Secure Web-Based E-mail Solutions: Yahoo!/Zixit Mail, HushMail, and LokMail

Although they do not all use PGP, many online e-mail providers are offering Web-based e-mail with security. You can sign up for a free e-mail account and you only need a Web browser to check, send, and manage your e-mail. Many people have used Hotmail, Yahoo! mail, or some similar type of Web-based e-mail service before. Adding secure e-mail to these services is a recent trend, and will no doubt continue.

Yahoo!, LokMail, and HushMail each work differently. Yahoo! provides its e-mail security through a third-party organization. E-mail messages can be sent encrypted to any e-mail address on the Internet. The recipient of the Yahoo! message must go to http://www.SecureDelivery.com to read the encrypted message.

This is in contrast to LokMail, which can only encrypt messages to people who have PGP set up either on their computer or through some Web-based e-mail service (such as LokMail). LokMail is based on the OpenPGP standard, and its advantages include security throughout the entire e-mail process, from composing to sending to receiving. More than that, LokMail offers you LokVault, which is PGP-encrypted storage space for your files. The other advantage is that it allows you to manage a PGP keyring and exchange e-mail with anybody who uses PGP. You must have somebody's PGP public key on your keyring before you can send that person encrypted e-mail. LokMail is a wonderful and advanced system whose main disadvantage is perhaps that it is more difficult to use. You have a password for logging into your mail account, and another password for encrypting/decrypting with PGP.

HushMail is also based on the OpenPGP standard. HushMail is simple to use because you have no PGP keyring to manage, and you only need to remember one password. The same password used for logging into your mail account is the one you use to encrypt and decrypt e-mail. Encrypted e-mail messages can only be sent between HushMail users. In this way, the HushMail system acts like its own central authority for managing people's PGP keys. You can trust the validity of the keys more because they are centrally managed, but you cannot send e-mail to other PGP users outside of the HushMail network. This is true at least in the free, current version of HushMail.

Table 8.2 lists some of the features of each.

Table 8.2. Web-Based E-mail Services
Web-Based E-mail Service / Characteristics

Yahoo!/Zixit Mail (http://mail.yahoo.com)

  • Free.

  • Requests personal information for account setup.

  • Easy for sender to use, but not necessarily receiver. Inconvenient for receiver to use because he has to check mail from the Web site, rather than having it delivered to his mailbox.

  • Exchange secure mail with any e-mail address on the Internet.

LokMail (http://www.lokmail.com)

  • Free.

  • More difficult to use than HushMail.

  • No sponsor advertising.

  • No personal information requested for account setup.

  • Easy for sender and receiver to use.

  • E-mail is sent directly to the receiver's mailbox.

  • Uses OpenPGP as the method of encryption.

  • Full-blown Web-based e-mail system that allows you to manage e-mail, folders, and PGP keyring, and exchange unsecured mail with anybody on the Internet.

  • Exchange secure e-mail only with people using PGP or PGP-enabled systems, such as LokMail.

  • Digitally sign e-mail messages (to anybody) using OpenPGP.

  • LokVault—encrypted and secure storage for your files.

HushMail (http://www.hushmail.com)

  • Free.

  • Simplest to use.

  • Advertising by sponsors.

  • No personal information is required for setup.

  • Easy for sender and receiver to use.

  • E-mail sent directly to the receiver's mailbox.

  • Uses OpenPGP as the method of encryption.

  • Full-blown Web-based e-mail system; you can manage e-mail and folders and even have new mail notifications sent to another e-mail account of yours.

  • Exchange secure e-mail only with other HushMail users.

  • Digitally sign e-mail messages (to anybody) using OpenPGP.

Yahoo! Mail

http://mail.yahoo.com

Yahoo! has joined forces with Zixit.com, formerly SecureDelivery.com, to bring secure e-mail to its user community. When you sign up for a free Yahoo! e-mail account, you are asked for personal information such as your name, zip code, and occupation. Of course, no checking takes place to see if the information that you register is true. As a Yahoo! mail user, the steps for creating and sending a secure, encrypted e-mail message to someone are as follows:

1. Bob composes a message and selects the Send via free SecureDelivery.com option, as shown in Figure 8.14.

Figure 8.14. Yahoo! mail enables you to encrypt mail by clicking Send Via Free SecureDelivery.com before sending your message.

2. Alice receives a message from SecureDelivery.com, inviting her to the site to set up a secret passphrase.

3. Alice goes to the SecureDelivery.com Web site and sets up her passphrase.

4. Alice is e-mailed a confirmation request inviting her back to the Web site.

5. At the SecureDelivery.com Web site, Alice accepts her passphrase and reads the secure message that Bob sent.

6. Bob gets a Message Pickup Receipt, indicating that Alice has read the message.

After Alice has read the message from the SecureDelivery.com Web site, she has the option to reply using the same level of security. The same process will repeat, but this time Bob will be the one receiving the secure message.

Security is achieved by keeping the encrypted e-mail on the SecureDelivery.com e-mail servers; however, the extra steps of having to log into this Web site cannot be ignored. Alice must visit this Web site to view the mail, but after she is in, she can also send secure messages to Bob.

HushMail

http://www.hushmail.com

HushMail provides an effective solution in what is perhaps the simplest-to-use OpenPGP Web-based e-mail system available. If you just want to get up and running with secure e-mail, without having a bunch of advanced options to figure out, use HushMail. Through a completely Web-based interface, you can exchange secure e-mail with other HushMail users, and even send non-encrypted e-mail to non-HushMail users. As of October 2001, HushMail began offering HushMail Professional, a software application that integrates with Microsoft Outlook, to allow for secure HushMail usage directly from your Outlook e-mail client. In this section, we will be referring only to the features of the HushMail Web-based e-mail system available from http://www.hushmail.com.

Setting up a HushMail account is simple and does not require you to enter personal information. You sign up by entering the username of your choice (such as [email protected]) and your chosen password. As usual, be sure not to forget your password or you will be unable to open encrypted messages. The HushMail support staff cannot retrieve messages encrypted for you if you forget your password.

The HushMail user interface is friendly and familiar. As shown in Figure 8.15, buttons are available for checking mail, composing mail, and managing your contacts, preferences, and folders.

Figure 8.15. The HushMail interface.


Sending and reading e-mail is simple. To send it, click the Compose button to start a new message. As shown in Figure 8.16, your options are limited, making the decisions easy. You choose to encrypt or sign the e-mail message, and then you send it. If the person you are e-mailing is a member of the HushMail.com network, your message goes through as soon as you click Send. If the recipient is not a member, you will get an error saying that the message cannot be encrypted. Remember: With the HushMail system, messages can only be encrypted between HushMail users. The HushMail people store and manage all of the PGP keys. You can still send messages to people who don't use HushMail, but you can't encrypt them.

Figure 8.16. Composing a secure e-mail message is simple using HushMail.


Part of HushMail's appeal is its simplicity: you do not have to bother with multiple passwords. Although some people find that separate passwords bring added security, others find that they bring headaches. HushMail requires only one password, and after you have entered it the first time, you do not need to continue typing it in every time you want to sign a message or read an encrypted one.

Web-Based PGP by LokMail: A Tutorial

http://www.lok.com

LokMail works differently, providing perhaps one of the most advanced and usable secure e-mail experiences. LokMail provides more advanced functionality than HushMail, and it is not for the faint of heart. If you are looking for an advanced secure e-mail solution, and you are willing to spend some time figuring things out, use LokMail; otherwise, try out HushMail, which provides an easier-to-use secure e-mail system without many of the advanced features. LokMail uses OpenPGP security at the core of its system. LokMail operates over a secure SSL-enabled channel. You can see this in the URL address bar, where https:// precedes the address. Everything you send between your browser and LokMail is encrypted and secured.

By using LokMail, you get two main features:

  • LokMail OpenPGP encrypted and signed e-mail

  • LokVault OpenPGP secure file storage

LokMail gives you the benefit of easily exchanging secure e-mail with people who use PGP (or LokMail). It provides a rich Web-based e-mail experience, offering you full control of e-mail, folders, and preferences. You get the LokVault, which is basically just secure storage space for your files. One of the best parts is that you have a PGP Keyring built right in for you.

Setting up and using LokMail is simple and free, and possibly one of the easiest Web-based e-mail systems to get started with in under a minute. Currently, LokMail version 2 works only with Internet Explorer and versions of Netscape prior to 6.0. LokMail does not ask for personal information when you are setting up a free account.

Follow these steps to set up LokMail:

1. Sign up at www.lok.com by clicking the REGISTER button.

2. At the LokMail signup screen, you are asked to enter four items. Make sure you read the few paragraphs describing the requirements for setting up each of the following because minimum and maximum lengths are allowed for each:

  • Your full name— The name that will be associated with your PGP public key

  • Your desired e-mail username

  • Your password— Used to access and use the e-mail account

  • Your passphrase— For using the PGP encryption built into LokMail

That's it. After you make it through steps 1 and 2, you are ready to start using your new LokMail account.

When you finish signing up with LokMail, you are given a chance to e-mail your new public key to somebody. Take this opportunity to e-mail a friend, so that he can respond by sending you a secured message.

Sending e-mail with LokMail is fun and secure. It is important to note that not only do you have a password for access to LokMail, but you have a separate passphrase for use with PGP. Do not forget either of these. Before we walk through setting up secure e-mail with LokMail and PGP, realize that you can also send e-mail unsecured to anybody on the Internet. Just click Compose and off you go. LokMail is a full-blown Web-based e-mail client, allowing you to send and receive your choice of unsecured or secured messages.

When you first log in to LokMail, you are given a chance to configure your options, as shown in Figure 8.17. Take a minute to see what your options are, and customize LokMail to suit your needs.

Figure 8.17. The LokMail configuration.


You have options for things like the following:

  • Display name

  • Message signature

  • E-mail or pager notifications for new e-mail

  • Warn/deny access to certain file attachment extensions (.exe and .vbs are good ones to include here)

  • Miscellaneous options related to your LokMail preferences

To send secure e-mail to somebody, you first need to get that person's PGP public key from a public key server and add it to your key ring. For starters, you can use our PGP public key, created just for this exercise. Follow these steps to find our PGP public key and add it to your key ring in LokMail. You must first have completed the previous steps to set up your LokMail account:

1. Use your Web browser to visit http://pgpkeys.mit.edu:11371. (Make sure you put in the colon and 11371 just as shown.) This site exists just for PGP public keys. In its database, millions of people have uploaded their PGP public keys, which can be searched, downloaded, and viewed publicly. If you cannot reach this site, try http://keyserver.pgp.com instead.

2. Search for [email protected] by typing it in the search or lookup form.

3. Our PGP public key will be returned, as shown in Figure 8.18.

Figure 8.18. Your PGP public key for [email protected] e-mail address.

4. Use the mouse to highlight and copy all of the text starting from the words Public Key Server. Windows users can click inside the browser and then press Ctrl+A and then Ctrl+C to copy everything.

5. Now, open a separate Web browser window and go to http://www.lok.com.

6. Log in using your username and password, and select Key Ring, Add Key, as shown in Figure 8.19.

Figure 8.19. Add a public key to your LokMail key ring by selecting Key Ring, Add Key.

7. Paste our public key for [email protected] into the form, and click Execute. If you get a message saying that the public key is invalid, you have copied the wrong text. Just try again, this time copying all of the text that appears in your browser.

That's it! You have added the first public key to your keyring.
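Step 7's "public key is invalid" message appears when the pasted text is not an intact key block. As an added example (not from the book, and not LokMail's code, whose own validation is not described here), this Python code applies the OpenPGP ASCII-armor checks from RFC 4880 to pasted text; the function names and the sample data are assumptions constructed for illustration.

```python
import base64
import re

ARMOR_RE = re.compile(r"-----BEGIN PGP PUBLIC KEY BLOCK-----\r?\n(.*?)\r?\n"
                      r"-----END PGP PUBLIC KEY BLOCK-----", re.S)

def crc24(data: bytes) -> int:
    """CRC-24 used by OpenPGP ASCII armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(data: bytes) -> str:
    """Build an armored block; used only to construct the sample below."""
    b64 = base64.b64encode(data).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    check = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", "Version: example",
                      "", *rows, "=" + check, "-----END PGP PUBLIC KEY BLOCK-----"])

def extract_public_key(pasted: str) -> bytes:
    """Return the binary key data found in pasted text, or raise ValueError."""
    match = ARMOR_RE.search(pasted)
    if not match:
        raise ValueError("no complete PUBLIC KEY BLOCK in the pasted text")
    rows = [r.strip() for r in match.group(1).split("\n")]
    if "" not in rows:  # armor headers must be followed by a blank line
        raise ValueError("blank line after armor headers is missing")
    body = [r for r in rows[rows.index("") + 1:] if r]
    if not body or len(body[-1]) != 5 or body[-1][0] != "=":
        raise ValueError("armor checksum line is missing")
    try:
        data = base64.b64decode("".join(body[:-1]), validate=True)
        stored = base64.b64decode(body[-1][1:], validate=True)
    except ValueError as exc:
        raise ValueError("armor body is not valid base64") from exc
    if crc24(data) != int.from_bytes(stored, "big"):
        raise ValueError("CRC-24 mismatch: key text was altered or truncated")
    if not data or data[0] not in (0x98, 0x99, 0x9A, 0xC6):  # packet tag 6
        raise ValueError("block does not start with a public-key packet")
    return data

# Constructed sample: placeholder bytes shaped like a packet, not a real key.
SAMPLE_PACKET = b"\x99\x00\x60" + bytes(range(96))
PASTED_PAGE = "Public Key Server\n\n" + armor(SAMPLE_PACKET) + "\n"
```

Passing these checks shows only that the key text was copied intact. It does not show who owns the key, so compare the key's fingerprint with its owner over another channel before relying on it.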

If you select Key Ring on the LokMail menu, you should see a screen similar to Figure 8.20. You will see our PGP public key and your own keys for your e-mail address and your private key.

Figure 8.20. LokMail provides a PGP keyring for you to store people's public keys.


Note

Other people must have your PGP public key to securely e-mail you. You can send it to them via e-mail by clicking KEY RING and then clicking the link with your e-mail address located under the Public Keys section. Type the e-mail address for a friend or someone you know who uses PGP, and select Send Key.


The grueling part is over. From now on, you are ready to exchange secure e-mail. You just need to add new people's public keys to your KEY RING when you are ready to mail them. Follow the next few steps to send an encrypted and signed e-mail to [email protected]:

1. Select LokMail, Compose.

2. You will see a screen similar to Figure 8.21, where you can create and send your e-mail.

Figure 8.21. Composing an e-mail message at www.lok.com.

3. Compose your e-mail normally, addressing it to [email protected].

4. Select Sign and Encrypt Message and Attachments from the Encryption drop-down menu, and select Send Message Now from the other drop-down menu.

5. You are asked to enter your passphrase so the message can be signed. Remember that your passphrase is specific to PGP and separate from your login password.

That's it! Your e-mail message is signed, encrypted, and securely sent on its way to [email protected]. Try to get one of your friends to send you a PGP encrypted message using your PGP public key.

LokVault

Lok Technologies also provides you a place to securely store your files. LokVault is integrated with the LokMail service. Just click LOKVAULT on the Links menu to access the secure storage area. From here, you can create folders and upload files, as shown in Figure 8.22. Your files are encrypted either with a password of your choice or by using your public key. The free account comes with 25MB of storage space, but if you need more, you can upgrade to a Premium Service that is bound to give you or your company what you need.

Figure 8.22. LokVault access.


Think of LokVault like Windows Explorer. You create folders on your computer in which to store files. LokVault is no different, except that your files are encrypted and stored securely on the LokMail servers instead of your hard drive.

For more information regarding LokMail, and to see tutorials on using it, visit https://admin0.lok.com/support/.
