id10t
Quote:
Originally Posted by sc_rufctr View Post
2. [Less likely] They are sending non encrypted email and someone intercepted their messages. (Most of the email being sent today is still not encrypted)
Half true, since there are 2 ways of sending encrypted messages, kinda.

The first, using the SSL wrappers around the SMTP protocol, most mail systems do. This prevents a man-in-the-middle from reading the messages, just like the HTTPS protocol. HOWEVER... any mail server the message passes through (i.e., each MX record it transports through before destination) would be a de-encryption point and could in theory read the contents. If you use Gmail, it will let you know in the interface if a message you received was not sent using esmtp (i.e., unencrypted over the wire).

The second way, you are correct - no one really does it. That is to use public/private key encryption (PGP or GPG). When you send a message, you sign it with your private key. This gives the message a unique fingerprint, and the recipient can use your public key to verify the signature. Nothing is encrypted, just protected against modification. I've used this to electronically agree to loan rates, etc. to lock in before I could get to a bank to sign in ink. You can also use the recipient's public key to encrypt the message, and only their private key can decrypt it. This actually secures the message from anyone but the recipient from reading the contents OTHER than message header/routing information (to, from, what mail server sent, date/time, etc.).

Unfortunately, none of the big providers or ISPs with webmail interfaces support PGP/GPG. Nothing needs doing on the server end, but the *client* software has to support it. Some desktop clients have plugins/extensions that will allow it, but then the problem becomes exchanging keys and there is no really good way to have a centralized public repo/address book/key record.

If you run a business that works closely with other businesses and need secure communications I'd recommend kicking your IT department and telling them to research how to best/easily integrate this into your mail system.
Old 03-01-2020, 07:38 AM
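To illustrate the hop-by-hop transport encryption described in the post above, here is an added example (not part of the original post) that reads a message's `Received` headers and reports which hops were carried over TLS. The sample message, host names and the function names `hops` and `plaintext_hops` are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample message; hosts and addresses are reserved example values.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.9])
\tby mailstore.recipient.example with LMTP id abc123;
\tSun, 01 Mar 2020 07:38:05 -0500
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
\tby mx.recipient.example with ESMTPS id def456
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
\tSun, 01 Mar 2020 07:38:04 -0500
Received: from desktop.sender.example (unknown [192.0.2.44])
\tby relay.isp.example with ESMTP id ghi789;
\tSun, 01 Mar 2020 07:38:02 -0500
From: alice@sender.example
To: bob@recipient.example

Agreed.
"""

# RFC 3848 "with" keywords that mean the hop ran over TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\w+)", re.I)
# Some servers also append a note such as "version=TLS1_3" or "using TLSv1.2".
TLS_NOTE = re.compile(r"\bTLS\s*v?\d", re.I)

def hops(raw):
    """Return hops in travel order as (from_host, by_host, protocol, encrypted)."""
    out = []
    # Each server prepends its own header, so reverse for sender-to-recipient order.
    for header in reversed(message_from_string(raw).get_all("Received", [])):
        flat = " ".join(header.split())  # undo header folding
        m = HOP.search(flat)
        if m:
            proto = m.group(3).upper()
            tls = proto in TLS_PROTOCOLS or bool(TLS_NOTE.search(flat))
            out.append((m.group(1), m.group(2), proto, tls))
    return out

def plaintext_hops(raw):
    """Hops where the message crossed the wire without TLS."""
    return [(src, dst) for src, dst, _, tls in hops(raw) if not tls]

if __name__ == "__main__":
    for src, dst, proto, tls in hops(SAMPLE):
        print(f"{src} -> {dst}: {proto} ({'TLS' if tls else 'plaintext'})")
```

`Received` headers written before the message reached servers you control are supplied by the sending side and can be forged, so treat only the hops recorded by your own infrastructure as reliable. A hop marked TLS protects the wire only; each relay in the list still handled the message body in the clear unless it was PGP/GPG-encrypted.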