Outlook web based email security question

[groze]

Outlook web based email security question.

I am sending an email to someone but I don't want third parties to look at it.

Which is the best method?
Uploaded to Outlook dot com, then send the email
Use Thunderbird IMAP and send email through outlook dot com servers

I know once mail is uploaded to Outlook dot com servers or outlook dot com it remains secure.

Does it remain secure after outlook dot com sends the email or is it wide open? I hope you can understanding what I am asking.

 

[Alejandro85]

Email is an incredibly insecure protocol. It provides NO authentication and NO validation, meaning that anyone can read and modify emails in transit, and spoof the sender/receiver too if someone really wants to. The immediate consequence is that it's impossible to use with confidential data.

The ideal solution is to not use email at all. Ideally, you would use an encrypted peer-to-peer connection, without any intervening thrd party. This of course is pretty difficult if you don't know how to host a server and secure it, but it's a good option otherwise.
A non-electronic method is even more secure too

But back on email, the only way to make it totally safe is to use an end-to-end encryption protocol. PGP is an option for such thing. It encrypts the content on the sender machine and only the final receiver can decrypt it (using a previously shared key), so the whole chain of servers involved in mail delivery only see the cipher text. On the bad side it requires both parties to actively use this technique to send/receive the email, a naive email program would not suffice. A Windows implementation could be Gpg4win. No idea how easy or difficult it's to use, though.

The most straighforward way could be to send a normal email with an encrypted attachment containing the private data. TrueCrypt would be the ideal program to create such file (sending the container as an attachment). 7zip and WinRar also similar functions though password protected archives, attaching the 7z/rar file. The problem this approach has is that you must share the key though some other, secure channel for the receiver to decrypt the data. Needless to say that the password must be strong enough to resist a guessing by a potential attacker.

I know once mail is uploaded to Outlook dot com servers or outlook dot com it remains secure

That's not correct. With email, the only thing you can warrant is that the message is encrypted between the sender and the sender's server, while it's in transit, if it uses SSL. But from server to server, and to server to receiver, that's optional, and depends on each server configuration. Moreover, when the email is stored in each intermediate system, it stays there in plain text. That's the main reason why email is so weak, the protocol has not been updated in decades to introduce any kind of security. SSL is only an optional component, and only can be ensured in the initial connection, not in subsequent retransmitions.

 

[Layback Bear]

Boy oh boy am I glad I don't have any email worth encrypting. Anybody reading my email would get bored and leave me alone.