Join 3,363 readers in helping fund MetaFilter (Hide)

Tags:

Are email Subject lines encrypted?
June 8, 2011 9:06 AM   Subscribe

Are email Subject lines encrypted when I am using SSL?

I recall hearing once that even with SSL on the Subject lines can be visible to an ISP. I use a Mac, OSX 10.6.x, and Mail, Outlook, Postbox, Zimbra, and Thunderbird. All have SSL checked in the preferences.

Am I mis-remembering that fact, or is it hidden/encrypted, just like the email body? Does it apply to emails I receive as well as send?

I did Google for over an hour but all the returns were for company- or service-specific setups, not a general email security answer.

Thank you.
posted by steppe to Computers & Internet (10 answers total) 2 users marked this as a favorite
 
SSL is for encryption of the traffic between you and the mail server. It means that if someone were tapping into the connection between you and the mail server, they wouldn't be able to understand the traffic. It is primarily useful because it prevents your email account's password being sniffed.

The subject line is as secure in this scenario as the rest of the communication.

But don't get a false sense of security. This doesn't mean your email is "encrypted", it means it is being transmitted securely to the mail server. Once the mail server has it, the rest of the journey across the Internet to the recipient's mail server isn't very secret.

Think of it like this:

Email encryption (PGP/GPG, S/MIME etc.) is like sending a letter to someone in code.

SSL encryption of your mail traffic is like sending a postcard but having armed guards take it to the mailbox.

Both are useful but they are not the same thing.
posted by tommorris at 9:12 AM on June 8, 2011 [1 favorite]


SSL encrypts the mail in transit*. While it's at rest at your ISP they have a decrypted copy (they must, as otherwise they wouldn't know where to forward it).

To encrypt the message itself, something like S/MIME is appropriate.


* encryption is a complex topic. This is true for STARTTLS in SMTP transactions, and the difference between using pop3 vs pop3s and imap vs imaps.
posted by devbrain at 9:13 AM on June 8, 2011


You're confusing transport-level encryption with message content encryption. There are a number of products (PGP was the old-school standby) for encrypting the content of a message. It is true that the subject line of those messages is not usually encrypted, as the begin/end blocks of the encrypted text are in the message body itself.

All the methods you're mentioning are transport-level. The message itself, and the subject, are never encrypted at the message level, only the traffic between you and the server is protected.
posted by mikeh at 9:38 AM on June 8, 2011


As others have said, you're misunderstanding SSL.

The purpose of SSL is to assure you that the web server (or mail server, in your case) that you are using is actually who and what it appears to be, rather than someone malicious appearing to be GMail, or eBay, or your ISP. That's all.

Your e-mail data is not saved or stored in any kind of encrypted way just because you're connecting to a server with SSL. The site/server you connect to for mail (your ISP, presumably) as well as every other mail server between you and the recipient (there may be several hops) has a plain-text copy of the e-mail content and the 'envelope', which includes the from, to, subject and a whole lot more. If you don't trust the network operators (ISPs, network admins), then e-mail is not secure at all, really.

If you want genuinely secure messages, you must encrypt your message contents with PGP or S/MIME or something else, and coordinate this with your recipient so s/he knows how to decrypt the gobbledegook message they will receive from you. SSL is not part of this.
posted by rokusan at 9:57 AM on June 8, 2011


To emphasize something that mikeh mentioned, the encryption only occurs between your computer and your outgoing mail sever. Once your mail server has it, it is no longer encrypted and is sent on to its destination totally readable by anyone.

If you choose to use S/MIME or PGP/GPG, which will keep the message encrypted until its destination, you can just leave the subject blank and embed it in the message body.
posted by tommasz at 9:59 AM on June 8, 2011


To answer your question, no.

In addition, the body of the email isn't encrypted either.
posted by blue_beetle at 11:34 AM on June 8, 2011


The purpose of SSL is to assure you that the web server (or mail server, in your case) that you are using is actually who and what it appears to be

Well, that's only part of it. SSL is meant to verify the identity of the server you are connecting too (mail, web, etc) and also encrypt all the data sent between you and the server in question.

But, as others point out, it's only that particular part of the transport that's encrypted. Your ISP mail server stores the message in plaintext/unencrypted. But your ISP is not the final destination of the message: it's just one waypoint of many. And the rest of your message's journey to its destination almost certainly happens unencrypted.

So, in this case, what's the purpose of encrypting the link to your mail server? It's because you ISP probably requires a username/password to connect to the mail server. The SSL in this case is to protect your ISP username and password. Not to protect the message.
posted by sbutler at 3:15 PM on June 8, 2011


Thank you all.

I think my use of the word "encrypted" was not accurate.

I understand that "encryption" of the body and Subject line does not take place with SSL. I thought I also understand that with SSL the message is secure from my laptop to my email service provider's server, and after that there is no guarantee unless the recipient also uses the same email service and also has SSL checked on.

I am not using my ISP's email service, but .Mac. Some of the answers suggest however that somehow in transit from my computer to the .Mac smtp servers the ISP stores the email message but can read it.??? Is this true? I mean, I understand it has to digitally get to the .Mac servers from my computer somehow, that the first jump is from my laptop to the ISP, and then onward via who knows where to the .Mac servers, but I thought with SSL on the email was unreadable in transit. That is more or less the gist of my question: what can the ISP read from my emails if I have SSL turned on? Can they read the Subject line with SSL on?

tommorris wrote "The subject line is as secure in this scenario as the rest of the communication." But then blue_beetle wrote "To answer your question, no. In addition, the body of the email isn't encrypted either." I don't think they are answering the same question (due to my lack of clarity), but it leaves just enough uncertainty in me about the Subject line being readable even with SSL on.

I appreciate all your help thus far.
posted by steppe at 7:19 PM on June 8, 2011


If you're using SSL to .Mac for your email then no, your ISP cannot read any part of your email as it transfers from your computer to the .Mac servers.
posted by sbutler at 7:40 PM on June 8, 2011


If you're using SSL to .Mac for your email then no, your ISP cannot read any part of your email as it transfers from your computer to the .Mac servers.
Unless they're transparently intercepting the SSL connection and performing a MITM attack. Which, you know, is not exactly far-fetched. There are commercial devices designed to do exactly this, and with a little cooperation from the certificate authorities, you'd never know.
posted by -1 at 10:16 AM on June 9, 2011


« Older A friend of mine went to fill ...   |  In 1934, could you travel by r... Newer »
This thread is closed to new comments.