Information security is one of the most important issues facing businesses today. Interception of an email can result in serious financial loss. Proper use of security certificates is necessary, but what are they and what exactly are the benefits of using them?
How messages are sent over email
When an email is “sent”, what does that mean? It’s written at the source, sent from one PC to an email server, and from there it’s routed into the internet. In theory, it will be shuffled from one point to another until it reaches its destination, and is read by the recipient. However, those points in-between are potentially vulnerable to what’s called a “Man in the Middle” attack — someone pretending to just pass the message on, but in reality they’re reading it themselves, or changing it. This is why encryption is used.
How encryption works
There are different kinds of certificates, used for different purposes or levels of security. Most encryption is based on a standard “public” and “private” key method. Everyone using the system will have one of each: a public key, which everyone else can see and use, and a private key, which only you should have access to. When an email is sent, it will be encrypted twice — once with the sender’s private key (for example, using an S/MIME certificate), and once with the recipient’s public key (which the sender will know) — e.g., an SSL certificate. Only the private key can decrypt what was encrypted with the matching public key, and vice-versa. This means that Man in the Middle attackers shouldn’t be able to read the message (they don’t have the recipient’s private key) and they also won’t be able to modify the message (if they changed it, it would no longer be signed by the sender’s private key). The recipient then uses two keys to decrypt the message, thereby verifying that only the real sender could have encrypted and signed it, and also that no one else was able to read it. As long as the math used in encryption is strong enough, the system is reasonably secure, and it’s been adopted world-wide as a standard sequence.
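The two-key flow described above, as an added example that is not part of the original article: the sender signs with their private key and encrypts with the recipient's public key, and the recipient reverses both steps. The key sizes, helper names (`make_key`, `send`, `receive`) and sample messages are constructed for illustration; this is unpadded textbook RSA, not what a mail client runs.

```python
import hashlib

# Constructed demo keys: textbook RSA from known Mersenne primes. Unpadded and
# far too small for real use; S/MIME uses padded RSA or ECC and encrypts a
# symmetric content key rather than the message itself.
def make_key(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e, "d": pow(e, -1, phi)}  # public: (n, e); private: d

SENDER = make_key(2**127 - 1, 2**89 - 1)
RECIPIENT = make_key(2**107 - 1, 2**61 - 1)

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg, key):            # uses the sender's private exponent d
    return pow(digest(msg, key["n"]), key["d"], key["n"])

def verify(msg, sig, key):     # uses only the sender's public (n, e)
    return pow(sig, key["e"], key["n"]) == digest(msg, key["n"])

def encrypt(msg, key):         # uses only the recipient's public (n, e)
    m = int.from_bytes(msg, "big")
    if m >= key["n"]:
        raise ValueError("message too long for this demo key")
    return pow(m, key["e"], key["n"])

def decrypt(ct, key):          # uses the recipient's private exponent d
    m = pow(ct, key["d"], key["n"])
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def send(msg):
    # Simplification: the signature travels beside the ciphertext.
    return encrypt(msg, RECIPIENT), sign(msg, SENDER)

def receive(ct, sig):
    msg = decrypt(ct, RECIPIENT)
    return msg, verify(msg, sig, SENDER)

if __name__ == "__main__":
    ct, sig = send(b"Pay invoice 1042")
    print(receive(ct, sig))
    # A relay that swaps in its own ciphertext cannot forge the signature.
    swapped = encrypt(b"Pay invoice 9999", RECIPIENT)
    print(receive(swapped, sig))
```

The second call returns the swapped text with a failed signature check, which is the signal a mail client uses to warn that the message did not come from the claimed sender.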
Benefits of certificate encryption
In addition to obvious privacy concerns (who would want random strangers reading their emails?), the primary benefits are financial. Intercepted emails could result in a competitor learning a company’s business secrets, which would obviously be detrimental. In turn this could lead to lawsuits from people using the system who have a reasonable expectation of security in their communications. Additionally, security certificates allow a company to meet basic standards of security for compliance and licensing regulations. Verifying the identity of the original sender via S/MIME digital signatures is important for other reasons: if an attacker were able to imitate the sender, they could issue phony directives, or (more likely) send “phishing” scam emails — opening the receiver up to even more security vulnerabilities. If a recipient believed they’d opened an email from a trusted source, they would be willing to open attachments or click links which install viruses on their computers, and once a single computer in a network is infected in this way, a skilled hacker can use that foothold to expand their presence or control many other machines for malicious purposes.
As we head into the next decade, it’s more obvious than ever that information must be secure for people to feel safe and businesses to prosper. There’s no telling how much damage hackers could cause in the near future, and email security certificates are one of several standard business practices that everyone should be on board with.