Are email Subject lines encrypted?
June 8, 2011 9:06 AM Subscribe
Are email Subject lines encrypted when I am using SSL?
I recall hearing once that even with SSL on the Subject lines can be visible to an ISP. I use a Mac, OSX 10.6.x, and Mail, Outlook, Postbox, Zimbra, and Thunderbird. All have SSL checked in the preferences.
Am I mis-remembering that fact, or is it hidden/encrypted, just like the email body? Does it apply to emails I receive as well as send?
I did Google for over an hour but all the returns were for company- or service-specific setups, not a general email security answer.
Thank you.
I recall hearing once that even with SSL on the Subject lines can be visible to an ISP. I use a Mac, OSX 10.6.x, and Mail, Outlook, Postbox, Zimbra, and Thunderbird. All have SSL checked in the preferences.
Am I mis-remembering that fact, or is it hidden/encrypted, just like the email body? Does it apply to emails I receive as well as send?
I did Google for over an hour but all the returns were for company- or service-specific setups, not a general email security answer.
Thank you.
SSL encrypts the mail in transit*. While it's at rest at your ISP they have a decrypted copy (they must, as otherwise they wouldn't know where to forward it).
To encrypt the message itself, something like S/MIME is appropriate.
* encryption is a complex topic. This is true for STARTTLS in SMTP transactions, and the difference between using pop3 vs pop3s and imap vs imaps.
posted by devbrain at 9:13 AM on June 8, 2011
To encrypt the message itself, something like S/MIME is appropriate.
* encryption is a complex topic. This is true for STARTTLS in SMTP transactions, and the difference between using pop3 vs pop3s and imap vs imaps.
posted by devbrain at 9:13 AM on June 8, 2011
You're confusing transport-level encryption with message content encryption. There are a number of products (PGP was the old-school standby) for encrypting the content of a message. It is true that the subject line of those messages is not usually encrypted, as the begin/end blocks of the encrypted text are in the message body itself.
All the methods you're mentioning are transport-level. The message itself, and the subject, are never encrypted at the message level, only the traffic between you and the server is protected.
posted by mikeh at 9:38 AM on June 8, 2011
All the methods you're mentioning are transport-level. The message itself, and the subject, are never encrypted at the message level, only the traffic between you and the server is protected.
posted by mikeh at 9:38 AM on June 8, 2011
As others have said, you're misunderstanding SSL.
The purpose of SSL is to assure you that the web server (or mail server, in your case) that you are using is actually who and what it appears to be, rather than someone malicious appearing to be GMail, or eBay, or your ISP. That's all.
Your e-mail data is not saved or stored in any kind of encrypted way just because you're connecting to a server with SSL. The site/server you connect to for mail (your ISP, presumably) as well as every other mail server between you and the recipient (there may be several hops) has a plain-text copy of the e-mail content and the 'envelope', which includes the from, to, subject and a whole lot more. If you don't trust the network operators (ISPs, network admins), then e-mail is not secure at all, really.
If you want genuinely secure messages, you must encrypt your message contents with PGP or S/MIME or something else, and coordinate this with your recipient so s/he knows how to decrypt the gobbledegook message they will receive from you. SSL is not part of this.
posted by rokusan at 9:57 AM on June 8, 2011
The purpose of SSL is to assure you that the web server (or mail server, in your case) that you are using is actually who and what it appears to be, rather than someone malicious appearing to be GMail, or eBay, or your ISP. That's all.
Your e-mail data is not saved or stored in any kind of encrypted way just because you're connecting to a server with SSL. The site/server you connect to for mail (your ISP, presumably) as well as every other mail server between you and the recipient (there may be several hops) has a plain-text copy of the e-mail content and the 'envelope', which includes the from, to, subject and a whole lot more. If you don't trust the network operators (ISPs, network admins), then e-mail is not secure at all, really.
If you want genuinely secure messages, you must encrypt your message contents with PGP or S/MIME or something else, and coordinate this with your recipient so s/he knows how to decrypt the gobbledegook message they will receive from you. SSL is not part of this.
posted by rokusan at 9:57 AM on June 8, 2011
To emphasize something that mikeh mentioned, the encryption only occurs between your computer and your outgoing mail sever. Once your mail server has it, it is no longer encrypted and is sent on to its destination totally readable by anyone.
If you choose to use S/MIME or PGP/GPG, which will keep the message encrypted until its destination, you can just leave the subject blank and embed it in the message body.
posted by tommasz at 9:59 AM on June 8, 2011
If you choose to use S/MIME or PGP/GPG, which will keep the message encrypted until its destination, you can just leave the subject blank and embed it in the message body.
posted by tommasz at 9:59 AM on June 8, 2011
To answer your question, no.
In addition, the body of the email isn't encrypted either.
posted by blue_beetle at 11:34 AM on June 8, 2011
In addition, the body of the email isn't encrypted either.
posted by blue_beetle at 11:34 AM on June 8, 2011
The purpose of SSL is to assure you that the web server (or mail server, in your case) that you are using is actually who and what it appears to be
Well, that's only part of it. SSL is meant to verify the identity of the server you are connecting too (mail, web, etc) and also encrypt all the data sent between you and the server in question.
But, as others point out, it's only that particular part of the transport that's encrypted. Your ISP mail server stores the message in plaintext/unencrypted. But your ISP is not the final destination of the message: it's just one waypoint of many. And the rest of your message's journey to its destination almost certainly happens unencrypted.
So, in this case, what's the purpose of encrypting the link to your mail server? It's because you ISP probably requires a username/password to connect to the mail server. The SSL in this case is to protect your ISP username and password. Not to protect the message.
posted by sbutler at 3:15 PM on June 8, 2011
Well, that's only part of it. SSL is meant to verify the identity of the server you are connecting too (mail, web, etc) and also encrypt all the data sent between you and the server in question.
But, as others point out, it's only that particular part of the transport that's encrypted. Your ISP mail server stores the message in plaintext/unencrypted. But your ISP is not the final destination of the message: it's just one waypoint of many. And the rest of your message's journey to its destination almost certainly happens unencrypted.
So, in this case, what's the purpose of encrypting the link to your mail server? It's because you ISP probably requires a username/password to connect to the mail server. The SSL in this case is to protect your ISP username and password. Not to protect the message.
posted by sbutler at 3:15 PM on June 8, 2011
Response by poster: Thank you all.
I think my use of the word "encrypted" was not accurate.
I understand that "encryption" of the body and Subject line does not take place with SSL. I thought I also understand that with SSL the message is secure from my laptop to my email service provider's server, and after that there is no guarantee unless the recipient also uses the same email service and also has SSL checked on.
I am not using my ISP's email service, but .Mac. Some of the answers suggest however that somehow in transit from my computer to the .Mac smtp servers the ISP stores the email message but can read it.??? Is this true? I mean, I understand it has to digitally get to the .Mac servers from my computer somehow, that the first jump is from my laptop to the ISP, and then onward via who knows where to the .Mac servers, but I thought with SSL on the email was unreadable in transit. That is more or less the gist of my question: what can the ISP read from my emails if I have SSL turned on? Can they read the Subject line with SSL on?
tommorris wrote "The subject line is as secure in this scenario as the rest of the communication." But then blue_beetle wrote "To answer your question, no. In addition, the body of the email isn't encrypted either." I don't think they are answering the same question (due to my lack of clarity), but it leaves just enough uncertainty in me about the Subject line being readable even with SSL on.
I appreciate all your help thus far.
posted by steppe at 7:19 PM on June 8, 2011
I think my use of the word "encrypted" was not accurate.
I understand that "encryption" of the body and Subject line does not take place with SSL. I thought I also understand that with SSL the message is secure from my laptop to my email service provider's server, and after that there is no guarantee unless the recipient also uses the same email service and also has SSL checked on.
I am not using my ISP's email service, but .Mac. Some of the answers suggest however that somehow in transit from my computer to the .Mac smtp servers the ISP stores the email message but can read it.??? Is this true? I mean, I understand it has to digitally get to the .Mac servers from my computer somehow, that the first jump is from my laptop to the ISP, and then onward via who knows where to the .Mac servers, but I thought with SSL on the email was unreadable in transit. That is more or less the gist of my question: what can the ISP read from my emails if I have SSL turned on? Can they read the Subject line with SSL on?
tommorris wrote "The subject line is as secure in this scenario as the rest of the communication." But then blue_beetle wrote "To answer your question, no. In addition, the body of the email isn't encrypted either." I don't think they are answering the same question (due to my lack of clarity), but it leaves just enough uncertainty in me about the Subject line being readable even with SSL on.
I appreciate all your help thus far.
posted by steppe at 7:19 PM on June 8, 2011
If you're using SSL to .Mac for your email then no, your ISP cannot read any part of your email as it transfers from your computer to the .Mac servers.
posted by sbutler at 7:40 PM on June 8, 2011
posted by sbutler at 7:40 PM on June 8, 2011
If you're using SSL to .Mac for your email then no, your ISP cannot read any part of your email as it transfers from your computer to the .Mac servers.Unless they're transparently intercepting the SSL connection and performing a MITM attack. Which, you know, is not exactly far-fetched. There are commercial devices designed to do exactly this, and with a little cooperation from the certificate authorities, you'd never know.
posted by -1 at 10:16 AM on June 9, 2011
« Older Can a pharmacist refuse to dispense antibiotics? | Train from NYC to Paterson, NJ in 1934? Newer »
This thread is closed to new comments.
The subject line is as secure in this scenario as the rest of the communication.
But don't get a false sense of security. This doesn't mean your email is "encrypted", it means it is being transmitted securely to the mail server. Once the mail server has it, the rest of the journey across the Internet to the recipient's mail server isn't very secret.
Think of it like this:
Email encryption (PGP/GPG, S/MIME etc.) is like sending a letter to someone in code.
SSL encryption of your mail traffic is like sending a postcard but having armed guards take it to the mailbox.
Both are useful but they are not the same thing.
posted by tommorris at 9:12 AM on June 8, 2011 [1 favorite]