
Can anyone tell me why email is still considered insecure?


G+_Ben Reese

Can anyone tell me why email is still considered insecure? I was listening to Security Now and Steve mentioned how dangerously insecure email is.

 

I get that the messages may not be encrypted when sitting on the servers and you have to trust the host for that, but messages to other users of the same host never have to leave their network. The argument could be made that messages sent to other hosts are sent unencrypted, but that's not necessarily the case anymore either since most of the big names use TLS. Is the only concern trusting your (and the recipient's) host?


Some servers may support encryption, so mail sent between them is encrypted, but many do not. I believe Gmail is encrypted, so sending to another Gmail user may be fine, but sending to a domain that doesn't support encryption means that the message is sent in clear text.

 

Email is generally very insecure, as are many old protocols, FTP for example.


Simon Bolduc I'm sure it's true that many mail services do not support TLS, but those services shouldn't be used lol. Google has a list of mail servers and the frequency of connections performed over TLS.

 

Email and FTP are insecure for different reasons, but have been made more secure using similar methods. Email servers can form an SSH/TLS connection first, then transmit the messages across that tunnel. SFTP, I think, builds an SSH connection first, then transmits across that. Plain FTP can be extremely dangerous as it can have login credentials but transmits those unencrypted as well. That takes insecure messaging to a whole new level if those same credentials are used for another purpose.


Travis Hershberger I should hope the message is being decrypted... The goal is usually for it to be read by a human.

Other than that, I don't think most of the messages I send are ever decrypted by anyone but my server choice and the recipient's server choice.

 

The real danger that I see is that it's tedious to check whether the recipient's server supports TLS or not. It's definitely not impossible though.

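The check described in the post above (does the recipient's mail server offer TLS?) can be scripted. This is an added example, not part of the original thread: the host names and sample EHLO replies are constructed, and finding a domain's MX host is assumed to be done separately.

```python
import smtplib
import ssl


def ehlo_extensions(reply: str) -> set[str]:
    """Extension keywords from a raw multi-line EHLO reply."""
    exts = set()
    for line in reply.strip().splitlines()[1:]:  # line 1 is the server greeting
        if line.startswith("250") and len(line) > 4:
            words = line[4:].split()
            if words:
                exts.add(words[0].upper())
    return exts


def offers_starttls(reply: str) -> bool:
    return "STARTTLS" in ehlo_extensions(reply)


def probe(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Live check of one mail exchanger: is STARTTLS offered, and does the
    handshake succeed with normal certificate verification?"""
    result = {"host": host, "starttls": False, "tls_version": None, "cert_ok": None}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return result  # mail to this host would travel in clear text
        result["starttls"] = True
        try:
            smtp.starttls(context=ssl.create_default_context())
            result["tls_version"] = smtp.sock.version()
            result["cert_ok"] = True
        except ssl.SSLError:
            # Encryption is offered, but the certificate does not verify for `host`.
            result["cert_ok"] = False
    return result


# Constructed sample replies (not captured from real servers).
REPLY_TLS = ("250-mx.example.test at your service\r\n250-SIZE 35882577\r\n"
             "250-starttls\r\n250 SMTPUTF8\r\n")
REPLY_PLAIN = "250-mail.example.test\r\n250-SIZE 10240000\r\n250 8BITMIME\r\n"

if __name__ == "__main__":
    print(offers_starttls(REPLY_TLS), offers_starttls(REPLY_PLAIN))
    # probe("mx.example.test")  # hypothetical host; needs outbound access to port 25
```

A result with `starttls` true and `cert_ok` false means the link can be encrypted but the server's identity is not verified, which is common for server-to-server mail.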

My point is that although email is now seldom insecure, it gets treated like it's always insecure. And that's certainly safer than treating it like it's always secure, there are rules that we can follow and be fairly certain that there won't be any issues. Ultimately it would be better to secure the messages from client to client, but everything online is leaps and bounds more secure than the 10-year-old reference models that we all used in school.
