Email Is Among the Least Secured Channels of Communication!

Email vulnerabilities—sketch by Mohammad Tauheed

[I sketched that stupid thing. It is ok to steal, just mention where you stole it from]

Email is an archaic technology that has not been improved much ever since the protocols were created back in the early days of the Internet. Email is among the most frequently used least secured mode of digital communications today.

In general, emails are not encrypted. All emails are stored as open plain text in the server. Anyone (including your web administrator, internet service provider, web-hosting provider, server admins—depending on where it is hosted, and protocol/port it was transferred with) can read and also EDIT all your emails, without even having to know your password. This includes about 99% of emails we use, including Gmail, Yahoo, Hotmail and specially your office/university/work emails. Typically your work emails are hosted on servers with even weaker infrastructure and security, and they are managed by “semi-professional IT guys;”—yes, they can read and edit all your official emails, and they don’t have to know your password.

Any private communication that is not end-to-end (E2E) encrypted, falls into the shaky territory of trusting the guys who are running the servers. Email protocols—by the way they were originally designed—do not have E2E. Oftentimes, they do not even have a basic TLS (Transfer Layer Security—an encryption protocol that keeps your emails undecipherable “on the way” to and from the servers). No matter what, emails are readable and editable by the person(s) who has access to the server.

I always wonder, how and why emails are often held as authentic legal documents, whereas it is a completely unreliable technology with shabby security and authenticity. By the time a court subpoena an email, it can be already edited without leaving a trace.

Another big issue with email is its authentic ‘origin’—if the email actually came from where it claims to be coming from. There are very limited ways to verify that. You can literally send emails posing as anyone to anyone. A simple PHP mailer script will let you send emails to your friends as if the email is going from [email protected], and you offer them a billion dollar since you have too much money to keep. Over the time there have been some improvements in this front about verifying the origin of an email before it gets delivered to your inbox, however, they are not foolproof, and not universally enforced. These techniques include DKIM (DomainKeys Identified Mail—a method of using a public signature key for a domain to verify if the email is originating form that domain name, it does not authenticate an email at personal level though,) and SPF (Sender Policy Framework), if you are curious, search and explore more about these technology.

Given that, if you ever receive any email from a “friend” (generally someone using a friend’s email) asking for money or offering you money, asking for some password or OTP code or luring you into downloading and opening an unsolicited attachment, always verify it by an alternative mode of communication other than email, i.e: call them up to check. If they may have “lost their phone,” tell them to call you from a phone booth, before you take any action. “Any action” includes downloading/clicking/opening any attachment “they” send.

There is one not-so-easy way to encrypt your emails end to end, using PGP encryption. You can install OpenPGP package on your computer and email client to encrypt your existing email addresses. There are also some webmail services that has built-in PGP encryption like Protonmail or Tutanota, although they come with some inherent limitations, like the E2E works only if both parties—the sender and the receiver of an email have PGP enabled emails. If you would like to learn more about their encryption techniques comparing Protonmail vs Tutanota—check out this post. Both of these services also offer hosting your custom domain emails, i.e: you can move your business entire email to their encrypted servers.

The bottomline is, if you are communicating anything private or sensitive, do not use email to begin with. Use one of the end-to-end encrypted messaging services instead.


Meanwhile, if you want to learn more about the basics of the overall digital security and privacy for everyday use, sign up for the weeklong Digital Security and Privacy—101 course that I teach almost every other months.