When people think about email security, the first thing that usually comes to mind is the “https” in the browser’s address bar, because they have been told time and again to look for it before trusting a site. That check matters, but it covers only webmail and only the connection between the browser and the server. A secure email client has to get several further things right, and this article walks through the main ones.
The connection to the mail server should be protected by TLS, the protocol that succeeded SSL and is the industry standard for securing network traffic. In a browser, “https” signals that TLS is in use; a desktop or mobile mail client does the same thing with IMAP, POP3 and SMTP over TLS (either on dedicated ports such as 993, 995 and 465, or by upgrading a plain connection with STARTTLS). TLS gives confidentiality and integrity between the two endpoints and lets the client authenticate the server through its certificate. SSL itself is not “secure enough”: SSL 2.0 and 3.0 have known, practical breaks and are formally deprecated (RFC 6176 and RFC 7568), so a client should require TLS 1.2 or newer and verify the server certificate, rather than treating SSL and TLS as interchangeable.
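As an added example (not part of the original article), the following Go program shows the two checks a mail client should enforce on its TLS connection: refuse protocol versions below TLS 1.2 and verify the server’s certificate against trusted roots and the expected host name. It stands up a throwaway TLS server on loopback with a self-signed certificate for the hypothetical host mail.example.test (both constructed for the demo), then connects three clients: a properly configured one, one that can only speak TLS 1.0, and one with no trusted root. The constant and function names are the example’s own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mailHost is a hypothetical server name used only so the demo needs no real mail server.
const mailHost = "mail.example.test"

// selfSignedCert issues a throwaway certificate for host and returns it together with a
// trust store containing it, standing in for the CA-issued certificate a real server presents.
func selfSignedCert(host string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, roots, nil
}

// serverConfig: a mail server should accept TLS 1.2 or newer and nothing older.
func serverConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
}

// clientConfig: a mail client verifies the server certificate against trusted roots, checks
// that it names the host it meant to reach, and refuses anything below TLS 1.2.
func clientConfig(roots *x509.CertPool, host string) *tls.Config {
	return &tls.Config{RootCAs: roots, ServerName: host, MinVersion: tls.VersionTLS12}
}

// legacyClientConfig models an outdated client that can only speak TLS 1.0.
func legacyClientConfig(roots *x509.CertPool, host string) *tls.Config {
	return &tls.Config{RootCAs: roots, ServerName: host, MinVersion: tls.VersionTLS10, MaxVersion: tls.VersionTLS10}
}

// handshake runs one client against one server over loopback and returns the negotiated
// protocol version, or the client's handshake error.
func handshake(srv, cli *tls.Config) (uint16, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		c.(*tls.Conn).Handshake() // server side; a failure here surfaces as the client's error
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cli)
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	return conn.ConnectionState().Version, nil
}

func main() {
	cert, roots, err := selfSignedCert(mailHost)
	if err != nil {
		panic(err)
	}
	v, err := handshake(serverConfig(cert), clientConfig(roots, mailHost))
	fmt.Printf("modern client: negotiated version %#x, err=%v\n", v, err)
	_, err = handshake(serverConfig(cert), legacyClientConfig(roots, mailHost))
	fmt.Println("TLS 1.0-only client:", err)
	_, err = handshake(serverConfig(cert), clientConfig(x509.NewCertPool(), mailHost))
	fmt.Println("client with no trusted root:", err)
}
```

The first connection negotiates TLS 1.2 or 1.3; the second is refused by the server on version alone; the third fails on the client side because the certificate chains to no trusted root, which is the same failure a client would see against an impostor server.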
Another way to build a secure channel is a VPN (Virtual Private Network). A VPN uses comparable cryptography (OpenVPN, for instance, is built on TLS) but has to be set up by the user. The difference is where the protection sits: in an application vs. in the operating system itself. A VPN tunnels all of the device’s traffic at the system level, so your ISP sees only the tunnel and only the VPN server knows where your connections go; an application may be entirely unaware that its traffic has been wrapped. The protection ends at the VPN server, however. From there to the mail server the traffic travels exactly as the application sent it, so a VPN complements TLS in the mail client rather than replacing it, and it shifts trust from your ISP to the VPN provider. There are plenty of VPN services, some free, some charging $20-$100 per year. Since setting up a VPN takes extra work from the user, TLS in the client, which the developer sets up once and which needs no action on the user’s part, is the baseline everyone should have.
Encryption is of supreme importance when a message is sent over a public channel. When encryption is used for email, it is important that no proprietary or home-made algorithms are used; they almost always have weaknesses that attackers find once the design is exposed. Standard algorithms such as AES and RSA are publicly specified and have been scrutinised for decades by large numbers of cryptographers trying to break them, which is exactly why no practical attack on them is known. Your own algorithm might seem ingenious, but without that body of public analysis you have no basis for trusting it. Two further points follow. First, use the standard in a standard way: AES in an authenticated mode such as AES-GCM, which detects tampering as well as hiding content. Second, when the key is derived from a password, the password must be strong and the derivation deliberately slow, using a purpose-built function such as PBKDF2, scrypt or Argon2, so that every guess costs the attacker real time.
Encryption matters just as much for the emails cached and stored on the user’s own device, so securing the entire device is essential. Laptops and mobile phones are stolen very often (one every minute in the US, for example), and if your data has any value to you, encryption is what keeps a thief from reading it. A well-known public algorithm does the job. The 2016 FBI vs. Apple case showed how strong a properly encrypted device can be: Apple refused to build a bypass for the locked iPhone, and the FBI ultimately had to pay an outside party to get into that one handset. A screen lock alone does not work, because the storage behind it can be read by anyone who removes it or boots another system. The storage itself has to be fully encrypted, with the key derived from the passcode and, where the hardware supports it, tied to a key held in the device’s security chip.
Remember, encryption keyed by a simple 4-digit PIN protects the device from your kids and other unintentionally invasive hands, but not from a determined adversary: there are only 10,000 possible PINs, and unless the hardware strictly limits or throttles attempts, an attacker who has copied the encrypted storage off the device can try every one of them in seconds. Against someone who can cause you serious harm with your data, use a long passcode and a device whose hardware enforces attempt limits.
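To illustrate the two points above, password-based encryption with a standard algorithm and a slow key derivation, and the weakness of a 4-digit PIN, here is an added Go example (not code from the original article). It derives an AES-256 key from a password with PBKDF2-HMAC-SHA256 (written out inline so only the standard library is needed), encrypts with AES-GCM so any tampering is detected on decryption, and then recovers a PIN by exhaustive search against its derived key. The sample password, salt, PIN and iteration counts are constructed for the demo, and the function names are the example’s own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const saltLen = 16

// pbkdf2SHA256 is PBKDF2 (RFC 8018, section 5.2) with HMAC-SHA256 as the PRF. Every extra
// iteration costs an attacker guessing passwords as much as it costs the legitimate user.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil)            // U_1 = PRF(password, salt || INT(block))
		t := append([]byte(nil), u...) // T = U_1 xor U_2 xor ... xor U_c
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// aead builds AES-256-GCM under a key derived from the password and a per-message salt.
func aead(password string, salt []byte, iterations int) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(password), salt, iterations, 32))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext. Output layout: salt || nonce || ciphertext+tag. The salt is not
// secret; it is also bound as associated data so it cannot be swapped without detection.
func seal(password string, plaintext []byte, iterations int) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	gcm, err := aead(password, salt, iterations)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 0, saltLen+len(nonce)+len(plaintext)+gcm.Overhead())
	out = append(append(out, salt...), nonce...)
	return gcm.Seal(out, nonce, plaintext, salt), nil
}

// open reverses seal. A wrong password or a single flipped byte yields an error, never garbage.
func open(password string, blob []byte, iterations int) ([]byte, error) {
	const nonceLen, tagLen = 12, 16 // standard GCM sizes
	if len(blob) < saltLen+nonceLen+tagLen {
		return nil, errors.New("ciphertext too short")
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	gcm, err := aead(password, salt, iterations)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, salt)
}

// crackPIN recovers a 4-digit PIN from its salt and derived key by trying all 10,000 candidates.
// A slow KDF multiplies the cost but cannot rescue a search space this small; only hardware
// that limits or throttles attempts does.
func crackPIN(salt, wantKey []byte, iterations int) (string, bool) {
	for n := 0; n < 10000; n++ {
		pin := fmt.Sprintf("%04d", n)
		if hmac.Equal(pbkdf2SHA256([]byte(pin), salt, iterations, 32), wantKey) {
			return pin, true
		}
	}
	return "", false
}

func main() {
	blob, err := seal("correct horse battery staple", []byte("cached mailbox contents"), 600_000)
	if err != nil {
		panic(err)
	}
	_, err = open("wrong password", blob, 600_000)
	fmt.Println("wrong password:", err)
	salt := []byte("constructed-salt") // 16 bytes, constructed for the demo
	// 200 iterations keeps the demo quick; at 600,000 the full PIN space is still only hours of CPU.
	pin, found := crackPIN(salt, pbkdf2SHA256([]byte("2583"), salt, 200, 32), 200)
	fmt.Println("PIN recovered:", pin, found)
}
```

The iteration count is a tuning knob, not a fixed constant: pick the largest value the slowest device you support can tolerate at unlock time, and store it alongside the salt so it can be raised later.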
Even with all of the above in place, there has to be a way to verify that an email actually came from the person it claims to come from. Phishing works precisely when sender identity is not verified. So how do we establish that a message was sent by the claimed sender, and that it arrived exactly as that sender wrote it, without tampering in transit? The answer is a digital signature. The sender signs the message with a private key that only they hold; the recipient verifies the signature with the sender’s public key. Any change to the signed content invalidates the signature, so one check covers both authenticity and integrity, and because only the private key can produce a valid signature, the recipient (or anyone else) can hold the sender to it. OpenPGP and S/MIME do this end to end between users; DKIM applies the same idea at the domain level, with the sending mail server signing outgoing messages. A keyed hash (HMAC) is sometimes suggested for the same job, but it is not a substitute: an HMAC does prove integrity, yet it requires the sender and the recipient to share a secret key in advance, and since the recipient holds that same key, the tag cannot show a third party who created the message. HMAC is the right tool inside an established session or a single system, not between arbitrary correspondents. With a signature verified at the receiving end, the email keeps its integrity and is displayed exactly as the sender intended.
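As an added example (not from the original article), this Go program contrasts the two mechanisms just discussed: an Ed25519 digital signature that anyone can verify with the sender’s public key, and an HMAC whose shared key lets the verifier forge as easily as the sender. The message text, keys and type and function names are constructed for the demo; real OpenPGP or S/MIME signatures also cover headers and rely on a certificate or key-trust model that this demo omits.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// signedMail carries a message body and a detached signature over it. OpenPGP and S/MIME
// also sign headers such as From and Subject; this demo signs the body only.
type signedMail struct {
	Body      []byte
	Signature []byte
}

// signMail is the sender's step: only the holder of the private key can produce this signature.
func signMail(priv ed25519.PrivateKey, body []byte) signedMail {
	return signedMail{Body: body, Signature: ed25519.Sign(priv, body)}
}

// verifyMail is the recipient's step (or anyone else's) and needs only the sender's public key.
// A changed byte in the body, or a signature made with some other key, makes it return false.
func verifyMail(senderPub ed25519.PublicKey, m signedMail) bool {
	return len(m.Signature) == ed25519.SignatureSize && ed25519.Verify(senderPub, m.Body, m.Signature)
}

// hmacTag computes a keyed hash over the body; hmacVerify checks it in constant time.
// Both sides must hold sharedKey, so whoever can verify a tag can also create one.
func hmacTag(sharedKey, body []byte) []byte {
	mac := hmac.New(sha256.New, sharedKey)
	mac.Write(body)
	return mac.Sum(nil)
}

func hmacVerify(sharedKey, body, tag []byte) bool {
	return hmac.Equal(hmacTag(sharedKey, body), tag)
}

// recipientCanForge shows the limitation of an HMAC between correspondents: the recipient,
// holding the same key as the sender, mints a tag for text the sender never wrote, and it verifies.
func recipientCanForge(sharedKey []byte) bool {
	forged := []byte("Transfer approved. (constructed text the sender never wrote)")
	return hmacVerify(sharedKey, forged, hmacTag(sharedKey, forged))
}

func main() {
	senderPub, senderPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, impostorPriv, _ := ed25519.GenerateKey(rand.Reader)

	body := []byte("Please wire the invoice amount to the account on file.") // constructed sample
	genuine := signMail(senderPriv, body)
	tampered := signedMail{Body: []byte("Please wire the invoice amount to account 4711."), Signature: genuine.Signature}
	impostor := signMail(impostorPriv, body) // a phisher with their own key pair
	fmt.Println("genuine verifies:      ", verifyMail(senderPub, genuine))
	fmt.Println("tampered body verifies:", verifyMail(senderPub, tampered))
	fmt.Println("impostor key verifies: ", verifyMail(senderPub, impostor))

	sharedKey := []byte("constructed-32-byte-shared-key!!") // 32 bytes, constructed for the demo
	fmt.Println("recipient can forge HMAC:", recipientCanForge(sharedKey))
}
```

The asymmetry is the whole point: with the signature, the impostor’s own key gets the same rejection as a tampered body, while with the HMAC the recipient’s ability to verify is exactly the ability to forge.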
With these security features in place, the email system can operate securely: the user and the server establish an authenticated, encrypted channel, the mail cached on the device stays protected if the device is lost, and signatures let the recipient confirm the origin and integrity of every message.