Computing Reviews

Content-based control of HTTPs mail for implementation of IT-convergence security environment
Hong Y., Kim D. Journal of Intelligent Manufacturing 25(2): 231-239, 2014. Type: Article
Date Reviewed: 04/15/15

Many organizations face the challenging task of balancing the confidentiality of their email messages with the enforcement of their security policies to prevent data loss, or to comply with legal email archiving obligations that mandate preserving and making searchable all individual emails. To protect confidentiality, web mail systems, such as Gmail, have adopted the HTTPS protocol, using secure sockets layer (SSL) certificates and encryption. This makes it hard for organizations to log or inspect the content of email and to prevent the loss of sensitive data such as customer social security numbers (SSNs) or mission-critical data.

This paper leverages a man-in-the-middle (MITM) attack on the SSL protocol, where the certificate is faked by another node between the mail client and the web mail server. It introduces an email security proxy server within an organization to serve as a certificate authority (CA); all client PCs are forced to use this CA’s public key for encrypting their email messages. The proxy server can decrypt the client’s email messages for logging and blocking to preserve content and prevent loss. This can prevent data theft and achieve compliance with email archiving and searchability mandates.
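As an added illustration (not code from the paper or from the reviewer), the sketch below shows the content-based log-or-block decision such a proxy could make once a webmail compose request has been decrypted, using the SSN case mentioned above. It assumes the request body is URL-encoded form data and that the form fields are named `to`, `subject` and `body`; those names and the sample requests are hypothetical.

```python
import re
from urllib.parse import parse_qs

# Candidate SSN: 3-2-4 digits with optional '-' or space separators.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")

def valid_ssn(area, group, serial):
    """Reject ranges that are never issued, to cut false positives."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"

def find_ssns(text):
    """Return every plausible SSN string found in text."""
    return [m.group(0) for m in SSN_RE.finditer(text) if valid_ssn(*m.groups())]

def redact(text):
    """Mask SSNs so the archived copy does not itself become a leak."""
    def mask(m):
        return "***-**-" + m.group(3) if valid_ssn(*m.groups()) else m.group(0)
    return SSN_RE.sub(mask, text)

def inspect_compose_post(body, fields=("to", "subject", "body")):
    """Decide on one decrypted webmail compose request.

    body: URL-encoded form data as str; the field names are assumptions.
    Returns the action, per-field hit counts, and a redacted log record.
    """
    form = parse_qs(body, keep_blank_values=True)
    hits, record = {}, {}
    for name in fields:
        value = " ".join(form.get(name, []))
        found = find_ssns(value)
        if found:
            hits[name] = len(found)
        record[name] = redact(value)
    return {"action": "block" if hits else "allow", "hits": hits, "log": record}

# Constructed sample requests (not real traffic).
SAMPLE_LEAK = ("to=partner%40example.com&subject=customer+list"
               "&body=Kim%3A+123-45-6789%2C+order+000-12-3456")
SAMPLE_CLEAN = "to=team%40example.com&subject=lunch&body=Call+me+at+555-0100"

if __name__ == "__main__":
    for sample in (SAMPLE_LEAK, SAMPLE_CLEAN):
        print(inspect_compose_post(sample))
```

The log record stores only the redacted text, so the archive used for compliance search does not become a second copy of the sensitive data.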

This system was implemented at LG Chemistry Company and was shown to be scalable. However, it is imperative that organizations inform employees of their policies, obligations, and justifications for technical solutions like this. Otherwise, employees will continue to have the illusion of “secure” and “private” email communication. The transparency will give employees the choice to opt out of the web mail services within the organization.

Reviewer: Soon Ae Chun
Review #: CR143349 (1509-0846)
