Paul McFedries' Web Home


Copyright Judd Winick A Brief E-Mail Primer

A Note About E-mail Security

Return to Ramblings Index Return to E-Mail Primer Start Page Return to 'E-Mail Pros and Cons' Go to 'Message Anatomy'

Table of Contents

The Privacy Problem
The Authenticity Problem
Is This Mere Paranoia?
If you made a list of the various tenets that constitute the Internet ethos, one of them would be that information should be free and easily accessible to all. This admirably egalitarian view is one of the reasons the Internet has been so successful. The composition of the Net's building blocks (the software that allows the various networks to communicate with each other and exchange data) is public knowledge, so it's relatively easy to write software that performs functions over the Net. In turn, the "information is free" ethic leads many of these software developers to make their creations free to all and sundry. So after you're wired, you can easily put together a suite of Internet applications, and your total cost would be precisely nothing.

The downside to all this openness (you knew there had to be a downside) is that it also makes it easy for the malicious and the malevolent to get into all kinds of mischief. By studying the published standards for how the Internet works, crackers (as hackers who've succumbed to the dark side of the Force are called) can apply their knowledge of programming and computer systems to compromise these systems and bypass the normal Internet operating procedures.

In the e-mail world, this situation leads to two major security issues: privacy and authenticity.

The Privacy Problem

Remember all the fuss a while back when some cellular snoop managed to listen in on a phone conversation between Princess Diana and "Squidgy," her alleged (and bizarrely nicknamed) lover? The problem with cellular phones, of course, is that their transmissions are just microwave radio signals that travel willy-nilly through the air just like any other radio signal. With a simple receiver, anyone can tour through the appropriate frequencies, intercept these transmissions, and listen in on what were supposed to be private conversations.

Internet e-mail suffers from a similar problem. When you send a message, it doesn't travel directly to the recipient; instead, it must first pass through a number of other systems (as described in the How Does the Internet E-Mail System Work? section). Recall the analogy I used earlier in which I likened a message traveling through the Net to driving from one city neighborhood to another along a system of roads and highways. Well, on the Net, these roads and highways often have "checkpoints" that messages must pass through in their journey. These checkpoints are just computers on some other network, and at each stop there's always the possibility that someone with enough know-how could intercept your message, read it, and then send it on its way. Neither you nor your recipient would ever be the wiser. In this sense, using Internet e-mail is no different from sending snail-mail messages on the back of a postcard.

NOTE: PACKET SNIFFING
All Internet communication—whether it's files, World Wide Web pages, or e-mail—is divided into small chunks called packets. These packets are sent individually and reassembled when they reach their destination. For this reason, the Net's electronic eavesdroppers are called packet sniffers.

The Authenticity Problem

You might recall a famous story from the '70s in which the sportscaster Howard Cosell was doing a Monday Night Football broadcast and received what he thought was a call from the boxer Muhammad Ali. At the time, Ali was in Zaire preparing to fight George Foreman, so this was a real coup for Cosell. In fact, he even did a brief interview with Ali right on the air to a nationwide TV audience. Much to Cosell's chagrin (not to mention his embarrassment), the call turned out to be a hoax (the caller was actually somewhere in the Midwest, I think).

This brings us to the second e-mail security problem: authentication. When you receive a message, the header's From line tells you the e-mail address of the person who sent the missive. Or does it? The Internet e-mail system is such an open book that it's ridiculously easy to forge other people's e-mail addresses! Now, obviously, if you get a message from president@whitehouse.gov or billg@microsoft.com, you can pretty well guess you're dealing with a forgery (depending on the social circles you run in). But if you get flamed by a total stranger, or if someone you know inexplicably asks for your credit card number, there's no way to tell whether the message is on the up-and-up.

Is This Mere Paranoia?

Well, perhaps we should keep some perspective here. Tens of millions of e-mail messages are sent every day, so what, really, are the chances of someone picking out your message to spy on? Besides, only criminals and other undesirables really need to keep their communications private, right?

Wrong! I mean, you "hide" most of your paper mail inside an envelope, don't you? Does that make you a criminal? Of course not. And what if your e-mail dispatches include sensitive material such as payroll data, credit-card or Social Security numbers, financial info, research results, or trade secrets? You'll probably want to protect these decidedly noncriminal messages, so you have every right to be at least a little paranoid. And you can forget that "safety in numbers" argument. Someone looking for your e-mail messages wouldn't have to sift through the millions of dispatches that are posted daily. It's possible to scan mail messages passing through a site and do "keyword searches" to intercept those that contain particular words, phrases, names, or even e-mail addresses.

As for e-forgeries, it's true that they're still quite rare, if only because the necessary know-how is well beyond the skills of most Netizens. But, still, they do happen. A couple of years ago, some prankster forged a Microsoft press release stating that the company had bought the Vatican! The very idea sounds preposterous, but Microsoft actually had to put out its own press release to confirm that the other was a fake!

In the end, it comes down to a matter of principle. With more and more people jumping on the Net bandwagon every day, with the possibility that all correspondence will be done via e-mail getting closer and closer to reality, and with the prospect of Net financial transactions looming large, e-mail security will have to become as much of a "right" as the privacy we enjoy in our own homes.

Return to Ramblings Index Return to E-Mail Primer Start Page Return to 'E-Mail Pros and Cons' Go to 'Message Anatomy'

The artwork displayed throughout this primer is Copyright © Judd Winick.

Copyright © 1995-2008 Paul McFedries and Logophilia Limited