Email Security with ZSentry
Protect Yourself Online
The following describes the security measures that we take to protect your information on the Internet and how you can help to further protect yourself:
- SSL: ZSentry uses standards-based Secure Sockets Layer (SSL) for secure transactions. SSL applies encryption between two communicating applications, such as at your PC and at our secure Internet server, authenticated at our server end. When your data is transmitted over the Internet, it is encrypted at the sending end and then decrypted at the receiving end. When using ZSentry Mail, make sure that the web addresses of the ZSentry pages you use begin with "https://zsentry.com/" -- information exchanged with any address beginning with https is encrypted using SSL before transmission.
- Encryption: Encryption is a technology that allows secure transmittal of information by encoding the transmitted data using a mathematical formula that scrambles it. Without a corresponding "decoder" (decryption) the transmission looks like gibberish text and has no meaning. SSL encryption protects the transmission of data from one party to another, both ways. The sender encodes the data by scrambling it, then sends it on to the recipient. The recipient must decode the data with the correct "decoder" in order to be able to use the data.
- 128-bit Encryption: The effectiveness (or level of security) of encryption depends on several conditions. An important condition is measured in terms of how long the key is -- the longer the key, the longer it would take for someone without the correct "decoder" to break the code. The key size is measured in bits, and depends both on the server as well as on your browser. The ZSentry server is capable of supporting 128-bit encryption, which is the level of encryption recommended for use with email, online business applications and ecommerce.
- Check Encryption and Key Size: You can verify for yourself the encryption and key size that your browser is using with ZSentry, for example, when you see the ZSentry page where you enter your registration information. Usually, the status bar (the status bar is at the very end of the browser window, ordinarily with a gray color) shows a closed padlock icon to indicate that SSL is active for that page. Additional information is also readily available. If you are using the Microsoft Internet Explorer browser, place the mouse cursor over the padlock icon in the status bar. You should read the words "SSL Secured" and "256 bit" or at least "128 bit", with your encryption strength in terms of key size. If you are using another browser, such as Netscape, Mozilla or Firefox, place the mouse cursor over the padlock icon in the status bar and double-click. You should see a window with the words "RC4" or "AES-256" and "256 bit" or at least "128 bit", showing the encryption strength in terms of key size.
- Data Vulnerability: ZSentry does not have your login data or keys. You are the only holder of the login data that grants access to your account and allows your emails to be encrypted or decrypted. Your user keys literally do not exist until you log in again. Unless you log in, no one can decrypt your encrypted data.
- ZSentry PREMIUM Seal: ZSentry solves the problem of authenticating the sender's email address, both for PREMIUM and BASIC users. For PREMIUM users, ZSentry Mail goes a step further and identifies messages sent by PREMIUM users with an encrypted PREMIUM Seal, visible to recipients after the message is decrypted. The PREMIUM Seal links to additional security information about the sender when the recipient clicks on the PREMIUM Seal, helping the recipient verify the authenticity of the email received.
- Password: Try to make your password as unique as possible, but memorable to you. We suggest that your password should have at least 8 but no more than 20 characters, and must include at least one upper case letter, one lower case letter, one numeric digit, and one symbol found on the keyboard (any keyboard character not defined as a letter or numeral). Research shows that users chose passwords with control characters only 1.4% of the time, and punctuation and space characters less than 6% of the time. It is a good idea to write down your password and keep it somewhere safe, possibly in two different safe locations, not near your computer.
- ZSentry Password and Login Security: ZSentry is not as dependent on password quality for login security as conventional systems. However, it is recommended that ZSentry passwords include at least one control or punctuation character. All of the characters !@#$%^&*()_-+=[]|\;:"?/,.< >`~' and space can be used in ZSentry passwords (space cannot be used at the beginning or end of a password) and can be pre-verified using the ZSentry function Password Peek (during signup and login). With ZSentry technology, passwords are not at risk anywhere (not even encrypted or in digest form) and they are paired with an unpredictable ZSentry Usercode that is also not at risk anywhere. Therefore, a ZSentry password cannot be cracked by itself (unlike passwords in conventional systems) and would have to be guessed at the same time as the corresponding and extremely-hard-to-guess ZSentry Usercode. We encourage you to use a new password rather than one used for other accounts, which could be easily broken and then compromise your ZSentry password.
  ADVANCED PASSWORD USE: Using ANSI codes from #32 to #255 (keyboard ALT-number, no space at the start or end of a password) enables more than 132 bits of entropy with just 13 ZSentry Password characters (and the Usercode). The conventional difficulty of using ANSI codes in passwords is solved by the ZSentry function Password Peek (during signup and login). You can easily see and verify what you typed before you submit, even for ANSI codes such as ALT-0159 for Ÿ (Latin Capital Letter Y With Diaeresis).
- No phishing. No spoofing. No spam. With its unique login technology, ZSentry prevents spoofing of web sites, including spoofing of the web site zsentry.com. The ZSentry login looks like the usual username and password login, but in two screens. You do not have to give your password unless you have a first proof that the website you reached is allowed to process it. The first proof is provided by the Return Code (RC), a three-letter combination (such as "BTP") that you receive when you register. When you verify that the three letters calculated by the website match exactly the three letters of your RC, which you have not disclosed, you have the first proof that the website is legitimate and can be trusted to process your ZSentry Password in order to authenticate you. Matching the RC prevents spoofing, phishing and pharming, which SSL alone cannot provide. Additional values that you have not disclosed are provided as proofs for your verification after you log in, including your name and email address, which must be correct at the top of each page. In addition, every message, every sender and every recipient are authenticated every time. These are important and unique advantages of using ZSentry, both for sending and receiving email, closing major channels for spam and preventing spoofing and phishing emails.
- Java, ActiveX controls: ZSentry does not require Java or ActiveX controls stored in your computer by the server. Be careful with sites that use downloaded Java or ActiveX controls.
- How to Further Protect Yourself Online: There are simple steps you can take to further protect yourself from fraud while online. Verify the URL (web address) of the sites you visit. If you're on a secure site, it should start with https (the "s" indicates it is secured by SSL). A padlock image also should appear at the bottom of your browser window. Install a firewall -- there are good free firewalls available for personal use. Install anti-virus software and update it regularly with the most current version. Use separate passwords and PINs for your Internet accounts and make them difficult for others to guess. To further protect your privacy, exit your browser after you log off. Be careful when opening email messages, even if apparently sent by people you know; it is very easy to fake a sender's address in an email. Use email authentication and encryption with ZSentry. Never send personal or financial information by email unless it is encrypted and authenticated (ZSentry). Be careful when clicking on a link in an email, and prefer to copy-and-paste the link, unless the email is authenticated with spoof-prevention (ZSentry); otherwise it is very easy to be spoofed (a phishing email, for example).
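The password rules from the Password and ZSentry Password items above, written as a check; this is an added example, not ZSentry's code or its Password Peek function. It assumes "ANSI codes" means Windows-1252 (where ALT-0159 is Ÿ), and `max_entropy_bits` is an upper bound for the password characters alone, without the Usercode that the page's 132-bit figure also counts.

```python
import math

MIN_LEN, MAX_LEN = 8, 20        # length bounds suggested on the page
ANSI_LOW, ANSI_HIGH = 32, 255   # "ANSI codes from #32 to #255"

def in_ansi_range(password):
    """True if every character has a Windows-1252 code in 32..255.
    Assumption: the page's "ANSI" is Windows-1252 (ALT-0159 = Ÿ)."""
    try:
        return all(ANSI_LOW <= b <= ANSI_HIGH for b in password.encode("cp1252"))
    except UnicodeEncodeError:
        return False

def policy_failures(password):
    """Return the page rules that the password breaks (empty list = passes)."""
    failures = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        failures.append("length must be 8 to 20 characters")
    if password[:1] == " " or password[-1:] == " ":
        failures.append("space not allowed at the start or end")
    if not in_ansi_range(password):
        failures.append("character outside codes 32 to 255")
    required = {
        "upper case letter": str.isupper,
        "lower case letter": str.islower,
        "numeric digit": str.isdigit,
        # the page counts any character that is not a letter or numeral as a symbol
        "symbol": lambda c: not c.isalnum(),
    }
    for name, has_class in required.items():
        if not any(has_class(c) for c in password):
            failures.append("missing " + name)
    return failures

def max_entropy_bits(length, alphabet_size=ANSI_HIGH - ANSI_LOW + 1):
    """Upper bound in bits for a password chosen uniformly at random."""
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    # Constructed sample passwords, not taken from the page.
    for sample in ["password", " Ab1!defg", "Tr1cky Pass!", "Ÿb1!defgh"]:
        print(repr(sample), policy_failures(sample) or "ok")
    print("13 characters, 224-code alphabet: %.1f bits" % max_entropy_bits(13))
```

Thirteen characters drawn uniformly from the 224 codes 32 to 255 give at most about 101.5 bits on their own; a password a person chooses will carry less.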
The contents of this entire site and domains zsentry.com are © Copyright, NMA Inc., 2006.
All rights reserved, worldwide. Titles and product names are trademarks
of NMA, Inc., including NMA, ZSENTRY, Return Code and ZMAIL. Patent
pending.