Figure 9-6: E-Mail Security (15 slides)

Upload: wilfred-goodman

Post on 05-Jan-2016


Page 1
Figure 9-6: E-Mail Security
E-Mail Technology
  E-Mail Clients and Mail Servers (Figure 9-7)
    Mail server software: Sendmail on UNIX; Microsoft Exchange and Lotus/IBM Notes dominate on Windows servers
    Microsoft Outlook Express is safer than full-featured Outlook because Outlook Express generally does not execute content

Page 2
Figure 9-7: E-Mail Standards (diagram)
  Sending E-Mail Client --SMTP to send--> Sender's Mail Server --SMTP to send--> Receiver's Mail Server --POP or IMAP to download--> Receiving E-Mail Client
  Message: RFC 822 or 2822 body, or HTML body

Page 3
Figure 9-6: E-Mail Security
E-Mail Technology
  SMTP to send messages from client to mail server or from mail server to mail server
  To download messages to the client e-mail program from the receiver's mail server:
    POP: Simple and popular; manage mail on client PC
    IMAP: Can manage messages on mail server

Page 4
Figure 9-6: E-Mail Security
E-Mail Technology
  E-mail bodies
    RFC 822 / RFC 2822: Plain English text
    HTML bodies: Graphics, fonts, etc.
    HTML bodies might contain scripts, which might execute automatically when the user opens the message
  Web-based e-mail needs only a browser on the client PC

Page 5
Figure 9-8: Web-Based E-Mail (diagram)
  Client PC running the client's browser --HTTP Request Message--> Webserver program on a webserver with web-based e-mail
  Webserver program --HTTP Response Message (webpage containing message)--> Client's browser
  Almost all client PCs now have browsers.
  No need to install new software

Page 6
Figure 9-6: E-Mail Security
E-Mail Content Filtering
  Antivirus filtering and filtering for other executable code
    Especially dangerous because of scripts in HTML bodies
  Spam: Unsolicited commercial e-mail
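Pages 4 and 6 say a content filter must catch scripts in HTML bodies and executable attachments. As an added example (not from the slides), the Python below walks the MIME parts of an RFC 2822 message with the standard library's email package and reports both; the script patterns, the extension list and the sample message are constructed assumptions for the demo.

```python
"""Scan an RFC 2822 message for active content in HTML bodies and for
executable attachments. Added example; sample message is constructed.
"""
import re
from email import message_from_string

# Heuristics for active content in an HTML body (assumed patterns):
# <script> tags, on*= event handlers, javascript: URLs.
SCRIPT_RE = re.compile(r"<\s*script\b|\bon\w+\s*=|javascript:", re.I)
# File extensions treated as executable code (assumed list).
EXEC_EXTS = {".exe", ".js", ".vbs", ".bat", ".scr"}


def scan_message(raw):
    """Return a list of findings; an empty list means the message is clean."""
    findings = []
    for part in message_from_string(raw).walk():
        ctype = part.get_content_type()
        fname = (part.get_filename() or "").lower()
        if ctype == "text/html":
            body = part.get_payload(decode=True)
            text = body.decode(part.get_content_charset() or "utf-8", "replace")
            if SCRIPT_RE.search(text):
                findings.append("script in HTML body")
        if any(fname.endswith(ext) for ext in EXEC_EXTS):
            findings.append("executable attachment: " + fname)
    return findings


# Constructed test message: a harmless plain-text part, an HTML part with
# an onload handler, and a fake .exe attachment (base64 of zero bytes).
SAMPLE = (
    "From: sender@example.com\nTo: user@example.com\n"
    "Subject: constructed sample\nMIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="BOUND"\n\n'
    "--BOUND\nContent-Type: text/plain\n\n"
    "Plain RFC 2822 body, nothing executes here.\n"
    "--BOUND\nContent-Type: text/html\n\n"
    '<html><body onload="alert(1)">Hello</body></html>\n'
    '--BOUND\nContent-Type: application/octet-stream; name="invoice.exe"\n'
    'Content-Disposition: attachment; filename="invoice.exe"\n'
    "Content-Transfer-Encoding: base64\n\nAAAAAAAA\n"
    "--BOUND--\n"
)
CLEAN = "From: a@example.com\nTo: b@example.com\n\nJust text.\n"

if __name__ == "__main__":
    print(scan_message(SAMPLE))  # ['script in HTML body', 'executable attachment: invoice.exe']
    print(scan_message(CLEAN))   # []
```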

Page 7
Figure 9-6: E-Mail Security
E-Mail Content Filtering
  Volume is growing rapidly, slowing down and annoying users (pornography and fraud)
  Filtering for spam also rejects some legitimate messages
  Sometimes employees attack spammers back; this only hurts the spoofed sender, and the company could be sued

Page 8
Figure 9-6: E-Mail Security
Inappropriate Content
  Companies often filter for sexually or racially harassing messages
  Could be sued for not doing so

Page 9
Figure 9-6: E-Mail Security
E-Mail Retention
  On hard disk and tape for some period of time
  Benefit: Can find information
  Drawback: Can be discovered in legal contests; could be embarrassing
  Must retain some messages for legal purposes

Page 10
Figure 9-6: E-Mail Security
E-Mail Retention
  Shredding on receiver's computer to take messages back
    Send key to decrypt
    Make key useless after retention period so the message cannot be retrieved anymore
    Receiver might be able to copy or print before retention limit date
    Not good for contracts because receiver must be able to keep a copy

Page 11
Figure 9-6: E-Mail Security
E-Mail Retention
  Message authentication to prevent spoofed sender addresses
  Employee training
    E-mail is not private; company has right to read
    Your messages may be forwarded without permission
    Never put anything in a message you would not want to see in court, printed in the newspapers, or read by your boss
    Never forward messages without permission

Page 12
Figure 9-6: E-Mail Security
E-Mail Encryption
  Not widely used because of lack of clear standards
  PGP and S/MIME for end-to-end encryption
    How to get public keys of true parties?
    PGP uses trust among circles of friends: If A trusts B, and B trusts C, A may trust C's list of public keys
    Dangerous: Misplaced trust can spread bogus key/name pairs widely
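A worked illustration of the circles-of-trust rule and its failure mode, added here and not part of the slides: user A accepts the bindings A signed, then the bindings certified by any accepted key, out to a hop limit. The key ids, names, the hop-limit policy and the bogus "Bank" binding are constructed for the demo; the hop limit is the knob that bounds how far one careless signature spreads.

```python
"""PGP-style circles of trust: which (name, key) bindings a user accepts,
and how one careless signature spreads a bogus binding. Added example;
key ids, names and the trust policy are constructed.
"""

# Signatures: signing key id -> set of (name, key id) bindings it certified.
# In PGP terms each entry is a signature on someone else's public key.
SIGNATURES = {
    "keyA": {("Bob", "keyB")},
    "keyB": {("Carol", "keyC")},
    "keyC": {("Dave", "keyD"), ("Erin", "keyE")},
    "keyD": set(),
    "keyE": set(),
}


def accepted_bindings(own_key, signatures, max_depth):
    """Bindings the holder of own_key accepts under the assumed policy:
    bindings they signed themselves, then every accepted key's own
    signatures in turn, out to max_depth hops (A trusts B, B trusts C...).
    """
    accepted = set()
    frontier = {own_key}
    for _ in range(max_depth):
        next_frontier = set()
        for signer in frontier:
            for name, key in signatures.get(signer, ()):
                if (name, key) not in accepted:
                    accepted.add((name, key))
                    next_frontier.add(key)
        frontier = next_frontier
    return accepted


def who_accepts(binding, signatures, max_depth):
    """Every key holder in the graph that ends up accepting `binding`."""
    return {k for k in signatures
            if binding in accepted_bindings(k, signatures, max_depth)}


def poisoned_signatures():
    """Carol carelessly signs an impostor key claiming the name "Bank"."""
    bad = {k: set(v) for k, v in SIGNATURES.items()}
    bad["keyC"].add(("Bank", "keyBOGUS"))
    return bad


if __name__ == "__main__":
    bogus = ("Bank", "keyBOGUS")
    print(sorted(accepted_bindings("keyA", SIGNATURES, 3)))
    print(sorted(who_accepts(bogus, poisoned_signatures(), 3)))  # A, B and C
    print(sorted(who_accepts(bogus, poisoned_signatures(), 1)))  # only C
```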

Page 13
Figure 9-9: Cryptographic Protection for E-Mail (diagram)
  Sending E-Mail Client --SMTP, POP, etc. over TLS--> Mail Server --SMTP, POP, etc. over TLS--> Receiving E-Mail Client
  Sending E-Mail Client <--S/MIME with PKI or PGP with Circles of Trust--> Receiving E-Mail Client

Page 14
Figure 9-6: E-Mail Security
E-Mail Encryption
  Not widely used because of lack of clear standards
  PGP and S/MIME for end-to-end encryption
    How to get public keys of true parties?
    S/MIME requires expensive and cumbersome PKI

Page 15
Figure 9-6: E-Mail Security
E-Mail Encryption
  PGP and S/MIME for end-to-end encryption
    Ease of use
      S/MIME usually built in if available at all
      PGP usually a cumbersome add-on to e-mail
  TLS between client and server