When we send and receive emails, we can adopt a few precautions that make our correspondence with our contacts more secure.
First of all, we need to know the main fields of a standard email well, because this knowledge also lets us choose the best privacy option when sending a message.
As you know, the “To” field is reserved for the receivers of the email, the people you want to start a conversation with.
But this is not the only field reserved for recipients: Cc and Bcc are useful fields too.
Cc stands for Carbon copy, and you can use this field to add recipients who will not take part in the conversation; they just receive the mail.
Bcc is the field reserved for the Blind carbon copy. Functionally it is the same as Cc, but there is an important difference: the addresses of the recipients in the Cc field are added to the mail and are visible to everyone, whereas addresses written in the Bcc field are not visible to the receivers of the mail. As an example, you can use the Bcc field instead of Cc when you send a contact a mail with the date and time of a conference and send the same mail in Bcc to your Project Lead, without sharing his address with the contact. I also use the Bcc field to send a copy of my emails to my second address, for various reasons, without revealing my second email to the recipients.
The last standard field is Reply-To; this field indicates the reply address. If you want recipients to reply to a specific address, this is the field you are looking for: simply put the email address you want there and recipients will reply to that address.
A correct use of the fields described above (especially Bcc) translates into a smart privacy hardening of your conversations.
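As an added example (not code from the original post), the following Python uses the standard library's email module to show where the Bcc privacy property actually comes from: the blind-copy addresses go only into the SMTP envelope, and the Bcc header is removed from the message that travels to the recipients. The addresses, subject and body are constructed for the example.

```python
import copy
from email.message import EmailMessage

def build_message(sender, to, cc=(), bcc=(), reply_to=None, subject="", body=""):
    """Compose a plain-text message with the standard recipient fields filled in."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(to)
    if cc:
        msg["Cc"] = ", ".join(cc)
    if bcc:
        msg["Bcc"] = ", ".join(bcc)
    if reply_to:
        msg["Reply-To"] = reply_to    # where the recipients' replies should go
    msg["Subject"] = subject
    msg.set_content(body)
    return msg

def envelope_and_wire(msg):
    """Split a composed message into the two things an SMTP submission needs.

    The envelope recipient list is built from To, Cc AND Bcc, so blind copies
    are still delivered.  The bytes that travel with the message are a copy
    with the Bcc header deleted, so no receiver learns those addresses.
    """
    recipients = [a.addr_spec for h in ("To", "Cc", "Bcc") if msg[h]
                  for a in msg[h].addresses]
    wire = copy.copy(msg)   # same approach as smtplib.send_message: a shallow copy is enough
    del wire["Bcc"]         # because deleting a header rebinds the copy's header list
    return recipients, wire.as_bytes()

def leaks_blind_copies(wire_bytes, bcc):
    """True if any blind-copy address is visible in the bytes handed to the recipients."""
    return any(addr.encode() in wire_bytes for addr in bcc)

if __name__ == "__main__":
    # Constructed sample: the conference mail from the text, blind-copied to the Project Lead.
    bcc = ["lead@example.org"]
    msg = build_message("me@example.org", ["contact@example.com"], cc=["colleague@example.org"],
                        bcc=bcc, reply_to="team@example.org", subject="Conference",
                        body="Tuesday at 10:00, room 4.")
    rcpts, wire = envelope_and_wire(msg)
    print("envelope recipients:", rcpts)
    print("Bcc visible in msg.as_bytes():", leaks_blind_copies(msg.as_bytes(), bcc))  # True
    print("Bcc visible on the wire:", leaks_blind_copies(wire, bcc))                    # False
```

smtplib's send_message() performs the same stripping for you; code that hands msg.as_bytes() straight to sendmail() without deleting the header ships the blind-copy addresses to every recipient.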
While these precautions are useful to share with recipients only the addresses we want to reveal, to harden an email on the privacy side we have no choice but to use cryptography.
Encrypting emails is the only way to protect the privacy of communications, because even today there are emails that run through the net in clear text. And if you don't have your own private email server (maybe encrypted) but use, for example, GMail, you have to know that only the communications between the client and the Google servers are encrypted, while the emails themselves are stored in clear form.
Analyzing the text of emails to serve targeted advertising is the business chosen by BigG and many others, and thanks to it you get your free, almost infinite space to store your data. So for some communications the only way to maintain a full privacy profile is to encrypt the text with the PGP protocol, using implementations like gpg, or gpg4win if you are on Windows. Email clients like Mozilla Thunderbird or ClawsMail (shipped with the full gpg4win suite) are preconfigured to make the use of cryptography simple. Just check the documentation.
An important thing is that encryption doesn't work if it is used by only one side. That's elementary, so your company or you yourself have to promote and evangelize the use of cryptography, organizing courses and key signing parties, also with partner corporations, to be sure that you are starting (in the working environment or in private daily life) a good and private email communication channel.
Now let's talk about security. Basically, one of the easiest security enhancements in the use of email is disabling HTML rendering and composing. Check how to set up your client to use full plain-text mode, and you'll be spared many HTML exploit techniques (tracking pixels, hidden frames, etc.) that can reveal to a spammer that you actively use the address, track your behavior and even help plan a tailored attack on you.
HTML is not the main threat, and sometimes it is useful, but when you only have to send and receive text there is no reason to use it! You need bold? Just use “text like this” or «like this» while keeping the plain-text format, and ask your contacts to do the same, so you don't have to switch to plain text every time you have to read a suspicious email and then go back to HTML for your trusted contacts.
The next piece of advice is: do not open emails strongly suspected of being spam, or emails that appear to come from some bank, lottery, miraculous money prize and so on. When you receive a mail from a bank that looks like your bank, do not open it! Go to your bank, or to your bank's web page, instead and ask whether you have pending communications.
Spam emails often contain visible addresses that differ from the address you are redirected to when you click, and you'll land on a pirate website that looks the same as your bank's original one. Sometimes the link appears correct, but on closer analysis you'll find that some characters are different yet are displayed similarly.
Something like http://www.bank.com and http://www.bӓnk.com seem similar, but in fact the second link will take you to another website. Sometimes the characters are not even as distinguishable as in this example, and this is always a good reason not to click on links in emails not sent by our contacts, because they are untrusted.
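As an added example that is not part of the original post, the Python below covers two of the points above: it parses an HTML mail body with the standard library, reports remote 1-pixel images of the tracking kind mentioned in the HTML section, and for each link compares the host shown in the text with the host the link really targets, naming any non-ASCII or mixed-script characters (the bӓnk.com case) together with the punycode form the resolver actually sees. The sample body and the tracker.example host are constructed for the example.

```python
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_HTML = ('<a href="http://www.b\u04d3nk.com/login">http://www.bank.com</a>'  # constructed sample,
               '<img src="http://tracker.example/open.gif?id=7" width="1" height="1">')  # not a real message

def hostname(text):  # lower-cased host of a URL-like string, '' if there is none
    return (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()

def homograph_signs(host):  # reasons a host may be a look-alike of an ASCII name
    signs = []
    odd = [unicodedata.name(c, "?") for c in host if ord(c) > 127]
    if odd:  # say what the odd characters really are and what the resolver actually sees
        try:
            wire = host.encode("idna").decode()
        except UnicodeError:
            wire = "(not encodable)"
        signs.append("non-ASCII host (%s), sent as %s" % (", ".join(odd), wire))
    scripts = {unicodedata.name(c, "?").split()[0] for c in host if c.isalpha()}
    if len(scripts) > 1:  # e.g. LATIN letters with one CYRILLIC look-alike
        signs.append("mixed scripts: " + "/".join(sorted(scripts)))
    return signs

class MailAuditor(HTMLParser):  # collects (tag, url, problems) for links and remote images
    def __init__(self):
        super().__init__()
        self.findings, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href, self._text = a.get("href") or "", []
        elif tag == "img" and "://" in (a.get("src") or "") and "1" in (a.get("width"), a.get("height")):
            self.findings.append((tag, a["src"], ["remote 1-pixel image: fetching it reports that the mail was opened"]))
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            shown, target = "".join(self._text).strip(), hostname(self._href)
            problems = homograph_signs(target)
            if "." in shown and " " not in shown and hostname(shown) != target:
                problems.append("text shows %s but link goes to %s" % (hostname(shown), target))
            self.findings.append(("a", self._href, problems))
            self._href = None

def audit(html_body):  # elements of an HTML mail body that have at least one problem
    p = MailAuditor(); p.feed(html_body)
    return [f for f in p.findings if f[2]]
```

Run on SAMPLE_HTML, audit() flags the look-alike link on three counts (non-ASCII character, mixed scripts, text/target mismatch) and the tracking pixel once; a link whose text and target agree and that uses only Latin letters produces no finding.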
The same precautions must be taken with attachments. Attached files are the main vectors of malware infections via email. Opening an attachment from an untrusted sender is a risk, even if it's not an exe file.
Microsoft published a security advisory a few days ago that describes a vulnerability in Microsoft Word triggered by a maliciously formatted RTF document.
Until they release a patch to correct the bug, they advise Microsoft Exchange users to disable HTML parsing and automatic file preview, preventing an accidental opening of the file by MS Word and the resulting infection of the system. (http://technet.microsoft.com/en-us/security/advisory/2953095)
So, if you really need a suspicious attachment, check it with your antivirus, and maybe download it and open it in a safe environment.
These are just a bunch of ideas to keep in mind for a more secure use of electronic mail. Use none or all of these practices, as you need. Next I'll talk more about emails, secure authentication and communication with the server using the SSL/TLS protocols, and maybe write down some tutorials to apply in practice what I've written here.