Something that comes up a lot in this business is the need to transmit sensitive information, the most obvious examples being passwords and usernames. Clearly this issue isn’t exclusively relevant to web developers – we all need to share our private information with other people at one time or another. Since a lot of clients (and family members and friends and neighbors… you get the idea) ask if they can just email me their information, I thought it would be a good idea to tackle the subject as part of my security series.
So, can you just email passwords and usernames? Unless you’re using encrypted email (to be explained in more detail later), the answer is no. Let’s talk about the basics.
Sending Sensitive Information Basics:
(1) Online security starts with good password practices. Refer to my previous post on the subject if you aren’t sure: Security 101 – Storing Sensitive Information
(2) Break it into pieces. If we’re talking usernames, passwords, social security numbers, that kind of thing – don’t send related information in a single email. For example, send the username via email, but then send the password via text message. You can also send the password via email (with no context around it), and then call in the username.
(3) This may sound very common sense, but it still warrants saying: only share your information with someone that you trust! If you aren’t sure that you can still trust that person / agency / business – change your username and password, or delete your account.
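A stronger variant of step (2), as an added example that is not part of the original post: instead of only separating the username from the password, split the password itself into two shares, so that neither the email nor the text message reveals anything on its own. The function names and the 32-byte padding block are assumptions made for illustration.

```python
import base64
import secrets

BLOCK = 32  # assumption: pad to a multiple of 32 bytes to hide the exact length


def _pad(data: bytes) -> bytes:
    """Prefix a one-byte length, then zero-fill up to a multiple of BLOCK."""
    if len(data) > 255:
        raise ValueError("secret too long for the one-byte length prefix")
    body = bytes([len(data)]) + data
    return body + bytes(-len(body) % BLOCK)


def split_secret(secret: str) -> tuple[str, str]:
    """Return two shares; each one alone is indistinguishable from random bytes."""
    padded = _pad(secret.encode("utf-8"))
    pad = secrets.token_bytes(len(padded))               # one-time random pad
    masked = bytes(p ^ k for p, k in zip(padded, pad))   # secret XOR pad
    return (base64.urlsafe_b64encode(pad).decode("ascii"),
            base64.urlsafe_b64encode(masked).decode("ascii"))


def join_shares(share_a: str, share_b: str) -> str:
    """Recombine the two shares (order does not matter) into the secret."""
    a = base64.urlsafe_b64decode(share_a)
    b = base64.urlsafe_b64decode(share_b)
    if not a or len(a) != len(b):
        raise ValueError("shares do not belong together")
    raw = bytes(x ^ y for x, y in zip(a, b))
    length = raw[0]
    if length > len(raw) - 1:
        raise ValueError("shares do not recombine to a valid secret")
    return raw[1:1 + length].decode("utf-8")


if __name__ == "__main__":
    # Constructed sample password, not a real credential.
    email_share, sms_share = split_secret("correct horse battery staple")
    print("send by email:", email_share)
    print("send by text :", sms_share)
    print("recombined   :", join_shares(email_share, sms_share))
```

The shares carry no integrity check, so a mistyped share recombines to garbage or an error rather than the password; generate a fresh pair for every secret.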
Now let’s talk about encrypted email.
Thanks to Snowden we all now have a pretty good idea that the NSA is snooping into the privacy of everyday citizens. Some people are bothered by this, and others are more of the “meh – I have nothing to hide” mindset. Personally, I believe that everyone has a right to privacy, but you don’t have to care about personal privacy to be interested in encrypted email.
Encrypted email should be a basic tool that everyone uses to protect themselves when they need to send sensitive information, and there are a lot of ways to encrypt emails. Today I’m going to do a walkthrough of the coolest new kid on the block, Virtru. Not only are they able to provide NSA grade level encryption (read their blog for details), they provide some incredibly cool features like blocking email forwarding, message expiration – otherwise known as self-destructing messages(!) – and message revocation. This last option tends to get people really excited since it FINALLY allows there to be an undo button for those really ill-judged emails.
If you go to Virtru’s website: https://www.virtru.com/ you’ll notice that they’re still in Beta. I’m an early adopter on this one. They already have browser extensions for Google Chrome and Mozilla Firefox (it integrates very well with my Gmail!), and an app for iOS 7, which is pretty basic but so far quite usable. Plenty more browser extensions, plugins, and apps are in development and if you go to the website you can request to be notified when your preferred widget is available.
Now, let me show you how this very Q (obligatory James Bond reference) service works.
Virtru Encrypted Email Service
Go to the Virtru website and click on the big blue “Get Virtru” button.
This will take you to a screen that will automatically detect which browser extension you should install (by detecting which browser you’re using).
You then navigate to the webmail service of your choice. The rest of this post will assume that you’re using Gmail since that’s the service that I chose to try Virtru with.
As you can see from the screengrab, you’ll want to open up a new message window. You’ll now have the option of turning Virtru protection on by toggling the switch in the upper right corner.
There are several pretty cool options now at your clever little fingertips.
As the next image indicates, you can now check the option to disable email forwarding (!) and / or to set an expiration date. The expiry can be set in increments of minutes, hours, days, weeks, months, or years. This means that you can set how long your message is viewable to others, and after that amount of time – poof! – it’s gone. Access is revoked and for all intents and purposes, your email has just self-destructed. This may not be quite as cool as an exploding pen, or a watch that is really a bug detector, but you have to admit it’s pretty neat.
Hovering over each of the two choices will give you more detail regarding your options.
When you send the email you have the choice of entering a personal message to let the receiving party know that you are indeed the person that you say you are, and that you are sending a special encrypted email through Virtru. This is really just an introduction to the service, since this (1) isn’t required, and (2) isn’t at all necessary if the party receiving the email has Virtru installed already.
Once I set the expiration date and disabled email forwarding, the only thing left to do was send the message. This is what my testing buddy saw in his non-standard web based email (i.e. not Gmail, Yahoo, etc). I’ve obviously blocked the individual’s identifying information in order to respect his privacy.
Once you click on the “Open Email” button, you are taken to a secure-reader browser window that asks the receiver to verify his or her identity by confirming the email service used to send the message or the specific email address that the email was sent to. Either method can be used as a form of verification which is a nice bit of flexibility in the app.
This sends a verification email to that address, which then opens the email in the secure reader. It sounds like a lot of steps, but in practice it took less than 15 seconds. From this “secure reader” screen you can also send a secure encrypted reply.
If someone tries to access an email that has expired, this is what they will see:
And last, but DEFINITELY not least is the nearly *magic* undo button. This feature alone is a pretty big reason to use Virtru for every email that you send, because any email that you send with Virtru can be revoked at any time. If you go to your sent email folder and open an email sent with Virtru, you’ll see two icons in the upper right corner.
The first icon – the downward pointing arrow – allows you to belatedly block email forwarding or add a message expiration date. The second icon – the red hand – allows you to retrieve your email at any time. That horrible email that you sent at 3am to your [ boss | coworker | professor | friend | family member | ex significant other ] after one too many Gin & Tonics – you know the one. That suddenly has an undo button. Of course there’s no guarantee that you’ll be able to retrieve the email before it’s been read, but even if it has been seen, it no longer has to sit in that person’s inbox for all of eternity mocking you with its presence. You can GET IT BACK.
And of course, Virtru is an excellent way to send sensitive information such as your password and / or username, since the message is encrypted and you have control of access to your data at all times. Needless to say, I’m pretty impressed with this app.
If you’d like more information about Virtru services or what they’re all about, check out their website: https://www.virtru.com/