Encrypted email? Any issues with this scenario?
I am being asked to send a copy of my federal tax return to a company that has a legitimate use for it, but they are telling me if I put the word "encrypt" in the subject line it will be encrypted when they get it. That might be true, but heck wouldn't it have already been traveling to their servers unencrypted?
THEN they send it on to a third party (also legitimate) by encrypting the document and sending it on in an email AND then send the password for the document in a separate email to them.
Maybe I'm overthinking ... but this doesn't sound like a good idea to me.
And the SS# is redacted, but it still seems like sensitive information to send in this manner.
What do you think?
Re: Encrypted email? Any issues with this scenario?
All the recent cases I've had to do something like this, the company has a portal where you can upload the document. This bypasses emailing it altogether. Not sure why that isn't the case here.
Re: Encrypted email? Any issues with this scenario?
Yeah…writing encrypted in the subject is useless. If you truly need something encrypted via email, you need something like GGP that creates a public and private key. But a portal should be standard business practice for a legitimate company.
Re: Encrypted email? Any issues with this scenario?
In short, your understanding is correct for these purposes. The "encrypt" keyword would only be processed once it arrived on their server, unless you were also sending it from a corporate mail server that handled "encrypt" on your side.
(The slightly longer answer is that there might be encryption from your mail server to theirs (TLS, which is kind of like HTTPS but for other types of traffic like email) but you can't guarantee this, so safest to assume it's unencrypted.)
Also wrong. They must send the password through a separate trusted channel, not just in an additional plain email. Meaning, they should send encrypted email and call the third party to give the password verbally.
These are red flags that the party you're working with does not know how to keep your data safe. Thirding the advice to ask for a link/portal to upload the files instead.
Re: Encrypted email? Any issues with this scenario?
Just typing "encrypt" in the subject line is useless; it will do absolutely nothing on a public email system (e.g., Gmail, Yahoo, Comcast, etc).
Not only will your tax return arrive at its destination unencrypted, it will leave an unencrypted copy of itself at every hop along the way. Can you package it into an encrypted zip file and provide the encryption password to them verbally over the phone?
"Happiness Is Not My Companion" - Gen. Gouverneur K. Warren. |
(Avatar is the statue of Gen. Warren atop Little Round Top @ Gettysburg National Military Park.)
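The two replies above make the same point from different angles: any TLS between mail servers is opportunistic and invisible to the sender, and every relay that handles the message holds a plaintext copy whether or not the link into it was encrypted. The script below is an added example and is not part of this thread; it reads the Received: headers of a delivered message (each relay prepends one, and the receiving server records the protocol it accepted the message with, e.g. "with ESMTPS" for a STARTTLS link versus plain "with ESMTP") and reports which hops were cleartext. The sample message, hostnames and addresses are constructed for the demonstration. This is a retrospective check that only the recipient can run on a message that has already arrived; it cannot tell the sender in advance whether their provider will negotiate TLS with the other side, which is exactly the uncertainty the thread is about.

```python
import email
import re

# Constructed sample message (not from the thread). Each relay prepends its own
# Received: header, so the first header is the last hop. The receiving server
# records the protocol it accepted the message with: "ESMTPS"/"ESMTPSA" means
# STARTTLS was negotiated on that link, plain "ESMTP"/"SMTP" means cleartext.
# Many servers also add a "(version=TLS1_3 cipher=...)" clause after the id.
SAMPLE_MESSAGE = """\
Received: from mx1.example-company.test (mx1.example-company.test [192.0.2.10])
\tby mail.third-party.test with ESMTP id 7f3a2c1;
\tMon, 6 Dec 2021 17:31:02 -0500
Received: from mail.isp.test (mail.isp.test [198.51.100.5])
\tby mx1.example-company.test with ESMTPS id 3b9d1e2
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256);
\tMon, 6 Dec 2021 17:30:58 -0500
Received: from laptop.home.test ([203.0.113.42])
\tby mail.isp.test with ESMTPSA id 9c0a4f7;
\tMon, 6 Dec 2021 17:30:55 -0500
From: sender@isp.test
To: intake@example-company.test
Subject: encrypt - tax return attached
Content-Type: text/plain

Please find my return attached.
"""

FROM_RE = re.compile(r"\bfrom\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.IGNORECASE)
TLS_CLAUSE_RE = re.compile(r"\(version=TLS", re.IGNORECASE)


def classify_hop(received_value):
    """Describe one Received: header: which host handed the message to which,
    over which protocol, and whether that link was TLS-protected."""
    # Fold continuation lines and collapse whitespace so the regexes see one line.
    value = " ".join(received_value.split())
    from_m = FROM_RE.search(value)
    by_m = BY_RE.search(value)
    with_m = WITH_RE.search(value)
    protocol = with_m.group(1).upper() if with_m else None
    if protocol is None:
        tls = None  # local delivery or non-SMTP hop: no statement either way
    else:
        # A trailing "A" marks SMTP AUTH (e.g. ESMTPSA); strip it, then a trailing
        # "S" (ESMTPS, SMTPS, UTF8SMTPS) marks TLS. The explicit version= clause
        # that Postfix and Sendmail add is accepted as evidence too.
        base = protocol[:-1] if protocol.endswith("A") else protocol
        tls = base.endswith("S") or bool(TLS_CLAUSE_RE.search(value))
    return {
        "from": from_m.group(1) if from_m else None,
        "by": by_m.group(1) if by_m else None,
        "protocol": protocol,
        "tls": tls,
    }


def parse_hops(raw_message):
    """Return the hops in transit order (sender's side first)."""
    msg = email.message_from_string(raw_message)
    received = msg.get_all("Received") or []
    # Headers were prepended on the way in, so reverse to get sender -> recipient.
    return [classify_hop(v) for v in reversed(received)]


def cleartext_hops(raw_message):
    """Hops that were definitely not TLS-protected (unknown hops are excluded)."""
    return [h for h in parse_hops(raw_message) if h["tls"] is False]


def report(raw_message):
    """One line per hop, in transit order, with its TLS status."""
    lines = []
    for i, hop in enumerate(parse_hops(raw_message), 1):
        status = {True: "TLS", False: "CLEARTEXT", None: "unknown"}[hop["tls"]]
        lines.append(f"hop {i}: {hop['from']} -> {hop['by']} via {hop['protocol']}: {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_MESSAGE))
    weak = cleartext_hops(SAMPLE_MESSAGE)
    print(f"{len(weak)} cleartext hop(s); every relay listed above also kept a plaintext copy.")
```

In the constructed sample the first two links (the sender's laptop to their provider, and the provider to the company's MX) used STARTTLS, while the final forward from the company to the third party did not, so the return crossed that last link in the clear. The "with" token conventions used here are those of Postfix, Sendmail and Exim; other servers word their Received: headers differently, so treat an "unknown" hop as unverified rather than safe. Even a run with no cleartext hops only says the links were encrypted; the relays themselves still stored the message in plaintext, which is why the thread's advice to encrypt the document itself, or to use a portal, stands.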
Re: Encrypted email? Any issues with this scenario?
Most corporate systems have this type of setup where they can send to you encrypted by doing that. Once they do so, when you reply, you're taken to a special webpage that decrypts the message and allows you to reply within the confines of the encrypted system. I would encourage you to ask them to send you an encrypted message and reply to it through their platform.
- quantAndHold
Re: Encrypted email? Any issues with this scenario?
This just screams that they don’t know anything about cybersecurity. I would be very concerned about their ability to keep your tax return private.
Re: Encrypted email? Any issues with this scenario?
Thank you everyone - you confirmed my concerns.
I have found out how to encrypt a folder with my document in it via my Mac and Disk Utility - in case they do not have a portal. Will a PC be able to open an Apple encrypted password folder? And how long/complex should the password be? Does it have to be given verbally? I'd be using 256 bit encryption with read-only (rather than compression ...which I read could leak info). Mail is a possible option.
Actually I am a bit hesitant to do this with them, because as quantAndHold put it this just SCREAMS they do not know anything about cybersecurity. But do you think it is safe to do as I mention above? I have real concerns that the person / organization I'm dealing with does not really understand security issues. They are a non-profit, not a big corporate enterprise.
Last edited by URSnshn on Tue Dec 07, 2021 6:59 am, edited 1 time in total.
Re: Encrypted email? Any issues with this scenario?
URSnshn wrote: ↑Tue Dec 07, 2021 6:35 am
> I have found out how to encrypt a folder with my document in it via my Mac and Disk Utility - in case they do not have a portal. Will a PC be able to open an Apple encrypted password folder? And how long/complex should the password be? Does it have to be given verbally? Mail is a possible option.

If you create an encrypted Zip file a PC will be able to read it. If you are encrypting a folder using FileVault, files in it will not remain encrypted when you attach them to emails.
If you're going to go the encrypted Zip file route, I would just download 7-zip (7-zip.org) and use that. Select ZipCrypto, set a strong password and you have a cross-platform archive that anyone with the password will be able to open.
Re: Encrypted email? Any issues with this scenario?
Is this a one time email transaction or will there be ongoing communications back and forth? Depending on the level of security desired, another option is to use an end-to-end encrypted email service like ProtonMail.com or Tutanota.com.
Disclaimer: nothing written here should be taken as legal advice, but I did stay at a Holiday Inn Express last night.
Re: Encrypted email? Any issues with this scenario?
URSnshn wrote: ↑Tue Dec 07, 2021 6:35 am
> I have found out how to encrypt a folder with my document in it via my Mac and Disk Utility - in case they do not have a portal. Will a PC be able to open an Apple encrypted password folder? And how long/complex should the password be? Does it have to be given verbally? I'd be using 256 bit encryption with read-only (rather than compression ...which I read could leak info). Mail is a possible option.

Sounds like you're making a disk image from your Mac - they won't be able to open that from a PC. For reference, compressed would be fine here, as it would be compressed and encrypted, not just compressed. Encrypted ZIP would work between a Mac and a PC, but I don't know how to do that on a Mac without using the command line.
Password does not need to be overly complex, and does not need to be given by voice. 8-12 random characters is fine.
The idea is to send it through a separate channel, which voice would satisfy. If you send the encrypted file and password both through email, you may as well not encrypt since you're essentially locking the door but hanging the key right next to the lock. You could text it, or regular mail, or send between two totally different email accounts (your secondary address, and their secondary address).
You have to decide if the risk is worth it.
Taking a step back, since I think this is potentially getting overly complex: do you and the recipient both have an account at a common file-sharing service? Google, Dropbox, Box, OneDrive? Even better if all 3 parties have accounts at the same place. You could just upload the unencrypted file there, and share the file with the recipient through the service. Remove sharing access + delete the file once they have confirmed that they downloaded a copy. They would have to log in on their end, and could download it. This is less secure than encrypting, but likely "good enough" and better than what they have asked you to do.
Re: Encrypted email? Any issues with this scenario?
URSnshn wrote: ↑Mon Dec 06, 2021 5:27 pm
> I am being asked to send a copy of my federal tax return to a company that has a legitimate use for it, but they are telling me if I put the word "encrypt" in the subject line it will be encrypted when they get it. That might be true, but heck wouldn't it have already been traveling to their servers unencrypted?
> What do you think?

I'd consider using a real encrypted email service like Protonmail (https://protonmail.com/support/knowledg ... ide-users/) for something like this. They have a free tier.
motiv8ed
Re: Encrypted email? Any issues with this scenario?
motiv8ed wrote: ↑Wed Dec 08, 2021 3:49 pm
> URSnshn wrote: ↑Mon Dec 06, 2021 5:27 pm
> > I am being asked to send a copy of my federal tax return to a company that has a legitimate use for it, but they are telling me if I put the word "encrypt" in the subject line it will be encrypted when they get it. That might be true, but heck wouldn't it have already been traveling to their servers unencrypted?
> > What do you think?
>
> I'd consider using a real encrypted email service like Protonmail (https://protonmail.com/support/knowledg ... ide-users/) for something like this. They have a free tier.
> motiv8ed

A common misconception is that all of ProtonMail's e-mails are encrypted. When sending e-mail within the ProtonMail ecosystem, the e-mail is unreadable to anyone but the recipient. Once it leaves ProtonMail's ecosystem, say to arrive at gmail or another business, then all bets are off and it's a regular e-mail. Bottom line, no advantage to using ProtonMail or Tutanota if the recipient is also not using that system.
*edited to add a conjugated verb.. and the final sentence.
Last edited by Cunobelinus on Wed Dec 08, 2021 7:45 pm, edited 1 time in total.
Re: Encrypted email? Any issues with this scenario?
You're not overthinking. It isn't a good idea. As others have said, this person (or company) doesn't have a handle on even basic security practices if they are telling you this.
You can fax or mail. At any rate, once you send them your tax return, by whichever means you choose (fax, mail, e-mail, encrypted portal) you can't really determine what they're going to do with it. If you don't trust them to receive the tax returns, I'm not sure I would trust their ability to handle your tax returns appropriately (not make copies or scan to an unencrypted volume connected to a public-facing network).
Re: Encrypted email? Any issues with this scenario?
Cunobelinus wrote: ↑Wed Dec 08, 2021 7:39 pm
> A common misconception is that all of ProtonMail's e-mails are encrypted. When sending e-mail within the ProtonMail ecosystem, the e-mail is unreadable to anyone but the recipient. Once it leaves ProtonMail's ecosystem, say to arrive at gmail or another business, then all bets are off and it's a regular e-mail. Bottom line, no advantage to using ProtonMail or Tutanota if the recipient is also not using that system.
> *edited to add a conjugated verb.. and the final sentence.

Maybe this is a recent addition, but you absolutely can encrypt a message sent to an external user. They will receive a ProtonMail-branded email letting them know they received an encrypted message. They will then click a link to read the message, and enter a password that's been shared separately. You do have to specifically enable it, though. The recipient can also send a response through that link so it is also encrypted.
Re: Encrypted email? Any issues with this scenario?
mpsz wrote: ↑Wed Dec 08, 2021 8:02 pm
> Cunobelinus wrote: ↑Wed Dec 08, 2021 7:39 pm
> > A common misconception is that all of ProtonMail's e-mails are encrypted. When sending e-mail within the ProtonMail ecosystem, the e-mail is unreadable to anyone but the recipient. Once it leaves ProtonMail's ecosystem, say to arrive at gmail or another business, then all bets are off and it's a regular e-mail. Bottom line, no advantage to using ProtonMail or Tutanota if the recipient is also not using that system.
> > *edited to add a conjugated verb.. and the final sentence.
>
> Maybe this is a recent addition, but you absolutely can encrypt a message sent to an external user. They will receive a ProtonMail-branded email letting them know they received an encrypted message. They will then click a link to read the message, and enter a password that's been shared separately. You do have to specifically enable it, though. The recipient can also send a response through that link so it is also encrypted.

Just to add the source for more information..
https://protonmail.com/security-details
Re: Encrypted email? Any issues with this scenario?
mpsz wrote: ↑Wed Dec 08, 2021 8:02 pm
> Cunobelinus wrote: ↑Wed Dec 08, 2021 7:39 pm
> > A common misconception is that all of ProtonMail's e-mails are encrypted. When sending e-mail within the ProtonMail ecosystem, the e-mail is unreadable to anyone but the recipient. Once it leaves ProtonMail's ecosystem, say to arrive at gmail or another business, then all bets are off and it's a regular e-mail. Bottom line, no advantage to using ProtonMail or Tutanota if the recipient is also not using that system.
> > *edited to add a conjugated verb.. and the final sentence.
>
> Maybe this is a recent addition, but you absolutely can encrypt a message sent to an external user. They will receive a ProtonMail-branded email letting them know they received an encrypted message. They will then click a link to read the message, and enter a password that's been shared separately. You do have to specifically enable it, though. The recipient can also send a response through that link so it is also encrypted.

+1
Yup, works like a charm. I tested this yesterday to multiple external email accounts, and it worked as advertised. To enable this external email encryption feature, you have to click on the padlock symbol in the lower-left of the email pane while you're writing the email. Just look at the link I posted earlier -- those are the instructions.
motiv8ed
Re: Encrypted email? Any issues with this scenario?
motiv8ed wrote: ↑Wed Dec 08, 2021 3:49 pm
> URSnshn wrote: ↑Mon Dec 06, 2021 5:27 pm
> > I am being asked to send a copy of my federal tax return to a company that has a legitimate use for it, but they are telling me if I put the word "encrypt" in the subject line it will be encrypted when they get it. That might be true, but heck wouldn't it have already been traveling to their servers unencrypted?
> > What do you think?
>
> I'd consider using a real encrypted email service like Protonmail (https://protonmail.com/support/knowledg ... ide-users/) for something like this. They have a free tier.
> motiv8ed

This is what I do as well. Follow the link motiv8ed sent for encrypting the message to the company in question, and then call the company and tell them your password. Password generation - 8 random characters you haven't used as a password anywhere else will do. I usually use my password manager (Bitwarden) for that.
Re: Encrypted email? Any issues with this scenario?
Cunobelinus wrote: ↑Wed Dec 08, 2021 7:39 pm
> A common misconception is that all of ProtonMail's e-mails are encrypted. When sending e-mail within the ProtonMail ecosystem, the e-mail is unreadable to anyone but the recipient. Once it leaves ProtonMail's ecosystem, say to arrive at gmail or another business, then all bets are off and it's a regular e-mail. Bottom line, no advantage to using ProtonMail or Tutanota if the recipient is also not using that system.

ProtonMail.com (and similar services like Tutanota.com) can send encrypted messages to any email domain recipient. Communications are via an encrypted web portal.
The message is encrypted using a password which the sender has to tell the recipient ahead of time (via phone call or text or other means). The recipient receives an email alert which links to the ProtonMail web portal and enters the password to unlock the message. Communications through this web portal are end to end encrypted.
Functionally it's similar to any brokerage or bank website secure email system where the user has to login to the secure portal to send/retrieve messages.
Disclaimer: nothing written here should be taken as legal advice, but I did stay at a Holiday Inn Express last night.
Re: Encrypted email? Any issues with this scenario?
Thank you all once more for the additional resources! I ended up deciding to deliver the document by mail because the person I was talking with didn't really seem to understand the issues at hand.
Re: Encrypted email? Any issues with this scenario?
AnB9a wrote: ↑Wed Dec 08, 2021 8:09 pm
> mpsz wrote: ↑Wed Dec 08, 2021 8:02 pm
> > Cunobelinus wrote: ↑Wed Dec 08, 2021 7:39 pm
> > > A common misconception is that all of ProtonMail's e-mails are encrypted. When sending e-mail within the ProtonMail ecosystem, the e-mail is unreadable to anyone but the recipient. Once it leaves ProtonMail's ecosystem, say to arrive at gmail or another business, then all bets are off and it's a regular e-mail. Bottom line, no advantage to using ProtonMail or Tutanota if the recipient is also not using that system.
> > > *edited to add a conjugated verb.. and the final sentence.
> >
> > Maybe this is a recent addition, but you absolutely can encrypt a message sent to an external user. They will receive a ProtonMail-branded email letting them know they received an encrypted message. They will then click a link to read the message, and enter a password that's been shared separately. You do have to specifically enable it, though. The recipient can also send a response through that link so it is also encrypted.
>
> Just to add the source for more information..
> https://protonmail.com/security-details

I stand corrected. Thank you. I really do appreciate you providing the source on that. This seems to be a "new" addition, as in, my info was at least a year or two old.
- willthrill81
Re: Encrypted email? Any issues with this scenario?
I believe that you mean either PGP ('pretty good privacy') or GPG ('Gnu privacy guard') encryption.
The Sensible Steward