Figure 9-6: E-Mail Security
E-Mail Technology
E-Mail Clients and Mail Servers (Figure 9-7)
Mail server software: Sendmail on UNIX, Microsoft Exchange, and Lotus/IBM Notes dominate on Windows servers
Microsoft Outlook Express is safer than full-featured Outlook because Outlook Express generally does not execute content
Figure 9-7: E-Mail Standards
[Figure: Sending E-Mail Client -> (SMTP to Send) -> Sender’s Mail Server -> (SMTP to Send) -> Receiver’s Mail Server -> (POP or IMAP to Download) -> Receiving E-Mail Client. Message: RFC 822 or 2822 body; HTML body]
E-Mail Technology
SMTP to send messages from client to mail server or from mail server to mail server
To download messages to client e-mail program from receiver’s mail server
POP: Simple and popular; manage mail on client PC
IMAP: Can manage messages on mail server
E-Mail Technology
E-mail bodies
RFC 822 / RFC 2822: Plain English text
HTML bodies: Graphics, fonts, etc.
HTML bodies might contain scripts, which might execute automatically when user opens the message
Web-based e-mail needs only a browser on the client PC
Figure 9-8: Web-Based E-Mail
[Figure: Client’s Browser on Client PC exchanges HTTP Request Message and HTTP Response Message (Webpage Containing Message) with Webserver Program on Webserver with Web-Based E-Mail]
Almost all client PCs now have browsers.
No need to install new software
E-Mail Content Filtering
Antivirus filtering and filtering for other executable code
Especially dangerous because of scripts in HTML bodies
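As an added example (not from the original slides), a minimal content filter in Python for the risks named above: it walks a message's MIME parts and flags executable attachments and HTML bodies that carry scripts. The tag list, the extension blocklist, and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "iframe", "object", "embed", "applet"}  # assumed list
RISKY_EXTENSIONS = (".exe", ".scr", ".vbs", ".bat", ".pif")  # assumed blocklist

class ActiveContentFinder(HTMLParser):
    """Records script-capable tags, on* handlers and javascript: URLs."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"tag <{tag}>")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")

def scan_message(raw):
    """Return findings for one RFC 2822 message supplied as text."""
    msg = message_from_string(raw, policy=default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename() or ""
        if filename.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"executable attachment {filename}")
        if part.get_content_type() == "text/html":
            finder = ActiveContentFinder()
            finder.feed(part.get_content())  # decodes base64/quoted-printable
            findings.extend(finder.findings)
    return findings

# Constructed sample message (not from the original page).
SAMPLE = (
    "From: b@example.com\nSubject: offer\nMIME-Version: 1.0\n"
    'Content-Type: multipart/alternative; boundary="B"\n\n'
    "--B\nContent-Type: text/plain\n\nSee HTML part.\n"
    "--B\nContent-Type: text/html\n\n"
    '<html><body onload="run()"><script>run()</script></body></html>\n'
    "--B--\n"
)
if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

A filter of this kind also rejects some legitimate HTML mail, so findings are better routed to quarantine or sanitizing than to silent deletion.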
Spam: Unsolicited commercial e-mail
E-Mail Content Filtering
Volume is growing rapidly: Slowing and annoying users (porno and fraud)
Filtering for spam also rejects some legitimate messages
Sometimes employees attack spammers back; only hurts spoofed sender and the company could be sued
Inappropriate Content
Companies often filter for sexually or racially harassing messages
Could be sued for not doing so
E-Mail Retention
On hard disk and tape for some period of time
Benefit: Can find information
Drawback: Can be discovered in legal contests; could be embarrassing
Must retain some messages for legal purposes
E-Mail Retention
Shredding on receiver’s computer to take messages back
Send key to decrypt
Make key useless after retention period so cannot retrieve anymore
Might be able to copy or print before retention limit date
Not good for contracts because receiver must be able to keep a copy
E-Mail Retention
Message authentication to prevent spoofed sender addresses
Employee training
E-mail is not private; company has right to read
Your messages may be forwarded without permission
Never put anything in a message you would not want to see in court, printed in the newspapers, or read by your boss
Never forward messages without permission
E-Mail Encryption
Not widely used because of lack of clear standards
PGP and S/MIME for end-to-end encryption
How to get public keys of true parties?
PGP uses trust among circles of friends: If A trusts B, and B trusts C, A may trust C’s list of public keys
Dangerous: Misplaced trust can spread bogus key/name pairs widely
Figure 9-9: Cryptographic Protection for E-Mail
[Figure: Sending E-Mail Client -> Mail Server -> Receiving E-Mail Client; each hop: SMTP, POP, etc. over TLS; end to end: S/MIME with PKI or PGP with Circles of Trust]
E-Mail Encryption
Not widely used because of lack of clear standards
PGP and S/MIME for end-to-end encryption
How to get public keys of true parties?
S/MIME requires expensive and cumbersome PKI
E-Mail Encryption
PGP and S/MIME for end-to-end encryption
Ease of use
S/MIME usually built in if available at all
PGP usually a cumbersome add-on to e-mail
TLS
Between client and server