Four Tools for Private Communication
Free and low-cost ways to help you work safely and securely
December 15, 2006
Internet-based communications such as email and instant messaging are inexpensive and globally available, which make them great tools for nonprofit organizations. However, these methods of communication are also vulnerable to interception and eavesdropping.
The best way to protect your communications from eavesdroppers is to encode data using encryption.
Encryption, whether applied to email, to instant messaging, or to a virtual private network (VPN) connection, is particularly useful if remote workers use publicly accessible computers and wireless connections such as those found at libraries and cafés.
Luckily, there are plenty of tools to help you work safely and securely. Below, we'll examine low-cost and free technologies that encrypt Internet communications, including email and instant messages. We'll also look at ways to protect blogs and wikis.
1. VPN: Your Own Private Highway
The information traversing the Internet is neither safe nor secure. Imagine, if you will, that the Internet is a public highway and that the information you transmit is the cars moving along it. Public highways aren't completely safe: anyone can look inside your car, steal it, or crash into it. A VPN is akin to a private tunnel through which the cars, your information, can travel safely.
A VPN creates an encrypted tunnel between a user's computer and the main office. It uses encryption keys to scramble the communication as it travels across the network, and unscramble it when it arrives at its destination. VPNs also ensure that the message hasn't been tampered with as it passes from sender to receiver.
If you're a remote user who needs to access files on your organization's internal network or intranet, a VPN makes it seem as though you're in the office, and it also keeps the connection from that outside location private.
With a VPN, everything sent through the tunnel is encrypted regardless of the application. Thus, if you create a VPN connection to your organization's main network and then use your email program, you don't need to add additional encryption, provided you're sending communications to other people in the main office and the VPN is configured to route all of your traffic through the tunnel (some VPNs are set up as "split tunnels" that send only office-bound traffic through the VPN and everything else directly over the Internet, unprotected). If you are sending email or instant messages to a recipient outside the organization, they will be encrypted only as far as the main office and transmitted from there in the clear. (With a VPN, the encryption tunnel exists between the user's computer and the VPN appliance at the main office, not between you and the final recipient.)
Commercial VPN products generally use one of two protocols: Internet protocol security (IPSec) or secure sockets layer (SSL).
IPSec
An IPSec VPN typically comes with a built-in firewall and sits between the public Internet and your private network. (A firewall allows or denies connections between computers inside your private network and computers on the Internet based on policies defined by the firewall administrator.)
IPSec VPN/firewall products are commonly sold as appliances; that is, all the hardware and software you need are delivered in one package, making it easier to set up and operate. Software-based firewall/VPNs are also available, but you'll have to buy the server separately and install both the VPN software and an operating system.
An IPSec VPN requires that you install client software on every remote computer that connects to your organization's internal network. This client is configured with the credentials (a certificate or a pre-shared key) needed to authenticate to the VPN appliance and set up the encrypted connection. IPSec firewall/VPN appliances are generally priced according to the amount of traffic the device can process. Most vendors include a small number of licenses (usually five) for the VPN client software in the base price of a firewall/appliance. (Additional licenses will add to the overall cost.)
An IPSec VPN is ideal for remote users who own a computer and use it to connect to the main office. An IPSec VPN is also less expensive than an SSL VPN (depending on the number of people you need to connect; prices range from $300 to $400, and even up to $2,000). And because an IPSec VPN comes with a network firewall, you get additional functionality for your money. Many IPSec firewall/VPN products also offer features such as antivirus and spam protection and Web-site filtering.
Low-cost IPSec firewall/VPN appliances start around $500 and are available from a wide range of vendors, including Juniper Networks, Nokia, Secure Computing (the SnapGear product line), Symantec, and WatchGuard. You can also buy firewall/VPN software from Check Point and SmoothWall. (Contact a sales rep to find out about nonprofit pricing.)
If you're looking for a free option, Poptop is a free, open-source VPN server that runs on Linux. Note that Poptop implements PPTP rather than IPSec; PPTP's password-based authentication (MS-CHAP) has known weaknesses, so where you have the choice, prefer an IPSec- or SSL-based tunnel.
SSL
An SSL VPN also encrypts communications between a remote user and the main office; however, it doesn't require specific VPN software on the remote computer. Instead, it uses a Web browser and the SSL (secure sockets layer) encryption protocol to encipher the traffic. (SSL is the same type of encryption used to encrypt your credit-card number when you order something from an e-commerce Web site.)
The benefit of an SSL VPN is that remote users can use any computer that has a Web browser. This is particularly useful for employees who are traveling or need to use publicly available computers at an Internet café. Keep in mind, though, that a shared computer may be running keystroke loggers or other malware; the SSL tunnel protects the traffic, not the machine you type on. An SSL VPN is usually a standalone device, so it typically won't include firewall functionality.
One drawback of an SSL VPN is that it may not support all the applications your nonprofit uses, or may require some modification of certain applications to run via the SSL VPN. Microsoft Office applications should work without problems, but be sure to ask about the product's ability to support other applications before making a purchase.
You can buy a low-cost (approximately $400) SSL VPN from Netgear.
If you're comfortable using open-source software, you can also check out SSL-Explorer, which offers a Community version (free) and an Enterprise version that provides additional features and tech support.
Other commercial options for SSL VPNs include SonicWall and WatchGuard, though you will pay more for those than you would for Netgear. Contact the vendors to find out about nonprofit pricing options.
2. Email Encryption
Even if you aren't using a VPN, you can still send encrypted email. However, you'll have to understand a few basics about public key cryptography and go through several steps to enable secure correspondence among co-workers and anyone else to whom you want to send encrypted messages.
In public key cryptography, a mathematical procedure generates a matched pair of keys: whatever one key encrypts, only the other can decrypt, and vice versa. Knowing one key does not let you work out the other.
One key (the public key) can be handed out freely and is often published in an Internet-accessible directory, such as a PGP key server or a certificate directory run by a trusted third-party service. The other key (the private key) is stored in a secure location accessible only to its owner, usually on the user's computer and protected by a passphrase.
When you want to encrypt an email message, your mail program looks up the recipient's public key and uses it to encipher the data. When the message is received, the recipient uses his or her private key to decrypt it. Because only public keys are ever exchanged, no secret has to be agreed on in advance.
The most common way to encrypt email with public key cryptography is PGP, which stands for Pretty Good Privacy, originally a free encryption program developed by activist Phil Zimmermann and since standardized as OpenPGP. (A corporation that provides encryption products for consumers and businesses now also shares that name.)
To learn more about encryption and how it works, read NetAction's Guide to Using Encryption Software.
Secure Multipurpose Internet Mail Extensions (S/MIME) is another way to encrypt email using public key cryptography. S/MIME is an industry standard and is supported by most major email clients.
Digital Certificates
The two systems handle keys differently. For S/MIME you must first acquire a digital certificate from a certificate authority; the certificate binds your public key to your email address, and the matching private key is generated and stored on your PC. Thawte offers free personal email certificates. For PGP you generate a key pair yourself with the PGP or GnuPG software; no certificate authority is involved, and you and your correspondents exchange public keys directly. In either case, anyone you send encrypted messages to must have their own key pair, because these systems use the recipient's public key to encrypt the message.
For instance, if Alice and Bob want to send encrypted messages to each other, Alice must send her public key to Bob, and Bob must send his public key to Alice. Once Alice has Bob's public key, she'll use that key to encrypt messages to him, and vice versa. Before relying on a key, confirm that it really belongs to the person (for PGP, by comparing the key's fingerprint over the phone or in person); anyone who can slip you a substitute public key can read everything you encrypt with it.
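As an added example (not code from the original article or from any PGP or S/MIME product), the following Go program shows what happens underneath when Alice writes to Bob: the message is signed with Alice's private key, encrypted with a fresh per-message symmetric key, and that small key is in turn encrypted to Bob's public key, which is the same "hybrid" construction PGP and S/MIME use. It also demonstrates the integrity point made in the VPN section: a message altered in transit is rejected rather than silently decrypted, and a third party (Eve) holding a different private key cannot read it. The Envelope type, the Seal/Open/Demo names and the sample message text are assumptions for illustration only; real PGP and S/MIME use standardized packet and certificate formats that this toy omits.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what travels over the network; nothing in it is readable without
// the recipient's private key, and any alteration is detected on opening.
type Envelope struct {
	WrappedKey []byte // per-message AES key, encrypted to the recipient's RSA public key
	Nonce      []byte
	Ciphertext []byte // AES-GCM output over (plaintext || signature), auth tag included
}

// must panics on errors that cannot occur with a valid key (cipher setup, rand.Read).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Seal signs msg with the sender's private key and encrypts it to the recipient's public key.
func Seal(msg []byte, sender *rsa.PrivateKey, recipient *rsa.PublicKey) (*Envelope, error) {
	// Sign first so the signature travels inside the encrypted payload, as PGP and
	// S/MIME do when they nest a signed message inside an encrypted one.
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	payload := append(append([]byte{}, msg...), sig...)
	// Hybrid scheme: a fresh AES-256 key and 96-bit GCM nonce encrypt the payload;
	// only the small key is encrypted with the recipient's (slow) RSA key.
	buf := make([]byte, 32+12)
	must(rand.Read(buf))
	key, nonce := buf[:32], buf[32:]
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key)))) // GCM encrypts and authenticates
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, payload, nil)}, nil
}

// Open reverses Seal: only the recipient's private key unwraps the message key, GCM
// rejects any tampering, and the signature must verify against the claimed sender.
func Open(env *Envelope, recipient *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("message was not encrypted to this private key")
	}
	if len(key) != 32 { // a crafted envelope must not crash the reader
		return nil, errors.New("wrapped key has the wrong length")
	}
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	payload, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("ciphertext was altered in transit")
	}
	sigLen := sender.Size() // an RSA-PSS signature is exactly one modulus long
	if len(payload) < sigLen {
		return nil, errors.New("payload too short to hold a signature")
	}
	msg, sig := payload[:len(payload)-sigLen], payload[len(payload)-sigLen:]
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, errors.New("signature does not verify against the claimed sender")
	}
	return msg, nil
}

// Demo runs the Alice-to-Bob exchange and reports what Bob recovers, whether Eve
// (a third party) was unable to read it, and whether a tampered copy was rejected.
func Demo() (plain string, eveRejected, tamperRejected bool) {
	alice := must(rsa.GenerateKey(rand.Reader, 2048))
	bob := must(rsa.GenerateKey(rand.Reader, 2048))
	eve := must(rsa.GenerateKey(rand.Reader, 2048))
	// Constructed sample message for the demo.
	env := must(Seal([]byte("Board minutes attached; please keep confidential."), alice, &bob.PublicKey))
	got := must(Open(env, bob, &alice.PublicKey))
	_, eveErr := Open(env, eve, &alice.PublicKey) // Eve holds no matching private key
	tampered := *env
	tampered.Ciphertext = append([]byte{}, env.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01 // flip one bit on the wire
	_, tamperErr := Open(&tampered, bob, &alice.PublicKey)
	return string(got), eveErr != nil, tamperErr != nil
}

func main() { fmt.Println(Demo()) }
```

Run it with `go run` and it prints the recovered text followed by `true true`. The order matters: signing before encrypting keeps the signature itself private, and authenticated encryption (GCM) is what turns "the eavesdropper can't read it" into "the eavesdropper can't change it either", the same property the article attributes to VPN tunnels. What the toy leaves out is exactly the part the surrounding text stresses: it trusts that `&bob.PublicKey` really is Bob's, which in practice is the job of certificate authorities (S/MIME) or fingerprint checking (PGP).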
The free Thunderbird mail client from Mozilla, the makers of the Firefox Web browser, supports S/MIME out of the box. For OpenPGP you'll need to install GnuPG (a free, open-source implementation of the OpenPGP standard) together with the Enigmail add-on, and then generate your key pair from Enigmail's key-management window. For S/MIME, once you have a certificate, go to Edit > Account Settings > Account name > Security, where you can choose the certificate to use for signing and encryption. For details on using Thunderbird with GnuPG, go to Enigmail.
Microsoft Outlook and Mozilla Thunderbird both support S/MIME; however, once you've acquired a digital certificate, you still have to exchange public keys with each person with whom you want to share encrypted messages. The usual way is to send that person a digitally signed message, which carries your certificate.
To send a secure message in Outlook, open the message, go to View > Options, and then click the Security Settings button. From there you can encrypt the message (Outlook uses each recipient's public key, taken from the certificate stored with that contact, to do so), add your digital signature, or request an S/MIME receipt. To save a sender's public key, the recipient should right-click on the sender's name in a signed message they've received and then click "Add to Contacts."
If all that sounds too complex, there are free and for-pay services that will encrypt email for you. For instance, a service called Hushmail has free and paid options for sending encrypted email.
The free version will create a digital certificate for you based on the open-source OpenPGP standard. To use the service, you'll first have to create an account with Hushmail. Then you simply use the Hushmail Web client to send and receive encrypted messages.
Unlike other PGP systems that keep the private key only on your computer, the free Hushmail version stores your passphrase-protected private key on its servers and sends it to your browser each time you use the Webmail system, where a Java applet decrypts it locally. (Java is a software language that can run small applications inside a Web browser.) This means you can send and receive encrypted messages at any computer with a Web browser that supports Java, but it also means you are trusting Hushmail's servers and the applet code they deliver: the privacy of your mail depends on the provider as well as on your passphrase.
However, Hushmail works best if your correspondents are also Hushmail users. While Hushmail does allow you to send an encrypted message to a non-Hushmail user, it requires the recipient to answer a security question created by the sender. This means you have to inform the recipient of the question and answer before they can read the email.
3. Encrypted IM
There are two good choices for encrypted IM conversations. One useful program is Trillian, from Cerulean Studios. Trillian allows you to connect to users of some of the more popular IM programs, including Yahoo Messenger, AOL AIM, ICQ, and MSN Messenger. Trillian also offers 128-bit encryption (its SecureIM feature) for basic privacy of messages; keep in mind that it only applies when both parties are using Trillian, since the underlying IM networks themselves send messages in the clear.
A free client is available for download, or you can pay $25 a year for Trillian Pro, which offers additional features such as video chat and the ability to chat with users running the Jabber IM client.
Skype, which enables you to place calls over the Internet, also includes a chat client to send instant messages to other Skype users. Skype protects both its voice calls and chat sessions with 256-bit encryption. If your remote employees already use Skype for its voice capabilities, it's a logical choice for a chat client as well. Note that Skype's protocol is proprietary and closed, so its encryption cannot be independently inspected, and it is designed to keep messages from third parties, not from the service operator.
4. Secure Wikis/Blogs
Both wikis and blogs are designed to be public mediums. While some offer rudimentary access control, they should not be relied upon if you are highly concerned about privacy. If you need to share sensitive information with others, encrypted email or IM is a better vehicle.
Wikis are an excellent way to provide storehouses of information that may be useful to employees, and for encouraging collaboration among remote users.
Wiki security controls tend to be fairly basic: most require only a password to access the site. Some wikis allow you to set up basic rights based on the user account, such as giving some users read-only privileges while allowing others to make changes or additions. Even if you have such controls in place, they won't stop a determined attacker, so you should not post sensitive information to a wiki.
Wiki hosting services are useful if you don't have on-hand expertise in running a Web server. Some services, like EditMe, also provide basic access controls such as password protection so only authorized users can visit the site and make changes or additions. EditMe offers a basic hosting service starting at $4.95 per month.
When it comes to blogs, most organizations want as many people to visit as possible. They're typically more public-facing than a wiki and require very little in terms of setup. Services such as WordPress and LiveJournal can help you set up and host a blog at very low cost. They also allow you to set up private blogs that can only be accessed by select readers. WordPress can also encrypt your posting in transit as it's uploaded to the blog; once published, the post itself is stored and served in the clear. (For more information on the technical aspects of anonymous blogging, please see TechSoup's article A Technical Guide to Anonymous Blogging.)
If communication privacy is important to your organization, encryption is your best bet. Setting up an organization-wide system to encrypt messages will take some time and some tinkering, but the end result — strong privacy of messages in transit — is worth it.