
E-mail and you

Today on The Privacy Blog Lance mentions that recently over 100 government e-mail logins were posted online and specifically mentions how with Exchange or IMAP people’s lives are kept in their e-mail accounts.

Not only Exchange or IMAP, but also any webmail system. It was demonstrated at Black Hat this year that it’s trivially easy to hijack anybody’s webmail session (Hotmail, Gmail, Yahoo, etc.) as long as they are on the same local network as the attacker. Not to mention that forging an e-mail identity is as easy as taking a nap.

So what can you do to protect yourself in this world of wildly insecure e-mail?

Demand SSL or TLS

First, demand SSL and/or TLS from your provider. Some webmail systems (such as Gmail) support SSL; others (Hotmail, Yahoo, and pretty much everything else) don’t. Even if you’re using Exchange, IMAP, POP or SMTP, you should be using SSL to protect your account from intruders. If your provider doesn’t at least offer secured services, you should switch to something that does.

Use SSL or TLS

Most providers that offer secured services don’t turn them on by default. I have no idea why that is. When you go to Gmail, put https in front of it. If your ISP gave you your e-mail settings and you just put them into Outlook, Thunderbird or Mail, try clicking the Use SSL option. It might just work. Notably, Mail on Mac OS X will attempt to enable SSL by default if your provider supports it. God only knows why Thunderbird still doesn’t. Come on people, this is 2007. (Incidentally, I just opened bug 394487 about this, please go vote for it.)
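As an added example (not from the original post), the Python below classifies what a mail server advertises on its plaintext IMAP, SMTP or POP3 port, which shows whether the Use SSL setting has anything to work with. The function names, result labels and sample capability lists are constructed for illustration; 143, 587 and 110 are the standard plaintext ports.

```python
import contextlib
import imaplib
import poplib
import smtplib

# Capability keyword that advertises an upgrade to TLS on the plaintext port.
UPGRADE = {"imap": "STARTTLS", "smtp": "STARTTLS", "pop3": "STLS"}


def plaintext_login_offered(protocol, caps):
    """True if the server would take credentials before any TLS upgrade."""
    if protocol == "imap":  # LOGIN stays enabled unless LOGINDISABLED is advertised
        return "LOGINDISABLED" not in caps
    prefixes = ("AUTH",) if protocol == "smtp" else ("USER", "SASL")
    return any(c.startswith(prefixes) for c in caps)


def assess(protocol, capabilities):
    """Classify pre-login capabilities as 'tls-required', 'tls-optional' or 'no-tls'."""
    caps = [c.strip().upper() for c in capabilities if c.strip()]
    if UPGRADE[protocol] not in {c.split()[0] for c in caps}:
        return "no-tls"
    return "tls-optional" if plaintext_login_offered(protocol, caps) else "tls-required"


def fetch_capabilities(protocol, host):
    """Ask a live server for its pre-login capabilities (needs network access)."""
    if protocol == "imap":
        with imaplib.IMAP4(host, 143) as conn:
            return list(conn.capabilities)
    if protocol == "smtp":
        with smtplib.SMTP(host, 587, timeout=10) as conn:
            conn.ehlo()
            return [f"{k} {v}" for k, v in conn.esmtp_features.items()]
    with contextlib.closing(poplib.POP3(host, 110, timeout=10)) as conn:
        return [" ".join([k, *v]) for k, v in conn.capa().items()]


# Constructed capability lists, written for this example (not captured from real providers).
SAMPLES = {
    ("imap", "strict"): ["IMAP4rev1", "STARTTLS", "LOGINDISABLED"],
    ("imap", "lax"): ["IMAP4rev1", "STARTTLS", "AUTH=PLAIN"],
    ("smtp", "legacy"): ["SIZE 35882577", "AUTH PLAIN LOGIN", "8BITMIME"],
    ("pop3", "strict"): ["TOP", "UIDL", "STLS"],
}

if __name__ == "__main__":
    for (protocol, label), caps in SAMPLES.items():
        print(f"{protocol:5} {label:7} -> {assess(protocol, caps)}")
```

A `tls-optional` result means the server will still accept a password in the clear, so the mail client itself has to be set to require SSL/TLS rather than use it only when available.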


Securing just your account is not enough, since anybody’s identity can be forged very convincingly in a matter of seconds. In order to protect your identity and provide a way for people to verify that, yes, you sent this message, you should also be using a digital certificate of some type. Most mail clients have plugins for PGP or GPG (check Enigmail or GPGMail), and all thick mail clients support S/MIME. Unfortunately the only webmail service that I know of capable of verifying S/MIME certificates is Outlook Web Access (MS Exchange), and I don’t know any that support using them. That being the case, you should only be using webmail services for reading mail, and only as a last resort. Gmail even lets you use a thick client if you want (which you do). You can get free S/MIME certificates from Thawte and $20 S/MIME certificates from Verisign.

Finally, don’t be a fool

A lot of people I know tell me, “I don’t have anything to hide, so I’m not worried about it.” You couldn’t be more foolish. A wise man once said, “if you have nothing to hide, encrypt it.” You still lock your house, don’t you? You still lock your car, don’t you? Would you like someone rifling through your purse or wallet? What if they did it without your permission? Are you sure you’re not worried about it?

Maybe you can’t implement all of these. But you can implement some of them.