I had an enquiry yesterday regarding the necessity for encrypted emails to be GDPR compliant. O_O
It was so out of the blue that it left me speechless for a moment, before realising where the request was coming from. Sure enough, a further Google/DuckDuckGo/Bing/Weapon Of Choice suggests that this is a common issue or query string. Thankfully it’s the right stick – but the wrong end. Here follow some words on where I think this is coming from, why it is so prevalent, and why we have it covered here at Hosting UK.
Encrypted data at rest is an ever evasive panacea. So much so that it continues to plague us in the future: The Death Star Plans would have been secure from the prying eyes of those pesky Rebels.
Encryption – to work for more mass consumption needs to be transparent. It needs to work without thought, and it needs to be ubiquitous. There are plenty of formal methods of hard, weapons-grade encryption such as PGP, GPG, or even SMIME if that is more your bag. The issue is that it’s not as easy as falling off a log, and some people don’t have logs. For example a quick straw poll around an office of engineers, and only a third have GPG or PGP keys… the chances are Aunty Mable and Cousin Steve are going to found wanting too.
So what is this all about then?
Well, I believe the confusion is coming from where the encryption is found.
Let’s transpose this away from email and talk about web pages. Specifically, lets talk about the address bar, and what goes on there when you visit a site that is secured with an SSL certificate (albeit hopefully a TLS certificate – it lives zombie-like as the Floppy Disk as the save icon). The Padlock. The Green Bar. The Company name. We know what we are looking for to indicate that the connection between that browser and the remote server is encrypted end to end. It would take someone with access, skills, motivation, and possibly most critically a whole bunch of time to see the contents of the traffic passing between the two IF they did not have access to one of the ends of that conversation.
Irrespective of whether the certificate is in date, or the name you called the server versus its Common Name – if the certificate is in place – and the keys are secure – then the connection is. Simple.
Let’s jump back to email again – specifically “encrypted email”.
Let us also consider how we interact with email, and how email interacts with other servers – to the point of writing a list:
Sorry, what? HTTP? Well yes – Webmail, Outlook Web Access, SmarterMail, Horde, RoundCube, Squirrel – you may or may not be aware – but there is usually a web interface to get to your email. How would you feel about typing in your username and password to a server that had no certificate, no padlock, was showing as not secure? Well, you are probably going to want to avoid that on the whole unless you are within a very controlled and trusted environment.
So let’s take that as a second example and consider POP (it is 2018 but some people still do use it despite the issues within a multi-device access environment), and IMAP. We use them to collect or check the email on the server. Move things between folders, and so on. POP and IMAP both have secure versions of these protocols using either STARTTLS or TLS (TLS is a rework of the protocol that used to be delivered by the more familiar protocol SSL). This is great. This means that your passwords are never passed in plain text, and the contents of your emails cannot be seen in transit. Great things.
So that leaves us with SMTP. SMTP does not just collect email – it sends it.
<actionfilmvoice>In a time before POP, SMTP did all email</actionfilmvoice>
You send your email to your server, smart host, or relay using SMTP. While it is in transit – it is readable. Your email server will be happily receiving connections from other servers with email for you, and, of course, sending your email on to the server that deals with your recipient’s email. You will be glad to know that certificates are available for this as well – ensuring the transit is encrypted (for those servers that support it).
People talking about Encrypted Email and GDPR are most likely referring to the accessibility of webmail, SMTP, POP, IMAP over SSL or TLS. So in answer to that – yes, Hosting UK does support GDPR compliant Encrypted Email solutions. Nice to know.
However, if you would like to know more about the specifics of our email services, or indeed GPG/GPG/SMIME or similar – do let us know.