Internet best practices: email security

There are a couple of things we need to understand about email.

Browsing is anonymous; email is not.  You can clicky-click all over the open web without logging in to most places.  You can search, look at youtube, read for days on wiki without logging in unless you want to.  It’s like listening to the radio station that’s broadcasting to everyone who wants to hear it.

But your email is secured with credentials, usually a login+password combination.  It is specific to you and requires you to prove you are who you say you are before accessing your email.

A side effect of this is a Bad Guy reading one of your emails does not necessarily compromise your credentials, but if the Bad Guy has your credentials he can read (or delete,  or send) emails as if s/he were you.  For this reason your email credentials are more generally important than your email’s individual content.

What to do

The easiest way to handle this (and the way most folks do it already) is to use your provider’s secured webmail site like https://mail.google.com or https://mail.yahoo.com. No extra work required on your part and your credentials are transmitted over the secured connection.

Before web-based email most people used a mail reader (or “client”), and many power users still do it this way.  They like client-based email because it can works better than webmail on intermittent and/or low-bandwidth connections.  Luckily, modern clients can talk to modern mail servers with similar encryption found on secured websites.  It generally requires fiddling port numbers and turning on transport encryption in your client.   Here are sample configs for google and yahoo.    As with secured websites your credentials and content are safe between you and the mail server.

With either of these in place you can securely log into your email over unsecured networks like open wifi.