Unsecured email can easily be monitored and even altered as it travels through the Internet.
Your privacy can be violated by a list of entities ranging from common criminals and con artists to your neighbours, your co-workers, your ISP, and government surveillance and censorship agencies.
Unauthorized access to your email by hackers and identity thieves can have disastrous consequences. And unlike with snail mail, electronic mail that has been copied or altered in transit shows no traces of tampering.
This lack of privacy makes normal email unsuitable for serious messaging applications, where confidentiality is important. Fortunately, the ancient art and science of cryptography can be applied to enable the use of email for private communications with customers, business associates, family and friends.
Here's a quick rundown of basic cryptography jargon:
Symmetric cryptosystems use the same key to both encrypt and decrypt the message.
This key is usually a large random number, generally in the range of 64 to 256 bits long (higher key sizes mean, all other things being equal, a higher level of security), which is used to mathematically transform the plaintext to create the ciphertext.
Symmetric cryptosystems raise the problem of secure key distribution. The encryption key must be transmitted from the sender to the receiver over a secure channel in order for the encrypted message to be secure. This means an infrastructure for secure key distribution is a prerequisite for secure messaging using symmetric cryptosystems, making pure symmetric cryptosystems impractical for ad-hoc communication over the Internet.
Asymmetric cryptosystems solve the problem of secure key distribution through the use of two different keys: one for encryption and another for decryption. The encryption key is made public, and is known as the public key. The decryption key is kept secret by its owner, and is known as the private key, or the secret key.
The public and private keys in an asymmetric cryptosystem are linked to each other through a mathematical relationship such that a message encrypted using a certain public key can only be decrypted using the corresponding private key.
There is no need to keep the public (encryption) key secret in order to prevent unauthorized decryption of an encrypted message, as the decryption operation requires the secret key, not the public key. So it is easy to distribute public keys over insecure networks, enabling encrypted communications without the need for secure key distribution. You can publish your public key on the Internet, enabling anyone to encrypt messages "for your eyes only". These messages can then be decrypted and read only by you, using your private key.
This solves the problem of secure key distribution, and enables ad-hoc secure messaging without the need to agree on a shared secret key first.
Asymmetric cryptosystems also enable secure digital signatures for messages, to assure the recipient that a message really did originate from the person who apparently sent it.
With normal email, it's really easy to forge a message to make it look like it was sent by someone you know, or from a company you deal with. Such messages could trick you into opening attachments that contain viruses or trojan programs, thereby granting some kid somewhere unauthorized access to your computer and all the data on it.
The ease with which From: addresses on email messages can be forged enables a very wide range of potential abuses, including "phishing" attacks which can cause victims serious financial losses, or worse. Digital signatures allow the receiver of an email message to verify that the message is authentic, and really is from who it appears to be from, foiling all such attacks.
Digital signatures make use of the same public and private keys that we use for encryption with an asymmetric cryptosystem, but using them in reverse.
The sender signs the message using her private key, and this signature can only be verified using the corresponding public key.
As only the owner of the private key can produce a signature that can be verified using the corresponding public key, the receiver can know that a message is authentic and hasn't been tampered with if it verifies correctly using the sender's public key.
Of course, a message can be both encrypted and signed. This will ensure both that it cannot be read by unauthorized parties, and also that it is authentic and has not been tampered with en route or forged altogether.
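The public/private key relationship described above, as an added Python sketch that is not part of the original page: textbook RSA with constructed keys built from known Mersenne primes, showing public-key encryption of a session key, signing with the private key, and a tampered message failing verification. The function names, sample message and key sizes are assumptions chosen for illustration; the scheme has no padding and tiny keys, so it only illustrates the mathematics and is not a substitute for an OpenPGP implementation.

```python
import hashlib

E = 65537  # common public exponent

def make_keypair(p, q, e=E):
    """Build (public, private) = ((n, e), (n, d)) from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent: e*d == 1 (mod phi), Python 3.8+
    return (n, e), (n, d)

def encrypt(public, m):
    """Anyone holding the public key can encrypt an integer m < n."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)

def decrypt(private, c):
    """Only the private-key holder can invert encrypt()."""
    n, d = private
    return pow(c, d, n)

def _digest(message, n):
    # Hash the message, then reduce into the key's range (toy shortcut).
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private, message):
    """Keys 'in reverse': the private exponent is applied to the hash."""
    n, d = private
    return pow(_digest(message, n), d, n)

def verify(public, message, signature):
    """The public exponent undoes sign(); any change to message breaks it."""
    n, e = public
    return pow(signature, e, n) == _digest(message, n)

def exchange():
    """Alice sends Bob an encrypted session key plus a signed message."""
    # Constructed keys from known Mersenne primes; far too small for real use.
    alice_pub, alice_priv = make_keypair(2**127 - 1, 2**89 - 1)
    bob_pub, bob_priv = make_keypair(2**107 - 1, 2**61 - 1)
    session_key = int.from_bytes(b"constructed-key!", "big")
    message = b"Wire the invoice to the usual account."
    wire = encrypt(bob_pub, session_key), message, sign(alice_priv, message)
    recovered = decrypt(bob_priv, wire[0])
    genuine = verify(alice_pub, wire[1], wire[2])
    altered = verify(alice_pub, wire[1].replace(b"usual", b"other"), wire[2])
    return recovered == session_key, genuine, altered

if __name__ == "__main__":
    print(exchange())
```

In a real system the recovered session key would decrypt the message body with a symmetric cipher; here the body travels in the clear so the signature check stays in focus.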
Neomailbox provides encryption services at different levels:
We use SSL session encryption to protect all communication between your computer and our servers. IMAP, POP3, SMTP, Web mail, as well as the entire website, are all accessible over SSL secured connections.
This protects your communications with the mail servers from unauthorized interception and/or eavesdropping.
Note that we provide full hardware-accelerated SSL session encryption for all services which secures all your communications with our servers.
In contrast, some other services pretend to offer SSL access, but really only provide SSL-secured login, and not full SSL session encryption. Beware of such services!
OpenPGP is a widely deployed, time-tested, open protocol for asymmetric encryption, key distribution, and digital signatures.
Our alternate webmail system provides full support for OpenPGP encryption and digital signatures. You can also download free OpenPGP encryption tools and plug-ins for popular email programs from our OpenPGP tools page and use these to secure your communications with OpenPGP. We will happily assist you with using these tools, if you have any questions or need any help.
In conjunction with a compatible email program, such as SecureBat! from Ritlabs, and a hardware authentication token, such as the Aladdin eToken Pro or Rainbow iKey1000, Neomailbox servers provide challenge-response based secure hardware authentication. Using a physical hardware token (a small key-chain sized USB device) to login to your account can protect your account login information even when you access your account from an untrusted computer. Read more about hardware token authentication.
We're working on a number of additional encryption services to provide enhanced privacy, which will be announced soon.
If you care about your privacy online, why not sign up for our full-featured secure email service?
The service features state-of-the-art anti-spam and anti-virus systems to eliminate virus and malware threats and identify junk mail, as well as unlimited disposable email addresses - all integrated into a single service.
We're so sure you'll love the service that we offer a watertight, unconditional 30-day money back guarantee if you're not completely happy with your account for any reason. So try Neomailbox risk-free - sign up now.