the security of sending emails

gib65

Member
Hello,

Our project manager has asked us to answer some security questions for a few prospective clients. One of the questions is: If the client provides data via email, what security considerations should be made?

Consider the 'data' to be an attachment.

The main question on my mind is: is it possible for third parties to 'spy' on emails in transit? So if I send an email with an attachment, under what conditions would it be possible for a third party to see that email, and the attachment, and can they copy the attachment for themselves?

Are there any other security issues to be considered when sending emails with attachments?

beers

Moderator
Staff member
Provide nothing that you couldn't stand to be leaked to any third party.

Email is largely based around SMTP which has traditionally been a completely clear-text protocol, so any party along the chain could read all contents. Modern systems use encryption between peering points but it relies completely on the end server configuration, there's no way for you to guarantee that the message remains encrypted end to end, and it does get encapsulated/decapsulated at multiple points.

Therefore, don't send anything sensitive via email. There are a few 'secure email' platforms that will have you log into a HTTPS portal to retrieve your messages, those have advantages as you are directly connecting with the server in an encrypted fashion.
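The hop-by-hop picture described above can be checked on a received message: every relay prepends its own Received: header, and a hop that used STARTTLS normally records "with ESMTPS" and a TLS version. The script below is an added example, not code from the thread or from any of the products mentioned; the message, hostnames and addresses in it are constructed. It walks the Received: chain oldest-first and reports which hops claimed TLS. Note what it cannot show: even when every hop is encrypted, each relay still had the plaintext, which is the point made above.

```python
"""Walk an e-mail's Received: chain and report which hops claimed TLS.

Added example, not from the forum thread. Relays prepend Received:
headers, so reading them bottom-up follows the path the message took.
"with ESMTPS"/"ESMTPSA" (or a recorded TLS version) means that hop's
connection was encrypted; plain "ESMTP"/"SMTP" means it was not. None
of this proves end-to-end protection: every relay saw the plaintext.
"""
import email
import re
from email import policy

# Constructed sample message: hostnames, IPs and ids are made up.
SAMPLE_MESSAGE = """\
Received: from mx2.example.net (mx2.example.net [203.0.113.9])
\tby mail.client.example (Postfix) with ESMTPS id 4AB12C
\t(version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384); Mon, 1 Jan 2024 10:00:03 +0000
Received: from relay.example.org (relay.example.org [198.51.100.7])
\tby mx2.example.net (Postfix) with ESMTP id 9F00D1; Mon, 1 Jan 2024 10:00:02 +0000
Received: from laptop.corp.example ([192.0.2.44])
\tby relay.example.org with ESMTPSA id 77A0B2
\t(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256); Mon, 1 Jan 2024 10:00:01 +0000
From: sender@corp.example
To: recipient@client.example
Subject: data attached

body
"""

# "from <host> ... by <host> ... with <PROTOCOL>" as written by Postfix/Sendmail-style MTAs.
HOP_RE = re.compile(r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+).*?\bwith\s+(?P<with>[A-Z0-9]+)", re.S)
# Optional TLS annotation, e.g. "(version=TLSv1.3 cipher=...)".
TLS_RE = re.compile(r"version=(?P<version>TLS[^\s)]+)")


def parse_hop(header: str) -> dict:
    """Extract sender host, receiving host, SMTP variant and TLS version from one header."""
    m = HOP_RE.search(header)
    if not m:
        return {"from": None, "by": None, "with": None, "tls": None, "encrypted": False}
    tls = TLS_RE.search(header)
    version = tls.group("version") if tls else None
    proto = m.group("with")
    # ESMTPS / ESMTPSA (and SMTPS) mean the hop ran over TLS.
    encrypted = bool(re.match(r"E?SMTPS", proto)) or version is not None
    return {"from": m.group("from"), "by": m.group("by"), "with": proto,
            "tls": version, "encrypted": encrypted}


def trace(message_text: str) -> list:
    """Return the hops oldest-first (the bottom Received: header is the first hop)."""
    msg = email.message_from_string(message_text, policy=policy.default)
    headers = msg.get_all("Received") or []
    return [parse_hop(str(h)) for h in reversed(headers)]


def all_hops_encrypted(hops: list) -> bool:
    """True only if every relay-to-relay hop recorded TLS."""
    return bool(hops) and all(h["encrypted"] for h in hops)


if __name__ == "__main__":
    hops = trace(SAMPLE_MESSAGE)
    for i, h in enumerate(hops, 1):
        print(f"hop {i}: {h['from']} -> {h['by']} via {h['with']} "
              f"{'TLS ' + h['tls'] if h['tls'] else 'no TLS recorded'}")
    print("every hop encrypted:", all_hops_encrypted(hops))
```

In the constructed sample the middle hop (relay.example.org to mx2.example.net) ran plain ESMTP, so the check fails even though both ends used TLS. Received: headers are written by the relays themselves and can be forged by any of them, so this is a diagnostic for the sender's own path, not evidence to rely on.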

Agent Smith

Well-Known Member
To answer the client question about sending data in the form of an attachment and its inherent risks, I'd say you want to look at a sandboxing or a virtual environment. There are several programs to achieve this. One is Sandboxie, which I use for my browser. The others are Shadow Defender and Anti-executable. Then there's Rollback Rx which takes system restore to a higher level.

About the transmission of the data. I would use an archive like a simple zip file and password protect it with a password that's at least 16 characters long. I use 7 Zip myself and encrypt the data with a self-extracting encrypted SFX archive. That's also how I back things up to the "cloud." Even though there's Boxcryptor. Now I suppose you're asking yourself: how do I exchange the password? You could do it beforehand person to person, over Telegram or on the phone I suppose. Depending on the nature of said data. Or you could deploy PGP in your E-mails and send the password that way. Or you could use this E-mail service. https://protonmail.com/

_Kyle_

Well-Known Member
To answer the client question about sending data in the form of an attachment and its inherent risks, I'd say you want to look at a sandboxing or a virtual environment. There are several programs to achieve this. One is Sandboxie, which I use for my browser. The others are Shadow Defender and Anti-executable. Then there's Rollback Rx which takes system restore to a higher level.

About the transmission of the data. I would use an archive like a simple zip file and password protect it with a password that's at least 16 characters long. I use 7 Zip myself and encrypt the data with a self-extracting encrypted SFX archive. That's also how I back things up to the "cloud." Even though there's Boxcryptor. Now I suppose you're asking yourself: how do I exchange the password? You could do it beforehand person to person, over Telegram or on the phone I suppose. Depending on the nature of said data. Or you could deploy PGP in your E-mails and send the password that way. Or you could use this E-mail service. https://protonmail.com/
I have used protonmail before, it's pretty straightforward, just like any other email.
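The password-protected zip suggested in the two posts above (Agent Smith's, quoted by _Kyle_) is only as good as the cipher the archiver actually used: a zip entry can be "encrypted" with the legacy ZipCrypto stream cipher or with WinZip-style AES (which 7-Zip writes for the zip format with its -mem=AES256 switch). The receiver can tell the two apart from the file headers without a password. The script below is an added example, not code from the thread or from 7-Zip; the archive bytes are constructed with struct rather than produced by any tool, and the payloads are dummies. It parses local file headers, flags ZipCrypto as weak, and reports the AES key size from the 0x9901 extra field.

```python
"""Classify the encryption used by each entry of a ZIP archive.

Added example, not from the forum thread. In the ZIP format, general
purpose flag bit 0 marks an entry as encrypted; compression method 99
together with a 0x9901 (WinZip AES) extra field means AES, and an
encrypted entry without that field uses legacy ZipCrypto. The sample
archive is constructed here with struct; it is not real 7-Zip output.
"""
import struct

LOCAL_HEADER_SIG = 0x04034B50
LOCAL_HEADER_FMT = "<IHHHHHIIIHH"   # sig, ver, flags, method, time, date, crc, csize, usize, nlen, xlen
AES_EXTRA_ID = 0x9901
AES_METHOD = 99
AES_STRENGTH = {1: "AES-128", 2: "AES-192", 3: "AES-256"}


def _local_header(name: bytes, flags: int, method: int, payload: bytes, extra: bytes = b"") -> bytes:
    """Build one local file header plus its payload (constructed sample data)."""
    fixed = struct.pack(LOCAL_HEADER_FMT, LOCAL_HEADER_SIG, 20, flags, method, 0, 0, 0,
                        len(payload), len(payload), len(name), len(extra))
    return fixed + name + extra + payload


def _aes_extra(strength: int, real_method: int) -> bytes:
    """WinZip AES extra field: id, data size (7), vendor version, 'AE', strength, real method."""
    return struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", strength, real_method)


def _aes_strength(extra: bytes):
    """Return the AES key-size label if a 0x9901 extra field is present, else None."""
    pos = 0
    while pos + 4 <= len(extra):
        eid, size = struct.unpack_from("<HH", extra, pos)
        if eid == AES_EXTRA_ID and size >= 7:
            strength = extra[pos + 8]          # after id(2) size(2) vendor(2) 'AE'(2)
            return AES_STRENGTH.get(strength)
        pos += 4 + size
    return None


def inspect_zip(data: bytes) -> list:
    """Walk local file headers and classify each entry's protection.

    Assumes sizes are present in the local header (flag bit 3 unset), which
    holds for the constructed sample; for real archives the central directory
    should be cross-checked as well, since it is what extractors trust.
    """
    entries = []
    pos = 0
    while pos + 30 <= len(data):
        (sig, _ver, flags, method, _t, _d, _crc, csize, _usize,
         name_len, extra_len) = struct.unpack_from(LOCAL_HEADER_FMT, data, pos)
        if sig != LOCAL_HEADER_SIG:
            break  # reached the central directory or trailing data
        name = data[pos + 30: pos + 30 + name_len].decode("utf-8", "replace")
        extra = data[pos + 30 + name_len: pos + 30 + name_len + extra_len]
        encrypted = bool(flags & 0x0001)
        protection = "none"
        if encrypted:
            protection = "ZipCrypto (legacy, weak)"
            strength = _aes_strength(extra)
            if method == AES_METHOD and strength:
                protection = strength
        entries.append({"name": name, "encrypted": encrypted, "protection": protection})
        pos += 30 + name_len + extra_len + csize
    return entries


def acceptable(entries: list) -> bool:
    """Policy check: every entry must be AES-encrypted (no plain or ZipCrypto entries)."""
    return bool(entries) and all(e["protection"].startswith("AES-") for e in entries)


# Constructed archive: one AES-256 entry, one ZipCrypto entry, one unencrypted entry.
SAMPLE_ARCHIVE = (
    _local_header(b"report.pdf", 0x0001, AES_METHOD, b"\x00" * 16, _aes_extra(3, 8))
    + _local_header(b"notes.txt", 0x0001, 8, b"\x00" * 12)
    + _local_header(b"readme.txt", 0x0000, 0, b"hello")
)

if __name__ == "__main__":
    found = inspect_zip(SAMPLE_ARCHIVE)
    for e in found:
        print(f"{e['name']:<12} encrypted={e['encrypted']!s:<5} {e['protection']}")
    print("acceptable:", acceptable(found))
```

Even with AES-256 the protection rests entirely on the password and on how it was exchanged; the header check only rules out the case where the archiver silently fell back to ZipCrypto or left some entries in the clear.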

gib65

Member
Thanks everyone for the education.

When it comes to p2p encryption, does it also encrypt the attachments as well or does that depend on the mail server?