

Ask HN: How can I send a secure email? - MarkMc

I want to send a message and a few files to my accountant securely, and I want him to be able to reply securely.  He's not too technical so I'd prefer something simple that didn't require a browser extension or a particular email client.

What's the best way to do this?
======
ColinWright
Define "securely". Against whom are you defending? What threat modes are you
considering? What do you expect your accountant to be able to do? What do you
expect them _actually_ to do when they read this "secure" email?

It's really not clear what you're asking ...

~~~
MarkMc
'Securely' means that only my accountant can read the message and view the
files. I'm afraid I don't know what a 'thread mode' is. I expect my accountant
to view the information I provide, reply to me securely and then submit my tax
return on my behalf.

~~~
ColinWright
That's "Threat" mode, not "Thread" mode.

Do you want to defend against:

* ... someone in their office reading the email if your accountant's computer is left unattended?

* ... your ISP storing the email and reading it?

* ... _their_ ISP storing the email and reading it?

* ... someone sniffing the packets through a router?

* ... the NSA reading the emails?

If you want your accountant not to have to do anything, then you need
something like storing the emails and/or documents on an "https" only server,
and then sending them a link. Given your comment about not wanting them to
have to do anything, this will be one way only, and they won't be able to
reply securely.

Sending them an encrypted email and asking them to read it will, I believe,
require them to set something up, and you seem to have ruled that out.

You could use something like a password in a standard document format, and
then phone and tell them the password separately. I think you can password
lock Microsoft Word files, for example. Not very secure, but secure enough
against idle sniffing. Probably not secure against a full on attack by someone
seriously capable.

So, again, against what, exactly, are you defending?

~~~
MarkMc
At the risk of being too inexact: I want to defend against all those things,
although I don't think it's practical to defend against someone in his office
looking over his shoulder or reading his screen when he gets up to make a
coffee.

Using a password-protected Microsoft Word file is an option, but it's a little
cumbersome because (a) I would also have to password-protect the other
attachment files separately; and (b) he would have to reply with a password-
protected Microsoft Word file and individually password-protect any files he
wants to send me.

I like the idea of an https server, but why won't my accountant be able to
reply? That is, accountant clicks a link to the https site, puts in password,
sees message, clicks the 'reply' button on the webpage, then I get an email
saying 'click here to see your accountant's reply'.

~~~
ColinWright
With regard to defending against the NSA - I believe you have no chance.

With regard to the password-protected Word files, yes, you would have to
protect every attachment, and your accountant would have to password protect
every document in the reply. But what else would you expect?

With the https server, will you implement the mail package? In other words,
what "Reply" button? Even then, the document will be stored in clear on the
server, so whoever owns it will be able to read them. So that had better be
you.

------
dominikjames
Encrypt a single message

1. In the message, on the Message tab, in the Options group on the ribbon,
click the Encrypt Message Contents and Attachments button.

Note: If you don't see this button, click the Options Dialog Box Launcher in
the lower right corner of the group to open the Message Options dialog box.
Click the Security Settings button and in the Security Properties dialog box,
select Encrypt message contents and attachments. Click OK and then close the
Message Options dialog box.

2. Compose your message and send it.

Encrypt all outgoing messages

Choosing to encrypt all outgoing messages means, in effect, your e-mail is
encrypted by default. You can write and send messages the same as with any
other e-mail messages, but all potential recipients must have your digital ID
to decode your messages.

1. On the Tools menu, click Trust Center, and then click E-mail Security.

2. Under Encrypted e-mail, select the Encrypt contents and attachments for
outgoing messages check box.

3. To change additional settings, such as choosing a specific certificate to
use, click Settings.

4. Click OK twice.

Note: 3DES is the default encryption algorithm used in Outlook 2007. For more
information, see the Overview of certificates and cryptographic e-mail
messaging in Outlook.

------
JoachimSchipper
Get a GMail account for yourself and your accountant; choose half-decent
secret questions; enable two-factor authentication; use webmail (exclusively)
to send mail back and forth. (Do _not_ set GMail to forward mail to another
account.)

It should be obvious that this isn't secure if your local government decides
to come after you, and will likely fail if someone specifically comes after
you(r accountant), but it does keep mail from travelling over unprotected
lines and stored on a pretty well-protected system. Crucially, although it's
slightly less secure than a perfect implementation of some of the other
suggestions on this page, it's _much_ easier.

[GMail is good, but not magical; if your accountant already has an account at,
say, Hotmail, consider setting up a Hotmail account instead, even if you do
lose two-factor authentication in the process.]

------
Mankhool
I'm not saying this will solve all of your security needs, but I use it and
have for years. <https://www.hushmail.com/>

------
milanvrekic
I am biased (full disclosure - I'm a founder), but TitanFile offers a secure
file sharing solution (encryption, audit trails...). There are free accounts
available for new users at titanfile.com.

------
Bjartr
encipher.it[1] actually looks like it'll fit the bill. It's a browser tool
that works from a bookmark, but does all the encryption client-side with JS
(I've done a quick glance through the code to verify this).

You and your accountant just need a shared password. For the other
attachments, a protected zip/rar file should be sufficient.

[1] <https://encipher.it/>
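
An added example, not part of the thread and not encipher.it's code or file format: encrypting a file's bytes under a shared password, as ColinWright and Bjartr both suggest, using scrypt and AES-256-GCM from Node's built-in crypto module. The `PWE1` container layout, the scrypt parameters and the function names are assumptions made for this example.

```javascript
// Added example: shared-password encryption with Node's built-in crypto.
// The container layout (MAGIC | salt | nonce | tag | ciphertext) is an assumption.
const { scryptSync, randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

const MAGIC = Buffer.from('PWE1'); // hypothetical format tag, also bound in as AAD
const SCRYPT = { N: 1 << 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// Stretch the shared password into a 256-bit key. The salt is public and
// fresh per message, so equal passwords never yield equal keys.
function deriveKey(password, salt) {
  return scryptSync(Buffer.from(password.normalize('NFKC'), 'utf8'), salt, 32, SCRYPT);
}

// Returns MAGIC(4) | salt(16) | nonce(12) | tag(16) | ciphertext.
function encrypt(plaintext, password) {
  const salt = randomBytes(16);
  const nonce = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', deriveKey(password, salt), nonce);
  cipher.setAAD(MAGIC);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([MAGIC, salt, nonce, cipher.getAuthTag(), body]);
}

// Throws if the password is wrong or any byte of the container was altered.
function decrypt(blob, password) {
  if (blob.length < 48 || !blob.subarray(0, 4).equals(MAGIC)) {
    throw new Error('not a PWE1 container');
  }
  const salt = blob.subarray(4, 20);
  const nonce = blob.subarray(20, 32);
  const decipher = createDecipheriv('aes-256-gcm', deriveKey(password, salt), nonce);
  decipher.setAAD(MAGIC);
  decipher.setAuthTag(blob.subarray(32, 48));
  return Buffer.concat([decipher.update(blob.subarray(48)), decipher.final()]);
}

// Convenience wrapper: does this password open this container?
function opens(blob, password) {
  try { decrypt(blob, password); return true; } catch { return false; }
}

// Constructed sample data standing in for an attachment.
const sample = Buffer.from('tax summary (constructed sample data)', 'utf8');
const sealed = encrypt(sample, 'correct horse battery staple');
console.log(sealed.length, opens(sealed, 'correct horse battery staple'), opens(sealed, 'guess'));
```

The password still has to reach the other side over a separate channel, such as the phone call suggested earlier in the thread, and the result is only as strong as that password.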

