Microsoft Outlook S/MIME Encryption
Microsoft Outlook has a native encryption feature. Microsoft Outlook uses S/MIME to send secure emails.
S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard for public key encryption and signing of emails. To make it work, all you need is an email address, an S/MIME certificate and a recipient who has S/MIME set up and configured as well.
While these requirements look reasonable, the process of exchanging S/MIME encrypted email is not necessarily what you would call user-friendly.
Unfortunately, that is not the only shortcoming of S/MIME encryption.
S/MIME is known to be vulnerable to a number of attacks:
- message takeover attack (a third party can intercept your message, modify it, and add their own signature);
- it uses the same encryption key every time (if the key is compromised, all encrypted messages can be read);
- it works only if the intended recipient uses the same encryption standard;
- the message has to reach the server before it can actually be encrypted;
- the server is doing all the decryption.
A breach could take place while the data is in transit to or from the server.
But you can use encryption only after keys have been exchanged, and that requires both the sender and the recipient to have S/MIME configured.
Moreover, if the recipient loses the certificate and stored keys, they can no longer view any of the emails that were sent and received.
This lengthy list of concerning issues makes the S/MIME standard a less desirable encryption solution.
How Good is Pretty Good Privacy?
Pretty Good Privacy (PGP) is software that encrypts your messages before you send them.
PGP works using public key cryptography. Both the sender and the recipient use their own key pair of private and public keys.
The public key is used to encrypt email. The private key is used to decrypt email.
If you want to use PGP to send someone an encrypted message, they also have to use PGP and, similarly to S/MIME, you both have to exchange keys first.
But this encryption standard has its own weaknesses:
- Does not protect against interception and man-in-the-middle type attacks;
- Digital signatures can be compromised to manipulate email integrity verification;
- Credentials, the private key and the password could be extracted if the physical device is compromised.
While being arguably a superior alternative to S/MIME, PGP cannot be considered a solution reliable enough to ensure complete communication security.
SSL / TLS Disadvantages
Secure Sockets Layer is an encryption protocol in which two computers initiate an encrypted communication channel.
When connecting to a server with SSL, the browser first requests an authentication certificate.
Once the certificate is verified, the computers negotiate an encryption method and then your browser sends an encryption/decryption key to the server.
Now, all communications during the session will be encrypted using the agreed-upon technique.
But every unencrypted email you send is a potential target for an attacker: it takes only one insecure server to gain access to your email.
Some providers use SSL/TLS to encrypt email. But it has drawbacks and isn’t completely safe:
- if a recipient doesn’t support SSL/TLS, an email will be sent unencrypted;
- emails have to be decrypted and re-encrypted every time they pass between servers.
Unfortunately, this solution is not without flaws either.