Browse Site

E-Mail: About As Secure As …. erm …

I wasn’t going to post this (and by the time you get to the end of the post, you may wish I hadn’t!!), as I thought that the e-mail message had finally arrived by 2012. It appears not… In a previous workplace I became infamous for the phrase “e-mail is not a secure medium” in response to people telling me their plans for getting sensitive data from one location to another, for example from a website to an office network. Even over the last twelve months, it doesn’t take long to find examples of paid developers posting questions like “Encrypting/Decrypting a POST form” and “Is it safe to email Credit Card information from a PHP script?“.

The short answer to whether you can e-mail any sensitive information whatsoever by e-mail is no. No you can’t. Just don’t.

Although there was probably something of a similar nature around before, credit for inventing e-mail is given to Ray Tomlinson in 1972 for using the ‘@’ symbol to denote a user@location. There wasn’t any great need for security; in the age of small networks the text file being written to a user’s directory was covered by the network’s security. Since the advent of needing a username and password for POP3 (Post Office Protocol) to get hold of new messages, using the @ symbol was probably the last great advancement in e-mail technology. E-mail was, and continues to be, pieces of raw text being bounced around the world. This is the reason why we all get so much spam; you don’t need to authenticate (usually) to spoof an e-mail address; sending an e-mail on someone else’s behalf is something that can be done within a matter of seconds.

In the last few weeks alone, a company that I work with had put a whole-scale project plan in place to get customers’ payment details from their online shop to their (manual) payment gateway by e-mail. Seriously, no!! It’s 2012 now – it’s time to realise that you just can’t do this.

This entry was posted in Geeky Stuff, php, Rant Central, Systems.

Comments are closed.