Online communication is not intrinsically safe. Indeed, certain aspects of it can be very dangerous, and in many cases cause severe damage,
such as virus infections, system crashes, data loss, identity theft and others. In this article we will examine two common problems faced when communicating
online, before offering a set of simple guidelines that can help prevent any possible danger or losses due to these problems.
|
Email (communication) Problem One. Who is talking to me? |
Presently, most people go about sending information via email in a very insecure manner. For example, they look at the signature beneath the text of an email, and if the sender
address matches what they expect to see and the message is not too strange, they will assume that the email is genuine. This is unsafe, to say the least.
The problem is that the sender address is not reliable information. An email is made up of two or three parts. The first part has an administrative function and is called
a header. Among the different fields in the header are the email address of the recipient, and also "From", "Reply-To", "Sender" and others. Since the internet has been
designed to be a decentralized system, there is no "central authority" to ensure the truthfulness of the content of all these fields. Thus, the software on the sender's server
can place whatever information it likes into these fields. To put this into perspective, this information is about as authentic as the name of the sender and the
return address written on the back of a physical envelope, i.e. NOT AT ALL.
|
Email (communication) Problem Two. Who is reading and copying my private data? |
Another issue with emails and online communication in general is that a person’s message can be read by many (artificial) intelligence services (computers) and people. Furthermore, it
is possible for an unauthorized party to store messages for future reference without the person’s knowledge or consent.
When an email or data travels on the internet, it passes through a number of servers, which retransmit it to the next server. While being retransmitted, information can be parsed, read,
interpreted and stored (unless it is encrypted). In addition to that, it is also fully accessible to the administrators and software running on the servers from where it was sent and
where it is finally received (again, unless it is encrypted).
|
Exact Steps to Exchange Emails Safely |
Provided that the parties communicating online maintain an appropriate level of security and keep their private keys secret, then they can be certain that:
- the other side on the communication line is the side that is expected, i.e. each side authenticates the identity of the other side;
- the integrity of the exchanged information is intact, i.e. the information has not been tampered with, or altered by errors;
- the exchanged information is private and cannot be read and understood by unauthorized entities in the foreseeable future;
by following the protocol below.
|
Suppose company A and person B both have websites, and both of them use Act On File or similarly capable software.
Both A and B have public-private key pairs. They keep the private keys safe and secure, while publishing their public key on their websites. Suppose also that the person
B wants to contact company A with some very important private information.
- Person B goes to the company A website and downloads their (public) Encryption Key.
- Person B uses the downloaded encryption key of company A to encrypt the document he wants to send. (Only company A can decrypt it.)
- Person B uses his/her own private Signature Key to generate signatures for the documents which are to be sent.
- Person B sends the encrypted documents and their signatures.
Company A receives documents from person B. They proceed in the following manner:
- Company A goes to the person B website and downloads their (public) Authentication Key.
- Company A uses the downloaded authentication key to verify the signatures. (This confirms or denies the origin and the integrity of the documents.)
- Company A uses their own private Decryption Key to decrypt the documents.
- Company A is ready to use the documents confident in their origin and integrity.
|
This simple protocol ensures that information is safely transmitted over the internet and removes the possibility of phishing scams and other abuses. You can use Act On File
or similar software to generate the required Public-Private key pairs, and also for the authentication and encryption steps in the above protocol.
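The protocol above, sketched with Node.js's built-in crypto module as an added example (not code from the original page or from Act On File). It assumes the signature covers the encrypted document, since company A verifies before decrypting; the party names, sample document and algorithm choices are constructed for illustration.

```javascript
// Added example. Party names and the message are constructed; the algorithm choices
// (RSA-OAEP key wrap, AES-256-GCM, Ed25519 signatures) are assumptions, not the page's.
const { generateKeyPairSync, randomBytes, createCipheriv, createDecipheriv,
        publicEncrypt, privateDecrypt, sign, verify, constants } = require("node:crypto");

// Each party holds two key pairs and publishes only the public halves.
function makeParty() {
  return {
    enc: generateKeyPairSync("rsa", { modulusLength: 2048 }), // encryption / decryption keys
    sig: generateKeyPairSync("ed25519"),                      // authentication / signature keys
  };
}

const oaep = (key) => ({ key, padding: constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" });
// Fixed-length fields come first so the signed byte string is unambiguous.
const signedBytes = (m) => Buffer.concat([m.wrappedKey, m.iv, m.tag, m.body]);

// Person B: encrypt to A's public Encryption Key, then sign what is actually sent.
function send(plaintext, recipientEncPub, senderSigPriv) {
  const key = randomBytes(32), iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const msg = { wrappedKey: publicEncrypt(oaep(recipientEncPub), key), iv, tag: cipher.getAuthTag(), body };
  msg.signature = sign(null, signedBytes(msg), senderSigPriv);
  return msg;
}

// Company A: verify with B's public Authentication Key first; decrypt only if it passes.
function receive(msg, senderSigPub, recipientEncPriv) {
  if (!verify(null, signedBytes(msg), senderSigPub, msg.signature)) return null;
  const key = privateDecrypt(oaep(recipientEncPriv), msg.wrappedKey);
  const decipher = createDecipheriv("aes-256-gcm", key, msg.iv);
  decipher.setAuthTag(msg.tag);
  return Buffer.concat([decipher.update(msg.body), decipher.final()]);
}

// Constructed run: a genuine message, one signed by a third party, and one altered in transit.
function demo() {
  const a = makeParty(), b = makeParty(), other = makeParty();
  const doc = Buffer.from("constructed sample document");
  const genuine = send(doc, a.enc.publicKey, b.sig.privateKey);
  const wrongSigner = send(doc, a.enc.publicKey, other.sig.privateKey);
  const altered = { ...genuine, body: Buffer.from(genuine.body) };
  altered.body[0] ^= 1;
  const open = (m) => receive(m, b.sig.publicKey, a.enc.privateKey);
  return { genuine: open(genuine)?.toString(), wrongSigner: open(wrongSigner), altered: open(altered) };
}
console.log(demo());
```

These checks only bind a message to the keys that were downloaded, so the result is as trustworthy as the websites the public keys came from.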
|