cancel
Showing results for 
Search instead for 
Did you mean: 

dot net email address security

shermans
Aspiring Pro
Posts: 1,063
Thanks: 31
Fixes: 2
Registered: 07-09-2007

dot net email address security

Please can anyone confirm whether a .net email address is any more secure generically than a .co, .co.uk or most other domains ?
The reason I ask is quite simply that I am a volunteer within the NHS, and I am being asked to use a *@nhs.net email address for security when corresponding.  Now frankly, I do not want the inconvenience of having to log into an @nhs.net email system regularly when I am only a volunteer, but prefer to just use my Plusnet email address.  No doubt I could use my Outlook  email client to autoforward / autoretrieve emails from @nhs.net, but that would not work so easily on my tablet or smartphone, and I can see absolutely no benefit from using @nhs.net as my correspondence is not exactly confidential or a security risk !
The answer which I get is that @nhs.net is more secure than Plusnet, which I find hard to believe.  For one thing it occurs to me that there are probably more @nhs.net subscribers than Plusnet has, which makes @nhs.net a more obvious target for cyber attack.  But secondly I have to ask myself why a .net email address should be intrinsically more secure than a .com or any other email address (excluding pergaps Gmail and Hotmail which are always being targeted).  Or am I being naive, is there some cryptic special security firewall that @nhs.net might use that someone like Plusnet does / can not ?
7 REPLIES
Community Gaffer
Community Gaffer
Posts: 5,100
Thanks: 425
Fixes: 5
Registered: 04-04-2007

Re: dot net email address security

It isn't, but means you will be using their infrastructure which they can control, instead of someone else's infrastructure which they can't.
Kelly Dorset
Broadband Service Manager
Community Veteran
Posts: 3,380
Thanks: 4
Registered: 18-01-2013

Re: dot net email address security

It could just be that they know what all of the nhs.net email server IP addresses are so can verify the mail has come through one of their servers with an authorised login / password vs a possible hijacked gmail or hotmail address. In the case of a compromised nhs.net address, the account can be deactivated at their end and the user reissued with alternative credentials.
There is no such thing as a .co.uk or .net being intrinsically more secure - the security is down to the mail servers and users being able to retain control of their accounts.
Community Veteran
Posts: 3,380
Thanks: 4
Registered: 18-01-2013

Re: dot net email address security

You may also find that for security and auditing purposes, all .nhs.net emails *could* be monitored, recorded, bcc'd etc etc.
A bit like sending emails through the eBay system - not only are your emails recorded on your own machine but a copy of them is taken by eBay for both your benefit and eBay's records.
Community Veteran
Posts: 26,656
Thanks: 883
Fixes: 10
Registered: 10-04-2007

Re: dot net email address security

You've asked the wrong question. It should be "is nhs.net more secure?" (not is .net more secure). Anybody can register a .net domain and a very high percentage of those domains will be far less secure than Plusnet (if not completely open). As others have said nhs.net will be fully controlled by them and will be more secure. For example if you set up direct connection from your email client to them do you have to use security such as SSL/TLS?
jelv (a.k.a Spoon Whittler)
   Why I have left Plusnet (warning: long post!)   
Broadband: Andrews & Arnold Home::1 (FTTC 80/20)
Line rental: Pulse 8 Home Line Rental (£13/month)
Mobile: iD mobile (£4/month)
shermans
Aspiring Pro
Posts: 1,063
Thanks: 31
Fixes: 2
Registered: 07-09-2007

Re: dot net email address security

Thanks for the various replies which are interesting.  I had not thought of the infrastructure control.
It is interesting that two nhs email addresses are available - nhs.gov.uk and nhs.net.  All staff usually have nhs.gov.uk   email addresses as standard, and others have  nhs.net  email addresses also.  As my  nhs.net email address has not yet been activated, I do not know how it will work.  It may be that email communication is restricted to people who have a nhs.net account - a bit like an intranet but accessible over the internet by logging in.  In other words, perhaps to send an email to a  nhs.net email address, one has to be logged in to the nhs.net system as an authorised sender, whereas to send an email to a nhs.gov.uk   address, anyone can send an email without restriction.  Is that likely to be the way it works ?
If that is the case, then I am hoping at least that the  nhs.net system will have some automated facility which will notify my private email address that a message is waiting for me, which will meanI only need to log in when it is necessaey.  My internet banking system works like that.
Superuser
Superuser
Posts: 11,263
Thanks: 2,699
Fixes: 22
Registered: 22-08-2007

Re: dot net email address security

As someone who worked as an IT supplier to governmental organisations, I found some of the "more secure" claims somewhat nefarious.  Often the real risks were not properly understood and the claimed benefits of the security measures were often over stated, whilst obvious security measures were sometimes absent.  There were claims that, because the network over which such email addresses were transmitted was completely secure (had no egress to the public internet), then there was no risk of interception / hacking of the email by Joe Public during its transmission.  This claim only holds any value if in reality Joe Public actually had the means of intercepting and decoding communications over the public internet backbones.
That argument does hold true to communications between two gov.uk / nhs.net email accounts, as a communication from one such email address to another such email address does not egress from the gov.uk or NHS N3 private network.  However the security claim completely fails inspection if the communication is either from or to Joe Public having any old email address.  Also anyone can make it look (to the uninitiated) like an email came from a nhs.gov.uk or nhs.net email address, so there is no sense of "better" security there in respect of the sender being (or appearing to be) authentic.
The only situation where there is "better" security in using such addresses is when one government department needs to be assured that the recipient is who the say they are.  I know of one government department who regularly communicates with many NHS people (hospital consultants / specialists and GPs) and to be assured they are who they claim to be and that they are looking at the correspondence in a secure environment, that government department will only use nhs.gov.uk or nhs.net email addresses for email recipients.
Irrespective of the security debate, you ought not to be using your private email service either at "work" or for the purposes of your "employment".  They ought to be kept distinct.
shermans
Aspiring Pro
Posts: 1,063
Thanks: 31
Fixes: 2
Registered: 07-09-2007

Re: dot net email address security

Townman
Thanks.  That is indeed very helpful and pretty well answers it all.  Certainly the nhs.gov.uk addresses receive emails from public email servers without problem.  I do not know about the nhs.net system yet, but I am assuming , as you say, that it will limit correspondence to only other nhs.net subscribers.  I will have to wait and see.
With regard to separating personal from work email accounts, I am retired and so I do not have a work email account.  The nhs.net account would be the equivalent, but then it would mean logging in several times a day in case there just happened to be a message for me, which is fairly rare as I am an unpaid volunteer and not a clinician.  If I were to be asked to do something suddenly I would be unaware of it unless I logged in several times a day - all that for something that might happen once a fortnight !  It is too much hastle for me, whereas as things stand, they just send me an email to my private email address if they want to get in touch.  It is security over-kill, because it is just not relevant in the context.
Thanks again for the explanation.