Many Web Mail providers make a big deal of giving you the option of using HTTPS (Secure HTTP Web Access) instead of HTTP (Standard Web Access) to your email account. When you type HTTPS://mail.some-provider.com, if properly supported, you definitely engage an SSL (Secure Socket Layer) Certificate that fully encrypts every keystroke you type and every thing that you view. It is a secure connection between your computer and the web email provider.
The problem and major misunderstanding is that only thing “secure” is the connection between your computer and your email provider. Once you type an email message and press the SEND button, your message goes out in to the wild Internet in “clear text” just like the text on this web page. A message sent in clear text can be read at any point during its’ journey from your email provider to the recipients email provider. From a practical standpoint, even though your email message may pass through a number of Mail Servers on its’ way to the recipient, the likelihood that it will be intercepted is remote. Most email messages “travel time” from sender to recipient is a matter of seconds.
You may be thinking, “But I am sending from my Gmail account to another user on Gmail. Why is that message not secure?” Again, even though both the sender (you) and the recipient may have a secure HTTPS:// connection to Gmail, the message will be transported in “clear text” as it moves either between the various Gmail Servers and Mail Accounts.
The exposure to prying eyes is significantly reduced when sending to and from the SAME domain name such as email@example.com to firstname.lastname@example.org as the message never leaves the Internet Providers Network. However, remember the message is still in “clear text” and can be easily read by a System Administrator or anyone else who may have access to the message during its’ journey. Realize extremely large Internet Providers have many email servers in many locations and most have secure connections between their locations but some use the Public Internet instead.
There is an exception to the above: If you are using a Corporate Email Server such as Microsoft Exchange or Lotus Notes and are sending intra-company mail, that is mail that is to and from other users in your organization with the SAME domain name, i.e. email@example.com and firstname.lastname@example.org, then all mail will be 100% secure. This is because there is either a secure HTTPS:// (SSL) or TLS (Transport Layer Security) protocol engaged between your email client, Microsoft Outlook, and the Microsoft Exchange Mail Server and all email is stored in encrypted format in the Microsoft Exchange Mail Database. The same holds true for Lotus Notes. (Caveat: Although usually configured to be “secure” by default, in some cases, Microsoft Outlook or Outlook Web Access may have been configured to use a standard non-encrypted connection instead of a secure one. Check with your Corporate IT person to confirm.)
Keep in mind that both the Government and Criminals may have “sniffers” setup at various points on the Internet. This allows the snooper to view every single data packet, like the ones containing your email message, and read it.
With the trillions and trillions of data packets and email messages moving across the global Internet daily, the risk that your specific email message containing sensitive or confidential information will be intercepted is remote but the potential is very real.
Using a secure connection to your email provider is not enough. If you or your Company are the specific target of a Government Agency or Hacker, the only solution is to properly encrypt your message. Otherwise, the contents of that document or the photo attached might just make the cover of the New York Times.
[A future article will discuss options for encrypting email messages.]