You only need to look at a few spam messages to see it’s surprisingly easy to make email look like it came from someone else. Likewise, most email is transported over the Internet in plain text, so anyone with network monitoring tools could read your mail — even before you do. These tools are extremely easy to obtain and could easily be configured to watch for email for a particular person or organisation. They could even save your messages to a file and mail the file to anyone.
Some businesses are fully aware of this and insist important emails are digitally signed, which means the recipient can be sure the message has not been altered since it was sent. Some also insist messages are encrypted, so nobody but the intended recipient can read them. Most of us don’t do anything to ensure our email remains private, even when we’re sending important financial information. For example, most of us send our bank details to friends or family from time to time, and we might live to regret it if that email was intercepted somewhere along the line.
Given that newspapers report an increasing number of cases of identity theft, many people might want to take better care of their data. In fact, people using Windows software have two main options for signing and encrypting email. One is to buy the PGP Desktop Professional suite, which costs £199 per person. The other is to use the open-source GPG suite, which is free of charge and easy to set up.
We tested the open-source GPG by installing on a PC running Windows Vista and Thunderbird email software. We were surprised to find installation was extremely quick and simple. Although we needed to download and run three installation utilities, we didn’t need to reboot our PC at all during the installation.
People using Microsoft Outlook could use PGP Professional Desktop, but bear in mind Outlook stores email in PST files on your hard disk. When we tested PGP Professional Desktop with Microsoft Outlook 2007 recently, we found our outgoing mail was stored without encryption in our PST file and also on our mail server. Therefore, even though PGP Professional encrypted mail sent to other people, sensitive data would still have been vulnerable to anyone or anything that had access to our hard disk or mail server.
In contrast, it’s relatively easy to configure Thunderbird so that it does not store messages on your PC. Better still, the open source GPG tools we tested encrypted messages as soon as they left our Thunderbird mail software, so they were encrypted on our mail server and everywhere else they went on the Internet.
Messages are decrypted when they are viewed by the recipient’s email software, provided, of course, that we have given them access.
Setting up the GPG software for Windows could not be easier. Simply download and install the Windows version of the GPG tools from here.
If you’re not already using it, next you need to download and install the Thunderbird email software from here.
Finally, download the Enigmail GPG add-on for Thunderbird and save it to your hard disk. Install it using Thunderbird’s “Tools – Add-ons” menu.
Once you have all the software in place, use Thunderbird’s OpenPGP menu to access the OpenPGP Key Management tool. Now take the “Generate New Key Pair” option to make a new set of keys. Finally, upload your keys to a key server using the Keyserver menu, and you’re set up and ready to sign or encrypt your emails.
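To show what the Key Management tool and Thunderbird do behind the scenes, here is an added example (not from the original article, nor from the Enigmail or GPG projects) that performs the same steps with the gpg command-line tool included in the GPG suite: generate key pairs, sign and encrypt a message to a recipient, decrypt and verify it, and confirm that an altered message fails verification. It assumes gpg 2.1 or later is on the PATH and uses a throwaway keyring and made-up addresses so that nothing touches your real keys.

```shell
#!/bin/sh
# Added example: Enigmail's GUI steps done with the gpg command-line tool.
# A temporary GNUPGHOME keeps this completely separate from your real keyring.
export GNUPGHOME="$(mktemp -d)"

# "Generate New Key Pair": create a key with default algorithm and no expiry.
# The empty passphrase is only acceptable because this keyring is disposable.
make_key() {
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-gen-key "$1" default default 0
}

# Two parties with placeholder addresses (constructed for the demo).
setup_keys() {
  make_key alice@example.invalid
  make_key bob@example.invalid
}

# What Thunderbird does on send: sign with the sender's key, encrypt to the
# recipient's public key. $1=sender, $2=recipient, stdin=message.
sign_encrypt() {
  gpg --batch --quiet --armor --trust-model always \
      --local-user "$1" --recipient "$2" --sign --encrypt
}

# Recipient side: decrypt and check the signature in one step.
decrypt_verify() {
  gpg --batch --quiet --decrypt
}

# Full round trip of a sensitive line of text (constructed sample data).
roundtrip() {
  printf 'Sort code 12-34-56, account 12345678\n' \
    | sign_encrypt alice@example.invalid bob@example.invalid \
    | decrypt_verify
}

# Signing alone: the genuine copy verifies, an edited copy does not.
tamper_detected() {
  signed="$(printf 'Pay 100 GBP\n' \
    | gpg --batch --quiet --armor --local-user alice@example.invalid --clearsign)"
  printf '%s\n' "$signed" | gpg --batch --quiet --verify 2>/dev/null || return 2
  printf '%s\n' "$signed" | sed 's/Pay 100 GBP/Pay 900 GBP/' \
    | gpg --batch --quiet --verify 2>/dev/null && return 1
  echo detected
}
```

Run `setup_keys` once, then `roundtrip` prints the original text and `tamper_detected` prints "detected"; on Windows the same gpg.exe commands work from a command prompt once the GPG suite is installed.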
There’s an excellent quick setup guide document covering how to set up the GPG software at this link. However, the guide was written a little while ago, so some of the download links are out of date.
Remember, people need to install similar tools on their PC in order to verify digital signatures or read encrypted email. And of course, once received and decrypted, you have no control over whether someone forwards a copy of your message or saves it in an unencrypted document.