14 Sep 2007

On iPhone, Secure E-mail, and other things

Author: q | Filed under: SBS, Uncategorized

I”ve mentioned the iPhone in previous posts and how I don”t think it”s really ready for prime time in the business community. Again, don”t get me wrong, I think it”s an amazing device, but for the folks that I consult with on a regular basis,it”s just not going to be “all that” for them as a business communication tool. I do have a couple of clients running the iPhone, and one of them even tried to return it because it wasn”t really doing what he wanted (I should also note that he purchased his iPhone prior to consulting with me about it).

Still, there are ways to get some level of e-mail communication set up with a Small Business Server or other Exchange server, but it requires some configuration changes on the back end of the mail server, and I”ve put up a couple of posts about doing just that (one for SBS Standard, one for SBS Premium with ISA 2004 to be precise). 

I really should have put together something like this a long time ago, because as much as I like IMAP, it has the same core problem that POP3 e-mail does – the entire transaction is done over the Internet in clear text. No only are your username and password clearly visible to anyone who happens to be sniffing your network transaction,but all your e-mail contents are transmitted in the clear as well. By setting up IMAP communications over SSL,the entire transaction is encrypted, thereby protecting your account credentials. Unfortunately, the body of the message, unless it was an internal to internal communication, has already been sent in clear text across the internet when it was sent to you in the first place.

And I guess that”s really my core point here – e-mail is NOT a secure communication medium. If you have confidential information you need to transmit to someone else, sending that information via e-mail is not going to get it there securely. Sure you can take steps to secure e-mail communications. You can read and compose your e-mail using Outlook Web Access over SSL (note that not all Outlook Web Access servers communicate via SSL). You can set up your remote e-mail client to use IMAP over SSL, or Outlook over SSL, if your back end mail server supports it. You can get an e-mail certificate that can be used to encrypt individual e-mail messages. But these are all extra steps an will not guarantee secure communications every time. If you mail server does not support IMAP over SSL, Outlook Web Access over SSL, Outlook over SSL, or another secure communications interface (how many web-based mail services actually have you both log in and compose/read e-mail over a secure web interface) then at least one portion of your e-mail communications will be sent across the wire in clear text. If you have an e-mail certificate, but the person you want to send to does not, you will not be able to encrypt an e-mail message to that person.

Yes, there are ways to secure e-mail. It will take some effort. Last year, I had reason to have secure communications with a local vendor that I worked with. My side was secure (Outlook over SSL, Outlook Web Access over SSL, etc.) and we both had e-mail certificates so that I could encrypt messages to him, and he to me. I feel fairly certain that those encrypted messages we exchanged were as secure as reasonably possible. But one he received and decrypted the message, Ihave no idea if or how it stayed secure afterward.

So if you”ve been thinking that e-mail is a nice, convenient, and SECURE way to communicate with business or other associates, please clear this myth from your mind. If you haven”t had to jump through a few hoops to set up secure e-mail, you don”t have it.

This sounds like a good topic for a radio show. I”ll probably work that in for next week”s eOnCall episode. 

Leave a Reply