Buying Guide: Secure Your E-Mail and IM Communications
Wired and wireless networks can be easily snooped. What does that mean to you? Anyone with a computer on your network—or in your area, if you use wireless access—can monitor your communications, unless you make sure those communications are secured.
Securing E-Mail
You can easily and simply upgrade your e-mail to be secure and private. A free e-mail security certificate will certify that all of your outgoing messages really came from you and have not been altered. And if your correspondents use certificates as well, then exchanging keys with them will securely encrypt any e-mail between you, protecting it from snooping eyes.
All this protection is accomplished through the use of public and private keys, without the need to exchange passwords over insecure channels. The first step is to get a certificate for your mail program. Comodo and Thawte (www.thawte.com) both provide free and nearly instant certificates for your e-mail. Submitting a form with your name and e-mail address generates a certificate request that is confirmed when the company sends an e-mail to that address asking you to collect the requested certificate. You'll need to make sure to add the company's system to your list of trusted sites for it to work. Thawte's certificates are more general-purpose, but currently you can't request one from IE7 (although you can from Firefox and then export it for later use in other software). Comodo offers nearly instant response as well, but make sure to select the Advanced option on the certificate request and check the "exportable" box so that you can back up your key—essential for recovering any information encrypted with it should you lose the original key.
If you requested and retrieved the key from IE (note that you must retrieve the key from the same machine on which you requested it), then it is already installed and ready to use in Outlook. Simply press the Digitally sign button on the message composition window and your outgoing mail will be signed, certifying that it came from you and is unaltered. The recipient will see a small medallion icon when signed mail arrives. (Signatures appear in desktop clients like Lotus Notes, Outlook, and Thunderbird but not currently in Gmail.) If a virus- or spam-scanning program alters a message, then the recipient will get a warning saying that the message may have been altered.
You can set Outlook to sign all outgoing messages in the Trust Center of Outlook 2007 or in Options for previous versions of Outlook. If you want to read your e-mail on more than one machine, you'll need to export your certificate from the machine you received it on and import it onto your other machines. Don't try to get a different certificate for each machine—it'll be a mess if you start encrypting messages with different certificates.
To securely encrypt e-mail requires one more step. First, you need to receive a signed e-mail from the person you want to exchange messages with and then add that person's certificate to your system. With Outlook this is as easy as right-clicking on the From address on a signed message in the message header and choosing Add to Outlook Contacts. Once you save the new contact, the contact's certificate is also saved and will be used automatically when you encrypt an e-mail to that user. If you don't have a certificate for a user, then you'll receive an error when you try to send that person an encrypted message. You can also manually import or export certificates that users send to you, but it is much easier just to do it with an e-mail message exchange. When the recipient gets your encrypted e-mail, it'll display with a small lock in the header window. Note that it won't display in the Outlook preview window once it is encrypted; the recipient will need to open it to read it.
Remember to make a full backup (including the private key) of your certificate if you are going to use it to encrypt mail. Otherwise, if you lose it you won't be able to read the mail. You can back up your certificate by exporting it from the Trust Center of Outlook 2007, the Import/Export button on the Security tab of earlier versions of Outlook, or from the Tools | Internet Options | Content | Certificates dialog in IE. Of course, this is the same procedure you will have followed already if you use the same e-mail account on multiple machines.
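As an added illustration (not part of the original article), the signing, alteration warning, encryption and lost-key behavior described above can be reproduced with the openssl command-line tool. The alice/bob names, example.test addresses and self-signed certificates are constructed stand-ins for the CA-issued certificates the article describes.

```shell
#!/bin/sh
# Added example: S/MIME sign, alter, encrypt and decrypt round trip.
# Requires the openssl CLI. All identities and the message are constructed.

smime_demo() (
    work=$(mktemp -d) || exit 1
    trap 'rm -rf "$work"' EXIT
    cd "$work" || exit 1

    # One key pair and certificate per correspondent (self-signed for the demo).
    for who in alice bob; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=$who@example.test" \
            -keyout "$who.key" -out "$who.crt" 2>/dev/null || exit 1
    done
    printf 'Meet at noon.\n' > msg.txt

    # Alice signs with her private key; the body stays readable (clear-signed).
    openssl smime -sign -in msg.txt -signer alice.crt -inkey alice.key \
        -out signed.eml 2>/dev/null || exit 1

    # Simulate a scanner or relay rewriting the body in transit.
    sed 's/noon/nine/' signed.eml > altered.eml

    # The recipient checks a message against the certificate saved for Alice.
    check() {
        if openssl smime -verify -in "$1" -CAfile alice.crt \
            -out /dev/null 2>/dev/null
        then echo valid; else echo ALTERED; fi
    }

    # Encrypting to Bob needs only Bob's certificate (his public key).
    openssl smime -encrypt -aes256 -in signed.eml -out enc.eml bob.crt \
        2>/dev/null || exit 1
    if grep -q 'Meet at noon' enc.eml; then wire=readable; else wire=opaque; fi

    # Bob's private key opens it; any other key (or a lost one) does not.
    if openssl smime -decrypt -in enc.eml -recip bob.crt -inkey bob.key \
        -out dec.eml 2>/dev/null && grep -q 'Meet at noon' dec.eml
    then bob=decrypted; else bob=failed; fi
    if openssl smime -decrypt -in enc.eml -recip alice.crt -inkey alice.key \
        -out /dev/null 2>/dev/null
    then other=decrypted; else other=locked-out; fi

    echo "$(check signed.eml) $(check altered.eml) $wire $bob $other"
)

smime_demo
```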
There is another "gotcha" when you're signing e-mail with Outlook. Since Outlook has no way of knowing whether the recipient also has a certificate, it provides a simple option to "sign all e-mails." But if you send a signed e-mail to a Windows Mail user, the recipient will not be able to reply. That is because, for some reason, Microsoft has made it a default for Windows Mail to send signed mail when replying to signed mail—a problem if the user has yet to set up the certificate process. Windows Mail users can change the policy, but because they are usually unprepared for this problem when it first occurs, I don't recommend asking Outlook to sign all your mail. Instead simply click the "Sign" icon for messages you know are going to recipients with their own certificates.
"One-Click" Secure E-Mail Solution from PGP
If you or your organization is serious about securing your e-mail, then PGP Desktop is worth a look. As a commercial product, it nicely integrates all the steps you need to take to secure your e-mail—so you don't have to go through a separate process of requesting certificates. Instead, the software itself connects with the PGP Global Directory, authenticates your e-mail address, issues a key pair for you, publishes your public key to the directory, and then automatically signs and encrypts any e-mails you send to another PGP user.
Aside from the one large caveat that your correspondents also need to use PGP for this to work transparently, it's a quick and painless solution to the encryption problem. As a bonus, PGP Desktop can also secure portions of your hard drives as virtual drives, encrypt individual files, and "shred" information so it cannot be recovered. What's more, PGP includes a policy editor to enable you to tweak your encryption and signature settings.
Securing Your Instant Messages
What happens in IM doesn't necessarily stay in IM. Anyone on your network can easily tap into your IM packets and extract your message content. (See the screenshot at the beginning of this article for an example of what a snooper might see.) The ideal solution is full end-to-end encryption—that way even your service provider doesn't have access to your messages and can't accidentally let them get out.
Several small utilities let you secure your IM when you communicate with another user of the same utility. Two of the most popular are IMSecure from ZoneAlarm—a small utility that's also wrapped into the company's ZoneAlarm Internet Security Suite—and Simp from Secway (www.secway.fr/us/products). Both come either as limited-functionality freeware for single IM accounts or as fully functional Pro versions to secure multiple accounts.
For those who want a simple solution, one free alternative is the built-in Secure-IM functionality in Trillian for AIM users. As long as all participants in a Trillian AIM session turn on the SecureIM feature, the session will be encrypted. And AOL itself now also offers a free alternative, AIM Pro. Featuring a more streamlined interface than the standard AOL client, AIM Pro automatically secures sessions between AIM Pro users.
If you want to secure all of your messaging in the most powerful way, PGP Desktop will secure all your AIM messages in addition to your e-mail. If your buddies also have PGP Desktop installed, you'll get a message saying the session with them is secure—and with some IM clients (such as Pidgin), you'll see a reassuring padlock icon next to their names in the buddy list.
Skype is one vendor that seems to have gotten security right from the beginning. Skype conversations are all end-to-end encrypted using a fairly strong algorithm. While not as well known for traditional text-based IM as AIM, Skype is certainly a viable alternative, as it has rounded out its platform. Mac users are left out in the cold by many of the freeware solutions, but .Mac offers built-in security for iChat users (an AIM-compatible client) who use .Mac as their server. But to get true cross-platform security between Windows and Mac clients, either Skype (which offers Mac and Linux versions) or a separate solution like PGP Desktop (which runs on both platforms) is still the best way to go.
This article originally appeared on PCMag.com.


