
The Difference Between A Stolen Mailbox and a Steel Envelope: An interview with gWebs CTO Anderson Jin.

December 2nd, 2008

Recently, all of the big email providers in the consumer arena, including Yahoo! Mail, Gmail, and MSN Live Mail have begun to offer “security solutions”.  Google Apps, Microsoft’s Live Admin Mail, Bluetie and Rackspace also offer business security solutions for both small and large enterprises.
But what are these solutions, and how does our new product, MailCloak, differ from them?  In this blog post Sarah Yu, Global Web Security Systems’ (gWebs) marketing executive, interviews gWebs CTO and lead programmer Jin Anderson to discuss what’s happening in the email security space and how MailCloak differs from the security solutions already offered by these providers. I have translated this post from the original Chinese.


Sarah: First, Jin, I’d like to ask you to introduce yourself to our readers – tell them a little about who you are and what you do.

Anderson: I was gWebs’ first software engineer, and I have watched over gWebs’ progress, from a tiny startup to a company with a mature product line ready to go to market. As we’ve grown, I have worked to constantly improve my programming and leadership skills and build a close-knit team of programmers with diverse experiences and deep understanding of the emerging technologies we work with. I have done thorough analysis of many technologies emerging around the world, especially in the webmail field. I have deeply analyzed the webmail login process and carefully researched sending and receiving email at the network level. In email clients, I have studied all of the major protocols (including POP3, SMTP, IMAP) and sending formats (like MIME) and I am very familiar with all of them. I have also studied the source code for many open source P2P technologies, and I am very familiar with their development processes.

Sarah: These days, email providers often talk about “Email Safety Features”; they usually provide spam filters, virus filters, and point to point encryption (HTTPS).  How are these features different from what gWebs MailCloak provides?

Anderson: To help users understand how MailCloak is different from the built-in security features available in many webmail systems, I would like to start with a simple overview of how email is sent and received. This process, at the very minimum, consists of the following steps: First, the user writes an email; they then send the email from their computer to their email server. The message is now saved on the server. Now the original server will pass the message over the internet to the receiving server, and then the recipient will download the message from the receiving server to their own computer.

Email service providers usually provide “safety features”, which protect the message as it travels from the user to the server, or vice versa. When the user reads the message, it is easy to find security problems. For example, HTTPS protects from a man-in-the-middle (interception) attack between the user and their mail server; virus and spam filters are self-explanatory - they protect users from viruses and spam - but none of these products protect the message from the email provider itself, or the internet-at-large between sender and receiver.

gWebs MailCloak privacy protection solutions are designed to protect the content of the message throughout the entire lifespan of the email message. For example, when you write your message, we protect against Trojan horses and key loggers (keyboard sniffers), we encrypt all drafts saved to the email server, and the message is encrypted as it travels to the server.

The message is also encrypted when it is saved on the server, and as it passes across the internet. Only when the message reaches the recipient can it be decrypted and read - but it is never saved in decrypted format. We also filter out all scripts, and other forms of attack found in messages. Of course, the most important thing for us to do here is to protect the content of the message, so we can guarantee that the email providers and transfer points have no way to read the message.

Sarah: Most users’ mailboxes are only protected by a username and password. We assume that if the username and password are safe, then we are protected. What other security concerns exist?

Anderson: Let’s take the metaphor of snail-mail. The username and password authentication system is a lot like the key to a mailbox. If this key is copied or stolen, all the mail inside can be stolen and read. But MailCloak is like a steel envelope. It will protect the message even if an intruder guesses or steals your login credentials. The message remains locked, and only the intended recipient can read it.

Most email users’ understanding of email security stops at usernames and passwords, or maybe they know about virus scanning or have heard of HTTPS. They know to protect their email password from being stolen or copied, but perhaps they don’t understand that email (as opposed to regular mail) has a whole additional set of security concerns – similar to all other security concerns on the internet.

Sarah: Will installing MailCloak affect the way I send email?

Anderson: When we designed our product, we thought very carefully about the way people use email, and we tried to preserve 100% of the convenience of sending email. Of course, adding a new kind of security and privacy protection will involve SOME changes, but we have tried our best to reduce them. In the end, we find that we have only added one or two clicks to the process - turning email encryption on, and entering a password when signing or receiving a message, but that’s about it. We also welcome suggestions on how to make MailCloak easier to use.

Sarah: In your view, what kind of emails should be encrypted?

Anderson: In my opinion, any kind of email involving money should be encrypted. For example, I hope everyone will protect messages concerning account balances and pay stubs. But I also think that the internet is a very dangerous place. Client records, attorney-client communications, communications involving shipments of valuable cargo, communications involving passwords of any kind, messages carrying insider information, files that are related to patents and everything like that ought to be encrypted as well. And of course, if you’re having an affair, or doing some other disreputable act, you’d better encrypt your email to cover your ass! HAHA!

Sarah: Thank you very much!

Anderson: My pleasure! I would also like to thank all the readers who took the opportunity to read this and learn more about MailCloak and email security.
