How to get a secure email?

[stock_post]

There are different ideas on this one.
Can some one elaborate for new bees to start here!

[tristanperry]

You can go with a reputable e-mail company (a paid one)

I personally just host my e-mails on my server though. Then I can have whatever@domain.ext as required. Plus it's my server (i.e. a leased dedi) hence I know it's 'secure' (as secure as can be, that is).

I've never fully understood why some people go with free hosting accounts from 'the big guys'. Especially since Google have zero customer service and Microsoft's products aren't exactly the best quality (in efficiency terms, etc) nor the most secure.

*Shrugs*

Each to their own I know

[stock_post]

If you trust your hosting company this is a good option.
what if they are bad.. (only if)

2) if a guy who can hack gmail or msn - those guys can hack your server as well correct?

[tristanperry]

Quote:

Originally Posted by stock_post

If you trust your hosting company this is a good option.
what if they are bad.. (only if)

2) if a guy who can hack gmail or msn - those guys can hack your server as well correct?

If you don't trust a hosting company then you shouldn't really be with them

And your concern is valid. Nothing (not even bank or government systems) is fully secure - i.e. 100% security doesn't exist. Paid e-mail hosts aren't 100% secure either.

However my servers are secure as possible and hence I'm happy to host my e-mail on them

Plus hackers would be more likely to go after GMail or MSN than a server that may only store a couple of e-mail addresses.

You raise a good point though; nothing is fully secure.

[raoul]

it all depends on what you are trying to protect, and from who and to who you will send and receive mails.

Using large (mostly free) email adresses like gmail or hotmail, you will be very vounerable to any bugs. To be clear, their server self will be good protected, but bugs in their HTML/PHP are NEVER all eliminated. With hotmail and gmail in my opinion counts that its used so massively worldwide, once a bug is discoverd it will spread like a fire over the globe. Vounerabilleties are also faster discoverd in such big deployed systems.

Security is all about "what and who" you want to protect, wich risks you like to eliminate.

2 people emailing together secret info can be VERY good protected. You can use your own email and encrypt the messages before sending it, with for example a RSA1024 key, then there is NO WAY a hacker can decrypt your message to the other in the next 5 to 10 years. Now I know some guys will say some people can hack a RSA 1024 key, sure, email me, and I can make you more rich than decrypting some emails.

On the other hand, if your planning a terrorist attack, communication with "the leader" over email signing RSA1024 keys, its most likely that someone as NSA can decrypt your message, so its very imortant to know to who you are protecting against.

I think the biggest thread in security are not the regular hackers, thinking on smart ways to beat a system. Biggest thread are the guys that do social engineering. Getting closer to you, chatting to you, socializing with you. The more info + trust someone gains, the esier it is to the needed information.

Some close "online friend" you know for years sends you a domain tool, to easy sort domains (or whatever, if he done good social engineering, he KNOWS your diffuculties, problems) inside the tool is a hidden trojan, with a keylogger inside....

how to protect against that? There are ways, but it will not be cheap

[checknme]

My thoughts on this are as follows:

Who to Trust
1) I trust the large providers more than self-managed solutions. I pay Google 50/year and get access to phone support and more space. Works well.

But Never Trust Too Much...
2) I don't trust them not to lose my email so I always sync it locally via imap.

The Weakest Link
3) Authentication is usually the weakest link. Keyloggers (etc.) can steal the passwords of unsuspecting victims of such attacks. To help mitigate this, use a two-factor authentication system. Right now I am experimenting with AOL mail. Yes - aol. They support this - https://vipmobile.verisign.com/learnmore.v along with the following providers: https://vipmobile.verisign.com/wheretouse.v. Each time I log in, I have to also enter the 6 digit code on my iphone (which changes every 30 seconds). I do the same for PayPal to make payments and Name.com to manage domains. Sorry to be so dumbed down with my answer - but it may help a noob out there who wants to mitigate risk.

[raoul]

Quote:

Originally Posted by checknme

3) Authentication is usually the weakest link. Keyloggers (etc.) can steal the passwords of unsuspecting victims of such attacks. To help mitigate this, use a two-factor authentication system. Right now I am experimenting with AOL mail. Yes - aol. They support this - https://vipmobile.verisign.com/learnmore.v along with the following providers: https://vipmobile.verisign.com/wheretouse.v. Each time I log in, I have to also enter the 6 digit code on my iphone (which changes every 30 seconds). I do the same for PayPal to make payments and Name.com to manage domains. Sorry to be so dumbed down with my answer - but it may help a noob out there who wants to mitigate risk.

yes nice solution. I also think multi authentication will become the next standard.

In this digital millenium, people simply cannot momorize any good passwords/usernames anymore. So in general they take the simple ones.

but this will not solve his "encryption" question

[TheWatcher]

I'm using Google Apps for my email personal or
business. For business, I pay $50/year/user to extra space.

The security is top of the line, service includes antispam and antivirus.

I help some business partner to get their own google apps. No bad feedback so far. Email accessible anywhere, great for iPhone.

I can assist you if you like. Send email to em @king.net.

Regards,
Em

[checknme]

Quote:

Originally Posted by raoul

but this will not solve his "encryption" question

As in using an encryption key?

[TheWatcher]

Quote:

Originally Posted by checknme

As in using an encryption key?

If you want to use encryption, then buy commercial grade digital certificate to encrypt your message. Verisign, Baltimore Trust, PGP and other PKI company.

Why you need encryption anyway? Do you really need to encrypt your message?
Ask yourself, do you really need to encrypt your message? Do you think your recipient use encryption, if not it's useless.

[checknme]

Quote:

Originally Posted by TheWatcher

If you want to use encryption, then buy commercial grade digital certificate to encrypt your message. Verisign, Baltimore Trust, PGP and other PKI company.

Why you need encryption anyway? Do you really need to encrypt your message?
Ask yourself, do you really need to encrypt your message? Do you think your recipient use encryption, if not it's useless.

I agree 100%. That's why I did not even mention it in my initial response.

[DomainsInc]

Quote:

Originally Posted by tristanperry

You can go with a reputable e-mail company (a paid one)

I personally just host my e-mails on my server though. Then I can have whatever@domain.ext as required. Plus it's my server (i.e. a leased dedi) hence I know it's 'secure' (as secure as can be, that is).

I've never fully understood why some people go with free hosting accounts from 'the big guys'. Especially since Google have zero customer service and Microsoft's products aren't exactly the best quality (in efficiency terms, etc) nor the most secure.

*Shrugs*

Each to their own I know

What do you do about spam? I have an account on one of my domains but it gets spammed to hell. I installed spam assassin and it stops most of the spam but also blocks the majority of legit emails. Running your domain email through a free service would be just as unsecure I would imagine. Not sure what the best way to go is...

[TheWatcher]

Simple answer.. Get your Google apps.

If you manage an enterprise email, adding MessageLabs services will help secure your email. I implemented this approach for years.

[draggar]

Quote:

Originally Posted by DomainsInc

What do you do about spam? I have an account on one of my domains but it gets spammed to hell. I installed spam assassin and it stops most of the spam but also blocks the majority of legit emails. Running your domain email through a free service would be just as unsecure I would imagine. Not sure what the best way to go is...

If you're worried about spam with your WhoIs / registrar contact this is what I did:

My gmail is my WhoIs contact but I have a different email address I use for a registrar's contact (password resets, updates etc..).

Moniker and GoDaddy allow this (1&1 does NOT and I haven't tried other registrars). You assign your private email when you set up the account (or change it to that) and when you register a domain (during checkout with GD, afterwards with Moniker) you change it to the gmail (or anyone with a good spam filter).

[tristanperry]

Quote:

Originally Posted by DomainsInc

What do you do about spam? I have an account on one of my domains but it gets spammed to hell. I installed spam assassin and it stops most of the spam but also blocks the majority of legit emails. Running your domain email through a free service would be just as unsecure I would imagine. Not sure what the best way to go is...

I've never had much to be honest.

But I check my e-mail through e-mail software on my computer, hence you can get software to block it on your end (and then you can configure it as needed)

SpamFighter (albeit for Windows) works pretty well.

[Doc Com]

I am currently looking at FuseMail and RackSpace.

I have heard nothing but very positive things about each of them.

Also, I have an email account with GoDaddy. I have had no issues with them whatsoever and have had zero downtime or security issues.

The RackSpace and FuseMail I am considering are for client accounts. But they have personal accounts available as well.

Quote:

Originally Posted by tristanperry

But I check my e-mail through e-mail software on my computer, hence you can get software to block it on your end (and then you can configure it as needed)

I use Thunderbird. Excellent almost to the point of being annoying due to all of their security controls.

[tristanperry]

Quote:

Originally Posted by Doc Com

I use Thunderbird. Excellent almost to the point of being annoying due to all of their security controls.

Thunderbird is a nice program

Yes, I use Evolution (on Ubuntu) and it has quite a good built-in anti-spam feature too.

[Doc Com]

Quote:

Originally Posted by tristanperry

Thunderbird is a nice program

Yes, I use Evolution (on Ubuntu) and it has quite a good built-in anti-spam feature too.

Is that Linux?

The point I thought was worth mentioning was even if you have an email account somewhere, it is nice to have another system like Thunderbird (or Evolution) as another layer of protection.

Outlook has been hacked and taken over so many times I am surprised if anyone still uses it.

So if email security is an issue, I am not sure there can be enough safeguards.

[tristanperry]

Quote:

Originally Posted by Doc Com

Is that Linux?

The point I thought was worth mentioning was even if you have an email account somewhere, it is nice to have another system like Thunderbird (or Evolution) as another layer of protection.

Outlook has been hacked and taken over so many times I am surprised if anyone still uses it.

So if email security is an issue, I am not sure there can be enough safeguards.

Yep, a Linux distro I used to use (and happily recommend) Windows, but Vista turned me off Windows for life. I know some people had good experiences with Vista, perhaps it just didn't like my computer ^^

I'd agree with that. The e-mail software on the client end should always be another layer of protecting.

And I agree with your views on Outlook/Windows Mail etc. Unfortunately quite a lot of people still use it for some odd reason.

[icen2345]

Personally, I think hushmail (www.hushmail.com) is the most secure email around. It has 4096 bit encryption (hushmail to hushmail) and, if you use java, it has also end-to-end encryption, meaning your password is encrypted on your computer before sending it to the server, so even hushmail.com doesn't know your password and cannot have access to your account!