Everyone who uses e-mail sometimes wonders how well the transmitted information is protected from prying eyes. Indeed, a message to be transferred travels a long way between different computers and mobile devices before it reaches a recipient; the intentions of these devices’ owners are unknown. Besides, each device in the chain can run malware that stores transmitted messages. Another problem is that a mail recipient may not always use the information received in the way it is meant to be used.
Directors of information services have faced an urgent problem in situations where company employees have the option of using their own mobile devices for work purposes. This policy is called BYOD (“bring your own device”). If such a device is lost or stolen, the company and its partners could find their reputations at risk.
E-mail security systems that may be used on ordinary computers and mobile devices are designed to solve these problems.
E-mail Protection Methods
E-mail protection is aimed mainly at:
- Protecting e-mails from being intercepted, read, or counterfeited on their way to a recipient.
- Protecting e-mails from further distribution by a malicious recipient.
Protecting E-mails from Interception
Classical cryptographic techniques are used to secure messages from interception, and digital signature technologies provide protection against counterfeiting.
A mail client plug-in that provides automatic encryption and digital signing is usually used to implement the protection. If a Web interface is used to access a mailbox, encryption and digital signing are provided either by the mail server or by a script running on the user side; the latter is more reliable. A dedicated website may be used to provide an initial key exchange.
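The sign-then-encrypt flow that such a plug-in automates, shown here with S/MIME through the OpenSSL command line. This is an added example, not code from any of the systems discussed on this page; the choice of S/MIME is an assumption, and the addresses, file names and message text are constructed.

```sh
#!/bin/sh
# Added example: S/MIME sign-then-encrypt with the OpenSSL command line.
# Addresses, file names and message text are constructed for illustration.

make_identity() {   # $1 = file prefix, $2 = address; throwaway self-signed cert
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

protect() {         # $1 = plaintext, $2 = sender prefix, $3 = recipient cert, $4 = out
    # Sign first (origin and integrity), then encrypt the signed message.
    openssl smime -sign -in "$1" -signer "$2.crt" -inkey "$2.key" \
        -out "$4.signed" 2>/dev/null &&
    openssl smime -encrypt -aes-256-cbc -in "$4.signed" -out "$4" "$3"
}

unwrap() {          # $1 = encrypted mail, $2 = recipient prefix, $3 = signed out
    openssl smime -decrypt -in "$1" -recip "$2.crt" -inkey "$2.key" \
        -out "$3" 2>/dev/null
}

check_sender() {    # $1 = signed mail, $2 = trusted sender cert, $3 = body out
    # Fails if the body was altered or the signer's certificate is not trusted.
    openssl smime -verify -in "$1" -CAfile "$2" -out "$3" 2>/dev/null
}

run_demo() {
    d=$(mktemp -d) || return 1
    make_identity "$d/alice" alice@example.test || return 1
    make_identity "$d/bob" bob@example.test || return 1
    printf 'Pay invoice 42 to ACCT-1111\n' > "$d/msg.txt"
    protect "$d/msg.txt" "$d/alice" "$d/bob.crt" "$d/mail.enc" || return 1
    unwrap "$d/mail.enc" "$d/bob" "$d/mail.signed" || return 1
    check_sender "$d/mail.signed" "$d/alice.crt" "$d/body.txt" || return 1
    echo "verified: $(tr -d '\r' < "$d/body.txt")"
    # Counterfeit: the original signature over an altered account number.
    sed 's/ACCT-1111/ACCT-9999/' "$d/mail.signed" > "$d/forged.signed"
    if check_sender "$d/forged.signed" "$d/alice.crt" "$d/forged.txt"; then
        echo "forgery accepted"; rm -rf "$d"; return 1
    fi
    echo "forgery rejected"; rm -rf "$d"
}

run_demo
```

The private key files are written unencrypted only because the identities are disposable; a real deployment keeps them in a protected key store.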
Since cryptographic technologies are well developed, the level of protection against interception or counterfeiting can potentially be very high. However, the following vulnerabilities may arise:
- Weak cryptographic algorithms may be required by law to make it possible for government services to crack the algorithm when necessary.
- Mistakes may be made in implementing cryptographic algorithms and protocols.
- A malicious developer of an e-mail security system may embed features that make it possible to overcome protective features.
- Malware can make it possible to intercept a decrypted message or install keys directly on a sender’s or receiver’s computer.
Protecting E-mails from Distribution by a Malicious Mail Recipient
A proprietary message viewer may be used to ensure that a mail recipient can read a message but cannot do anything else with it.
These systems cannot provide complete security: a recipient can take screenshots of the information shown on a computer monitor and generate a document from the images. Another disadvantage is that a proprietary viewer or browser can conflict with many hardware and software platforms and document formats. However, systems for protecting e-mail from undesired distribution cope with the task of limiting information leakage well enough. Their effectiveness depends on how well they defend against automatic methods of extracting information from a message, such as:
- Cracking a secure message viewer to take an unprotected document from it automatically.
- Making screenshots of a document and using them to automatically regenerate it.
Comparison Table of Security Systems
The following table includes some of the existing e-mail security systems and their main features. All systems protect messages from interception by means of encryption, and some systems also provide protection from unauthorized distribution. As a rule, the greater the degree of protection from unauthorized distribution, the fewer types of mobile devices are supported. The reason is that this type of protection relies on client applications that are difficult to create for a large number of different mobile platforms.
Name (in alphabetic order) and developer’s website
Is it suitable for mobile devices?
Protection from distribution
A user reads e-mail via a Web interface with additional security features (disabling of screenshot saving, optional disabling of copy & paste or print functions, etc.). At present only a browser for Windows is available. One may send messages or check for new ones using a standard browser. The system also supports notification that a message has been read, deleting a message after it has been read, linking a secure browser to a certain computer, and setting an expiration date for a message.
Suitable for iOS, Blackberry; Android is planned
Encrypted e-mail service. It enables automatic setting of limitations depending on the content of the message.
Yes (operates via Web)
Its features are almost the same as those of SecuredE-mail.
The system is similar to CopySafeMail. Messages are sent and read via a special client application. Windows and MacOS are supported.
Yes (operates via Web)
The service makes it possible to encrypt part of a message by embedding special tags in a message body. Encryption is done automatically on the server. The system’s website or an Outlook plug-in is used to decrypt an encrypted fragment. Printing and forwarding can be disabled, and a message may be set so that it cannot be retrieved after a certain period or can only be previewed a limited number of times.
Yes (operates via programs for PDF and ZIP)
A set of plug-ins for Outlook makes it possible to convert a message to a password-protected PDF file or ZIP archive before sending. The file is then sent as an attachment and may be opened using any PDF viewer or ZIP archive program. The built-in features of PDF and ZIP are used for encryption.
Yes (operates via Web)
The system consists of a plug-in for an e-mail client or a specialized viewer. When a message is sent, it is encrypted and transmitted as an attachment to an ordinary message with instructions on how to read it. If a recipient has the plug-in, a secured message is transparently decrypted.
Partially (it needs Java support)
Messages are encrypted and decrypted directly in a browser by means of the Java applet. Standard e-mail clients may also be used (in which case encryption is done by a local proxy server).
No (a version for Android is currently in development)
A special viewer is used to protect messages from unauthorized distribution. Messages are linked to the computer on which they were opened and cannot be read on another computer.
If one understands which kinds of e-mail need to be protected, which threats they need to be protected from and why, and how strong the protection needs to be, choosing an e-mail protection system becomes a straightforward task.