The Defenders

Even the most careful Web surfers sometimes leave themselves open to virtual villains--unless they use the right software to protect themselves. We've unlocked the best personal and corporate security programs to help keep all your data safe, from cookie killers to potent e-mail encryption programs.

Foil E-Mail Eavesdroppers

Millions of people use e-mail every day to share private data--payroll numbers, passwords, gripes about the boss--without realizing the security risks. Anyone who handles your e-mail--from a server administrator to a hacker--can read it. How can you protect yourself? An e-mail encryption program hides your messages from prying eyes by scrambling plain text into gobbledegook, which only the recipient of your e-mail can decrypt.

If your company conducts business over the Internet, you should probably arrange to sign your e-mail with a digital signature, too. A digital signature assures the recipient that the message came from you, eliminating the possibility that a mischief maker or criminal might successfully pose as you by forging your e-mail address. A digitally signed e-mail is as legally binding as a written contract signed by hand.

You could use an e-mail program with the S/MIME (Secure Multipurpose Internet Mail Extensions) encryption protocol to encrypt and sign messages, but there are tradeoffs: You have to pay a fee for your own permanent set of keys to use S/MIME. And early implementations of S/MIME weren't always interoperable. To you and me, that means e-mail encrypted with S/MIME by some versions of Messenger wasn't always decryptable by some versions of Outlook, for example. Though Netscape and Microsoft claim that S/MIME now works perfectly between the newest releases of their applications, you still might run into S/MIME problems with older e-mail programs.

To protect your e-mail from snoops, buy a third-party encryption program. Unlike browsers, these programs make their own encryption keys, so you don't obtain them from a third party. Another plus: If you and the people to whom you send e-mail have the same encryption package, you need not even use the same e-mail program.

Stand-alone utilities also beat your built-in e-mail encryption system by offering tougher security. Encryption experts claim that e-mail created with a 40-bit encryption scheme (which is what the browsers offer) can be cracked by a college computer lab in a couple of hours. According to the same experts, it would take a computer lab "until the end of the universe" to break a file scrambled with 128-bit encryption keys. All the packages discussed here offer at least 40-bit encryption. But some--including our Best Buy, PGP for Personal Privacy--can scramble e-mail with keys as long as 4096 bits, a level of mathematical complexity that makes messages virtually uncrackable.

PGP for Personal Privacy works with any e-mail package and any other type of application, another reason it's the pick of the litter among encryption packages. You just highlight and copy the text you want to encrypt. PGP is the best encryption option to use with AOL or an office e-mail system like Lotus Notes. The other utilities work only with e-mail packages based on the Simple Mail Transfer Protocol for Internet e-mail.

For keeping your electronic correspondence private, we endorse PGP for Personal Privacy. It was the easiest of the four programs we tested to install and use, and it's free for nonbusiness purposes. (For business use, Network Associates expects you to cough up $40.) Like the other packages reviewed here, PGP uses a public key/private key encryption scheme (see "Security Speak" for definitions). To send another PGP user a private message, you must have that person's public key. If you do have it (people usually put their public key at the end of their e-mail messages), you can copy and paste it into the PGPKeys window. The PGPKeys program also lets you search special servers on the Internet that contain the public keys of everyone who posts one. When you find the public key you're looking for, you just select it from the list and click the Add button.

PGP works with any program. Encrypting is as easy as highlighting text, copying it, and clicking on the PGP icon in your system tray. PGP will encrypt or sign any text in the clipboard.


SUMMARY
PGP for Personal Privacy



$40 list (for business)
Network Associates
800/764-3337
www.nai.com

If you use Qualcomm's Eudora, Microsoft's Outlook or Exchange, or Netscape Messenger, RPK InvisiMail is an encryption option worth considering.

RPK InvisiMail monitors all your incoming and outgoing e-mail messages, encrypting and decrypting them on the fly. Everything is automatic: RPK InvisiMail keeps a running list of other InvisiMail users' public keys by scanning the header of every incoming message. Later, when you send a message to the same address, the program encrypts the e-mail with the appropriate public key. In turn, RPK InvisiMail inserts your public key into the headers of outgoing messages. And best of all, the program didn't crash our system (as did Mailguardian, discussed below).
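
Header-based key exchange of the kind described above depends on the From address, which, as noted earlier, can be forged, so a client that harvests keys this way should pin the first key it sees for an address and flag any later change instead of silently replacing it. The sketch below is an added example, not InvisiMail's code: the header name `X-Example-Public-Key`, the `KeyDirectory` class and the sample messages are all hypothetical.

```python
import hashlib
from email import message_from_string
from email.utils import parseaddr

# Hypothetical header name; the article does not say which header InvisiMail uses.
KEY_HEADER = "X-Example-Public-Key"

def fingerprint(key: str) -> str:
    """Short digest so a person can compare keys over another channel."""
    return hashlib.sha256(key.encode("ascii")).hexdigest()[:16]

class KeyDirectory:
    def __init__(self):
        self.keys = {}       # sender address -> public key text
        self.conflicts = []  # (address, pinned fingerprint, offered fingerprint)

    def learn(self, raw_message: str) -> str:
        """Record the key advertised in an incoming message's headers."""
        msg = message_from_string(raw_message)
        addr = parseaddr(msg.get("From", ""))[1].lower()
        key = "".join((msg.get(KEY_HEADER) or "").split())  # undo header folding
        if not addr or not key:
            return "no-key"
        pinned = self.keys.get(addr)
        if pinned is None:
            self.keys[addr] = key
            return "learned"
        if pinned == key:
            return "unchanged"
        # From is unauthenticated: keep the pinned key, queue the change for review.
        self.conflicts.append((addr, fingerprint(pinned), fingerprint(key)))
        return "conflict"

    def key_for(self, recipient: str):
        """Key to encrypt to when sending, or None if the recipient is unknown."""
        return self.keys.get(parseaddr(recipient)[1].lower())

# Constructed sample messages; key values are placeholders, not real keys.
INBOX = [
    "From: Alice <alice@example.com>\nX-Example-Public-Key: QUxJQ0Ut\n S0VZLTE=\n\nhi",
    "From: alice@example.com\nX-Example-Public-Key: QUxJQ0UtS0VZLTE=\n\nagain",
    "From: Alice <ALICE@example.com>\nX-Example-Public-Key: T1RIRVItS0VZ\n\nnew key",
    "From: bob@example.com\n\nno key header",
]

def demo():
    directory = KeyDirectory()
    return directory, [directory.learn(m) for m in INBOX]
```

The third message offers a different key for an address that is already pinned, so it is recorded as a conflict and outgoing mail keeps using the first key.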


SUMMARY
RPK InvisiMail



Freeware
InvisiMail
www.invisimail.com

Mailguardian protects the same e-mail programs much as InvisiMail does. But picking InvisiMail over Mailguardian is a no-brainer. Mailguardian seems less stable (it repeatedly crashed Eudora); it's costly ($69, versus free for InvisiMail and PGP); it encrypts more slowly; and it's poorly documented. And because the company's based in Israel, you'll have to schedule tech support calls around the time-zone differences.


SUMMARY
Mailguardian



$69 list
Vanguard Security Technologies
972 4/855-1410

WorldSecure Client integrates smoothly with Eudora, Outlook, and a mountain of other e-mail applications, and it functions similarly to the other programs here--automatically identifying other people's keys included in messages to the user and adding them to its database, and encrypting the text of an e-mail message sent to someone in the database. Nonetheless, the application annoyed us with a never-ending stream of "OK to continue?" dialog boxes as we tried to manage our mail. Talk about insecure--by the time you've spent a few hours with this hesitant program, you'll feel like an overworked therapist. We click Not OK.


SUMMARY
WorldSecure Client



$90 list
Worldtalk
800/454-4674
www.worldtalk.com
