News
Introduction
Everyone who uses e-mail sometimes thinks about how well the transmitted information is protected from prying eyes. Indeed, a message to be transferred travels a long way between different computers and mobile devices before it reaches a recipient; the intentions of the owners of these devices are unknown. Besides, each device in the chain can run malware that stores transmitted messages. Another problem is the fact that you can not always rely on a mail recipient who may not use the information received in the way it is meant to be used.
Directors of information services recently faced an urgent problem: the staff of companies uses their own or corporate mobile devices for the working purposes. This phenomenon is called BYOD (bring your own device). If such device is lost or stolen, it can seriously injure the reputation of the company and its partners.
E-mail security systems that may be used on ordinary computers and mobile devices are designed to solve the problems described above.
E-mail Protection Methods
E-mail protection is mainly aimed at:
- Protecting e-mails from interception, reading, and counterfeiting on their way to a mail recipient.
- Protecting e-mails from further distribution by a malicious mail recipient.
Protecting E-mails from Interception
Classical cryptographic techniques are used to achieve this goal. Encryption technologies are applied to secure messages from interception, and digital signature technologies provide protection against counterfeiting.
A mail client plug-in that provides automatic encrypting and digital signing is usually used to implement the protection. If a web-interface is used to access a mailbox, encryption and digital signing is provided by a mail server or a script on the user side which is more reliable. A dedicated web-site may be used to provide an initial key exchange.
Since cryptographic technologies are well developed, the level of protection against interception or counterfeiting can potentially be very high and sufficient to solve almost any problem. However, there may be the following vulnerabilities:
- Using knowingly weak cryptographic algorithms. This limitation may be imposed by law to make it possible for secret services to crack a cryptographic algorithm when necessary.
- Mistakes in implementation of cryptographic algorithms and protocols.
- Embeddings in cryptographic algorithms implemented by a malicious developer of an e-mail security system that enable overcoming a protection.
- Malware enabling intercepting a decrypted message or keys installed directly on a sender's or receiver's computer.
It is obvious that the vulnerabilities are of external nature or determined by an implementation and may be potentially debugged.
Protecting E-mails from Distribution by a Malicious Mail Recipient
The following condition should be fulfilled in order to achieve this goal: "A mail recipient can read a message but can do nothing else with it". A proprietary message viewer (special viewer, special browser, etc.) is used for it.
This approach makes it impossible to use external standard features to display content of e-mail messages and, as a result, causes problems with the support of a large number of hardware and software platforms and a large number of document formats sent by e-mail.
The ideal level of protection can not be achieved unlike the previous case; a recipient can always at least make a screenshot of information shown on a computer monitor and generate a document of the photos. However, while complete security of information is not provided, systems for the e-mail protection from undesired distribution cope with the task of limiting the information leakage well enough. Effectiveness of information leakage control depends on the resistance of a protection system to automatic methods of reading information from a message such as:
- Cracking a secure message viewer to take an unprotected document from it automatically.
- Making screenshots of a document and automatically regenerating the document on their basis.
Comparison Table of Security Systems
The following table includes some of the existing e-mail security systems and their main features. All systems protect messages from interception by means of encryption, and a part of systems provides protection from an unauthorized distribution. As a rule, the protection of messages from unauthorized distribution is inversely related to the support of mobile devices. The reason is that client applications are to be developed for the protection from the unauthorized distribution, and it is difficult to create them for a great number of different mobile platforms.
# |
Name (in alphabetic order) and developer's web-site |
Is it suitable for mobile devices |
Protection from distribution |
Description |
|---|---|---|---|---|
1 |
CopySafeMail |
No |
Available |
A user works with e-mail via a web-interface. A special web-browser with additional security features (screenshot saving warfare, optional disabling of copy & paste feature, printing, etc.). At present only a browser for Windows is available. One may send messages or check for new ones using a common browser. The system also enables users to notify that a message has been read, delete a message after first reading, link a secure browser to a certain computer, set an expiration date for a message. |
2 |
EgressSwitch |
Suitable for сiOS, |
Partial |
Encrypted email service. It enables automatic setting of limitations depending on the content of the message. |
3 |
Email Encryption |
Yes (operates via Web) |
No |
Its features are almost the same as those of SecuredE-mail. |
4 |
Evizone |
No |
Available |
The system is similar to CopySafeMail. Messages are sent and read via a special client application. Windows and MacOS are supported. |
5 |
JumbleMe |
Yes (operates via Web) |
Partial |
The service that enables encrypting a part of a message by embedding special tags in a message body. Encryption is done automatically on the server. The web-site of the system or an Outlook plug-in is used to decrypt an encrypted fragment. A limited number of previews, lifetime, disabled printing, and disabled forwarding may be set for a message. |
6 |
PDFPostman |
Yes (operates via programs for PDF and ZIP) |
None |
A set of plug-ins for Outlook which enable converting a message to a PDF file or ZIP archive with a password before sending. Then a file is sent as an attachment, and may be unpacked using any PDF viewer or ZIP archive program. Embedded features of PDF and ZIP are applied for encryption. |
7 |
SecuredE-mail |
Yes (operates via Web) |
None |
The system for exchanging with secured messages. It consists of a plug-in for an e-mail client or a specialized viewer. When a message is sent, it is encrypted and transmitted as an attachment for an ordinary message with instructions on how to read it. If a receiver has the plug-in, a secured message is transparently decrypted. |
8 |
S-Mail |
Partially (it needs java support) |
None |
The system that enables exchanging with encrypted e-mail messages. Messages are encrypted and decrypted directly in a browser by means of the Java applet. Standard e-mail clients may also be used (at that encryption is done by a local proxy server). |
9 |
StarForce E-mail |
No (At present the development for Android is carried out) |
Available |
The system for an e-mail protection from unauthorized distribution that uses a special viewer for secure messages. After opening, a message is linked to a computer on which it was opened and can not be read on some other computer. There are features to collect and analyse information on secure message usage (first opening). |
Conclusions
A key point for effective application of a e-mail protection system is clear understanding of what, from what threats, for which reasons, and how reliably should e-mails be protected. If one has such understanding, selecting a system becomes a usual task of selecting from a set of product offered and is easily done.
