Friday, January 11, 2008

How Secure is Your Web-Mail?

How do you check your email when out of the office? Most of us use some sort of web-based email. Unfortunately, not all webmail is created equal. Frustrated by our campus webmail solution, SquirrelMail, I began using Gmail in October of 2004 and switched over to Gmail exclusively in April of 2006. Many others at the college have followed suit. Some of my reasons include limited storage (200 MB versus 6.3 GB), a penchant for SquirrelMail crashing while I was composing an email, an interface that is old and dated and, lastly, security. If you don't believe me, here is a quote from the SquirrelMail documentation:

SquirrelMail interface consists of dynamically generated HTML pages. These pages are transferred to user's browser using HTTP protocol. HTTP protocol does not have any built-in encryption functions. Information is transferred in plain text. HTTP traffic contains login passwords and any information viewed or entered in browser.

If you want to secure web traffic, you should use HTTP protocol with SSL encryption. [emphasis added]

What does that mean? In plain English, it means anything you type while logged into SquirrelMail can be intercepted and read by eavesdroppers. That includes usernames, passwords, credit card and social security numbers, any student information and communication, and even private communications that might be embarrassing and/or compromising.

Now a little about Gmail - not to say that there aren't plenty of other secure web-based mail solutions available. I use Gmail because it's free, fast and reliable. When you start using Gmail, it's through a regular http - unsecured - connection. How do you set up secure email in Gmail? It's actually much easier than you would think. Instead of typing http:// just type https:// - yes, it's really that simple - just add the "s" and you're communicating over a secure connection.

Now for the dirty little secret. Where does SquirrelMail come from? It's actually part of an open source Linux distribution - that's right, your IT department doesn't pay for it. I learned this fact teaching my Linux course, when we looked at what applications to install. You can also install SpamAssassin, an open source spam filter. I love open source applications, but we shouldn't be exposing our communications to eavesdroppers and subjecting ourselves to tons of spam just to save a few bucks. The spam has been addressed - at least for faculty, administrators, and staff - with the purchase and installation of a spam appliance from Barracuda. Unfortunately, students are still using insecure email with no reliable spam filtering. Many students don't bother using the campus email solution for these very reasons.

What's the solution? It's not hard. Consider migrating to Google Apps for Education - here's a case study from Arizona State University. Another "quick fix" is to install the already existing secure login and encryption plugins for SquirrelMail.
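To see what the documentation quote above means in practice, the following added example (not part of the original post, and not SquirrelMail's own code) audits a webmail login page for the places where credentials would cross the network in plain text. The host name, form fields and cookie are constructed sample data, and the cookie check goes slightly beyond the quote by flagging session cookies that could be sent over plain HTTP.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class LoginFormFinder(HTMLParser):
    """Collect the action URL of each form containing a password field."""
    def __init__(self):
        super().__init__()
        self.action = None  # action of the currently open form
        self.password_form_actions = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.action = attrs.get("action") or ""
        elif tag == "input" and self.action is not None:
            if (attrs.get("type") or "").lower() == "password":
                self.password_form_actions.append(self.action)

    def handle_endtag(self, tag):
        if tag == "form":
            self.action = None

def audit_login_page(page_url, html, set_cookie_headers):
    """Return findings about credentials or cookies exposed over plain HTTP."""
    findings = []
    if urlparse(page_url).scheme != "https":
        findings.append("login page served over plain HTTP")
    finder = LoginFormFinder()
    finder.feed(html)
    for action in finder.password_form_actions:
        target = urljoin(page_url, action)  # relative action inherits the page scheme
        if urlparse(target).scheme != "https":
            findings.append(f"password posted in plaintext to {target}")
    for header in set_cookie_headers:
        flags = [part.strip().lower() for part in header.split(";")[1:]]
        if "secure" not in flags:
            name = header.split("=", 1)[0].strip()
            findings.append(f"cookie {name} lacks the Secure flag")
    return findings

# Constructed sample input (hypothetical host, form and cookie; not from a real server).
SAMPLE_HTML = """<form action="login.php" method="post">
<input type="text" name="user"><input type="password" name="pass"></form>"""
SAMPLE_COOKIES = ["SESSID=abc123; path=/"]

if __name__ == "__main__":
    for finding in audit_login_page("http://webmail.example.edu/login.php",
                                    SAMPLE_HTML, SAMPLE_COOKIES):
        print(finding)
```

The same page served from an https:// URL with a cookie marked Secure produces no findings.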

2 comments:

Anonymous said...

Hi Mike
I use gmail all the time for work, through google apps. Didn't know about the secure option though. Nice tip! Thanks.
Patricia

Anonymous said...

Gmail makes a good hosted spam filter

http://www.iopus.com/guides/gmail-spam-filter.htm
