Helping people with computers... one answer at a time.

Encrypted email cannot be sniffed, but chances are that you aren't using encrypted email. I'll explain what I mean and what you might want to do.

Can sniffers be used with encrypted email like Gmail? Aren't https connections secure even for public/ wireless connections? Someone told me Gmail was hacked by China. Can they do this?

There's a misconception here that I want to clear up: Gmail is not encrypted mail.

In fact, encrypted mail is very rare.

I want to cover what encrypted mail means and how it relates to https.

And then I'll talk about getting hacked.

Encrypted email

Encrypted email implies that the message that you are sending is itself encrypted before it even leaves your machine.

The great news about using this kind of encryption is that it doesn't matter if the email message is being transmitted in the clear or not or if someone accessed it at any point in transit. The message is and remains encrypted until the recipient decrypts it.

The problem is that there is no pervasive standard for encrypted email. Actually, encrypting email messages today requires a little bit of savvy on both the sender and the recipient's part, and typically, it requires additional software or encryption certificates to be installed. On top of that, encryption technologies that are commonly used are not necessarily compatible with each other.

In other words, email encryption remains a bit of a mess.

But for those sufficiently motivated, it is indeed possible. Personally, I recommend the Enigmail extension to Thunderbird which relies on PGP/GPG public-key encryption to encrypt and/or digitally sign messages.

And none of that relates to https.

Encrypted connections

Https encrypts your data while it is being transmitted between your computer and the remote server.

What that means is that when you use a service like Gmail, a message is actually stored in the clear on your machine and Google's mail servers. Https encrypts the message, and anything else, only while that message is in transit between your computer and Google's.

The good news is that https is a ubiquitous standard. It doesn't suffer from the confusion around email encryption. All web browsers support it; it's simply up to the service whether or not to make an https connection available.

Additional good news is that https protects you from the most common form of data sniffing: the wireless connection between your computer and your Internet connection. As I've written about before, anyone with a laptop and the appropriate free software can listen in to unencrypted conversations at an open Wi-Fi hotspot. If your email messages themselves are not encrypted (and most are not), then https is there to protect you.

A downside - sort of - is that https only protects the connection between your computer and the server. The message is stored in unencrypted form, transmitted between mail servers in potentially unencrypted form, stored on your recipient's computer in unencrypted form, and may even have been downloaded to your recipient's computer in unencrypted form if they were not using https or an equivalent.

Hacking Google

Google was not hacked.

My recollection is that there was an attempt to infiltrate Google's network using malware delivered as email attachments. But at no time were Google's public servers compromised.

Is it possible? Absolutely.

Is it likely? Not very. Seriously, I consider this possibility extremely, extremely small.

I definitely hear from people who are absolutely convinced that their email provider's servers have been hacked, but in absolutely every case that I've encountered, deeper inspection turns up some significantly more mundane explanation for whatever problem it is that they're seeing.

Article C4919 - September 1, 2011 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

5 Comments
Bob
September 2, 2011 2:30 AM

I think this dovetails neatly into the other recent article about LockNote.
Store your 'e-mail' in there, tell your recipient what the password is by some other method (SMS seems ideal for this) and take steps to make sure the program actually gets received their end.

Bob Russsell
September 6, 2011 9:51 AM

Good article -- best explanation I've seen about what https actually is/does.

Robin Clay
September 6, 2011 11:27 AM

Personally, I regard e-mail as I do a postcard - that "anybody" can read it. That "anybody" usually means the postman - or any sorting-office staff en-route - i.e. people whom you trust, to a certain extent..

padfoot
September 6, 2011 1:38 PM

"British Broadcasting Channel" just write some news about hacking Google certificates and gmail users data by an Iranian team.

ron
September 7, 2011 3:36 PM

Your answer is good, but it missed one of the points of the question. They asked if gmail can be sniffed.The specific answer is YES. Sniffing is done to communication in transit.

However, even though someone can sniff your gmail, since it is HTTPS encrypted, the gmail traffic between your computer and the gmail server is reasonably secure.

Unless of course they set up a Man-in-the-middle attack and intercepted your communication before the HTTPS encryption was in place.
SSL Hijacking - http://www.windowsecurity.com/articles/Understanding-Man-in-the-Middle-Attacks-ARP-Part4.html

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to http://askleo.com/ask to ask your question.