1
00:00:02,050 --> 00:00:04,179
Email, now, is one of
the most important
2
00:00:04,180 --> 00:00:06,100
online services that we use.
3
00:00:06,330 --> 00:00:07,120
For most people
4
00:00:07,200 --> 00:00:09,859
it can be a single point
of security failure,
5
00:00:09,860 --> 00:00:12,690
because many of our
accounts are linked to it.
6
00:00:13,450 --> 00:00:15,930
If you have an email compromise,
7
00:00:16,370 --> 00:00:19,600
your associated accounts
are also compromised.
8
00:00:20,090 --> 00:00:22,129
Private information will be
compromised,
9
00:00:22,130 --> 00:00:26,009
including your name,
address, contacts,
10
00:00:26,010 --> 00:00:27,919
friends and anything else
11
00:00:27,920 --> 00:00:31,360
that’s associated or stored
within your email.
12
00:00:32,060 --> 00:00:33,739
It’s obvious to most people
13
00:00:33,740 --> 00:00:35,880
why email security is important,
14
00:00:36,200 --> 00:00:41,549
but email unfortunately is
fundamentally broken,
15
00:00:41,550 --> 00:00:43,400
as far as security is concerned,
16
00:00:43,750 --> 00:00:45,550
and it cannot be fixed.
17
00:00:45,950 --> 00:00:49,939
All we can do is keep putting
sticky plasters on it.
18
00:00:49,940 --> 00:00:53,880
Plasters which, unless
everyone else adopts,
19
00:00:53,920 --> 00:00:55,400
which is pretty much the same as
20
00:00:55,560 --> 00:00:57,230
changing email completely,
21
00:00:57,500 --> 00:00:58,879
we’re just not going to fix
22
00:00:58,880 --> 00:01:01,530
these security problems
that are inherent in email.
23
00:01:01,820 --> 00:01:05,550
Email is from a time when
security wasn't thought of.
24
00:01:05,760 --> 00:01:08,510
But we continue to use email
25
00:01:08,560 --> 00:01:10,720
because it is ubiquitous,
26
00:01:10,780 --> 00:01:13,020
everybody has an email
address now.
27
00:01:13,480 --> 00:01:14,999
If everyone suddenly switched
28
00:01:15,000 --> 00:01:18,240
to a secure messaging
alternative tomorrow,
29
00:01:18,460 --> 00:01:19,740
the problem would be solved.
30
00:01:20,090 --> 00:01:22,110
But because that’s not
going to happen,
31
00:01:22,300 --> 00:01:23,849
we are stuck with a broken
32
00:01:23,850 --> 00:01:26,010
messaging system called email.
33
00:01:26,670 --> 00:01:29,210
This means you will need
to convince others
34
00:01:29,450 --> 00:01:31,340
to adopt encryption technology
35
00:01:31,680 --> 00:01:34,120
if you want to communicate
with them privately.
36
00:01:34,430 --> 00:01:35,630
You can't do it on your own.
37
00:01:36,460 --> 00:01:37,400
Let's take it from
the beginning.
38
00:01:37,401 --> 00:01:40,399
So there are two ways
to access email.
39
00:01:40,400 --> 00:01:43,130
First, you’ve got
your web browser
40
00:01:43,320 --> 00:01:47,290
using functionality like
HTML5 and JavaScript.
41
00:01:47,470 --> 00:01:50,429
And probably most people
now think of that as email,
42
00:01:50,430 --> 00:01:52,379
that is the most common way
43
00:01:52,380 --> 00:01:54,219
that people tend
to access email,
44
00:01:54,220 --> 00:01:56,750
you know, via Gmail
or Yahoo Mail.
45
00:01:57,690 --> 00:02:00,919
But the second way that
is used is an email client,
46
00:02:00,920 --> 00:02:05,850
which is something like Thunderbird,
or Claws, or Outlook,
47
00:02:05,900 --> 00:02:07,850
people might use
commonly at work.
48
00:02:08,170 --> 00:02:10,030
You have Mac Mail,
49
00:02:10,490 --> 00:02:11,799
or you have the mail apps
50
00:02:11,800 --> 00:02:14,640
that you get on your cell
and mobile phones.
51
00:02:14,870 --> 00:02:16,320
Those are all email clients.
52
00:02:16,920 --> 00:02:18,539
And most email providers
will allow you
53
00:02:18,540 --> 00:02:21,700
to use both methods,
the webmail access
54
00:02:21,980 --> 00:02:23,090
and the email client.
55
00:02:23,780 --> 00:02:28,960
With webmail, you access
via HTTPS, port 443,
56
00:02:29,380 --> 00:02:32,290
which is running SSL
and TLS encryption,
57
00:02:32,570 --> 00:02:33,810
or at least you should be,
58
00:02:34,210 --> 00:02:36,370
that is the standard solution
for most people.
59
00:02:36,610 --> 00:02:38,599
If you’re not, then it’s extremely
insecure,
60
00:02:38,600 --> 00:02:42,190
but really, almost all webmail
will be encrypted
61
00:02:42,550 --> 00:02:46,870
using HTTPS, port 443, SSL/TLS.
62
00:02:47,330 --> 00:02:49,599
You authenticate that server,
63
00:02:49,600 --> 00:02:50,960
that the server is genuine
64
00:02:51,160 --> 00:02:54,840
via a certificate as is
normal with HTTPS,
65
00:02:55,200 --> 00:02:58,620
and the client is authenticated
usually with a password.
66
00:02:59,070 --> 00:02:59,820
And if you can,
67
00:02:59,821 --> 00:03:01,710
you should change your
authentication method
68
00:03:02,030 --> 00:03:03,900
to be Two Factor Authentication,
69
00:03:04,220 --> 00:03:05,999
as this mitigates
password attacks
70
00:03:06,000 --> 00:03:08,260
as we’ve discussed in
the Password section.
71
00:03:08,940 --> 00:03:10,189
You should find
an email provider
72
00:03:10,190 --> 00:03:12,330
that offers Two Factor
Authentication.
73
00:03:13,540 --> 00:03:14,720
If you only use webmail,
74
00:03:15,170 --> 00:03:17,930
then emails are only
stored on the server.
75
00:03:19,000 --> 00:03:20,990
And then we have
the email client.
76
00:03:21,100 --> 00:03:24,640
With an email client, there are
a number of protocols
77
00:03:25,130 --> 00:03:28,640
and port options for both
sending and receiving email.
78
00:03:29,080 --> 00:03:31,770
So the options when it comes
to receiving mail,
79
00:03:32,120 --> 00:03:36,210
are: you have IMAP port 143,
which is unencrypted,
80
00:03:36,550 --> 00:03:41,260
you have POP port 110,
which is unencrypted;
81
00:03:41,620 --> 00:03:43,100
you don't want to use these.
82
00:03:43,440 --> 00:03:46,390
If you care anything about
your email security,
83
00:03:46,920 --> 00:03:50,399
receiving emails, then you
don't want to use these,
84
00:03:50,400 --> 00:03:53,499
and most providers now
either don't provide them,
85
00:03:53,500 --> 00:03:55,690
or provide encrypted alternatives.
86
00:03:56,400 --> 00:03:59,720
And those alternatives
are IMAP port 993,
87
00:04:00,080 --> 00:04:02,520
which is running SSL/TLS
encryption
88
00:04:02,890 --> 00:04:07,120
with the certificate based
server-side authentication,
89
00:04:07,610 --> 00:04:08,880
like with a website,
90
00:04:09,160 --> 00:04:12,750
and you have POP 3 on port 995,
91
00:04:13,370 --> 00:04:16,280
running the same SSL/TLS
encryption
92
00:04:16,730 --> 00:04:20,300
with, again, certificate based
server-side authentication.
93
00:04:20,940 --> 00:04:21,880
And those are the two that
94
00:04:21,881 --> 00:04:24,320
you want to go after
for receiving email.
95
00:04:24,690 --> 00:04:29,560
IMAP port 993 and
POP 3 port 995.
96
00:04:29,960 --> 00:04:31,619
Now, some email providers
97
00:04:31,620 --> 00:04:33,940
may put those on
different ports,
98
00:04:34,020 --> 00:04:36,810
but those are the de facto
port numbers.
99
00:04:37,300 --> 00:04:38,989
But what is important, is that
100
00:04:38,990 --> 00:04:42,220
they are both running
SSL and TLS.
101
00:04:42,890 --> 00:04:43,710
Now, when it comes
to the difference
102
00:04:43,711 --> 00:04:45,160
between IMAP and POP,
103
00:04:45,640 --> 00:04:49,050
of the two, IMAP is
the popular option
104
00:04:49,290 --> 00:04:50,599
when you need to check
your emails
105
00:04:50,600 --> 00:04:53,789
from multiple devices,
such as a laptop,
106
00:04:53,790 --> 00:04:55,230
phone, tablet and so on,
107
00:04:55,680 --> 00:04:58,230
because the emails are
synced using IMAP
108
00:04:58,650 --> 00:05:00,890
with the server and all devices.
109
00:05:01,590 --> 00:05:03,880
All devices retain copies
110
00:05:04,380 --> 00:05:06,400
with the server having
the master copy.
111
00:05:06,790 --> 00:05:08,370
This is the most convenient
112
00:05:08,670 --> 00:05:11,280
and what most people
will be used to using.
113
00:05:11,620 --> 00:05:15,219
POP3, alternatively,
downloads emails
114
00:05:15,220 --> 00:05:18,210
from the server to
a single email client,
115
00:05:18,500 --> 00:05:20,800
then deletes the emails
from the server.
116
00:05:21,190 --> 00:05:22,699
Because your messages
get downloaded
117
00:05:22,700 --> 00:05:24,149
to a single email client,
118
00:05:24,150 --> 00:05:25,630
and then deleted
from the server,
119
00:05:25,970 --> 00:05:28,390
it can appear that
the mail is missing,
120
00:05:28,730 --> 00:05:30,840
or disappeared from your inbox
121
00:05:31,030 --> 00:05:32,239
if you try to check your mail
122
00:05:32,240 --> 00:05:34,590
from a different email
client or webmail.
123
00:05:35,120 --> 00:05:36,910
But you may want this
for security though,
124
00:05:37,210 --> 00:05:39,610
to have no emails
stored on the server.
125
00:05:40,310 --> 00:05:42,570
If you’re worried about people
accessing the server,
126
00:05:42,940 --> 00:05:43,940
use POP3.
127
00:05:44,410 --> 00:05:46,490
If you’re worried about people
accessing your laptop,
128
00:05:46,780 --> 00:05:48,800
store on the server and
the client with IMAP.
129
00:05:49,830 --> 00:05:50,750
Then we have the protocols
130
00:05:50,751 --> 00:05:53,440
for sending emails
with an email client.
131
00:05:53,950 --> 00:05:57,410
We have SMTP port 25,
132
00:05:57,870 --> 00:06:01,900
which is the original
unencrypted port to use;
133
00:06:02,090 --> 00:06:04,649
you don't want to use this
if you care about
134
00:06:04,650 --> 00:06:07,600
your emails and sending your
emails and privacy.
135
00:06:08,480 --> 00:06:11,610
Then you have something
called STARTTLS,
136
00:06:11,690 --> 00:06:14,560
which is usually on port 587.
137
00:06:14,910 --> 00:06:17,930
And that is for using
SSL/TLS encryption.
138
00:06:18,490 --> 00:06:22,079
And then you have SMTP port 465,
139
00:06:22,080 --> 00:06:24,830
which again is SSL/TLS
encrypted.
140
00:06:25,330 --> 00:06:27,470
You want to use,
when it’s possible,
141
00:06:27,940 --> 00:06:32,450
SMTP port 465 with the SSL/TLS.
142
00:06:32,820 --> 00:06:37,290
STARTTLS on 587 is
more susceptible
143
00:06:37,480 --> 00:06:39,180
to man-in-the-middle
attacks.
144
00:06:39,520 --> 00:06:45,140
So go with the SMTP port 465,
SSL/TLS option.
145
00:06:46,160 --> 00:06:48,610
For both email clients
and webmail,
146
00:06:48,960 --> 00:06:52,300
the SSL/TLS will use
a cipher suite, obviously.
147
00:06:52,900 --> 00:06:54,170
You want this to be a good one.
148
00:06:54,570 --> 00:06:58,140
Ideally, using Elliptic Curve
Diffie-Hellman,
149
00:06:58,360 --> 00:07:00,490
so the session keys
are ephemeral,
150
00:07:00,780 --> 00:07:03,090
so that if the private
key is compromised,
151
00:07:03,320 --> 00:07:05,970
only a small amount of data
is compromised.
152
00:07:06,200 --> 00:07:08,140
The section on Encryption
covers this.
153
00:07:08,360 --> 00:07:11,720
If you remember, back to when
we looked at Cipher Suites,
154
00:07:11,850 --> 00:07:15,820
we used a tool called SSL Labs,
which is here.
155
00:07:16,410 --> 00:07:20,869
This doesn't scan
SMTP or IMAP SSL
156
00:07:20,870 --> 00:07:23,890
mail ports unfortunately,
but you can use it
157
00:07:24,190 --> 00:07:26,830
for checking port 443
for webmail.
158
00:07:27,280 --> 00:07:30,500
So for example here,
I could check “ghostmail”,
159
00:07:32,540 --> 00:07:35,620
and see how their
SSL/TLS stacks up.
160
00:07:36,340 --> 00:07:37,890
And here we go, A+.
161
00:07:44,580 --> 00:07:48,279
Now see, elliptic curve,
RSA_WITH_AES,
162
00:07:48,280 --> 00:07:50,561
so yeah, they seem to be doing
all the right things there.
163
00:07:50,660 --> 00:07:55,010
And, if you want to examine
the other ports like 465, 587,
164
00:07:55,360 --> 00:07:57,570
you’ve got a few options
for how you can do that.
165
00:07:58,520 --> 00:08:02,160
One with Kali, is you have
SSLscan,
166
00:08:03,450 --> 00:08:04,519
and if you press Return here,
167
00:08:04,520 --> 00:08:07,880
that's just going to simply
do port 443.
168
00:08:08,370 --> 00:08:10,249
But if you want to do
a special port,
169
00:08:10,250 --> 00:08:11,660
you would do 465,
170
00:08:12,260 --> 00:08:16,720
so then you could look at
the SMTP over TLS/SSL.
171
00:08:17,240 --> 00:08:18,440
Just press return here.
172
00:08:18,620 --> 00:08:19,500
And look at there;
173
00:08:19,570 --> 00:08:22,540
because ghostmail only has
a webmail interface,
174
00:08:22,780 --> 00:08:25,859
but if they did have
port 465 open,
175
00:08:25,860 --> 00:08:26,860
you could check that out.
176
00:08:27,570 --> 00:08:28,919
So here we see what we saw
177
00:08:28,920 --> 00:08:31,880
with SSL Labs, the same
Cipher Suites.
178
00:08:32,410 --> 00:08:33,929
Another way of checking out
the mail servers
179
00:08:33,930 --> 00:08:38,560
which I like is these guys here.
180
00:08:38,770 --> 00:08:44,010
So if we put in an email address
181
00:08:44,080 --> 00:08:47,580
of someone that you know,
and we click Try,
182
00:08:48,340 --> 00:08:50,219
or if you put in even
a dummy email address,
183
00:08:50,220 --> 00:08:53,379
if you put test@ghostmail,
or gmail,
184
00:08:53,380 --> 00:08:56,030
or what have you, click Try,
185
00:08:56,620 --> 00:08:59,370
it communicates with
the mail servers.
186
00:09:00,720 --> 00:09:01,310
It finds out
187
00:09:01,311 --> 00:09:03,039
who the mail server is
for that domain,
188
00:09:03,040 --> 00:09:06,769
because it isn't always ghostmail.com,
or that domain.
189
00:09:06,770 --> 00:09:07,830
So we can see here,
190
00:09:08,450 --> 00:09:11,419
we have the mail server
there, that is taken
191
00:09:11,420 --> 00:09:14,079
from what’s called the MX
record for that domain,
192
00:09:14,080 --> 00:09:16,620
MX is the mail record,
or mail exchange record.
193
00:09:17,560 --> 00:09:18,560
And what we can see here
194
00:09:18,880 --> 00:09:20,950
is the communication
with the mail server,
195
00:09:21,250 --> 00:09:23,950
you can see there, this is
using STARTTLS,
196
00:09:25,700 --> 00:09:28,420
and there we can see the Cipher
Suite that it uses.
197
00:09:28,890 --> 00:09:31,960
And what you’re actually
seeing here is text,
198
00:09:32,000 --> 00:09:34,350
ASCII communication
with that port.
199
00:09:34,820 --> 00:09:37,010
So these commands are
actually being put
200
00:09:37,210 --> 00:09:39,680
into the package stream
for that port.
201
00:09:40,210 --> 00:09:42,120
But I can show you
an example of that.
202
00:09:44,000 --> 00:09:46,605
So let's check out maybe Gmail.
203
00:09:47,028 --> 00:09:49,039
So first of all, we need
to figure out
204
00:09:49,040 --> 00:09:51,249
what the mail server address is,
205
00:09:51,250 --> 00:09:53,142
so we need to use something
called “NSLOOKUP”.
206
00:09:54,217 --> 00:09:56,125
So it's doing a DNS lookup
207
00:09:56,365 --> 00:09:58,662
to check the mail
exchange record,
208
00:09:59,097 --> 00:09:59,897
which will give us
209
00:09:59,965 --> 00:10:04,182
the IP address of the mail
server for gmail.com.
210
00:10:07,211 --> 00:10:08,299
And there we go,
211
00:10:08,300 --> 00:10:09,599
and we can see actually
they’ve got
212
00:10:09,600 --> 00:10:11,817
quite a few which
is no surprise.
213
00:10:12,057 --> 00:10:15,389
So to issue text-based
SMTP commands,
214
00:10:15,390 --> 00:10:17,977
we need to use some sort of tool
that allows us to do that,
215
00:10:17,978 --> 00:10:20,519
we can use Telnet,
we can use Netcat.
216
00:10:20,520 --> 00:10:23,954
Netcat is a tool that enables you
to read and write
217
00:10:24,171 --> 00:10:27,405
to network connections
using TCP and UDP.
218
00:10:27,897 --> 00:10:28,897
So if I go –
219
00:10:40,100 --> 00:10:40,640
So as you can see,
220
00:10:40,641 --> 00:10:43,577
I can just issue standard
text commands.
221
00:10:45,234 --> 00:10:46,502
But that is what this is doing,
222
00:10:46,503 --> 00:10:54,950
so I must try that command.
223
00:10:58,445 --> 00:11:04,428
25. Paste. There we go.
224
00:11:04,971 --> 00:11:06,571
So we see we get
the same response.
225
00:11:06,689 --> 00:11:07,794
It’s given us some options,
226
00:11:07,795 --> 00:11:08,849
therefore what we want to do.
227
00:11:08,850 --> 00:11:12,260
So STARTTLS, etc.
228
00:11:13,930 --> 00:11:15,130
So, let’s escape out of there.
229
00:11:19,300 --> 00:11:19,930
But yeah, essentially
230
00:11:19,931 --> 00:11:21,660
if we issue the same
commands here,
231
00:11:22,820 --> 00:11:24,670
we are going to get the same
sort of response.
232
00:11:25,890 --> 00:11:27,819
Now, moving on
to Authentication.
233
00:11:27,820 --> 00:11:29,550
For Authentication,
as I’ve said,
234
00:11:29,730 --> 00:11:32,790
certificates are used
to verify the server,
235
00:11:32,980 --> 00:11:34,290
“is who they claim to be?”
236
00:11:34,990 --> 00:11:38,570
The email client will use its
own certificate repository
237
00:11:38,660 --> 00:11:40,230
or that of the operating system,
238
00:11:40,560 --> 00:11:42,009
just the same as a browser does
239
00:11:42,010 --> 00:11:44,869
to validate that the server is
who the server is.
240
00:11:44,870 --> 00:11:46,790
So that’s the same as HTTPS,
241
00:11:47,270 --> 00:11:50,170
browsing, server authentication,
you know, it’s the same thing.
242
00:11:50,320 --> 00:11:51,240
And we can, of course,
243
00:11:51,241 --> 00:11:53,450
look at the certificates
that are on there,
244
00:11:54,040 --> 00:11:55,999
and this is a useful
site to do that.
245
00:11:56,000 --> 00:11:58,540
So if we click on
“More Detail” here,
246
00:12:00,190 --> 00:12:01,310
let's have a look down.
247
00:12:02,900 --> 00:12:03,370
And there we go,
248
00:12:03,371 --> 00:12:05,171
we can see the first
certificate in the chain.
249
00:12:06,383 --> 00:12:07,408
There’s the public key.
250
00:12:11,633 --> 00:12:13,166
And the certificate itself,
251
00:12:14,000 --> 00:12:16,233
and then the second
certificate in the chain,
252
00:12:16,666 --> 00:12:18,232
we can see all the way
down as to
253
00:12:18,233 --> 00:12:20,290
where the root certificate is.
254
00:12:21,750 --> 00:12:23,679
Client-side authentication.
255
00:12:23,680 --> 00:12:26,490
So depending on the mail client,
256
00:12:26,810 --> 00:12:29,599
you will have different options
for authentication,
257
00:12:29,600 --> 00:12:31,170
so those include things like
258
00:12:31,660 --> 00:12:33,429
transmitting the password
unencrypted,
259
00:12:33,430 --> 00:12:35,270
which was what was
originally done.
260
00:12:35,740 --> 00:12:37,809
And then you’ve got transmitting
the password encrypted,
261
00:12:37,810 --> 00:12:39,920
because you’re using SSL or TLS.
262
00:12:40,490 --> 00:12:44,330
You can do things like
Kerberos or GSSAPI,
263
00:12:44,760 --> 00:12:46,679
which is something
generally used
264
00:12:46,680 --> 00:12:48,560
for enterprise solutions.
265
00:12:49,100 --> 00:12:50,420
You’ve got NTLM,
266
00:12:50,540 --> 00:12:52,529
which is a Microsoft solution
267
00:12:52,530 --> 00:12:55,137
if you’re connecting
to exchange servers.
268
00:12:55,714 --> 00:12:58,102
You could use TLS/SSL
269
00:12:58,360 --> 00:13:00,257
or some type of certificate
270
00:13:00,368 --> 00:13:02,200
for your client authentication.
271
00:13:02,728 --> 00:13:04,552
There’s something called OAuth2
272
00:13:04,896 --> 00:13:07,048
that you can use;
but generally,
273
00:13:07,368 --> 00:13:08,583
you want to try and use
274
00:13:08,584 --> 00:13:10,494
some form of strong
authentication
275
00:13:10,850 --> 00:13:13,610
or two-factor authentication
if you can,
276
00:13:13,780 --> 00:13:16,920
and we covered two-factor
authentication in its own section.
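The manual steps shown in the video (look up the MX record with nslookup, talk plain-text SMTP to the server, see whether EHLO advertises STARTTLS, then check the negotiated cipher suite) can be scripted as a defender's posture check. The Python below is an added example, not code from the course or from any tool it mentions. It assumes a local `nslookup` binary for the live lookup, and every hostname, address and EHLO reply ending in `.example.test` is constructed sample data; only `lookup_mx` and `check_smtp_tls` touch the network, and neither sends mail or credentials.

```python
"""Inbound-mail TLS posture check (added example; not from the course).

Mirrors the video's manual steps: MX lookup, EHLO, STARTTLS, cipher check.
Assumption (not from the page): *.example.test values are constructed data.
"""
import re
import smtplib
import ssl
import subprocess

# Constructed nslookup output in the Linux/macOS format.
SAMPLE_NSLOOKUP_MX = """Server:\t\t192.0.2.53
Address:\t192.0.2.53#53

Non-authoritative answer:
example.test\tmail exchanger = 10 mx2.example.test.
example.test\tmail exchanger = 5 mx1.example.test.
"""

# Constructed nslookup output in the Windows format.
SAMPLE_NSLOOKUP_MX_WIN = """example.test\tMX preference = 5, mail exchanger = mx1.example.test
"""

# Constructed EHLO reply in the raw form you see over netcat or telnet.
SAMPLE_EHLO_REPLY = b"""250-mx1.example.test at your service, [203.0.113.10]
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250 SMTPUTF8
"""

_MX_RE = re.compile(
    r"(?:MX preference = (\d+), mail exchanger = (\S+))"
    r"|(?:mail exchanger = (\d+) (\S+))"
)


def parse_nslookup_mx(output: str) -> list[tuple[int, str]]:
    """Return (preference, host) pairs sorted by preference, lowest first."""
    found = []
    for m in _MX_RE.finditer(output):
        pref = m.group(1) or m.group(3)
        host = m.group(2) or m.group(4)
        found.append((int(pref), host.rstrip(".")))
    return sorted(found)


def lookup_mx(domain: str) -> list[tuple[int, str]]:
    """Run nslookup as in the video and parse its output (needs network)."""
    out = subprocess.run(["nslookup", "-type=mx", domain],
                         capture_output=True, text=True, timeout=15).stdout
    return parse_nslookup_mx(out)


def parse_ehlo_extensions(reply: bytes) -> dict[str, str]:
    """Parse a raw multi-line 250 EHLO reply into {EXTENSION: parameters}."""
    exts = {}
    lines = reply.decode("ascii", errors="replace").splitlines()
    for line in lines[1:]:                    # line 0 is the server greeting
        if not line.startswith("250") or len(line) < 5:
            continue
        keyword, _, params = line[4:].strip().partition(" ")  # skip "250-"
        exts[keyword.upper()] = params.strip()
    return exts


def advertises_starttls(reply: bytes) -> bool:
    return "STARTTLS" in parse_ehlo_extensions(reply)


def is_forward_secret(cipher_name: str, protocol: str) -> bool:
    """All TLS 1.3 suites use ephemeral keys; on 1.2 look for (EC)DHE."""
    if protocol == "TLSv1.3":
        return True
    return cipher_name.startswith(("ECDHE-", "DHE-"))


def strict_tls_context() -> ssl.SSLContext:
    """Verify chain and hostname like a browser does; refuse pre-1.2 TLS."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def check_smtp_tls(host: str, port: int = 587, timeout: float = 10.0) -> dict:
    """Connect, use STARTTLS (or implicit TLS on 465), report the cipher.
    Needs network access; sends no mail and no credentials."""
    ctx = strict_tls_context()
    if port == 465:
        server = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
    else:
        server = smtplib.SMTP(host, port, timeout=timeout)
        server.ehlo()
        if not server.has_extn("starttls"):   # plaintext only: report and stop
            server.quit()
            return {"host": host, "port": port, "starttls": False}
        server.starttls(context=ctx)          # fails on a bad certificate
    server.ehlo()
    name, protocol, bits = server.sock.cipher()
    server.quit()
    return {"host": host, "port": port, "starttls": port != 465,
            "cipher": name, "protocol": protocol, "bits": bits,
            "forward_secret": is_forward_secret(name, protocol)}


if __name__ == "__main__":
    print(parse_nslookup_mx(SAMPLE_NSLOOKUP_MX))
    print(parse_ehlo_extensions(SAMPLE_EHLO_REPLY))
```

The offline parsers cover the parts of the session the video reads by eye, and `check_smtp_tls` is the live equivalent of the netcat session: it refuses to continue if the certificate does not validate, which is exactly the man-in-the-middle case the video warns about for STARTTLS on 587, and it flags whether the negotiated suite gives forward secrecy.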