Email Security
What Issues Does Email Usage Have?
The delivery of e-mails is a lot like ordinary postal delivery of postcards. Everyone with some professional knowledge is able to
- peek at the postcard, thus read it,
- write on the postcard, thus manipulate it, and
- send a postcard under a false name, thus forge it.
The reason for being able to read or manipulate e-mails is that plain e-mails are neither encrypted nor signed. This means that everyone, who can access parts of the delivery route, can tamper with them. Almost every e-mail provider uses transport encryption nowadays, which is good, but it only secures the transport from or up to the server of the e-mail provider!
As with ordinary postal delivery the address of the sender is not verified upon delivery, which enables forgery. Usually the address is verified before sending an e-mail. For example the WWU mail server "secmail.uni-muenster.de" only accepts e-mail addresses which match the user's account. But it is not possible to guarantee (globally) that all e-mails from uni-muenster.de or wwu.de are sent through this mail server to verify them.