Can I Have Encrypted Emails Please?

We are often asked if it is possible to have encrypted emails. It’s a simple question. If only the answer were as simple …..

There are two types of encryption available for emails: “transport level” and “end-to-end”.

Transport Level Email Encryption

Transport level encryption is easy to set up (you are probably already using it). The way it works is this …

If you are sending an email to me, your email goes in “hops” from your computer/phone/etc to your domain server to intermediary servers to my domain server and to my computer etc. Transport layer encryption works by encrypting each hop. Your computer will encrypt the email and your domain server will decrypt it and then encrypt it again and the intermediary server will decrypt it and encrypt it again and so on.

While it is easy to set up, your email is converted to plain text at each intermediary (hop) point and so it is at risk of being read by a hacker etc. In addition, if I chose not to set my computer to use an encrypted connection then the email would be in plain text between my domain server and my computer. Transport level encryption is better than no encryption but is probably not what you are after.

End-To-End Email Encryption

End-to-end encryption works on the basis of the email being encrypted by your computer and remaining encrypted until my computer decrypts it.

This is much more secure but a pain in the bum to set up!

For this to work, your computer would need to know the “public encryption key” for my email address and use that to encrypt it. My computer would then use my email’s “private encryption key” to decrypt it. Therefore, before you send an encrypted email to me, I would need to set up a public key and you would need to install that public key on your computer. I would then be able to read your email once I have installed the private key. Therefore, it takes time and communication between each person you want to send encrypted emails to before it will work. To make matters worse, the installation of these keys is not as simple as it could be and most people give up trying to work out how to do it!

We recommend only going down this path if you have specific people that you are going to be regularly needing to send encrypted emails to. It is too complex for occasional emails to people.

So, what can you do?

Option one is to use an encrypted email service.

The way that these typically work is that you log on to their website and compose something on their screen that looks very like an email. When you click on the send button, an email is sent to the recipient to say that there is a message for them and they have to log on to the same server to read it. In this way, the message never actually leaves the service provider’s servers so can easily be kept in encrypted form.

The downside of this is that you have no record of the email within your normal email client (Outlook etc) and the recipient does not get sent your email, they get sent a message to say that they need to login to read your message so it is more cumbersome to use. These services also normally have a monthly charge and if you ever cancel the service you will have lost all of these emails.

Option two is to encrypt the content

What I mean by “encrypting the content” is that you encrypt the email content, not the whole email and you attach the encrypted content to the email. Your email would now simply say something like “Hi Fred, As promised, please open the attachment, Regards, Jim”. That message is unencrypted and any hacker could read it without gaining access to any sensitive information. The attachment is, however, encrypted and password protected so all a hacker would see if they tried to hack into it would be gibberish. So it achieves end to end encryption of the content.

Doing this is surprisingly simple. You create a Word document for your email content, then when saving it you simply ask Word to “protect” it and give it a password. This encrypts it and sets it so that it cannot be opened without the password. You then email the Word document to the recipient and tell them (by phone or text message?) what password they need to use to open the document.

This is our recommendation and is what most small and medium businesses do.

Let us know if you have further questions about this.

SCA: Why Do I Care?

What is SCA?

Strong Customer Authentication (SCA) is being introduced by the financial services industry across the EU. It is aimed at making online payment transactions more secure by introducing extra authentication into the payment process. For instance, in addition to entering your card details to pay for something online, you might also have to enter a PIN that you have just been sent to your phone.

If your website takes online payments then you may have to make changes for SCA.

From Wikipedia: Strong customer authentication (SCA) is a requirement of the EU Revised Directive on Payment Services (PSD2) on payment service providers within the European Economic Area. The SCA requirement comes into force from 14 September 2019. The requirement ensures that electronic payments are performed with multi-factor authentication, to increase the security of electronic payments. Physical card transactions already commonly have what could be termed strong customer authentication in the EU (Chip or Contactless and PIN), but this has not generally been true for Internet transactions across the EU prior to the implementation of the requirement.

When Does SCA Happen?

14th September 2019 was going to be the date when SCA had to be fully operational for everybody. However, the FCA have changed this to become a start date with an 18 month period by when SCA has to be fully implemented.

This means that some banks and card companies may introduce extra authentication as early as 14th September and some may wait up to a further 18 months. We don’t know! However, what we do know is that if your website is not ready for SCA and somebody tries to pay for something online and their bank requires the extra authentication, the payment will fail. Therefore, although there is no legal requirement to have your website SCA compliant by 14th September, you might want it to be compliant sooner rather than later so you do not miss out on payments.

You will need to decide for yourself whether you feel it is better to be ready asap or whether it is better to defer the work and wait to see what happens.

Will I Need To Do Something?

There are different ways that websites can be set up to take payments. Two of the most common ways are:

  • Card details are directly entered into a page on your website (such as our domain management system as shown in the screenshot below)
  • Card details are entered into a page that is separate to your website and is provided by a card processing company (such as the WorldPay payment page shown below)
RPM_Domains_Screenshot
RPM Domains Screenshot
WorldPay Screenshot
WorldPay Screenshot

If your website simply links to a page that is separate to your website (such as the WorldPay example above) then check with the card processor to make sure that they are changing their system and that they do not need you to do anything.

If your website takes payments on a page in your site then you will almost certainly need changes made so please read on …

How Will My Website Need To Change?

With SCA, when a customer enters their card details into your website to make a payment to you, there could be three outcomes:

  1. Everything’s ok, the charge goes through (as now)
  2. Something’s wrong, the charge fails (as now)
  3. Further authentication is required to decide whether or not the charge will go through – this is the new bit!

Further authentication can include a number of things (such as entering a PIN, receiving a code to your mobile, confirming with your fingerprint, answering a security question, …). Different banks/card companies will be using different things for different transactions and different circumstances.

That further authentication will result in your website having to ask an extra question (eg “enter the code number just sent to your phone”). The website will then have to send that off to the card processor to check to see whether your customer has entered the correct details before it is decided whether the transactions is successful or not.

This video shows some test transactions so you can see how things might work with SCA on your website. Note that the popups you see here are from a test card processing system. Real live popups will ask you to enter the authentication response, not just click a button!

 

What needs to be done?

If you have card processing built in to your website then your website needs extra functionality built in to it to handle authentications. This includes handling extra communication with the card processor and, through them, to the bank. As a result, although the payment forms and messages you show your customer may remain largely unchanged (depending on how that communicates with your website’s server code and to the card processor), most of your site’s payment processing (behind the scenes) will change. In addition, your site may have to communicate with a different system/product from the card processor.

However, the plus side of this is that the processing flow can be more streamlined and, if required (and depending on your site and the card processor you use) may be able to be fully achieved all on one page. The lower drop-out rates you obtain from using an on-site payment solution can be further improved with a complete single-page solution. With the example you saw above (our domain renewal system) you will see that we have left the site using two pages (a payment page and a thank you page) but this could have been further streamlined into one page, maybe for you this might offer the opportunity to offer up-sells or cross-sells etc.

If you have the enthusiasm to work through a before and after payment processing flow then you may find these helpful:

non SCA payment flow
Non-SCA Payment Flow
SCA Payment Flow
SCA Payment Flow

 

What To Do Next?

Drop us an email to when you are ready to look into this further and we’ll check out how your website needs to change to incorporate SCA.

 

 

 

Should I get a security certificate?

October 2018: Short answer: Yes!

Long Answer:

What is a Security Certificate?

A security certificate is installed on the server that hosts your website. When installed and when your site is configured to use it, everything that is sent from the server (traffic) to a visitor’s web browser (page content, images, etc) is encrypted. And, traffic sent in the other direction (eg when a visitor has typed some information into a form on your website) is also encrypted.

These days it is not difficult for determined people (hackers etc) to intercept web traffic. However, if that traffic is encrypted, it becomes extremely difficult for them to decipher and use.

Therefore, a security certificate means that information you display on your website to a visitor (eg information about an order they have placed) and information a visitor enters into your website (eg their payment details) are safe* from hackers.

A security certificate has become a standard requirement for all websites that take online payments for some years.

(* well, nothing’s 100% of course but this is considered to be “close enough” for all normal business transactions)

January 2018:

We are often asked “Will my website rank better if I get a security certificate?

Google announced that having a security certificate (aka SSL or HTTPS) was to become a ranking factor in August 2014. They said: “we’re starting to use HTTPS as a ranking signal”. Many salespeople picked up on this and started selling security certificates to website owners to “help their site rank better”.

However, if they had read on, the very next sentence in Google’s announcement had said: “For now it’s only a very lightweight signal — affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content.” Google has said that they may increase the importance of security certificates in their ranking algorithms over time but, based on the latest analysis we have seen, there is at best only “a slight positive correlation between the https URL and rankings”.

In other words, our recommendation today (Jan 2018) is: don’t make the switch to HTTPS solely for SEO purposes. It’s a resource intensive process (to do properly) and there isn’t a strong correlation between the two.

Update: May 2018:

chrome not secureFrom July 2018 the Google Chrome web browser will, according to Google, “mark all HTTP sites as ‘not secure’” (a HTTP site is a site without a security certificate). To date, Google Chrome has only been marking HTTP pages that have a form on them as “not secure”. It seems that, from July onwards, all of your site’s pages, whether you have a form on them or not, will be marked as “not secure”.

As the Google Chrome browser is the most popular web browser, and as “not secure” is not a message that we would encourage anybody to broadcast about their website, our advice now is to have a security certificate installed and activated on ALL websites.

October 2018:

Well, Google Chrome did make the predicted change on about 31st July. And, it sparked a series of copycat changes from other browsers. Now other browsers are also marking all web pages as “not secure” even when there is no security risk to a website visitor.

Even though a security certificate may not be required from a technical/security perspective, we advise you to have a security certificate to avoid the perception issues that come from the “not secure” messages. A basic security certificate is sufficient for most websites (that do not sell products or services online) and can be acquired and set up for the equivalent of less than the cost of a cup of coffee each week. 🙂