Are E-mail attachments encrypted with SSL?

evansste

I'm using an old laptop computer that is running Windows 98 and Outlook Express 5. In setting up Outlook Express I have noticed that it requires that I use a digital ID in order for me to send and receive messages securely. This is the only version of Outlook that I've come across that requires this. Other versions of Outlook are able to be set up with SSL without requesting a digital ID.

I often use attachments with E-mails that I send and receive. Does SSL affect whether or not these attachments are secure, or does SSL only secure the actual E-mail message contents that are sent/received, and not the attachments that are sent with the E-mails?

I care more about securing the attachments rather than the message contents of the E-mails that I receive. I'm tempted to just set up Outlook without SSL. But if I do this, will the attachments for the E-mails that I receive be unprotected?

Thanks for your time, and I appreciate any help that anyone is willing to offer on this matter.
 
A few points to note here (and I'll try to keep it brief)

1) Mail clients don't use SSL in the conventional web (HTTPS) sense; they use public-key cryptography certificates on both ends (sender and receiver, rather than just the web server in HTTPS).

2) This certificate is essentially what you're referring to as a digital ID, and in order for you to converse securely (attachments or content) you need to share the public key with anyone who you want to send email to. Note: This provides non-repudiation only (often called your digital signature - proving it was you who sent the message); you need the recipient's public key in order to actually encrypt the contents such that only they can decrypt it with the corresponding private key.

3) Encryption does provide protection for both message contents and attachments; however, if attachments are all you care about (and in my opinion there would have to be a compelling reason not to encrypt everything anyway) then you can just use software such as 7-zip and create an encrypted archive. This you can then attach and send with a plaintext (unencrypted) email without recipients needing your digital ID. HOWEVER...

4) ... your problem then becomes 'key-management' i.e. sending your recipient the key you used for 7-zip, now this could be done over the phone or IM or some other channel, but is inevitably significantly less secure as either a) the recipient will write it down - and you will reuse the same key because you're human - or b) the IM will be insecure and/or seen on screen by someone else

In summary, yes disabling 'SSL' will remove all security, attachments and contents, unless you adopt a secondary mechanism such as that outlined above.
 
Thanks so much, _michaelm, for responding to my post.

You've given me a lot of valuable information that I wasn't aware of.

I have a website and my webhost offers me a free E-mail address. On their control panel, they mention that I can use programs like Outlook Express in order to send and receive E-mail. They give the information needed, such as server names, and port numbers, in order for me to set it up with Outlook Express. When giving this information, they showed two different sets of data (server names, and port numbers) that I can use. They show that one set is used for SSL, and the other is non-SSL.

With Outlook Express, on my machine that runs Windows XP, I was able to use the SSL data, given by my webhost, and Outlook didn't ask me for any sort of digital ID/digital certificate. Everything worked fine with that machine. However, it's only on the Windows 98 machine that Outlook asks me for the digital ID. But based on what you said, it seems that even if I did have a digital ID, that still wouldn't make Outlook work with the SSL server names and port numbers given by my webhost. Am I understanding this correctly?

If that's the case, then I suppose my option would be to try to use a newer version of Outlook in hopes that it will be like the version that's running on the Windows XP machine. My thought is that only the older versions require digital certificates, but I could be wrong about this.

Thanks for the idea of using 7-zip. It seems to involve more steps than getting a version of Outlook that doesn't require a digital ID. But at least I wouldn't have to go through the trouble of finding a version of Outlook that is newer than the one that I have, but is also still old enough to work with Windows 98. For that reason, 7-zip may be something to think about.

I have an old version of Eudora that I used to use a long time ago. I tried to use that instead of Outlook Express, but I couldn't get it to work. I also tried updating Internet Explorer, in hopes that it would give me a newer version of Outlook Express, but wasn't able to get that to install either. It seems that not many of today's programs want to work with Windows 98, or that Windows 98 isn't nearly as plug-and-play friendly as Windows XP.
 
Glad I could be of help.

Firstly, I'd be concerned that Outlook on your XP machine was 'working with SSL' despite you not providing a digital ID - this sounds a little out of place.

Secondly, it is worth saying that when your webhost is referring to 'secure email' in this context, what they actually mean is your email client (i.e. Outlook) connects securely to their mail servers. From this point onwards (i.e. between your webhost's mail server and Gmail servers - in the case where the recipient is a Gmail user) the email is unencrypted and visible to all intermediary mail servers en route.

Fundamentally, email is an unencrypted medium due to significant dependencies on well-established technologies such as mail relay servers etc. In order to get end-to-end security you must use independent certificates (i.e. digital IDs) or another form of encryption.
 
I can live with not having end-to-end security -- especially if I have to pay more for it, such as buying a digital certificate. If I can have security between my computer and my webhost's server, that may be good enough for me. I was content when Outlook, on the Windows XP computer, worked with the SSL option that my webhost provided. It's only when I tried to use Outlook on the Windows 98 computer that I became concerned because it won't let me use the SSL server names and ports that my webhost provides.

I don't know why Outlook on the Windows XP computer works with the SSL server names and ports. I'm away from my home, so I can't say what the "security" tab section of Outlook says on that computer. I do remember that it didn't ask for a digital certificate, unlike the one on the Windows 98 machine. Instead it said something to the effect of using some sort of encoding algorithm like "SED3", or something. I'd have to look at it again in order to repeat exactly what it says. Unfortunately, I'm out of town right now, so I can't look at it.

Thanks again for your response. When I get back, I'll look at that "security" tab in Outlook. Then I'll be able to describe exactly what encoding algorithm it's performing.
 
The algorithm you're referring to is 3DES (pronounced triple DEZ) and is 3 passes of the symmetric cipher 'Data Encryption Standard' - it is the precursor to AES (Advanced Encryption Standard) and you should also note that it is an encryption cipher, not an encoding scheme. The difference is subtle, but significant. Consult Stack Overflow for a concise comparison of the two.
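
An added example, not part of any post in this thread, illustrating two points from the replies above: an attachment is just another MIME part of the same message, so anything that protects (or fails to protect) the message on the wire applies to the attachment too, and the base64 wrapping around an attachment is encoding, not encryption. The addresses, file name and contents are constructed sample values.

```python
import base64
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample data; example.com is a reserved documentation domain.
BODY = "Quarterly figures attached.\n"
ATTACHMENT = b"account,balance\nsavings,1200\n"


def build_message() -> bytes:
    """Return the bytes a mail client hands to the SMTP server:
    one message, with the body and the attachment as MIME parts."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Report"
    msg.set_content(BODY)
    msg.add_attachment(ATTACHMENT, maintype="application",
                       subtype="octet-stream", filename="report.csv")
    return msg.as_bytes(policy=policy.SMTP)


def read_like_a_relay(wire: bytes) -> dict:
    """Parse the wire bytes with no key at all, as any server that
    handles the message unencrypted could."""
    msg = message_from_bytes(wire, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content().strip()
    attachments = {part.get_filename(): part.get_content()
                   for part in msg.iter_attachments()}
    return {"body": body, "attachments": attachments}


def attachment_is_only_encoded(wire: bytes) -> bool:
    """True if the attachment's plain base64 text appears in the message,
    i.e. it is reversible by anyone and protected by nothing."""
    return base64.b64encode(ATTACHMENT) in wire


if __name__ == "__main__":
    wire = build_message()
    seen = read_like_a_relay(wire)
    print("body seen in transit:      ", seen["body"])
    print("attachment seen in transit:", seen["attachments"])
    print("attachment merely base64:  ", attachment_is_only_encoded(wire))
```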
 
Thanks, _michaelm.

Who would have thought that so much thought, and security, would go into sending E-mail messages. It's good stuff to know, though.

I'm beginning to think that my best course of action is to only use E-mail for information that isn't very sensitive to begin with, rather than trying to focus on securing it. I could upgrade my hardware and software, but that would nearly defeat the purpose of me using it. My goal was to put this old hardware to use on a project that would allow me to pursue it without spending any money on new hardware or software. The good news is that I can at least use my old hardware to send E-mails. The bad news is that it won't be secure.

Thanks for helping me with this. All of the information that you've given has been very helpful.
 