Sending Secure E-Mail?

scottalanmiller

@Pete-S said in Sending Secure E-Mail?:

Writing this I think the best way to use this for ordinary business use is to only send encrypted email when you are sending something sensitive, like passwords or stuff like that.

For sure, it makes way too many things way too much of a pain.

JasGot

Our customer doesn't want the city's bank account and routing info transported through e-mail. He was willing to do it if we could come up with a way that would guarantee it could not be read in transit.

He understands the sysadmins at each end can read it, and he understands that he has no control over what happens after it arrives at the recipient.

He, like me, has used systems that "appear" to provide a little more protection. ie; when my broker wants me to see a document, I get an e-mail that takes me to a web port. Once I log in, I can view the document.

The problem with this type of system is that a) we don't know if the employee at the state can visit any of these sites. b) we don't know if the employee at the state is willing to put forth the effort.

As for the PGP idea, we don't even know if the state employee is using an actual e-mail client.

So for know the customer really only has two options to alleviate his concerns: 1) continue sending by usps and wait a month or more for action, or 2) send an encrypted file as an attachment and HOPE the receiving mail server allows it, and HOPE the recipient will call and ask for the password.

With the possibility of little or no cooperation at the receiving end, the customer is basically SOL.

Dashrender

@JasGot said in Sending Secure E-Mail?:

Our customer doesn't want the city's bank account and routing info transported through e-mail. He was willing to do it if we could come up with a way that would guarantee it could not be read in transit.

I do believe there is another option, now that you have changed the rules to the bolded above. TLS, TLS gives you this. And this is something you can confirm beforehand.

JaredBusch

@Dashrender said in Sending Secure E-Mail?:

@JasGot said in Sending Secure E-Mail?:

Our customer doesn't want the city's bank account and routing info transported through e-mail. He was willing to do it if we could come up with a way that would guarantee it could not be read in transit.

I do believe there is another option, now that you have changed the rules to the bolded above. TLS, TLS gives you this. And this is something you can confirm beforehand.

If by confirm you mean refuse to send the email if the recipient server rejects the STARTTLS then yes.

scottalanmiller

@JasGot said in Sending Secure E-Mail?:

Our customer doesn't want the city's bank account and routing info transported through e-mail. He was willing to do it if we could come up with a way that would guarantee it could not be read in transit.

That's totally different than what was asked. Of course normal email cannot be read in transit. So all you have to do is enforce TLS instead of letting it be opportunistic and ta da, problem solved.

scottalanmiller

@JasGot said in Sending Secure E-Mail?:

With the possibility of little or no cooperation at the receiving end, the customer is basically SOL.

No, actually they are in great shape.

Because...

1. Any system that isn't using TLS for their email you have way, way bigger concerns and you shouldn't be talking to anyway.
2. You simply set to enforcing and everything is guaranteed to meet your needs.

It's a great situation and why most of us have no issues like this, because TLS meets the needs.

Danp

@JasGot said in Sending Secure E-Mail?:

He, like me, has used systems that "appear" to provide a little more protection. ie; when my broker wants me to see a document, I get an e-mail that takes me to a web port. Once I log in, I can view the document.

I have a need for such a system. Recommendations anyone?

scottalanmiller

@Danp said in Sending Secure E-Mail?:

@JasGot said in Sending Secure E-Mail?:

He, like me, has used systems that "appear" to provide a little more protection. ie; when my broker wants me to see a document, I get an e-mail that takes me to a web port. Once I log in, I can view the document.

I have a need for such a system. Recommendations anyone?

There are tons of these "web instead of email" systems out there. They are quite common and features tend to be quite close.

Dashrender

@scottalanmiller said in Sending Secure E-Mail?:

@Danp said in Sending Secure E-Mail?:

@JasGot said in Sending Secure E-Mail?:

He, like me, has used systems that "appear" to provide a little more protection. ie; when my broker wants me to see a document, I get an e-mail that takes me to a web port. Once I log in, I can view the document.

I have a need for such a system. Recommendations anyone?

There are tons of these "web instead of email" systems out there. They are quite common and features tend to be quite close.

And expensive - last time I looked Zix was like $5/user/month one of the big names in this arena.

scottalanmiller

@Dashrender said in Sending Secure E-Mail?:

@scottalanmiller said in Sending Secure E-Mail?:

@Danp said in Sending Secure E-Mail?:

@JasGot said in Sending Secure E-Mail?:

He, like me, has used systems that "appear" to provide a little more protection. ie; when my broker wants me to see a document, I get an e-mail that takes me to a web port. Once I log in, I can view the document.

I have a need for such a system. Recommendations anyone?

There are tons of these "web instead of email" systems out there. They are quite common and features tend to be quite close.

And expensive - last time I looked Zix was like $5/user/month one of the big names in this arena.

I think that they lean to the high side.

Dashrender

@scottalanmiller said in Sending Secure E-Mail?:

@Dashrender said in Sending Secure E-Mail?:

@scottalanmiller said in Sending Secure E-Mail?:

@Danp said in Sending Secure E-Mail?:

@JasGot said in Sending Secure E-Mail?:

He, like me, has used systems that "appear" to provide a little more protection. ie; when my broker wants me to see a document, I get an e-mail that takes me to a web port. Once I log in, I can view the document.

I have a need for such a system. Recommendations anyone?

There are tons of these "web instead of email" systems out there. They are quite common and features tend to be quite close.

And expensive - last time I looked Zix was like $5/user/month one of the big names in this arena.

I think that they lean to the high side.

sure they do - but $4/user/month is found everywhere... I think I've seen $3/user/month once, but that was a rare one a the time... but I haven't look for years.. there might be more competition today.

brandon220

Zix works as advertised and everyone is happy. Been using it for a while for about 10 users and can't complain. Their support is good if you need it.

jt1001001

we use Mimecast for filtering and the web feature is built in. Expensive though.

jmoore

@jt1001001 We use Mimecast here also. No complaints about it.

1337

@JasGot said in Sending Secure E-Mail?:

The dept is engaged in a grant program with the State Department of Environment…, which requires us to include our banking information on every reimbursement application.

Come to think of it, banking information is not really sensitive info, is it? If you send an invoice to anyone, they have your banking information.

The only risk here is a man-in-the-middle attack where banking information is changed on the application while it's being submitted. So that the money is transferred into another account.

So do the company send all their invoices and ordinary mail containing banking info by registered mail in locked containers, so it is secure from end to end?

If not, then email isn't any less secure.