Wednesday 3 March 2010

Who is Reading Your Email?

Are you sitting comfortably in your favourite café having a cuppa while you are reading this on your notebook, webtop or Wi-Fi enabled smartphone? If yes, then you are most likely connected to the Internet by the wireless router (Wi-Fi hotspot) of the café. And you probably just checked your email or you plan to do this next.

When you log into your email your computer sends your username (typically your email address) and your password to your email provider over the Internet. This is OK as long as your email provider is the only one to get to see this information. But when you are connected to the Internet via a Wi-Fi hotspot anyone with another computer near yours can also receive the information your computer sends out. In order to protect your information it must be encrypted (scrambled).

If you are using Wi-Fi at home, then you are using your own wireless router that is configured to automatically encrypt your data (at least it should be set up this way!). Only your router and your computer know how to make sense of the encrypted information. Although someone with a computer in front of your house could receive the information exchanged between your router and your computer they would not be able to make sense of the scrambled data and your information is secure (if everything is set up properly).

This is not possible in your café. In order for any customer of the café to connect to the Internet the Wi-Fi hotspot must be ‘open’. That means it cannot use encryption. Anyone who can receive the radio waves your computer sends out to the Wi-Fi hotspot can potentially discover the username and password for your email account when you log in. And when they do, they can read your email, change your password and lock you out of your email, and send emails under your name to anyone.

In order to secure your information you have to make sure that the software on your computer or smartphone is configured to use another form of secure encryption – one that is used to encrypt the information exchanged between your email client (the software program you read your email with) and the email provider. The difference is that the encryption is not arranged directly between your computer or smartphone and the Wi-Fi hotspot, but between your email client and your email provider.

If you have used the Internet for shopping before, you should know that you have to look out for the lock symbol in your browser when you enter your credit card details. The lock symbol shows that the information exchanged between your browser and the web site you are visiting is encrypted and secure (you can also tell this from the https:// in front of the web site address instead of the normal http://).

Look for the https:// to make sure you have a secure connection
Look for the lock symbol to make sure you have a secure connection

If you are reading your email in a browser and you can see the lock symbol and the https:// in front of the web address then you are fine. When your email account is with one of the large free email services like Google Mail, Hotmail or Yahoo you should automatically be using a secure HTTPS connection in your browser when you read your email. If you cannot see the lock symbol and the https:// in the address field, you should find out how your email provider allows you to read your email securely.

Mail Server setting in Thunderbird. Select SSL for a secure connection
If you are using an email client on your computer to read your email, for example Thunderbird or Outlook, or you are using the email client on your smartphone, then you need to configure this email client yourself in order to read email securely. Unfortunately, this is not always straightforward and every email client has a different way of letting you do this. Somewhere in your email programme you can specify the settings for the email account. Here you typically have to enter the address of the email provider (e.g. or, the username (usually your email address) and the password. Additionally, you can also say that you want to use a secure connection. This is typically called something like ‘connection security’ and you can select entries like None (no encryption, i.e. no security), SSL/TLS or STARTTLS (for securely encrypted connections). With it comes a port-number – a kind of extension number over which email client and email provider can talk. For insecure connections this is typically 110 or 143 and for secure connections 993 or 995. You should be able to get this information from the online help of your email provider.

Mail server settings in the iPhone. Set 'Use SSL' to On
If you are using an email client on your laptop consider using the new Thunderbird. It promises to figure out automatically how to set-up your secure email connection and this should work at least for the large email providers. Still, you should check the account settings. In Thunderbird click on your mail account and view the settings for the account. Select the “Server settings”. Here you can select the connection security and specify the correct port number.

Smartphones like the iPhone have their own way of specifying secure email connections. The iPhone tries to configure a secure connection when you specify a new email account. But if that fails it sets up the account without security. To check this, tap on Settings on your home screen, select ‘Mail, Contacts, Calendars’ and then the email account you want to check. Scroll down and select Advanced. There you can switch SSL to on and specify a port number (Server Port).

If you are using an email client on your mobile phone or smartphone and you cannot find your way around the settings try to find help on the Internet. Google for the name or type of your phone and add the key words “secure email” and try your luck – or find a geek to help you.