How does the paubox.com technique work "seamlessly" for *me* to receive an encrypted e-mail without my doing anything?
The care mgr for a family member needs to send me encrypted e-mails to be HIPAA compliant. She now subscribes to a service called "Paubox" (www.paubox.com) and sends her e-mails through their server. Supposedly, every e-mail that she sends me is automatically encrypted (including attachments) and then decrypted when I receive it in Thunderbird -- all without my doing anything. And, magically, if I send a reply back to her, then supposedly it is automatically encrypted and then decrypted at her end.
How can this work? I am NOT subscribing to the Paubox service, and I am not exchanging any kind of public/private keys with her.
All Replies (1)
Most of us use SSL and TLS on a regular basis. This silently and invisibly encrypts a message without us knowing anything about it. Your gmail, yahoo, hotmail, gmx accounts will all use this as a matter of course. Increasingly many ISPs are using it too.
I don't know too much about these encryption technologies, so I started reading up. After about 5 pages I started losing the will to live. It was all about the transaction that goes on between a server and a client, keys being issued and symmetrical encoding going on.
So if you send a message to me, using one of the well-known email providers (gmail, yahoo, hotmail) they will use SSL or TLS to encrypt the message on its journey from you to their SMTP server. So far so good.
However, one of my email accounts is operated by an email provider who doesn't use these encryption systems. So for the leg of the journey from his IMAP server to my Thunderbird, the message is unencrypted. So if you send to this particular account, no way will it be encrypted when it lands on my machine.
And that scenario had me wondering how paubox could do what they claim.
Their website explains it. Under the circumstances outlined above, somehow it would refuse to deliver your message to my provider's server, and in its place I'd get an email message asking me to visit the paubox site via my browser. The connection via browser would use HTTPS (yet another secure protocol) and so ensure that I could only use a secured connection to see your message.
So by and large, paubox are simply using technologies that are already in place, with the clever twist that they can discern if a connection is insecure and refuse to use it. I guess your care manager has had to sign up and pay for an account with paubox to benefit from this service? Is she using a specific email address for this HIPAA-compliant correspondence?
And I guess that they must be able to screen your replies to the care manager to ensure that they are guaranteed to be HIPAA compliant. There is no point her messages to you being HIPAA compliant if the same cannot be said of your messages to her. So they would accept messages or replies from you only if they arrived via a secured connection using SSL or TLS, or if you didn't have one, over HTTPS from your browser.
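The routing decision the reply describes (hand the message to the recipient's mail server only over TLS, otherwise send a link to an HTTPS portal), as an added example that is not part of the original thread and is not Paubox's code. The route names, the sample EHLO replies and the `probe` helper are assumptions made for illustration.

```python
import smtplib
import ssl

PORTAL = "web-portal"  # recipient gets a link and reads the message over HTTPS
DIRECT = "smtp-tls"    # message is handed to the recipient's MX over TLS

# Constructed sample EHLO replies (not captured from any real server).
SAMPLE_TLS = "250-mx.example.net Hello\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME"
SAMPLE_PLAIN = "250-mail.example.org Hello\r\n250-SIZE 10240000\r\n250 8BITMIME"


def offers_starttls(ehlo_reply: str) -> bool:
    """True if a raw multi-line EHLO reply advertises the STARTTLS extension."""
    for line in ehlo_reply.splitlines()[1:]:  # line 0 is the server greeting
        if line[:3] != "250":
            return False  # not a success reply, treat as no TLS
        keyword = line[4:].split(" ", 1)[0]
        if keyword.upper() == "STARTTLS":
            return True
    return False


def choose_route(ehlo_reply: str, handshake_ok: bool) -> str:
    """Deliver directly only if TLS is offered AND the handshake verified."""
    if offers_starttls(ehlo_reply) and handshake_ok:
        return DIRECT
    # An advertised-but-failed handshake must not degrade to plaintext SMTP.
    return PORTAL


def probe(mx_host: str, timeout: float = 10.0) -> str:
    """Live version of the same decision (needs network; not run on import)."""
    ctx = ssl.create_default_context()  # verifies certificate and hostname
    try:
        with smtplib.SMTP(mx_host, 25, timeout=timeout) as s:
            s.ehlo()
            if not s.has_extn("starttls"):
                return PORTAL
            s.starttls(context=ctx)  # raises if the handshake or cert check fails
            s.ehlo()                 # re-issue EHLO inside the TLS session
            return DIRECT
    except (smtplib.SMTPException, ssl.SSLError, OSError):
        return PORTAL


if __name__ == "__main__":
    print(choose_route(SAMPLE_TLS, True), choose_route(SAMPLE_PLAIN, True))
```

This covers only the server-to-server hop; whether the recipient's mail client then fetches the message over an encrypted IMAP or POP connection is a separate question that the sending side cannot see from the SMTP session.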