes. Our postal letter carriers have earned reputations for having a short fuse, as it were, and are generally left alone. Snail mail is not a secure, ironclad, fool-proof system, granted, but a letter sent via USPS is less likely to be stolen, read, intercepted or propagated to everyone in your address book than an email is. Unfortunately for us, we rely almost solely on email, and to a lesser extent instant messaging, for communication. Regular mail is going the way of the teletype.

Tin foil hat time, folks. Our government is actively using advanced surveillance originally intended for observing enemies on its own people. The creepy marriage between NGA systems and CIA efforts has resulted in the illegal wiretapping of our phones and tracking of our bank records. And that’s just what they admitted to. What do you think the odds are that the Pentagon is reading forwarded lolcat emails as well? With the newly expanded FISA laws, all of our phone communication can be recorded. The intent is to listen in on calls made to suspects overseas. However, the burden of correctly identifying people as suspects is nil. The government can listen in on anyone, whether the conversation is international or domestic. This kind of interception is not some big conspiracy; it is public knowledge and a matter of record.

Not that having your conversations recorded and on file until the end of time is anything to worry about, but when you need to email your doctor about medical concerns while traveling, or share personal information about your life, your emails open themselves up to scrutiny and you no longer have the freedom to communicate at all. Take the case of Warshak v. USA, wherein the Stored Communications Act was used to allow the government to (repeatedly and secretly) seize and search email stored by a third party while investigating possible fraud. While the ruling was in favor of Steven Warshak, the government clearly argued that the Fourth Amendment doesn’t protect emails stored with an ISP. More worrisome, however, is that only when these types of illegal and warrantless searches are taken to court do we ever find out about them.

There are, however, options for those of us intent on holding on to privacy despite expanded FISA laws. Like the secure certificates used by ecommerce and banking sites, personal email certificates are available, legitimate, and an effective method for locking down email with signatures and encryption. “Signed” emails are just as verifiable as secure sites. And recipients who also use certified email can use the attached digital signatures, or rather the public keys that come with them, to encrypt outgoing messages. Instant message apps like iChat and Pidgin (an AIM, Yahoo!, ICQ hybrid app) are both capable of enabling secure chats.
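To make the mechanism in that paragraph concrete, here is an added example (not from the original column) using only Go’s standard library: the sender signs a message with a private key so the recipient can verify it came from the holder of that key, and a message encrypted to the recipient’s public key is unreadable to anyone who only holds the stored copy. It assumes freshly generated key pairs standing in for issued certificates, and RSA-OAEP on a short body standing in for S/MIME’s symmetric content key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignMessage makes a detached signature over body with the sender's private
// key, the job a personal email certificate's key does for a "signed" email.
func SignMessage(priv *rsa.PrivateKey, body []byte) ([]byte, error) {
	digest := sha256.Sum256(body)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// VerifyMessage is true only if sig was made over exactly this body by the
// holder of the key matching pub; a copied "From:" line alone cannot pass.
func VerifyMessage(pub *rsa.PublicKey, body, sig []byte) bool {
	digest := sha256.Sum256(body)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// EncryptForRecipient seals body to the recipient's public key. Real S/MIME
// wraps a symmetric content key this way; OAEP on a short body stands in here.
func EncryptForRecipient(pub *rsa.PublicKey, body []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, body, nil)
}
// DecryptMessage opens a sealed body; only the matching private key succeeds.
func DecryptMessage(priv *rsa.PrivateKey, sealed []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, sealed, nil)
}
func main() {
	// Constructed keys and messages for the demo; none come from the article.
	friend, _ := rsa.GenerateKey(rand.Reader, 2048)
	impostor, _ := rsa.GenerateKey(rand.Reader, 2048)
	genuine := []byte("From: friend@example.com\r\n\r\nLunch on Friday?")
	sig, _ := SignMessage(friend, genuine)
	fmt.Println("genuine verifies:", VerifyMessage(&friend.PublicKey, genuine, sig))
	// Same From: header, but signed with someone else's key: verification fails.
	forged := []byte("From: friend@example.com\r\n\r\nOpen the attachment!")
	badSig, _ := SignMessage(impostor, forged)
	fmt.Println("forged verifies:", VerifyMessage(&friend.PublicKey, forged, badSig))
	// Encrypted to the friend: a copy sitting on the ISP's server is unreadable.
	sealed, _ := EncryptForRecipient(&friend.PublicKey, genuine)
	opened, _ := DecryptMessage(friend, sealed)
	fmt.Println("decrypts to original:", string(opened) == string(genuine))
}
```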

The drawback to using certificates is that email web services (Gmail, Yahoo!, Hotmail, etc.) don’t support them. At best, the signature appears as an attachment. Mobile phones with email ability don’t fare any better. The iPhone, for all its awesomeness, can’t handle digital signatures at all, even though support is built in to Apple Mail. There is a Firefox extension for Gmail that allows you to send and receive signed and encrypted email, but it requires manual modification of the browser’s config, exposing the browser to cross-site scripting threats. Trading one vulnerability for another isn’t the answer.

All in all, not a good scenario for security. Solutions exist but remain out of reach for the typical user. But as long as attitudes about email security don’t extend beyond trusting ISPs to block spam, or to keep our emails from the government, it isn’t much of a problem, is it?

Chris Williams writes a lot about this sort of stuff. It’s called Nerd Alert!

Posted by Stefan Halley on 08/13/2007, 03:46 PM

Great column. Very informative.


Posted by Chris Williams on 08/14/2007, 09:20 AM

I can tell this is going to be a very popular story. One, it’s about email security. Who doesn’t love that! And two, everyone loves to read REALLY long articles. Who wouldn’t want to read 1000+ words about doomed privacy?

