Once your information gets to server it stops being protected and anyone can get to it, at least judging from fact that hackers target web sites first because that’s where they can guarantee to find large quantities of names, addresses, credit card numbers and so on. (Actually, SSL places such a heavy load on computers that they now have other machines doing just SSL encryption so your data is potentially exposed even before it has a chance to get to web server, but that’s not point.)

So there’s problem. SSL provides strong protection, but not actually to data, just link. You might say it was a condom that protects pipe.

We are familiar with paper world and it has some benefits. You can usually see if someone has already opened your mail. The Post Office can often cope with wrong addressing and still get it to right place. You believe that delivery service is going to behave in way that you expect and you know that a proof of delivery from them is accepted by authorities.

E-mail is rather different. There is no way of telling who reads mail unless you take actual steps to make it impossible. The e-mail Post Office can’t cope with any address errors whatsoever. It has no idea if any of addresses on mail are correct and can’t tell if they have been altered. There is no plain envelope to stop people reading contents and it is possible for hackers, government agencies and almost anyone else to read mail. Proof of delivery is worth paper it is printed on.

An impossible dream?

No. E-mail can be made secure, but you have to take a few things into account.

The first thing to understand is that you can’t do much about addresses, or subject line. Nothing about these can be made secure. Don’t ever believe them when you read them.

Different systems may allow you to secure message text of e-mail, but you have to be very certain what that security is, when it is added, when it is removed, and how you would prove it had been secured afterwards. These are fundamental to you if you are going to rely on security mechanisms later as proof that something happened.

The second thing to understand is that you can never (with current systems) send anything secret to someone you don’t know. It’s not possible. You have to have a ‘public key’ of theirs before it can be done. You can’t, with conventional systems, send information to ‘anyone’ in a particular group, function or business. You have to send to specific individuals.

The third thing to understand is that protection that you apply to an e-mail has to be something that recipient can deal with. E-mail systems don’t currently relate keys used for information protection to recipients of e-mail, and don’t know what algorithms recipient is likely to have. This is because there are far too many unnecessary choices forced onto users of these systems and services (or set by administrators who are making choices based upon their own prejudices rather than looking at usability). If you use something recipient can’t process you are wasting your time. But you can’t afford time needed to sort this kind of problem out.

Problem solving strategies

Most of difficulties identified can be avoided by ignoring e-mail systems completely and concentrating instead on information to be sent. This could be anything – a Word document, a text file, some HTML, a graphic or even a video. Whatever you do should not alter its content, and it should not be possible to remove your security before information is securely in computer of recipient.

This means that your protection software is going to have to protect file in such a way that an attacker cannot remove protection without you being able to detect it. (That’s not same as pretending a fake document is real. Since much of information you get is not protected, today you make value judgments on what is ‘right’ based upon your own feelings, or you ‘phone sender and ask them to confirm what they actually sent. So removing protection and making subtle changes to documents that you might then believe is perfectly feasible.)

The recipient is then in a position where their first step is to check authenticity of file they have received. That avoids any possibility of misunderstanding what is protected and what is not. The file is thing that is protected, and not other parts of e-mail that may, or may not be correct.

Once recipient has checked that file is authentic they can go ahead and use a copy of it that has had protection removed. This is an essential step, because they must not be able to alter, or add to, file that they received and still have it claim that it was ever authentic (unless, of course, you have some system that maintains a copy of each different thing in file, protected by each person that has altered or added to it).

This approach may not seem as ‘elegant’ as having everything automated, but it is a lot more secure, and prevents any mistakes or misunderstandings about who has signed what, and therefore what can be relied upon.