The Tin Hat
How Secure Is Email?

Category: primers
A 2 Minute Read

Not very, but to understand why we need to unpack the various points at which email could be intercepted.

Imagine sending someone an email. First, the email needs to travel from your computer to your email provider (Gmail, for example). Whether it could be intercepted here by your ISP or a hacker on public WiFi depends on whether your email provider enables encryption. If you’re using email in the browser itself, check for the padlock in the URL bar, which indicates an HTTPS connection. If it’s there, that hop is encrypted. If you’re using IMAP/POP3, look in the settings of your mail client (Thunderbird, for example) and see whether the connection is set to SSL/TLS, STARTTLS, or None. If it’s set to None, it’s not encrypted.

Once the email arrives at your email provider, it gets saved to their servers. Unless you’re using Protonmail or Tutanota, which are specially designed to protect against this, your email provider can read all your email. Typically, we trust our email providers, but all it takes is a rogue employee, a hack, or a court order to have your emails exposed to potentially unwelcome parties.

Now, the email is sent from your email provider to the email provider of the recipient, at which point the first and second areas of risk (whether the email is encrypted in transit and whether the email provider is trusted and secure) repeat themselves. This is a hard problem to solve when it comes to email security: no matter how secure your own email practices are, the person you’re communicating with can still violate your privacy through laxer security practices of their own.

An additional privacy problem with email worth mentioning is that by default, your IP address (which reveals your approximate location) is stamped into the headers of every email you send. While most email providers will remove this, not all do, so make sure that your provider does if you are concerned about this.

Improving Email Security

Without going into too much detail, there are several ways that you can boost your email security. First of all, turn on two-factor authentication, which will make your account vastly more difficult to hack.

Second, try out PGP encryption. Although it is a bit difficult to use, PGP will encrypt all your emails end-to-end, meaning that you don’t need to trust your email provider at all. Do note that who you’re emailing and when, along with the subject line, are not protected by PGP. Moreover, the person you’re communicating with will also need to use PGP, making this option less feasible for many.
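The two leaks described above (the IP address recorded in the headers, and the sender, recipient and subject that PGP leaves in cleartext) can be checked on a raw message. This is an added example, not code from the original post: a short Python script that reads the Received headers to find the originating IP and whether each hop was logged as TLS, and lists what a provider can still read when only the body is PGP-encrypted. The sample message, hostnames and addresses are constructed.

```python
# Added example: what an email still exposes when only its body is PGP-encrypted.
# Servers prepend Received: headers, so the bottom-most one is the first hop.
import re
from email import message_from_string

TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA"}   # RFC 3848 "with" keywords that mean TLS
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
WITH_RE = re.compile(r"\bwith\s+([A-Z]+)")

def parse_hops(msg):
    """Hops in transmission order; each has the bracketed IP and a TLS flag."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):   # reverse: earliest first
        flat = " ".join(hdr.split())
        ip, proto = IP_RE.search(flat), WITH_RE.search(flat)
        hops.append({"ip": ip.group(1) if ip else None,
                     "tls": bool(proto and proto.group(1) in TLS_PROTOCOLS)})
    return hops

def body_is_pgp_encrypted(msg):
    """True for PGP/MIME or inline ASCII-armoured PGP bodies."""
    if msg.get_content_type() == "multipart/encrypted":
        return True
    payload = b"" if msg.is_multipart() else (msg.get_payload(decode=True) or b"")
    return b"-----BEGIN PGP MESSAGE-----" in payload

def exposure_report(raw):
    """What a provider, or anyone on the path, can read without the PGP key."""
    msg = message_from_string(raw)
    hops = parse_hops(msg)
    return {
        "cleartext": {h: msg[h] for h in ("From", "To", "Subject") if msg[h]},
        "origin_ip": hops[0]["ip"] if hops else None,
        "all_hops_tls": bool(hops) and all(h["tls"] for h in hops),
        "body_encrypted": body_is_pgp_encrypted(msg),
    }

# Constructed sample: the sender's hop used TLS with authentication (ESMTPSA),
# the provider-to-provider hop was plain ESMTP, and the origin IP is recorded.
SAMPLE = """\
Received: from mx.example.net ([198.51.100.7]) by mail.recipient.example with ESMTP id B2; Tue, 1 Jan 2019 10:00:02 +0000
Received: from [192.0.2.10] (home.example) by mx.example.net with ESMTPSA id A1; Tue, 1 Jan 2019 10:00:00 +0000
From: alice@example.net
To: bob@recipient.example
Subject: quarterly numbers

-----BEGIN PGP MESSAGE-----
hQEMA0NvbnN0cnVjdGVkUGxhY2Vob2xkZXI=
-----END PGP MESSAGE-----"""
```

Running `exposure_report(SAMPLE)` shows the body flagged as encrypted while From, To, Subject and the origin IP remain readable, and the unencrypted second hop makes `all_hops_tls` false.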

Last, if you want to go hardcore and not only gain end-to-end encryption but also significantly obfuscate all the metadata (who you’re talking to, from where, and when), then check out my tutorial on I2P and I2P-Bote. Like PGP, it requires that the person you’re communicating with also use I2P-Bote, but this trade-off is made a bit easier to handle given the significant anonymity and security it provides.
