All the main webmail providers (Gmail, Yahoo, Outlook.com) use SSL as the default connection mechanism.
But how does SSL (Secure Sockets Layer) on email work? Does it really make your email secure, and should you use it?
I recently got an email from my email provider about improvements to email security, and what I should do.
Here is an excerpt
The method being used to secure the email (SSL) is standard on the web for ecommerce transactions, and provides an encrypted connection between a client (an application on your PC) and the web server.
If you access your email using a web browser (webmail) then your login credentials, and the email that you send or receive, are encrypted on that connection.
This is done automatically by the main email providers (Gmail, Yahoo, Outlook.com), and you don’t need to take any action.
When accessing your email you should notice the padlock icon to the left of the address bar. This indicates that the connection is encrypted.
However, if you access your email using an email client like Outlook then you will need to reconfigure the client to use SSL.
Is SSL Enough?
Although it is a good start, it doesn’t mean that your email is totally secure.
This is because email that is sent through the email network is unencrypted, and is stored unencrypted.
The diagram below might make this a little clearer
The only way to completely secure your email is to encrypt the email itself, and not just the email connection.
However, encrypting the email doesn’t protect your email login details. This has to be done by using SSL to encrypt the connection.
Encrypting email is a little more difficult to set up as it involves the exchange of encryption keys, and is generally only done in rare circumstances, and then only between selected users.
To completely secure your email you need to encrypt it, and then use SSL to encrypt the Internet connection.
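As an added illustration (not part of the original article), the Python sketch below reads the Received headers of a constructed sample message and reports, hop by hop, whether the receiving server recorded a TLS-protected transfer. The hostnames and the message are made up for the example; the protocol keywords are the transmission types registered in RFC 3848.

```python
import re
from email import message_from_string

# Constructed sample message (not from the original page). Each server
# prepends its own Received header, so the newest hop is at the top.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [203.0.113.5])
\tby inbox.example.org with ESMTP id 3C; Mon, 1 Jan 2024 10:00:03 +0000
Received: from laptop.example.net (unknown [198.51.100.7])
\tby mx.example.net with ESMTPSA id 1A; Mon, 1 Jan 2024 10:00:01 +0000
From: alice@example.net
To: bob@example.org
Subject: test

hello
"""

# RFC 3848 "with" keywords that indicate the transfer ran over TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.S | re.I)

def hops(raw):
    """Return (from_host, by_host, protocol, tls_used) tuples in delivery order."""
    msg = message_from_string(raw)
    result = []
    # Reverse so the first hop (client to its own server) comes first.
    for header in reversed(msg.get_all("Received", [])):
        m = HOP.search(header)
        if m:
            proto = m.group(3).upper()
            result.append((m.group(1), m.group(2), proto, proto in TLS_PROTOCOLS))
    return result

def unencrypted_hops(raw):
    """Hops where the receiving server did not record a TLS transfer."""
    return [h for h in hops(raw) if not h[3]]

if __name__ == "__main__":
    for src, dst, proto, tls in hops(SAMPLE):
        print(f"{src} -> {dst}: {proto} ({'TLS' if tls else 'no TLS recorded'})")
```

In the sample, the client's connection to its own server is encrypted but the onward relay is not, which is the gap described above. Received headers are written by the servers themselves, so treat them as a report rather than proof.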
Receiving Errors When Using SSL
If you use a virus checker to check your incoming email then you will probably get an error informing you that, because of encryption, the email cannot be virus checked (screenshot below).
Should You Use it?
If you use webmail with Gmail, Yahoo Mail or Outlook.com then your email connection will be automatically encrypted.
Virus scanning isn’t a problem as the email is only encrypted on the connection and not in the mailbox.
None of the main providers provide email message encryption direct from the email client.
If you use an email client like Outlook then you need to weigh the risks of not encrypting against virus infections.
Personally I currently only use SSL on email clients (Outlook etc.) if the provider forces me to do so.
Common Questions and Answers
Q- I’m using Windows Live Mail to access my Yahoo mailbox using IMAP4. Is my email encrypted?
A- Yes, Yahoo Mail enforces SSL, but you will need to configure your email client to use SSL. See Accessing Yahoo Mail Using WLM and IMAP4.
Q- I’m using Windows Live Mail to access my Gmail mailbox using IMAP4. Is my email encrypted?
A- Yes, Gmail settings enforce encryption of IMAP4 and SMTP. See Accessing Gmail Using WLM and IMAP4.