Secure Email Access at the Office and Elsewhere

Another tip, for something friends commonly ask: “How do I check and send personal email at work without it being read / intercepted?”

To start, one should know that there are two basic methods of accessing your own email system from anywhere on the Internet (home, office, wherever): web based email (i.e. through a web browser) or via a desktop client program (Outlook, Outlook Express, Thunderbird, Mail.app, etc.) using POP or IMAP protocols.

Let’s tackle the first and simplest case: web based mail.

This is offered by companies like Google, Yahoo!, AOL and so forth. Google’s mail (known as “GMail”) is generally the more popular, so we’ll discuss that.

If you use the gmail service, you are likely pointing your browser to http://www.gmail.com. Since this is using “http” instead of “https”, your browser interactions are not encrypted. The IT staff in your company could conceivably record all network traffic in and out of the office and read all your received and sent messages. So, access the gmail service using the secure http protocol: https.

Google has a few URLs that redirect to wherever they’ve set up gmail, so the URL I recommend you use (as it works for me) is: https://mail.google.com/mail/. The way to use this is to create a bookmark for exactly this URL in your browser. If your computer’s login (e.g. your Windows login to the machine at work) can be compromised, I recommend that you do not have your gmail password remembered by your browser. Yes, it’s more convenient to have it saved/remembered, but it is safer to not set it up this way.

Now, by accessing gmail through https, everything you do on that site is point to point encrypted between your browser and Google’s data center. That means that your IT department only sees a bunch of scrambled, nonsensical encrypted data packets flowing back and forth. Your personal email is private.

If you use an ISP’s given email address (say, that given to you by Verizon, Rogers or what have you), I recommend you transition over to something that you can keep regardless of what service provider you have. That is, make gmail your primary, advertised email address. Just because Rogers provides the Internet pipe into your home, that doesn’t mean your personal email address needs to be branded with them.

Next, since this is generally a gradual transition, you’ll be happy to know that you can configure gmail to retrieve your other email (mail from other, existing email accounts) and bring it into your gmail inbox, so that you only have one place to check (gmail). Doing this also allows you to set the “sent from” address when you compose a new message, as if it came directly from that other email address you used to use. In this way, if you wish, you can completely hide from others the fact that you’re using gmail (which is only really of value to those folks with custom/vanity domain names).

My advice though, would be to send out a mailing to your personal contacts indicating you can now be reached at your new gmail address. Of course, if you’re using something like Plaxo, this can be a semi-automatic notification.

Some related links on the material discussed above:

  1. Secure Gmail access of Public Networks (Lifehacker)
  2. Setting up Mail Fetcher (Google Mail FAQ)