Is It Possible To Have Email Security Without OpenPGP/S-MIME?
To receive email, it requires that a system is configured to reach the mail server and manually ask it for the delivery of stored emails (Post Office Protocol). However, since around 1998, push-type email that notifies recipients in real time when email reaches the server starts to appear, it became standard across the board from powerful workstations to smartphones. Push-type e-mail can deliver information quickly at any timing of the sender, and it can also lead from a mail approach to a pull-type media such as a website. However, due to the high push power, depending on the frequency of transmission and the time of day, it becomes an inconvenience for the receiver, which will result to spam attacks if not regulated by either the email policies set up by the user or the email administrator.
Email already reached the level of commoditization, where it is now a daily communication tool used for communication between workplaces and individuals. Although SMS and online messaging services provide strong competition and much more convenient to use, e-mail is still useful for announcing products and services to many people. For advertisers and corporate users with high work collaboration needs, it is easier to retrieve the contents of sentences and attached files for collaboration from email than other forms of media. As emails continue to be used without changing to another thing, countermeasures against spam mail continue to be an important issue, and it can be said that the security of files sent and received among organizations such as enterprises is still being debated.
Security concerning email domain name and sending server called sending domain authentication. Spam emails and impersonating mails may be sent by falsifying the correct sender’s domain name. By the use of a fraudulent domain name, the possibility that the recipient will open will be increased, or the restriction of the mailing list restricting the sender will be stuck with it. It is unfortunate that only a minority of users take advantage of email authentication and encryption system for sending and receiving email. It is called OpenPGP and S/MIME, it is, however, being ignored by many due to the inconvenience of pre-sharing the public key between the sender and receiver of the mail.
PGP/MIME is an application of OpenPGP/MIME (Multipurpose Internet Mail Extensions) which is an extension of mail, and it is confirmed in the mechanism and usage of OpenPGP whether the key belongs to the person. Basically, it is called “Web of Trust” that provides email security so that the recipient can check the likelihood of the key through the verification degree of the user’s key and the signature on the key. Since the user himself generates the key and checks the key of the person to exchange, the result of the check is certain for the user who has mastered the usage. Exact confirmation of the identification through a public-private key system is a good system prevent Spam emails as well. In the case of S/MIME, the certificate authority confirms the certainty of the partner’s key, not by the user himself. S/MIME that uses a certificate authority is suitable for many users when using a certain confirmed key.
Until the majority embrace PGP/S-MIME, the minimum email security mechanism that system administrators can implement is the installation of an anti-spam system. Such action requires the company to spend money in order to acquire an effective defense for the malicious emails that may enter the system. But for the meantime, please follow the tips below for safer email handling
- Disable HTML-based email, stick with text-based only email display. HTML-based email can run scripts, provides clickable links (which may point to a malicious site).
- Always update to the latest version of the email client. The newer version comes with the latest patches for the discovered vulnerability.
- Never believe claims you read in an email message. Try contacting the actual sender through other means and verify if the suspicious email came from him.
- Check your email provider if they provide a default anti-spam and anti-phishing features.