After 40 years, email is finally getting changed — a bit!

The killer app that has just never changed

Introduction

Most people have their embarrassing email stories, where they replied to a distribution list by mistake or included the wrong recipient. In a post-GDPR era, email just has too many risks to continue as it is.

It is the application that made the Internet, but increasingly it can be seen as the child that hasn’t grown up.

So, in 1982, after the classics of IP and TCP, came Simple Mail Transfer Protocol (SMTP) with RFC 821. Then, in 1992, we saw the standardisation of POP-3 (https://tools.ietf.org/html/rfc1725) and, two years later, IMAP 4 (http://tools.ietf.org/html/rfc1731).

Since then little has really changed. Tunnelled versions of the protocols were developed (SMTPs, IMAPs and POP3s), which protect the email while it is being transmitted. Once the email is out of the tunnel, though, it is unprotected and can be read by anyone with administrator access. Today, too, we still receive spam emails from senders pretending to be someone else, and our emails are open to those with administrative access to our email. Very little in email can be trusted, as it can be easily modified, and read by those who were not meant to access it.

Email grows up — a bit

In a GDPR era, email just carries too many risks to continue on as it is. If you’re an academic, and you have marks that you want to send to your colleague, you might click the wrong recipient, and your marks go to an external contact, who then forwards them to the press.

Now Microsoft and Google acknowledge the problems, and have started to roll out new features which, at least, improve the security of email:

  • Outlook adds new security features which define how secure the email should be, including a feature that stops the recipient from forwarding or copying the message. Along with this they have added a feature that stores encrypted email, and encrypts attachments.
  • Google has added a feature that deletes an email after a given time limit.

Within Microsoft’s new features is end-to-end encryption and, on their OneDrive infrastructure, file recovery from ransomware attacks. As a great improvement in security, they have also added password-protected links.

One of the most powerful features of the Microsoft update is the prevention of forwarding and copying of emails, along with the encryption of attachments. For end-to-end encryption, there’s a bit of smoke and mirrors here: it is not properly encrypted email, such as with PGP, but protects the transit of the email (as some providers still do not encrypt their email transit). Microsoft does add encryption features for the message, where the recipient receives an email that points to a trusted Office 365 page, along with a one-time passcode to read the email. Along with this, the system can detect when there are sensitive details in the email, such as credit card details, and automatically encrypt it.
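As an added illustration (not from the original article, and not Microsoft's implementation), the kind of sensitive-detail check described above can be sketched as a scan of the subject and body for digit runs that pass the Luhn checksum, with a match marking the message for encryption. The function names, the `encrypt`/`send` labels and the sample message are assumptions constructed for this example.

```python
import re
from email import message_from_string
from email.policy import default

# 13-19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit counting from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_card_numbers(text: str) -> list[str]:
    """Return digit strings that look like card numbers and pass Luhn."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):  # drops order refs, phone-like runs, etc.
            hits.append(digits)
    return hits

def outbound_policy(raw_message: str) -> str:
    """Hypothetical policy: 'encrypt' if subject or text body holds a card number."""
    msg = message_from_string(raw_message, policy=default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = (msg["Subject"] or "") + "\n" + (body.get_content() if body else "")
    return "encrypt" if find_card_numbers(text) else "send"

# Constructed sample; 4111 1111 1111 1111 is a widely used test card number,
# while the 16-digit reference fails the Luhn check and is ignored.
SAMPLE = """\
From: alice@example.com
To: bob@example.org
Subject: Conference booking

Please charge the fee to 4111 1111 1111 1111, ref 1234567890123456.
"""

if __name__ == "__main__":
    print(outbound_policy(SAMPLE))
```

The checksum step is what keeps long reference numbers from triggering the policy, though it only inspects text parts and would not see card numbers inside attachments.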

Conclusions

These features are all excellent, but we must ask: Why haven’t we had these before?

Overall it is a small step forward, but it is the way that email should be set up. With PGP we see properly signed emails that are encrypted, and we do not have to use a specific platform. The features added here are all specific to their creator, and lock organisations into vendors.

My advice … start using WhatsApp or Telegram for your sensitive communications, and stop using email for anything that you would worry about being leaked. Like it or not, Word, PowerPoint and Excel have little in the way of proper control of their documents, and this is likely to be the greatest weakness.

Here is some background on PGP: link.