Where I work (large international investment bank) they block access to all webmail, online docs & spreadsheets, and social sites like Myspace and Orkut. They also disable Exchange rules to prevent people forwarding everything to an offsite mail account and have explicitly stated that we are not allowed to forward mail to ourselves at outside email addresses.
The belief seems to be that this will somehow prevent people transferring information out of the company. Apparently they haven't actually been online lately as there are literally thousands of other ways to transfer information outside – take this forum for example.
Paranoia != security |
I am still surprised that given the amount of confidential info that is contained within Emails these days all email providers don't insist on using https to transport all traffic.
I know gmail have it as an option, but they could go further and add it as an option to the gmail settings tab that will identify users who wish to insist on a https secure page and thus auto-start with that set up regardless of what computer they are on.
However, I believe that the paranoia is more to do with the lack of control of user actions rather than blocking any one specific technology. For example, in some countries there is a legal requirement to archive all employee emails, which is virtually impossible for technologies outside the company's control, without some sort of keylogging and screen-capturing. |
Um, email is transported in plaintext regardless of your browser settings. SMTP (the email protocol) is plaintext. The best you can do is encrypt your emails (see GPG and PGP). Other measures are inspired by fear, uncertainty and doubt. |
I have had all of my work email forwarded to my g-mail account since the 1st week I created my g-mail account. It is just much easier to have one location to check mail, especially when working from home or on the road.
Granted, my job/email generally does not involve any corporate secrets or high priority files. I can see where this would be a concern for some companies. |
Not necessarily Ricky.
If you check this tutorial for Outlook 2003 from the Gmail FAQ you can see that the POP and SMTP are both sent through the https setting. (See Step 9)
http://mail.google.com/support/bin/answer.py?answer=13278
It's all possible without the PGP/GPG route. Making https the default route or the 'only' route may well be the only way to go to prevent any leaks of confidential data. At the end of the day, users want convenience and will try to circumvent any security policies where they can to make life more convenient. |
And for small companies, there's Google Apps for your Domain! :) |
> Not necessarily Ricky.
> If you check this tutorial for Outlook 2003 from the Gmail FAQ you can see that the POP and SMTP are both sent through the https setting. (See Step 9)
That only applies to the communication between your computer and gmail's servers. Transfers between gmail's and say yahoo's servers are still performed in plaintext. |
Hurray! Yes I work for a startup and we love Google Apps for your Domain.
It could use a few more features (system for customer service) but it works and is free! And the only weakness is the users (like myself). Which you can't ever keep Johnny from accidentally emailing something to the wrong person. |
Utills,
No, you're wrong. SMTP is used to send email from one provider to another. You send an email from a gmail account to a Hotmail account, both of which may use HTTPS, fine, but gmail and Hotmail (unless they have a special agreement – unlikely), use SMTP to transfer the mail between each other.
On the upside, at least whoever sniffs your traffic probably won't be your boss/ISP this way, unless they magically get themselves into the core of the routing between Google and Microsoft. |
Hmmm. . . not quite, guys. . .
Yes, server-to-server mail communications are done with SMTP, which, yes, is always in plain text. HTTP and HTTPS are never used for inter-server mail transfer--they're only used for user access to webmail.
*However*, the commonly used SMTP server applications (Postfix, Qmail, Exim, and Sendmail) can *all* be configured to optionally encrypt SMTP transfers using TLS ("Transport Layer Security"), which is more-or-less the same encryption method that's used by HTTPS (and which is a newer version of what used to be called "SSL"). It works great, and can protect server-to-server email transfers.
There are a couple of flies in the ointment, though: the biggest one is that since most SMTP servers aren't configured with this option turned on, even the servers that do have it turned on need to keep its use optional, or they risk turning away most of the legitimate mail out there today. In order for TLS to be used, the servers on both ends have to agree with each other to use it when they negotiate the start of an SMTP session--otherwise they fall back to unencrypted, plain-text SMTP.
Because most SMTP servers don't have TLS turned on, you're left with the likelihood that your mail will be transported in plain text across the internet--but it's not because SMTP can't be secured, it's because lots of admins don't know enough about the subject to configure TLS.
|
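Added example, not part of any comment in this thread: a Python sketch of the sending server's side of the STARTTLS negotiation described in the comment above, showing how an optional-TLS policy falls back to plaintext while a mandatory one holds the mail. The EHLO replies, host names and function names are constructed for illustration; the policy names "may" and "encrypt" mirror Postfix's `smtp_tls_security_level` values.

```python
# Constructed EHLO replies (sample data, not captured traffic).
TLS_PEER = (
    "250-mx.example.net at your service\n"
    "250-SIZE 35882577\n"
    "250-8BITMIME\n"
    "250-STARTTLS\n"
    "250 ENHANCEDSTATUSCODES"
)
PLAIN_PEER = (
    "250-mail.example.org Hello\n"
    "250-SIZE 10240000\n"
    "250 8BITMIME"
)

def parse_ehlo(reply):
    """Return the set of extension keywords in a multi-line 250 reply."""
    extensions = set()
    for i, line in enumerate(reply.strip().splitlines()):
        # Every line is "250-text" (more follow) or "250 text" (last line).
        if line[:3] != "250" or line[3:4] not in ("-", " "):
            raise ValueError(f"unexpected EHLO line: {line!r}")
        # Line 0 is the greeting; later lines carry one extension each.
        if i > 0 and line[4:].strip():
            extensions.add(line[4:].split()[0].upper())
    return extensions

def choose_transport(reply, policy):
    """Decide how the sending server proceeds after EHLO.

    policy "may"     -> use TLS if offered, else send in plaintext
    policy "encrypt" -> use TLS if offered, else defer the message
    """
    if policy not in ("may", "encrypt"):
        raise ValueError(f"unknown policy: {policy!r}")
    if "STARTTLS" in parse_ehlo(reply):
        return "tls"
    return "plaintext" if policy == "may" else "defer"

def plaintext_destinations(peers, policy):
    """List destinations whose mail would cross the network unencrypted."""
    return sorted(d for d, r in peers.items()
                  if choose_transport(r, policy) == "plaintext")

if __name__ == "__main__":
    peers = {"example.net": TLS_PEER, "example.org": PLAIN_PEER}
    for policy in ("may", "encrypt"):
        for domain, reply in peers.items():
            print(policy, domain, choose_transport(reply, policy))
```
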
I think we should all use pigeons for data transfer. |
Ricky: Fan of PigeonRank? :D |
Your company is smart not to want you to transfer emails especially to Google. They store the content of your emails and sell the data to advertisers.
Google mail has failed miserably. As a matter of fact the only thing Google hasn't failed at so far is search engine and that is soon to be wrestled from them by the up-and-coming start-ups who provide ten times better search than Google is capable of providing.
Google is bad for our society. |
And who are those "up-and-coming start-ups who provide ten times better search than Google"? |
Yes, I'd give your comment some consideration if you can provide a link to those stats. If there's a search engine with results 10x better, I will use it and drop google in a heartbeat. |