Even in this day and age, after decades of having the Internet, we are still surprisingly sending and receiving most of our e-mails and information insecurely through the World Wide Web. We’re still using most of the founding protocols and technologies that transfer data in what we call clear-text.
When in clear-text, your passwords and the data content can be captured on the local network you’re connected to, which is an even bigger problem when connected to a public Wi-Fi hotspot or Internet port. Additionally, the data could be captured and read by hackers or eavesdroppers during stops at servers when it’s moving through the Web.
Our main Web browsing protocol (HTTP) is insecure; that’s why we use HTTPS (with SSL encryption) for banking and other sensitive sites. The popular e-mail protocols (POP3, IMAP, and SMTP) also carry the login and message details in clear-text. Even protocols like MySQL and Telnet that can help store and administrate very sensitive data are unencrypted.
In this tutorial, we’ll see how we can protect our data and privacy. So the next time, for example, you must send your social security number in an e-mail or you must transfer sensitive documents, you won’t have to worry.
Encrypting your e-mail communications
There are two main concerns when speaking about e-mail security–the security of the link between the e-mail server and e-mail client, or whether or not it’s encrypted; and the security of the e-mail message content and any attachments, or whether or not it’s encrypted during transmission and storage. These two concerns apply to each the sender and recipient(s).
To address the first concern, you can use a Web-based client or e-mail service where you can login through a Web browser. Just make sure you’re logging on through an HTTPS address. You should see a padlock in the lower right side of your browser or next to the address bar on top. If you must use an e-mail client program (such as Outlook or Thunderbird), try to use SSL encryption, which your e-mail provider must support.
To address the second concern, you could encrypt your e-mail messages. The traditional method is to use PGP encryption with digital certificates. This means you’d signup with a service (such as Thawte, Comodo or Ascertia) to get a private and public encryption key. You’d send people your public key so they could send you encrypted messages that you’d decrypt with your private key. Remember, you can’t send people encrypted messages unless they signup and send you their public key.
An alternative method to address the second, or message encryption, issue you might find easier is to use an online secure messaging service. Of course, this depends on how well you trust the service provider. Send, for example, lets you quickly send and receive secure messages and attachments without creating a new e-mail address. If you’d like a new e-mail provider, consider those that offer security features, such as Hushmail.
Though these online services also require action on the part of someone else, it’s usually more user-friendly than traditional PGP encryption. In other words, you’ll likely have more success in getting others to take a moment of their time so you can peace of mind when sending/receiving sensitive messages.
Encrypting your file transfers
Most e-mail providers only support relatively small attachments. To transfer larger documents and files, many people still use the unencrypted File Transfer Protocol (FTP). This means the login credentials and files are sent and received in clear-text, open for local and remote eavesdroppers to capture.
However, you can couple FTP with SSL/TLS encryption to make a secure tunnel to upload and download files from a server or computer. This is also known as FTPS (FTP with SSL). The catch is that the server must be configured with SSL/TLS support, whereas most aren’t. Double-check with your FTP provider for support information.
Another option is to set up your own FTP server that supports this SSL/TLS encryption, such as the free and open source FilleZilla Server. It even offers help with configuring the server and client. It only takes minutes to install, configure, and start serving.
If you want to open up remote access to the server over the Internet, there are two things you must do: open port 990 on your PC and router firewall and create a virtual server (port forwarding) entry specifying the PCs local IP and port 990. To support unencrypted connections as well, create additional entries with port 21.
Just remember, you’ll need to keep your computer on and awake. Additionally, you’ll probably want to get a host name if your Internet connection uses a dynamic changing IP address. No IP and FreeDNS are dynamic DNS services you might consider.
If you don’t want to host FTP access yourself, consider third-party providers or file transfer services, such as Hosting 4 Less or ShareFile. You might even be able to use free online storage providers, such as Microsoft’s SkyDrive or Box.net.
See it for yourself
We discussed that many of the protocols we use today are unencrypted and aren’t secure for working with sensitive information. However, this might not get the point across as efficiently as actually seeing what an eavesdropper or hacker can see.
So if you’re curious, start by downloading a reassembler, such as the EffeTech HTTP Sniffer. Start capturing, browse the Web, and see how easy it is for someone to eavesdrop on unencrypted communications. You might also want to experiment with password sniffers, such as SniffPass.
Eric Geier is the Founder and CEO of NoWiresSecurity, which helps businesses easily protect their Wi-Fi with enterprise-level encryption by offering an outsourced RADIUS/802.1X authentication service. He is also the author of many networking and computing books for brands like For Dummies and Cisco Press.
