
Do Outlook and Gmail come with default email encryption, or do users have to turn it on specifically to secure email?

What are examples of insecure email providers?

1 Answer

That is a very broad question you're asking.

By 'Outlook' are you referring to the application or Outlook.com?

How are you trying to access the mailboxes? Via a web browser? Or using an application such as Thunderbird, Outlook, Zimbra, etc.?

Both Gmail and Outlook.com support encryption in transit if you're accessing them via the web browser using HTTPS.

If you're trying to access your mailbox using another protocol, such as SMTP (to send email), POP or IMAP (to receive email), then you will need to ensure you are using the 'secure' version of those protocols. Typically they'll be labelled as being 'TLS' encrypted. I believe that most consumer-based services, such as Gmail and Outlook.com, will no longer allow you to connect using an unencrypted session.

Whether the locally cached copies of your emails are encrypted at rest on your computer, though, is dependent on the client you are using. Caching in modern browsers should ensure that any email data accessed via webmail are in the cache. Most desktop applications (Outlook, Zimbra, etc.), and several mobile applications, however, store the emails unencrypted by default.

Some, but not all, desktop applications will allow you to enable encryption on the local files they use - typically they ask you to set a password for this purpose. For those applications that do not allow you to enable encryption: you can mitigate some of the risk of having unencrypted local copies of emails on your computer by using full disk encryption, such as BitLocker on Windows or FileVault on Macs. Most modern mobile devices will automatically apply full disk encryption.

And all of that assumes you're not actually referring to the use of S/MIME for end-to-end message encryption.

You should be able to use an S/MIME desktop application with the consumer versions of their services, Gmail and Outlook.com, but if I recall correctly the use of S/MIME in the webmail client is only available in the corporate versions of their services: G Suite and Office 365 - and even then it is not enabled by default.

Examples of insecure email providers would be any that use no encryption, use weak encryption, don't enforce good password hygiene, don't encrypt the data at rest, have lax processes that allow unauthorised access to mailboxes, etc.
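
An added example, not part of the original answer: the SMTP case of using the 'secure' version of a mail protocol, written as a Python client that refuses to continue when the server does not offer the STARTTLS upgrade instead of falling back to a cleartext login. The function names, the `TlsRequired` exception and the localhost test server are constructed for illustration.

```python
import smtplib
import socket
import ssl
import threading

class TlsRequired(Exception):
    """The server did not offer STARTTLS, so no credentials were sent."""

def open_smtp_tls(host, port, context=None, timeout=5):
    """Return an SMTP session upgraded with STARTTLS, or raise TlsRequired."""
    # The default context verifies the certificate chain and the hostname.
    context = context or ssl.create_default_context()
    # local_hostname skips a DNS lookup for our own name (assumption: offline use).
    smtp = smtplib.SMTP(host, port, local_hostname="localhost", timeout=timeout)
    try:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            # Never fall back to a cleartext login when the upgrade is missing.
            raise TlsRequired(f"{host}:{port} does not advertise STARTTLS")
        smtp.starttls(context=context)
        smtp.ehlo()  # capabilities must be re-read after the upgrade
        return smtp
    except Exception:
        smtp.close()
        raise

def start_plaintext_only_server():
    """Constructed localhost server that offers AUTH but no STARTTLS."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(b"220 mail.test.invalid ESMTP\r\n")
            conn.recv(1024)  # the client's EHLO
            conn.sendall(b"250-mail.test.invalid\r\n250 AUTH PLAIN LOGIN\r\n")
            conn.recv(1024)  # returns once the client disconnects
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    port = start_plaintext_only_server()
    try:
        open_smtp_tls("127.0.0.1", port)
    except TlsRequired as exc:
        print("refused:", exc)
```

For IMAP and POP the equivalent strict choice in the standard library is `imaplib.IMAP4_SSL` and `poplib.POP3_SSL`, which negotiate TLS before any mail protocol data is exchanged.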