The other day, I installed the latest nightly of Thunderbird, code named: Shredder. I am not a big email person I guess, and I only receive a couple of emails a week. Most are bills, invoices and junk. To me, there are a lot of things wrong with email, but mainly... I don't receive a lot of email from people I wish would email me.
Let's talk about scams. I have at least on one occasion received an email scam -- one spoofed up to be my very own bank. I knew from the start it was a scam, but I decided "why not play along". After all, Firefox (and some others) have a built-in filter to try and catch phishing sites, and Thunderbird marked the email as a scam anyway. How far can one go? I visited the site, and it was very easy to tell that this was indeed a scam with the big red warning screen. But I wonder: not everyone uses these products/features, and sometimes they blatantly fail.
How do we create a "safe and secure" email system that lets people know that "what we receive is from who and what they say they are from"? What can be done to beef up email identity when all it takes is 5 minutes to create an email address?
The Answer:
SSL.
Think about it: we should be able to send (and receive) email that we can trust our confidential data on. I get emails from Bank Of America telling me I have messages to check on my account... Literally: an email, about an email. Second, if we receive email which is unsigned, we can build a case that it's junk. If it IS signed, we can reasonably assume it's someone we know, or we are getting SIGNED spam... Clearly it will be easier to filter mail that's from a known signed spammer? And lastly, no one but the people we send mail to should be able to access our mail... It's like that with snail mail, it NEEDS to be like that with email. Piss off, admins, this doesn't concern you.
And the ability to do this is already here, and luckily... it's free or pretty cheap at a minimum.
Step 1:
Get a Security Certificate.
Just like banks, brokers and other important institutions have obtained a certificate, you should too. While the better ones cost money, you can get a basic one... Free. Just Google around. I found Comodo offers free ones (at the bottom), and some that cost too much.
Obviously, a degree of trust can be formed by the certificate in use. The new EV certificates are clearly better and go through a more rigorous verification, but for general email, that's not needed.
Using Comodo, I simply provided some personal information, received an email with a verification code/password, and then had to visit a link. After that, the certificate was installed in my browser. Finding/Backing up the cert is as easy as going to (in Firefox) Tools > Options, Advanced Tab, Encryption Tab, "View Certificates" Button. Or you can go to Control Panel > Internet Options, Content Tab, "Certificates".
Too easy... Click "Backup".
Note: If you have the tor button add-on installed, you need to disable it, otherwise you won't be able to export properly.
Step 2:
Configure Your Client:
While everyone uses different email providers and different email clients, they all stem from the same basic concept. I use Thunderbird and Gmail -- a match made in heaven. The new Thunderbird makes configuring your client with Gmail a snap, and includes the IMAP protocol, N00b proof. Gmail provides a huge amount of space, is typically pretty reliable, and offers free IMAP, POP, and SMTP access... while others typically cost something (Yahoo). I use the nightly version of Thunderbird 3, and have had no major problems using it as my main client, but this is not for everyone.
Importing your certificate into Thunderbird is just as easy as it was exporting it in Firefox by going to Tools > Account Settings, then the "Security" section on the left -- View Certificates.
This looks familiar:

After clicking "Import", Browse to your certificate and that's it...
Considerations:
I recommend SIGNING all emails by default... Anyone that does NOT have the capacity to view signed emails will simply get the attachment used for signing a message and wonder what it is... Anyone that does have the capacity gets a notification somewhere. However, encrypted messages work a little bit differently: the message gets sent AS an attachment. Which means if the receiver does NOT have the capabilities to receive encrypted emails (Using web pages, most clients can handle the protocol) then they get a blank email with a (literally) unusable/unreadable attachment and wonder "what did he send me?". In Thunderbird, either a lock appears, and/or a sealed envelope appears depicting that the message is signed, encrypted, or both. Double clicking either one displays this message:

A lot can be learned from this signed & encrypted message:
1) The message is "verified" by a third party (although a weak "verification").
2) The message has a hash function built into it, which means it could not have been altered in transit.
3) It's encrypted, which means only the receiver should be able to receive it, since it could not have been modified. [Citation needed]
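
The Considerations above describe what a signed or encrypted message looks like to a client that cannot process it: an extra attachment, or a blank email with one unreadable attachment. As an added example (not from the original post), this Python sketch uses the standard `email` module to classify a raw message by its S/MIME structure and report the attachment name such a client would show, which is also the first thing a "signed or unsigned?" filter would check. The addresses and sample messages are constructed placeholders.

```python
from email import message_from_string

SIG_TYPES = {"application/pkcs7-signature", "application/x-pkcs7-signature"}
P7M_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}

def smime_status(raw):
    """Return (status, attachment_name) from the MIME structure only.

    No signature or certificate chain is verified here; this reports what
    the message claims to be, which is all a first-pass filter can see.
    """
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        parts = msg.get_payload()
        proto = str(msg.get_param("protocol", "")).lower()
        # Detached signature: exactly two parts, the content then the signature.
        if (proto in SIG_TYPES and isinstance(parts, list) and len(parts) == 2
                and parts[1].get_content_type() in SIG_TYPES):
            return "signed", parts[1].get_filename()
        return "malformed", None
    if ctype in P7M_TYPES:
        kind = str(msg.get_param("smime-type", "")).lower()
        status = {"enveloped-data": "encrypted",
                  "signed-data": "opaque-signed"}.get(kind, "unknown-pkcs7")
        return status, msg.get_filename()
    return "unsigned", None

# Constructed sample messages (addresses and payloads are placeholders).
def _mk(content_type, body):
    return ("From: alice@example.com\nTo: bob@example.com\nSubject: test\n"
            f"MIME-Version: 1.0\nContent-Type: {content_type}\n\n{body}")

_P7S = ('Content-Type: application/pkcs7-signature; name="smime.p7s"\n'
        'Content-Disposition: attachment; filename="smime.p7s"\n\nAAAA\n')
_SIGNED_CT = ('multipart/signed; protocol="application/pkcs7-signature"; '
              'micalg=sha-256; boundary="b1"')
SIGNED = _mk(_SIGNED_CT,
             "--b1\nContent-Type: text/plain\n\nHi Bob.\n--b1\n" + _P7S + "--b1--\n")
TRUNCATED = _mk(_SIGNED_CT, "--b1\nContent-Type: text/plain\n\nHi Bob.\n--b1--\n")
ENCRYPTED = _mk('application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"',
                "AAAA\n")
PLAIN = _mk("text/plain", "Hi Bob.\n")

if __name__ == "__main__":
    for name, raw in [("signed", SIGNED), ("truncated", TRUNCATED),
                      ("encrypted", ENCRYPTED), ("plain", PLAIN)]:
        print(name, smime_status(raw))
```

A "signed" result here only means the message is shaped like a signed one; the hash and certificate checks in the list above still have to be done by the mail client or a CMS library before the signature means anything.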
Feel free to email me if you would like to test your certs, encrypts, etc.