Encrypted email? Any issues with this scenario?

Topic Author
URSnshn
Posts: 441
Joined: Sun Mar 13, 2016 6:10 pm

Encrypted email? Any issues with this scenario?

Post by URSnshn »

I am being asked to send a copy of my federal tax return to a company that has a legitimate use for it, but they are telling me if I put the word "encrypt" in the subject line it will be encrypted when they get it. That might be true, but heck wouldn't it have already been traveling to their servers unencrypted?

THEN they send it on to a third party (also legitimate) by encrypting the document and sending it on in an email AND then send the password for the document in a separate email to them.

Maybe I'm overthinking ... but this doesn't sound like a good idea to me.

And the SS# is redacted, but it still seems like sensitive information to send in this manner.

What do you think?
twh
Posts: 1773
Joined: Sat Feb 08, 2020 2:15 pm

Re: Encrypted email? Any issues with this scenario?

Post by twh »

All the recent cases I've had to do something like this, the company has a portal where you can upload the document. This bypasses emailing it altogether. Not sure why that isn't the case here.
riverant
Posts: 1073
Joined: Tue May 04, 2021 6:51 am

Re: Encrypted email? Any issues with this scenario?

Post by riverant »

Yeah…writing encrypted in the subject is useless. If you truly need something encrypted via email, you need something like GGP that creates a public and private key. But a portal should be standard business practice for a legitimate company.
mpsz
Posts: 516
Joined: Sat Jan 09, 2016 6:11 pm

Re: Encrypted email? Any issues with this scenario?

Post by mpsz »

URSnshn wrote: Mon Dec 06, 2021 5:27 pm they are telling me if I put the word "encrypt" in the subject line it will be encrypted when they get it. That might be true, but heck wouldn't it have already been traveling to their servers unencrypted?
In short, your understanding is correct for these purposes. The "encrypt" keyword would only be processed once it arrived on their server, unless you were also sending it from a corporate mail server that handled "encrypt" on your side.

(The slightly longer answer is that there might be encryption from your mail server to theirs (TLS, which is kind of like HTTPS but for other types of traffic like email) but you can't guarantee this, so safest to assume it's unencrypted.)
URSnshn wrote: Mon Dec 06, 2021 5:27 pm THEN they send it on to a third party (also legitimate) by encrypting the document and sending it on in an email AND then send the password for the document in a separate email to them.
Also wrong. They must send the password through a separate trusted channel, not just in an additional plain email. Meaning, they should send encrypted email and call the third party to give the password verbally.

These are red flags that the party you're working with does not know how to keep your data safe. Thirding the advice to ask for a link/portal to upload the files instead.
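Added example, not part of the original thread or any poster's code: the point above that server-to-server TLS "might" be used but cannot be guaranteed can be checked after the fact on a delivered message, because each receiving server records how it got the message in a Received header. The sketch assumes servers record the standard "with" keywords (ESMTPS and friends); the message, hostnames and addresses are constructed.

```python
import email
import re

# Constructed sample message (not from the thread); newest Received header first.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.9])
\tby store.recipient.example with ESMTPS id abc123
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
\tMon, 06 Dec 2021 17:30:03 -0500
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
\tby mx.recipient.example with ESMTP id def456;
\tMon, 06 Dec 2021 17:30:02 -0500
Received: from laptop.home.example (laptop.home.example [192.0.2.4])
\tby relay.isp.example with ESMTPSA id ghi789;
\tMon, 06 Dec 2021 17:30:01 -0500
From: sender@home.example
To: intake@recipient.example
Subject: encrypt - tax return

body
"""

# Transmission-type keywords that mean the hop used STARTTLS
# (RFC 3848 and the UTF8 variants); plain SMTP/ESMTP/LMTP are not in the set.
TLS_WITH = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
            "UTF8SMTPS", "UTF8SMTPSA", "UTF8LMTPS", "UTF8LMTPSA"}

HOP_RE = re.compile(
    r"from\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+).*?\bwith\s+(?P<proto>[A-Za-z0-9]+)",
    re.S | re.I,
)

def audit_hops(raw_message):
    """Return one dict per hop, oldest hop first, with a 'tls' flag."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Servers prepend their header, so reverse to get chronological order.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(value)
        if not m:
            # Unparseable header: treat as unencrypted rather than guess.
            hops.append({"src": None, "dst": None, "proto": None, "tls": False})
            continue
        proto = m.group("proto").upper()
        hops.append({"src": m.group("src"), "dst": m.group("dst"),
                     "proto": proto, "tls": proto in TLS_WITH})
    return hops

def unencrypted_hops(raw_message):
    """List (from, to) pairs for hops with no recorded TLS."""
    return [(h["src"], h["dst"]) for h in audit_hops(raw_message) if not h["tls"]]

if __name__ == "__main__":
    for hop in audit_hops(SAMPLE):
        print(hop["src"], "->", hop["dst"], hop["proto"],
              "TLS" if hop["tls"] else "NO TLS RECORDED")
```

Received headers are written by each receiving server, so this is evidence about a message that has already travelled, not a guarantee for the next one, and a hop that did use TLS still leaves the message readable on the servers at both ends.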
samsoes
Posts: 2802
Joined: Tue Mar 05, 2013 8:12 am
Location: Northeast Rat Race

Re: Encrypted email? Any issues with this scenario?

Post by samsoes »

Just typing "encrypt" in the subject line is useless; it will do absolutely nothing on a public email system (e.g., Gmail, Yahoo, Comcast, etc).
Not only will your tax return arrive at its destination unencrypted, it will leave an unencrypted copy of itself at every hop along the way. Can you package it into an encrypted zip file and provide the encryption password to them verbally over the phone?
"Happiness Is Not My Companion" - Gen. Gouverneur K. Warren. | (Avatar is the statue of Gen. Warren atop Little Round Top @ Gettysburg National Military Park.)
8foot7
Posts: 4427
Joined: Mon Jan 05, 2015 6:29 pm

Re: Encrypted email? Any issues with this scenario?

Post by 8foot7 »

Most corporate systems have this type of setup where they can send to you encrypted by doing that. Once they do so, when you reply, you're taken to a special webpage that decrypts the message and allows you to reply within the confines of the encrypted system. I would encourage you to ask them to send you an encrypted message and reply to it through their platform.
quantAndHold
Posts: 10141
Joined: Thu Sep 17, 2015 10:39 pm
Location: West Coast

Re: Encrypted email? Any issues with this scenario?

Post by quantAndHold »

This just screams that they don’t know anything about cybersecurity. I would be very concerned about their ability to keep your tax return private.
Topic Author
URSnshn
Posts: 441
Joined: Sun Mar 13, 2016 6:10 pm

Re: Encrypted email? Any issues with this scenario?

Post by URSnshn »

Thank you everyone - you confirmed my concerns.

I have found out how to encrypt a folder with my document in it via my Mac and disk utility - in case they do not have a portal. Will a PC be able to open an Apple encrypted password folder? And how long and complex for the password? It has to be given verbally? I'd be using 256 bit encryption with read-only (rather than compression ...which I read could leak info). Mail is a possible option.

Actually I am a bit hesitant to do this with them, because as quantAndHold put it this just SCREAMS they do not know anything about cybersecurity. But do you think it is safe to do as I mention above? I have real concerns about the person / organization I'm dealing with not really understanding security issues. They are a non-profit, not a big corporate enterprise.
Last edited by URSnshn on Tue Dec 07, 2021 6:59 am, edited 1 time in total.
lazydavid
Posts: 5155
Joined: Wed Apr 06, 2016 1:37 pm

Re: Encrypted email? Any issues with this scenario?

Post by lazydavid »

URSnshn wrote: Tue Dec 07, 2021 6:35 am I have found out how to encrypt a folder with my document in it via my Mac and disk utility - in case they do not have a portal. Will a PC be able to open an Apple encrypted password folder? And how long and complex for the password? It has to be given verbally? Mail is a possible option.
If you create an encrypted Zip file a PC will be able to read it. If you are encrypting a folder using FileVault, files in it will not remain encrypted when you attach them to emails.

If you're going to go the encrypted Zip file route, I would just download 7-zip (7-zip.org) and use that. Select ZipCrypto, set a strong password and you have a cross-platform archive that anyone with the password will be able to open.
smackboy1
Posts: 1285
Joined: Wed Mar 14, 2007 9:41 pm

Re: Encrypted email? Any issues with this scenario?

Post by smackboy1 »

Is this a one time email transaction or will there be ongoing communications back and forth? Depending on the level of security desired, another option is to use end-to-end encrypted email service like ProtonMail.com or Tutanota.com.
Disclaimer: nothing written here should be taken as legal advice, but I did stay at a Holiday Inn Express last night.
mpsz
Posts: 516
Joined: Sat Jan 09, 2016 6:11 pm

Re: Encrypted email? Any issues with this scenario?

Post by mpsz »

URSnshn wrote: Tue Dec 07, 2021 6:35 am I have found out how to encrypt a folder with my document in it via my Mac and disk utility - in case they do not have a portal. Will a PC be able to open an Apple encrypted password folder? And how long and complex for the password? It has to be given verbally? I'd be using 256 bit encryption with read-only (rather than compression ...which I read could leak info). Mail is a possible option.
Sounds like you're making a disk image from your Mac - they won't be able to open that from a PC. For reference, compressed would be fine here, as it would be compressed and encrypted, not just compressed. Encrypted ZIP would work between a Mac and a PC, but I don't know how to do that on a Mac without using the command line.

Password does not need to be overly complex, and does not need to be given by voice. 8-12 random characters is fine.

The idea is to send it through a separate channel, which voice would satisfy. If you send the encrypted file and password both through email, you may as well not encrypt since you're essentially locking the door but hanging the key right next to the lock. You could text it, or regular mail, or send between two totally different email accounts (your secondary address, and their secondary address).

You have to decide if the risk is worth it.

Taking a step back, since I think this is potentially getting overly complex. Do you and the recipient both have an account at a common file-sharing service? Google, Dropbox, Box, OneDrive? Even better if all 3 parties have accounts at the same place. You could just upload the unencrypted file there, and share the file with the recipient through the service. Remove sharing access + delete the file once they have confirmed that they downloaded a copy. They would have to log in on their end, and could download it. This is less secure than encrypting, but likely "good enough" and better than what they have asked you to do.
motiv8ed
Posts: 120
Joined: Fri Jul 03, 2020 9:37 pm

Re: Encrypted email? Any issues with this scenario?

Post by motiv8ed »

URSnshn wrote: Mon Dec 06, 2021 5:27 pm I am being asked to send a copy of my federal tax return to a company that has a legitimate use for it, but they are telling me if I put the word "encrypt" in the subject line it will be encrypted when they get it. That might be true, but heck wouldn't it have already been traveling to their servers unencrypted?

What do you think?
I'd consider using a real encrypted email service like Protonmail (https://protonmail.com/support/knowledg ... ide-users/) for something like this. They have a free tier.


motiv8ed
Cunobelinus
Posts: 232
Joined: Tue Dec 04, 2012 4:31 pm

Re: Encrypted email? Any issues with this scenario?

Post by Cunobelinus »

motiv8ed wrote: Wed Dec 08, 2021 3:49 pm
URSnshn wrote: Mon Dec 06, 2021 5:27 pm I am being asked to send a copy of my federal tax return to a company that has a legitimate use for it, but they are telling me if I put the word "encrypt" in the subject line it will be encrypted when they get it. That might be true, but heck wouldn't it have already been traveling to their servers unencrypted?

What do you think?
I'd consider using a real encrypted email service like Protonmail (https://protonmail.com/support/knowledg ... ide-users/) for something like this. They have a free tier.


motiv8ed
A common misconception is that all of ProtonMail's e-mails are encrypted. When sending e-mail within the ProtonMail ecosystem, the e-mail is unreadable to anyone but the recipient. Once it leaves ProtonMail's ecosystem, say to arrive at gmail or another business, then all bets are off and it's a regular e-mail. Bottom line, no advantage to using ProtonMail or Tutanota if the recipient is also not using that system.

*edited to add a conjugated verb.. and the final sentence.
Last edited by Cunobelinus on Wed Dec 08, 2021 7:45 pm, edited 1 time in total.
Cunobelinus
Posts: 232
Joined: Tue Dec 04, 2012 4:31 pm

Re: Encrypted email? Any issues with this scenario?

Post by Cunobelinus »

URSnshn wrote: Mon Dec 06, 2021 5:27 pm Maybe I'm overthinking ... but this doesn't sound like a good idea to me.

What do you think?
You're not overthinking. It isn't a good idea. As others have said, this person (or company) doesn't have a handle on even basic security practices if they are telling you this.

You can fax or mail. At any rate, once you send them your tax return, by whichever means you choose (fax, mail, e-mail, encrypted portal) you can't really determine what they're going to do with it. If you don't trust them to receive the tax returns, I'm not sure I would trust their ability to handle your tax returns appropriately (not make copies or scan to an unencrypted volume connected to a public-facing network).
mpsz
Posts: 516
Joined: Sat Jan 09, 2016 6:11 pm

Re: Encrypted email? Any issues with this scenario?

Post by mpsz »

Cunobelinus wrote: Wed Dec 08, 2021 7:39 pm A common misconception is that all of ProtonMail's e-mails are encrypted. When sending e-mail within the ProtonMail ecosystem, the e-mail is unreadable to anyone but the recipient. Once it leaves ProtonMail's ecosystem, say to arrive at gmail or another business, then all bets are off and it's a regular e-mail. Bottom line, no advantage to using ProtonMail or Tutanota if the recipient is also not using that system.

*edited to add a conjugated verb.. and the final sentence.
Maybe this is a recent addition, but you absolutely can encrypt a message sent to an external user. They will receive a ProtonMail-branded email letting them know they received an encrypted message. They will then click a link to read the message, and enter a password that's been shared separately. You do have to specifically enable it, though. The recipient can also send a response through that link so it is also encrypted.
AnB9a
Posts: 8
Joined: Sun Feb 21, 2021 12:39 pm

Re: Encrypted email? Any issues with this scenario?

Post by AnB9a »

mpsz wrote: Wed Dec 08, 2021 8:02 pm
Cunobelinus wrote: Wed Dec 08, 2021 7:39 pm A common misconception is that all of ProtonMail's e-mails are encrypted. When sending e-mail within the ProtonMail ecosystem, the e-mail is unreadable to anyone but the recipient. Once it leaves ProtonMail's ecosystem, say to arrive at gmail or another business, then all bets are off and it's a regular e-mail. Bottom line, no advantage to using ProtonMail or Tutanota if the recipient is also not using that system.

*edited to add a conjugated verb.. and the final sentence.
Maybe this is a recent addition, but you absolutely can encrypt a message sent to an external user. They will receive a ProtonMail-branded email letting them know they received an encrypted message. They will then click a link to read the message, and enter a password that's been shared separately. You do have to specifically enable it, though. The recipient can also send a response through that link so it is also encrypted.
Just to add the source for more information..

https://protonmail.com/security-details
motiv8ed
Posts: 120
Joined: Fri Jul 03, 2020 9:37 pm

Re: Encrypted email? Any issues with this scenario?

Post by motiv8ed »

mpsz wrote: Wed Dec 08, 2021 8:02 pm
Cunobelinus wrote: Wed Dec 08, 2021 7:39 pm A common misconception is that all of ProtonMail's e-mails are encrypted. When sending e-mail within the ProtonMail ecosystem, the e-mail is unreadable to anyone but the recipient. Once it leaves ProtonMail's ecosystem, say to arrive at gmail or another business, then all bets are off and it's a regular e-mail. Bottom line, no advantage to using ProtonMail or Tutanota if the recipient is also not using that system.

*edited to add a conjugated verb.. and the final sentence.
Maybe this is a recent addition, but you absolutely can encrypt a message sent to an external user. They will receive a ProtonMail-branded email letting them know they received an encrypted message. They will then click a link to read the message, and enter a password that's been shared separately. You do have to specifically enable it, though. The recipient can also send a response through that link so it is also encrypted.
+1

Yup, works like a charm. I tested this yesterday to multiple external email accounts, and it worked as advertised. To enable this external email encryption feature, you have to click on the padlock symbol in the lower-left of the email pane while you're writing the email. Just look at the link I posted earlier -- those are the instructions.


motiv8ed
joetheo
Posts: 6
Joined: Sun Oct 24, 2021 1:00 am

Re: Encrypted email? Any issues with this scenario?

Post by joetheo »

motiv8ed wrote: Wed Dec 08, 2021 3:49 pm
URSnshn wrote: Mon Dec 06, 2021 5:27 pm I am being asked to send a copy of my federal tax return to a company that has a legitimate use for it, but they are telling me if I put the word "encrypt" in the subject line it will be encrypted when they get it. That might be true, but heck wouldn't it have already been traveling to their servers unencrypted?

What do you think?
I'd consider using a real encrypted email service like Protonmail (https://protonmail.com/support/knowledg ... ide-users/) for something like this. They have a free tier.


motiv8ed
This is what I do as well. Follow the link motiv8ed sent for encrypting the message to the company in question, and then call the company and tell them your password. Password generation - 8 random characters you haven't used as a password anywhere else will do. I usually use my password manager (Bitwarden) for that.
smackboy1
Posts: 1285
Joined: Wed Mar 14, 2007 9:41 pm

Re: Encrypted email? Any issues with this scenario?

Post by smackboy1 »

Cunobelinus wrote: Wed Dec 08, 2021 7:39 pm A common misconception is that all of ProtonMail's e-mails are encrypted. When sending e-mail within the ProtonMail ecosystem, the e-mail is unreadable to anyone but the recipient. Once it leaves ProtonMail's ecosystem, say to arrive at gmail or another business, then all bets are off and it's a regular e-mail. Bottom line, no advantage to using ProtonMail or Tutanota if the recipient is also not using that system.
ProtonMail.com (and similar services like Tutanota.com) can send encrypted messages to any email domain recipient. Communications are via an encrypted web portal.

The message is encrypted using a password which the sender has to tell the recipient ahead of time (via phone call or text or other means). The recipient receives an email alert which links to the ProtonMail web portal and enters the password to unlock the message. Communications through this web portal are end to end encrypted.

Functionally it's similar to any brokerage or bank website secure email system where the user has to login to the secure portal to send/retrieve messages.
Disclaimer: nothing written here should be taken as legal advice, but I did stay at a Holiday Inn Express last night.
Topic Author
URSnshn
Posts: 441
Joined: Sun Mar 13, 2016 6:10 pm

Re: Encrypted email? Any issues with this scenario?

Post by URSnshn »

Thank you all once more for the additional resources! I ended up deciding to deliver the document by mail because the person I was talking with didn't really seem to understand the issues at hand.
Cunobelinus
Posts: 232
Joined: Tue Dec 04, 2012 4:31 pm

Re: Encrypted email? Any issues with this scenario?

Post by Cunobelinus »

AnB9a wrote: Wed Dec 08, 2021 8:09 pm
mpsz wrote: Wed Dec 08, 2021 8:02 pm
Cunobelinus wrote: Wed Dec 08, 2021 7:39 pm A common misconception is that all of ProtonMail's e-mails are encrypted. When sending e-mail within the ProtonMail ecosystem, the e-mail is unreadable to anyone but the recipient. Once it leaves ProtonMail's ecosystem, say to arrive at gmail or another business, then all bets are off and it's a regular e-mail. Bottom line, no advantage to using ProtonMail or Tutanota if the recipient is also not using that system.

*edited to add a conjugated verb.. and the final sentence.
Maybe this is a recent addition, but you absolutely can encrypt a message sent to an external user. They will receive a ProtonMail-branded email letting them know they received an encrypted message. They will then click a link to read the message, and enter a password that's been shared separately. You do have to specifically enable it, though. The recipient can also send a response through that link so it is also encrypted.
Just to add the source for more information..

https://protonmail.com/security-details
I stand corrected. Thank you. I really do appreciate you providing the source on that. This seems to be a "new" addition, as in, my info was at least a year or two old.
willthrill81
Posts: 32250
Joined: Thu Jan 26, 2017 2:17 pm
Location: USA

Re: Encrypted email? Any issues with this scenario?

Post by willthrill81 »

TJat wrote: Mon Dec 06, 2021 6:25 pm If you truly need something encrypted via email, you need something like GGP that creates a public and private key. But a portal should be standard business practice for a legitimate company.
I believe that you mean either PGP ('pretty good privacy') or GPG ('Gnu privacy guard') encryption.
The Sensible Steward