Encrypted E Mail

seligehgit

Hi guys,
I've got to send an e mail including some sensitive details?I want to encrypt the e mail,how do I go about it?Do I have to get a digital ID?This is a once off e mail.
Ta,
Selig

Mr.Crinklewood

http://www.hushmail.com/

Never used this myself though.

irishescorts

Hushmail's a good service.

A good product for encrypting email:

http://www.symantec.com/business/desktop-email

Bear in mind knowledge is everything. Ideally you need to understand the technology behind the scenes otherwise you're walking blind.

h57xiucj2z946q

www.gnupg.org

ishotjr2

As the guy said above http://www.gnupg.org/ is really good, if you send encrypted attachments then openssl is good also. But neither are user friendly.

Firefox has a bunch of plugins, so if you use webmail like gmail, yahoo etc... I would use one of these.

https://addons.mozilla.org/en-US/firefox/search/?q=encryption&cat=1%2C0

These are not of the strength of openssl or gnupg. But if convienience is important try the plugins.

Liameter

What I do is create a password-protected secure folder on my Mac, put the document(s) inside it, zip it, then drag it to my Dropbox "Public" folder and email the link to the recipient (with the password communicated separately via Skype or phone).

ishotjr2

The only point I would make is Skype IM, is sent in the clear so anyone capable of sniffing your mail can sniff the IM. Puritan point, but I have to keep reminding myself that when I use Skype IM.

To show what I mean use "tcpdump -A -s0 -ni eth0" and send some skype IM.

iMax

www.digiprove.com. Irish. Certified that it was sent. Encryption available.

Haven't used them in a chile, but found the service excellent for my needs when I did. (site is a little difficult to find around though).

Liameter

Yes but if I skype someone with "Jane's number is 0123486427" is anyone going to guess that that is the reversed password for an encrypted folder that I've uploaded to my Dropbox account? Will they in fact be able to find my Dropbox account?

ishotjr2

No, see your point. My point was only about Skype IM not being encrypted.

Liameter

And a very relevant point, too. (I tend to separate details and communicate them by at least 3 different methods. That's fairly safe even without encryption!)

An.Duine.Eile

As it is a once off eMail, you could

- Create a word doc with the message

- Save with a password orr Create a password protected zip file

Google instruction depending on version of word or zip

ishotjr2

Hi

I would say zip passwords are a moderate level of inconvienance. Really a public private key is needed.

http://zip-password-cracker.com/
http://oldhome.schmorp.de/marc/fcrackzip.html

Once you can hammer away at a cipher someone only needs the motivation and a computer built in the last 5 years.

But convieniece is a drawback of public/private.

Dude111

Mr.Crinklewood wrote:

http://www.hushmail.com/

I was going to recommend this..... I use this and its quite good

croo

ishotjr2 wrote: »

No, see your point. My point was only about Skype IM not being encrypted.

Is it not? I chat with a some people in Iran and they like to use skype because they believe (as I always did) it is encrypted!

According the Skype

Ever since Skype was launched, we have said it is, and will remain, secure. Your Skype-to-Skype calls, chats and other communications are end-to-end encryped.

http://blogs.skype.com/security/2005/10/skype_security_and_encryption.html

Peter91

You should look at TrulyMail. They have a way to send encrypted messages to someone who does not use their software. Normally, the problem with encrypted messages is that the recipient also must use the same software. TrulyMail solved that problem (http://trulymail.com/Videos/ShowVideo.aspx?v=80).

PeterHughes

Outlook supports encryption, all you need to do is generate the encryption keys. There are loads of free sites to do PGP key generation

https://www.igolder.com/pgp/generate-key

The person you are sending to has to create their own PGP Keys, one public and one private. They then give you the public one and you use it to encrypt the email in outlook.



There are others that cost a bit of money to setup like

http://www.post.trust.ie


Probably a bit overkill but just in case.

seligehgit

Many thanks guys for all the help,sent a zip file with a password.
Selig

h57xiucj2z946q

ishotjr2 wrote: »

Hi

I would say zip passwords are a moderate level of inconvienance. Really a public private key is needed.

http://zip-password-cracker.com/
http://oldhome.schmorp.de/marc/fcrackzip.html

Once you can hammer away at a cipher someone only needs the motivation and a computer built in the last 5 years.

But convieniece is a drawback of public/private.

http://superuser.com/questions/145167/is-zips-encryption-really-bad

The weakness of the old encryption was due to the weakness of the chosen encryption algorithm.

Nowadays one can use industry grade encryption via 'AES', which is used everywhere (and is under heavy attack but as it seems pretty hard to attack). As the site you cited stated: now the weakest spot is in the passphrase and the rules you mentioned especially address that problem.

Theses rules do not apply to the passphrase for the old encryption, since that old encryption was very weak in itself, no matter if you choose a good password or not.

The statement of "the problem is removed due ..." is not true, since the real solution to encrypt ZIP files securely is to choose a strong encryption algorithm AND a strong password. The strongest password is worth nothing if the encryption algorithm is weak.

Read also http://www.info-zip.org/FAQ.html#crypto and http://www.topbits.com/how-can-i-recover-a-zip-password.html

Peter91

PeterHughes wrote: »

Outlook supports encryption, all you need to do is generate the encryption keys. There are loads of free sites to do PGP key generation

The person you are sending to has to create their own PGP Keys, one public and one private. They then give you the public one and you use it to encrypt the email in outlook.

There are others that cost a bit of money to setup like

And this is the biggest reason more people don't use encryption today. If you understand these things they are easy, to you. If the recipient doesn't really understand the technology, then you cannot communicate with them securely.

That's also the reason I like the idea from TrulyMail... I don't need the recipient to understand anything or install anything or send me anything. I can control everything from my side.

PeterHughes

@Peter91
Agreed but as with most things the more effort you put in the more secure things are. Also the overhead of sending a mail to a new contact has its headaches.

I like the look of TrulyMail and will have to give it a go.

Cheers.

Dude111

Peter91 wrote:

You should look at TrulyMail. They have a way to send encrypted messages to someone who does not use their software.

Hushmail does the same

Peter91

Dude111 wrote: »

Hushmail does the same

Sadly, Hushmail has a backdoor (http://www.wired.com/threatlevel/2007/11/hushmail-to-war/) while TrulyMail does not.

Dude111

Yes but thats only if a court order is recieved! (Im sure Trulymail would comply with that also or risk being shut down)

Peter91

Dude111 wrote: »

Yes but thats only if a court order is recieved! (Im sure Trulymail would comply with that also or risk being shut down)

As I understand from them, all encryption (and decryption) happens on the client with public keys. They never have the private keys to decrypt so, even given a court order, I don't think they *could*. This was the point of them not having a backdoor. It seems to be a similar design to RIM's corporate service (where the keys are held by the customer, not by RIM).

Given the recent hacking incidents in the news, I don't really like backdoors. If the government can use a backdoor, what stops a hacker from using the same backdoor?

Peter91

bedlam wrote: »

This seems just like IronPort and Voltage's offerings

It's good to know there is competition out there. I hate monopolies.

bedlam wrote: »

27 seconds into the video you linked to above shows that to not be true.
"Encrypted package (decryption key stored on TrulyMail server)"

The other two option are "not encrypted" and "encrypted with a preshared password". The latter of these is the only way you can prevent TrulyMail from decrypting but you still have to securely get the preshared password to your recipient somehow...

Actually there are four ways to send messages with them:

1) TrulyMail to TrulyMail - Encrypted by public keys, private keys only on the client, encrypted message on their server

2) TrulyMail to email (encrypted package) - decryption key on their servers but the content goes through email servers (not theirs)

3) TrulyMail to email (encrypted web msg) - encrypted via AES and a passphrase must be opened in a browser, decryption in the browser, you need to get the passphrase to the recipient

4) TrulyMail to email (unencrypted) - just clear text

It's not magic, it's cryptography (well, except for the last one). I'm pretty sure they never have both the encrypted message and the means (the key) to decrypt the message.

Peter91

bedlam wrote: »

to use this option the recipient needs to also have the TrulyMail software which is Windows only, so is really less useful than GPG/PGP as it's a one OS solution.

True, but I find it easier to get my non-technical recipients to setup and configure TrulyMail rather than GPG.

bedlam wrote: »

So to use TrulyMail you have to either :
1) Use their software which limits recipients to Windows OS
2) find a way to securely get the web message password to the recipient and have the sender pay a fee.

That's right. Please let me know if you know a better (or free) way but like I said above, one of my main concerns is getting messages to others who refuse to be troubled with encryption software. It's not free but it's cheap and it works for me.

I do wish they would come out with versions for Linux and Mac. Someday, perhaps.

Dude111

Peter91 wrote:

As I understand from them, all encryption (and decryption) happens on the client with public keys. They never have the private keys to decrypt so, even given a court order, I don't think they *could*.

Hmmmm that would indeed be interesting then if a situation arose that they wanted to see whats being sent..... (The US Govt would tear them apart im sure,theres gotta be some clause or something)

Peter91

Dude111 wrote: »

The US Govt would tear them apart im sure,theres gotta be some clause or something

I've asked them and they've been quite clear that they've designed the system specifically to avoid being able to read anyone's messages.

Dude111

Wow that is impressive then if it is true!

schrodinger

bedlam wrote: »

Unlinke PGP/GPG which has been well scrutinised [...]

Now 'scuse me while I go back to sending encrypted email to my self seeing as no one else will

*ahem*