The Basics of Email and Web Security


For all its speed and convenience, email is not without a few potential security problems. First and foremost is the fact that it is often transmitted over the public internet, rendering confidential information susceptible to interception. Anyone who has used an email account for more than a few days will also be painfully aware of the problems posed by the massive volumes of spam that inundate email inboxes throughout the world. The broad use and accessibility of instant messaging also brings with it security threats and challenges.

A comprehensive security strategy also needs to take into consideration the risks associated with users using web browsers to access and provide information over the World Wide Web.

Each of these areas will be discussed in this chapter of Security+ Essentials, together with possible steps that can be taken to ensure a more secure IT environment.

Email Security

One of the biggest problems with email is that the messages are transmitted over the public internet. This means that it is theoretically possible for malicious parties to intercept email message transmissions and thereby gain access to what may be confidential information or data. The best way to avoid this is to use encryption to protect sensitive data when it is transmitted over the internet. Two such solutions are S/MIME and PGP.

Pretty Good Privacy (PGP)

PGP is based on the Pretty Good Privacy technology developed by Phil Zimmermann in the early 1990s. The PGP program uses either RSA or Diffie-Hellman asymmetric encryption to encrypt messages before they are sent and to decrypt them on arrival at their destination.

In addition to encrypting email messages, PGP also attaches a digital signature to the messages which can be used by the recipient to verify that the message has not been modified in any way since it was transmitted.


Secure Multipurpose Internet Mail Extension (S/MIME)

The standard MIME protocol extends the Simple Mail Transfer Protocol (SMTP) to enable the inclusion of non-ASCII (i.e. non-plain text) attachments such as binary, photo and audio files in email messages.

The secure version of MIME, known as S/MIME, was developed by RSA Data Security and uses the X.509 certificate format to allow for the encrypted email transmission of data over public networks. S/MIME uses 40-bit RC2 and 3DES-based encryption and is supported by most modern email client applications.

Dealing with Spam Email

Whilst it is impossible to arrive at exact numbers, it is widely believed that spam email now accounts for as much as 40% of all traffic on the internet. The time employees spend deleting unwanted spam messages is believed to cost businesses in the United States alone in excess of $2 billion a year in terms of lost productivity.

Clearly spam email messages are a serious issue which must be addressed by system administrators and IT security employees. A number of solutions to the problem are available but none, unfortunately, provide 100% certainty of either eliminating all spam, or guaranteeing that legitimate messages will not be incorrectly categorized as spam.

One solution is to subscribe to email blacklists. These are services which maintain a registry of known spam senders which can be used to isolate spam messages. Unfortunately, many spammers send email using the open relays of legitimate email servers, thereby disguising their true identity and limiting the usefulness of email blacklists.

Another option is to install spam filtering software that blocks spam based on algorithms which scan messages for patterns and word sequences that are common to spam messages. Once again, this solution is only partially effective, resulting in some spam making it through filters and some valid messages being tagged as spam (so-called false positives).
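The trade-off described above can be seen in a small pattern-scoring filter. This is an added example, not code from the original chapter; the patterns, weights and sample messages are all constructed for illustration.

```python
import re

# Constructed pattern weights; a production filter learns these from labelled mail.
SPAM_PATTERNS = {
    r"\bfree\b": 2.0,
    r"\bwinner\b": 3.0,
    r"\bact now\b": 3.0,
    r"\bclick here\b": 2.5,
    r"\blimited[- ]time offer\b": 2.5,
    r"\$\d[\d,]*": 1.0,
}

def spam_score(text):
    """Sum the weights of every spam pattern found in the message."""
    lowered = text.lower()
    return sum(w for pat, w in SPAM_PATTERNS.items() if re.search(pat, lowered))

def classify(messages, threshold):
    """Return (false_positives, false_negatives) for a given threshold."""
    false_pos, false_neg = [], []
    for label, text in messages:
        flagged = spam_score(text) >= threshold
        if flagged and label == "ham":
            false_pos.append(text)      # valid mail tagged as spam
        elif not flagged and label == "spam":
            false_neg.append(text)      # spam that made it through
    return false_pos, false_neg

# Constructed sample mail, labelled by hand.
SAMPLE = [
    ("spam", "WINNER! Click here to claim your free prize, act now"),
    ("spam", "Limited-time offer: $50 off"),
    ("spam", "Fr3e pr1ze, cl1ck h3re"),   # obfuscated, matches no pattern
    ("ham", "Your invoice for $1,200 is attached. Shipping is free."),
    ("ham", "Minutes from Tuesday's planning meeting"),
]

def sweep(thresholds=(3.0, 5.0)):
    """Map each threshold to (false positive count, false negative count)."""
    return {t: tuple(len(x) for x in classify(SAMPLE, t)) for t in thresholds}

if __name__ == "__main__":
    for threshold, (fp, fn) in sweep().items():
        print(f"threshold {threshold}: {fp} false positive(s), {fn} missed spam")
```

Raising the threshold clears the invoice false positive but lets the milder promotional spam through, and the obfuscated message evades the word patterns at every threshold.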

A common and effective way to reduce the volume of spam on the internet is for system administrators to shut down mail relaying. Spammers often use programs which scan port 25 (the SMTP port) of systems connected to the internet looking for open relays. Having found an open relay, they use it to send vast volumes of spam messages out. Such messages appear to originate from the system with the open relay (almost always a legitimate business with no connections to the spammer), thereby making it difficult to track down the spammer and minimizing the effectiveness of email blacklists.
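What "shutting down mail relaying" means as a server decision is sketched below, with the open policy beside the restricted one. This is an added example, not code from the original chapter; the local domain, trusted networks and SMTP envelopes are assumed values constructed for illustration.

```python
import ipaddress

# Assumed site values (hypothetical): the domain this server hosts and the
# internal networks whose clients may send mail to outside recipients.
LOCAL_DOMAINS = {"example.com"}
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8")]

def is_local(rcpt):
    """True if the recipient's domain is one this server hosts."""
    return rcpt.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS

def open_relay_policy(client_ip, rcpt, authenticated=False):
    """Misconfigured server: forwards mail for any client to any domain."""
    return "deliver" if is_local(rcpt) else "relay"

def closed_relay_policy(client_ip, rcpt, authenticated=False):
    """Relay to outside domains only for trusted or authenticated clients."""
    if is_local(rcpt):
        return "deliver"                      # inbound mail for our own users
    ip = ipaddress.ip_address(client_ip)
    if authenticated or any(ip in net for net in TRUSTED_NETS):
        return "relay"                        # our users sending outbound mail
    return "reject"                           # third-party relay attempt

# Constructed SMTP envelopes: (client IP, RCPT TO address, authenticated?)
SESSIONS = [
    ("203.0.113.7", "alice@example.com", False),    # outside -> our user
    ("10.1.2.3", "partner@example.net", False),     # internal -> outside
    ("198.51.100.9", "victim@example.org", False),  # outside -> outside
    ("198.51.100.9", "bob@example.net", True),      # roaming user, logged in
]

def decisions(policy):
    """Apply a relay policy to every constructed session."""
    return [policy(ip, rcpt, auth) for ip, rcpt, auth in SESSIONS]

if __name__ == "__main__":
    for name, policy in (("open", open_relay_policy), ("closed", closed_relay_policy)):
        print(name, decisions(policy))
```

Only the third session differs between the two policies: an unauthenticated outside client sending to an outside domain is relayed by the open server and rejected by the restricted one.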

Web Based Security (SSL and TLS)

Today just about any form of activity can be performed via web sites, from applying for a loan or credit card to purchasing items with those credit cards. A surprising amount of personal and confidential data is now transmitted from users' browsers to web sites all over the world. Within a short time of all data being transmitted in plain text using HTTP on TCP port 80, it became clear that more secure ways of interacting over the internet were needed.

Secure Sockets Layer (SSL) is a secure protocol developed by Netscape Communications for the encryption of data transmitted over the internet. The Internet Engineering Task Force (IETF) adopted SSL in 1996 and named it Transport Layer Security (TLS). TLS is equivalent to SSL 3.0 (although TLS and SSL are not interchangeable).

SSL/TLS use cryptography to ensure that data transmitted between a browser and a web site is secured through encryption. The strength of this technology is that it is essentially invisible to the user. The only signs that SSL/TLS is being used will be the fact that a web site address begins with https rather than http and the presence of a small padlock icon on the status bar of some web browsers.

