
Encrypted E-Mail Communication


We prefer encrypted communication via e-mail. You should, too. Here are some reasons.
If you are a customer of ours and you gave us an NDA to sign, it might be important for you that, e.g., the results of our pen test or a not-yet-released piece of soft- or hardware are not passed around on an electronic postcard. But that is actually what an e-mail is: every hop from its source to its destination can read this postcard on the wire in cleartext.
This picture still understates the problem in some important ways. Real postcards are normally not routed through untrusted paths, to name the worst examples: a competitor's network, or countries known to have a large appetite for high-technology information. Also, with paper postcards it is much harder to process the content automatically and decide whether it might be interesting, as opposed to digital information. Furthermore, postcards are normally unique and do not get copied, whereas at the destination your provider is able to access your e-mail. He has even more of a chance to read it if you don't pull your e-mail soon after receiving it, and he might have the e-mail in his backup, maybe for eternity. Another point: your snail-mail box is hopefully locked with a key of some kind, but in the case of an e-mail you implicitly trust the security of your provider, and there have been lots of cases in which big ISPs suffered from severe security problems, e.g. Hotmail, Yahoo, the German T-Systems/Telekom (the so-called T-Hack) and also T-Mobile. Unlike with a real postcard, the sender could also have sent a (B)Cc to his ISP address or kept an fcc, e.g. on the unencrypted partition of his laptop, which could get stolen. And I am assuming you do not retrieve your e-mail without encrypted protocols (i.e. pops/imaps), so that your password cannot be sniffed?

I am stopping here; you get the point, I guess. E-mail encryption solves those problems. It is not only for hackers: there are easy-to-use GUIs available. There are two standards for secure e-mail communication, S/MIME and OpenPGP, and I prefer the latter. A complete set of binaries for Windows is Gpg4win; it includes GpgOL, a plugin for Outlook. If you are using Mozilla's Thunderbird, even better: install the Enigmail extension in addition. Follow the download links, start the installation and send me the public part of your key. Keep the private key in a safe place and secure it with a passphrase. This way I can send you an e-mail which only you can decipher. If you want to send me an encrypted e-mail, import my key into your so-called keyring.
Mac user? I am not one, but here is a good HOWTO. For Unix users there is also a variety of HOWTOs available. Just follow them and in the end pass the public key to me. It basically means: install the program which does the low-level key handling (normally GnuPG), generate your key pair, and set up your preferred Mail User Agent (MUA), e.g. Thunderbird+Enigmail.

Don't want to worry about all this installing? OK, then we do symmetric encryption, i.e. we agree on a shared secret, a reasonably good password, and exchange it over a second channel, i.e. not by e-mail. Depending on which operating system you are using, I can recommend several tools which do at least AES-256 encryption and thus should be fine nowadays.
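The two procedures above, the OpenPGP key exchange (generate a key pair, hand over only the public half, import the partner's key into your keyring, encrypt to it) and the symmetric AES-256 fallback with a passphrase agreed over a second channel, as an added example that is not part of this page: a POSIX shell script driving GnuPG. It assumes gpg 2.1 or newer is installed; the names, addresses, passphrase and message text are constructed.

```shell
#!/bin/sh
# Added example, not part of the original page: the OpenPGP key exchange
# described above and the symmetric fallback, run through GnuPG (gpg >= 2.1
# assumed) in two throwaway keyrings so nothing touches a real ~/.gnupg.
# The names, addresses, passphrase and message text are constructed.

CUSTOMER="$(mktemp -d)"    # keyring of the customer (holds the private key)
PENTESTER="$(mktemp -d)"   # keyring of the sender (gets only the public key)
cleanup() {
  for h in "$CUSTOMER" "$PENTESTER"; do
    GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$h"
  done
}
trap cleanup EXIT

# Run gpg against one party's keyring, non-interactively (no pinentry popup;
# passphrases are passed in-line, which is fine for a demo, not for real keys).
as_party() {
  home="$1"; shift
  GNUPGHOME="$home" gpg --batch --yes --quiet --pinentry-mode loopback "$@"
}
REPORT="Pentest report draft, do not forward"

# Asymmetric path: key pair on the customer's side, public half exported,
# sender encrypts to it, only the matching private key can decrypt.
pgp_roundtrip() {
  # 1. customer generates a key pair (empty passphrase only for this demo)
  as_party "$CUSTOMER" --passphrase '' \
    --quick-gen-key "Customer <customer@example.invalid>" default default never
  # 2. customer hands over the public key; the private key stays in her keyring
  as_party "$CUSTOMER" --armor --export customer@example.invalid \
    > "$PENTESTER/customer.pub"
  # 3. sender imports it; --trust-model always stands in for the fingerprint
  #    check you would do over a second channel before trusting a new key
  as_party "$PENTESTER" --import "$PENTESTER/customer.pub"
  printf '%s\n' "$REPORT" | as_party "$PENTESTER" --trust-model always \
    --recipient customer@example.invalid --armor --encrypt \
    --output "$PENTESTER/report.asc"
  # 4. the ciphertext is the "postcard"; decrypting needs the private key
  as_party "$CUSTOMER" --passphrase '' --decrypt "$PENTESTER/report.asc"
}

# Symmetric fallback: one passphrase agreed over a second channel, AES-256.
symmetric_roundtrip() {
  secret="agreed-by-phone-not-by-mail"
  printf '%s\n' "$REPORT" | as_party "$PENTESTER" --passphrase "$secret" \
    --symmetric --cipher-algo AES256 --output "$PENTESTER/report.gpg"
  as_party "$CUSTOMER" --passphrase "$secret" --decrypt "$PENTESTER/report.gpg"
}
```

Both functions print the recovered plaintext; the armored file `report.asc` is what you would attach or paste into the mail.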