Apple to begin encrypting iCloud email in transit between providers

“Following the publication of an NPR article detailing the security of major email services, Apple has informed the network that it is working on an update to its iCloud Mail service that encrypts emails in transit from other providers,” Mark Gurman reports for 9to5Mac.

“As of right now, iCloud emails are solely encrypted in transit from one iCloud email account to another, but an email sent from iCloud to Gmail or Yahoo (as examples) or vice versa is not currently encrypted,” Gurman reports. “This is what will change: ‘Apple encrypts e-mail from its customers to iCloud. However, Apple is one of the few global email providers based in the U.S. that is not encrypting any of its customers’ email in transit between providers. After we published, the company told us this would soon change. This affects users of me.com and mac.com email addresses.’”

Gurman reports, “The enhancement will come into effect ‘soon,’ but Apple is not more specific than that on the timeframe. While the quote above oddly does not specify icloud.com addresses, that newer Apple email domain likely falls into the same category as me.com and mac.com.”

More info about which services Apple encrypts in transit and on server in the full article here.

16 Comments

  1. Meanwhile, make sure you’re at least using TLS/SSL between your Mac and iCloud:

    1) Open up Mail, then its Preferences.
    2) Click the Accounts tab.
    3) Click the Account Information sub-tab.
    4) Click the icon for iCloud on the left of the Preferences pane.
    5) Down at the bottom is a pop-up menu labeled ‘TLS Certificate’. Click the pop-up and choose “com.apple.idms.appleid.prd.xxxxxxxxxx”. The “xxx” stuff is the certificate number of Apple’s current TLS security certificate.
    6) Close the Preferences pane and you’re all done! Now you’ll be sure your email back and forth to iCloud is encrypted via TLS/SSL.

    Choosing Apple’s certificate for other services, such as Gmail, won’t work. When Apple sorts out encryption to other email account services, you’ll be able to choose their security certificates as well for each account.

    If you’d like to use full end-to-end email encryption to individual receivers, check out GPG (GNU Privacy Guard). I still consider it geekware, but it has been dramatically improving in usability over the past couple years. The catch is that the receiver must have it set up on their end as well in order to decrypt what you send them. An alternative is PGP (Pretty Good Privacy) which is commercial software from Symantec.

        1. If you want to get real geeky, then simply use the built in end to end encryption instead of GPG or PGP. If you have certificates for both parties in your keychain, you have an option to encrypt the mail or have it automatically done.

          The issue is: getting the certificate. There are a few services. Some free. Or you can buy one for $20 from some others.

          Next is the keychain. My mom says, “huh? What? My computer has a keychain?” And keytool, and requests? And what’s this login and system keychain and what’s that?

          And, if you lose your certificate or upgrade your Mac and/or lose your keychain then you can’t ever read those messages again… Ever…

          There is absolutely NO NEED for this to be so hard or cost so much. I smell conspiracy.

    1. Being security conscious and one who tries to keep things locked down, I was surprised to learn the Apple TLS/SSL Certificate was not enabled on my Mac.

      Is there a comparable setting under iOS?

    1. The NSA is looking after your security! Unless of course you’re involved in terrorism in which case I hope the NSA get you before you get me or anyone else on this forum. Or perhaps you are just a simple conspiracy theorist – why does the US have so many of those?

      1. “Conspiracy theorists?” I don’t think you know what conspiracies and theorists are. Conspiracies are groups of two or more people working together in secret to do something nefarious. Every terrorist act is a conspiracy unless it’s a lone wacko like the Unabomber. Theorists are people who ardently believe in things that aren’t true. The NSA attacks on our freedom are true. They’ve been exposed, and they haven’t denied it. It’s a conspiracy and it’s not a theory.

        This language thing isn’t that hard really.

        1. The US is awash with conspiracy theorists, from “man didn’t land on the moon” to “911 was carried out by the US government”. The more recent attacks on US security agencies like the NSA, because they gather information designed to actually protect US citizens, are just ridiculous. Edward Snowden is a treasonous snake who hopefully will be brought to justice. Oh, while you very cleverly separated the two words to suit your own argument, you are correct only with the two unassociated words. It’s well accepted that the term “conspiracy theorists” refers to people who see a heinous plot in just about everything a government or other organisation does. And no, this has nothing to do with which side of the political fence one may reside. See? Language isn’t so clear cut after all, is it, SJG?
