Having an anti-aliased green lock icon on your address bar when you use Gmail or Yahoo doesn’t mean your email is secure.
On the contrary, SSL is only half of the picture. SSL provides a simple method for servers and clients to exchange session keys and decrypt data sent either direction, but once you compose and send a message on a third-party service like Gmail or Yahoo that message is completely out of your control.
To shorten what would otherwise be a lengthy description of networking architecture, think about your own home network and how little security actually exists between the different devices:
- You don’t personally set-up explicit firewall rules between your machines so they can only talk over well-established TCP/UDP ports
- You don’t set-up self-signed SSL certificates to encrypt traffic in-flight between devices(though utilizing WPA2 with AES encryption basically eliminates the need for this)
- And you certainly don’t spend time making sure that your devices are only transmitting data only to specific hosts
Basically, what I’m trying to get in the above example is very simple: Transmissions between email servers for various providers is not only potentially unsecured, it’s also likely that even when email messages are being sent between users on the same service (such as Gmail or Yahoo), these messages are transmitted in clear-text (unencrypted).
What do privacy-conscious consumers of email do under such circumstances? As I wrote previously in Encryption for Instant Messaging, part of the process of taking control of your data is deciding for yourself whether or not you can actively trust a third-party provider such as Google or Yahoo. Given recent revelations surrounding the NSA and GCHQ’s ability to tap directly into corporate infrastructure to harvest data, the credibility of these companies to keep your privileged information secure from unauthorized parties is dubious at-best.