Jason Palmer, CPA, CITP

Cyber Insurance Auditing


Securing your Email – Digital Certificate for Secure Email

August 23, 2012 By Jason Palmer Leave a Comment

A Digital Certificate for Secure Email enables you to digitally sign your email and authenticate that the message was actually sent from your email account.  Optionally, you can also encrypt the email message to secure it against unauthorized viewing.  (Encryption of email will be discussed in a future article.)

A Digital Certificate for Secure Email is issued by one of the well-known Certificate Authorities, the same group of companies that issue SSL (Secure Socket Layer) Certificates that encrypt web browser communications (the “lock” shown in your browser when connected over HTTPS://).

A Class 1 Certificate requires only that you enter your First Name, Last Name, Email Address and a pass-phrase that protects the Certificate itself from unauthorized use and is also needed to revoke it if the Certificate is compromised or lost.  The only Authentication performed is that the email address submitted is valid and that you have access to that email account to retrieve the Certificate.  It is important to note that the Certificate is ONLY validating the existence of the email address.  Anyone who has access to the specific email account can request a Certificate and can most likely use it to authenticate a message sent from that specific email account.  This is critical to understand if you share your email account with others.

For many non-business users, a Class 1 Certificate is adequate and available at no cost from Comodo, a Certificate Authority.  (There are a few other free providers but none as quick or as easy to use as Comodo.)   Most people have an email account that they do not share and that is properly secured with a strong password.  (Well, at least they have an email account they do not share.  Not everyone follows good password creation guidelines.)  The point being that if you send an email message to jason@palmer.net, confidence is high that I am the only one sending and receiving mail from that account.  In fact, the entire point of using a Digital Certificate for Secure Email is that you as the recipient could immediately tell if the message was sent from the real jason@palmer.net email account (most likely me if a Class 1 Certificate and definitely me if a Class 2 Certificate) or if it was spoofed.  (There are other ways of determining a Spoofed email, specifically by reviewing the Full Headers of the Message and spotting inconsistencies in the email addresses and Servers.)

For added assurance, you may want to consider a Class 2 Certificate, whereby you need to provide the Certificate Authority with proof of identity, such as a Government issued ID (Driver’s License, Passport, Passport Card, Birth Certificate, or similar).  A Class 2 Certificate validates both the email address and that you are its owner and a real person.  Email signed with a Class 2 Certificate is similar to sending over a notarized document.  An independent third party has verified your identity, so when you use the Certificate a certain level of assurance can be assumed by the recipient that you are the actual, legitimate sender of the message.

Class 2 Digital Certificates for Secure Email come in two flavors:  “Personal”, which identifies you as an individual, and “Business”, which identifies you and confirms that you are a legitimate employee of a specific company.

You may be wondering, “Wow, this sounds great!  Why isn’t everyone using a Digital Certificate for Secure Email on every message?”  The answer would be because it is a little cumbersome to set up and use.  First, both you and everyone you want to send mail to and receive mail from need to obtain their own Digital Certificate for Secure Email.  Next, you need to configure your email client to work with the Digital Certificate for Secure Email.  This is relatively straightforward in Microsoft Outlook, Mozilla Thunderbird, or Lotus Notes.  It is not quite as easy for Web Mail users of Gmail, AOL, Hotmail, Yahoo, and similar services, as it requires a plug-in or extension installed in the web browser.  (A plug-in or extension is a specialized helper application that enables additional features and capabilities in your web browser.)

If the recipient’s email client is properly configured to understand a Digitally Signed email message, when you send a Digitally Signed Message, the recipient will see a notation on the email that the message was Digitally Signed.  However, if the recipient’s email client is not set up properly, the recipient will see an additional attachment to your message that is meaningless to them and contains the Digital Signature Information.  This can become very annoying to your recipients, as every message you send them would have an attachment.
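The "extra attachment" above is the second part of an S/MIME multipart/signed message (RFC 8551), conventionally named smime.p7s. The following added example, not code from the original post, parses a constructed signed message with Python's standard email module and reports what a plain client would show as an attachment; the signature bytes are a placeholder, so no cryptographic verification is attempted, and it also shows that the signed body itself is still readable, since signing is not encryption.

```python
import email
from email import policy

# Constructed sample of an S/MIME signed message in the RFC 8551
# multipart/signed layout. The signature part is a PLACEHOLDER, not a
# real CMS/PKCS#7 signature; addresses are illustrative only.
SIGNED_SAMPLE = b"""From: jason@palmer.net
To: reader@example.com
Subject: Signed test
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
 micalg=sha-256; boundary="sig-boundary"

--sig-boundary
Content-Type: text/plain; charset=us-ascii

This body is signed but NOT encrypted; anyone on the path can read it.

--sig-boundary
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"

UExBQ0VIT0xERVItTk9ULUEtUkVBTC1TSUdOQVRVUkU=
--sig-boundary--
"""

SIG_TYPES = {"application/pkcs7-signature", "application/x-pkcs7-signature"}

def inspect_signed_message(raw: bytes) -> dict:
    """Describe what an S/MIME-aware client vs. a plain client would see.

    A plain client shows part 2 as an attachment (usually 'smime.p7s');
    an S/MIME-aware client hides it and shows a 'signed' indicator instead.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/signed":
        return {"signed": False}
    parts = list(msg.iter_parts())
    if len(parts) != 2 or parts[1].get_content_type() not in SIG_TYPES:
        return {"signed": False, "reason": "malformed multipart/signed"}
    content, signature = parts
    return {
        "signed": True,
        "protocol": msg.get_param("protocol"),
        "micalg": msg.get_param("micalg"),
        "signature_attachment": signature.get_filename(),
        # The signed text stays readable in transit: signing != encryption.
        "readable_body": content.get_content().strip(),
    }
```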

Securing your email all starts with either a Class 1 or Class 2 Digital Certificate for Secure Email.  At least visit Comodo below and start with a FREE Class 1 Digital Certificate for Secure Email, and then tell all of your friends to do the same.  A Class 1 Digital Certificate for Secure Email takes only minutes to request and install, is valid for one year, and is available free of charge.

Stay tuned and read my future articles on how to implement Secure Email Communication for transmission of sensitive and confidential information over the wild Internet through Email.

Important Technical Note:  Make sure that you use the same computer and web browser both to request and to retrieve the Digital Certificate for Secure Email.  You will also need to make sure that Java is enabled and that your web browser accepts Cookies to complete the process successfully.  The Certificate is actually being created and added to your web browser’s certificate store, and then you have to export it for your specific email client.  Microsoft Internet Explorer and Microsoft Outlook do not require this step, as they both access the same Certificate Store in Windows.  Firefox and the Thunderbird Email client or Lotus Notes might require some additional steps to configure properly.  Instructions are provided by both the Certificate Authority and your Email Client Vendor.

Digital Certificate for Secure Email Authority Vendors:

Free Class 1

Comodo – FREE AND RECOMMENDED CHOICE
http://www.instantssl.com/ssl-certificate-products/free-email-certificate.html

Symantec TrustCenter – FREE (Not as fast or easy as Comodo.)
https://www.trustcenter.de/RetailStore/cid/CustomerData!input.action

StartSSL – Free but cumbersome to apply for and install
https://www.startssl.com/?app=1

CACert – Free and very cumbersome to apply for and install
https://www.cacert.org/

Paid Class 1 and 2 Personal and Business
NOTE:  There is no reason to pay for a Class 1 Certificate.  Use the Free options above.

Comodo – Business Class 2 Certificates – Value Priced Leader
http://www.enterprisessl.com/ssl-certificate-products/addsupport/secure-email-certificates.html

*Prices and Features vary widely with Vendors listed below – Read Carefully before purchasing.

GlobalSign – Personal and Business Class 1 and 2
https://www.globalsign.com/personalsign/comparison.html

IdenTrust – Personal and Business Class 2
http://www.identrust.com/certificates/trustid.html

Symantec TrustCenter – Personal Class 2
http://www.trustcenter.de/en/products/tc_personal_id.htm

Symantec TrustCenter – Business Class 2
http://www.trustcenter.de/en/products/tc_business_id.htm

Symantec/Verisign – Personal Class 1
http://www.symantec.com/verisign/digital-id

Filed Under: Security, Tech in Plain English Tagged With: Cacert.org, Certificate Validation, Certificates Authority, Class 1, Class 1 Certificate, Class 1 Digital Certificate, Class 2 Certificate, Class 2 Digital Certificate, Comodo Group, Cryptographic Protocols, Digital Certificates, Digital Signature, Email, Email Encryption, Ibm Lotus Notes, Key Management, Secure Email, smime, Ssl Secure Socket Layer

Internet Email is NOT Secure even with SSL/TLS Engaged

August 22, 2012 By Jason Palmer Leave a Comment

The first rule of using email is to NEVER put anything in an email message that you would not want published on the cover of the New York Times or for the entire world to know.

Many Web Mail providers make a big deal of giving you the option of using HTTPS (Secure HTTP Web Access) instead of HTTP (Standard Web Access) to your email account.  When you type HTTPS://mail.some-provider.com, if properly supported, you definitely engage an SSL (Secure Socket Layer) connection, backed by the provider’s SSL Certificate, that fully encrypts every keystroke you type and everything that you view.  It is a secure connection between your computer and the web email provider.

The problem and major misunderstanding is that the only thing “secure” is the connection between your computer and your email provider.  Once you type an email message and press the SEND button, your message goes out into the wild Internet in “clear text”, just like the text on this web page.  A message sent in clear text can be read at any point during its journey from your email provider to the recipient’s email provider.  From a practical standpoint, even though your email message may pass through a number of Mail Servers on its way to the recipient, the likelihood that it will be intercepted is remote.  Most email messages’ “travel time” from sender to recipient is a matter of seconds.

You may be thinking, “But I am sending from my Gmail account to another user on Gmail.  Why is that message not secure?”  Again, even though both the sender (you) and the recipient may have a secure HTTPS:// connection to Gmail, the message will be transported in “clear text” as it moves between the various Gmail Servers and Mail Accounts.

The exposure to prying eyes is significantly reduced when sending to and from the SAME domain name, such as user1@gmail.com to user2@gmail.com, as the message never leaves the Internet Provider’s network.  However, remember the message is still in “clear text” and can be easily read by a System Administrator or anyone else who may have access to the message during its journey.  Realize that extremely large Internet Providers have many email servers in many locations; most have secure connections between their locations, but some use the Public Internet instead.
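The point of the last three paragraphs is that TLS protects each server-to-server hop separately, not the message end to end, and the Full Headers mentioned in the previous article record which hops had it. This added example (not from the original post) parses constructed Received: headers with Python's standard email module and flags each hop as TLS or clear text, using the standard convention that an ESMTPS/ESMTPSA "with" token means the receiving server negotiated TLS for that hop; hostnames and addresses are placeholders.

```python
import email
import re
from email import policy

# Constructed sample: the message left the sender's web mail over TLS
# (ESMTPSA), crossed one internal relay hop in the clear (plain ESMTP),
# then reached the recipient's server over TLS (ESMTPS). Hostnames and
# IPs are placeholders, not real servers.
SAMPLE = b"""Received: from mx2.example-provider.net (mx2.example-provider.net [192.0.2.20])
 by mail.recipient.example (Postfix) with ESMTPS id 9D2E4C
 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384);
 Thu, 23 Aug 2012 10:02:11 -0400
Received: from relay.example-provider.net (relay.example-provider.net [192.0.2.10])
 by mx2.example-provider.net with ESMTP id 4F1A2B;
 Thu, 23 Aug 2012 10:02:09 -0400
Received: from webmail.example-provider.net (webmail.example-provider.net [192.0.2.5])
 by relay.example-provider.net with ESMTPSA id 77C0D1;
 Thu, 23 Aug 2012 10:02:08 -0400
From: jason@palmer.net
To: reader@recipient.example
Subject: hop audit

body
"""

# Protocol tokens that indicate the receiving server negotiated TLS.
TLS_PROTOS = {"SMTPS", "ESMTPS", "ESMTPSA", "SMTPSA"}
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+([A-Z]+)", re.S)

def audit_hops(raw: bytes) -> list:
    """Return each SMTP hop, oldest first, with a per-hop TLS flag.

    Each server prepends its own Received: header, so the LAST header is
    the FIRST hop. A TLS hop only protects that one leg of the journey;
    the message is still readable on every server that handles it.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(str(hdr).replace("\n", " "))
        if not m:
            continue  # unparseable header: skip rather than guess
        src, dst, proto = m.groups()
        hops.append({"from": src, "by": dst, "proto": proto,
                     "tls": proto in TLS_PROTOS})
    return hops

def clear_text_hops(raw: bytes) -> list:
    """Hops where the message travelled unencrypted on the wire."""
    return [h for h in audit_hops(raw) if not h["tls"]]
```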

There is an exception to the above:  If you are using a Corporate Email Server such as Microsoft Exchange or Lotus Notes and are sending intra-company mail, that is mail that is to and from other users in your organization with the SAME domain name, i.e. user1@palmer.net and user2@palmer.net, then all mail will be 100% secure.  This is because there is either a secure HTTPS:// (SSL) or TLS (Transport Layer Security) protocol engaged between your email client, Microsoft Outlook, and the Microsoft Exchange Mail Server and all email is stored in encrypted format in the Microsoft Exchange Mail Database.  The same holds true for Lotus Notes.  (Caveat:  Although usually configured to be “secure” by default, in some cases, Microsoft Outlook or Outlook Web Access may have been configured to use a standard non-encrypted connection instead of a secure one.  Check with your Corporate IT person to confirm.)

Keep in mind that both the Government and Criminals may have “sniffers” setup at various points on the Internet.  This allows the snooper to view every single data packet, like the ones containing your email message, and read it.

With the trillions and trillions of data packets and email messages moving across the global Internet daily, the risk that your specific email message containing sensitive or confidential information will be intercepted is remote but the potential is very real.

Using a secure connection to your email provider is not enough.  If you or your Company are the specific target of a Government Agency or Hacker, the only solution is to properly encrypt your message.  Otherwise, the contents of that document or the photo attached might just make the cover of the New York Times.

[A future article will discuss options for encrypting email messages.]

Filed Under: Security, Tech in Plain English Tagged With: Corporate Email, Email Encryption, Email Security, Gmail, Internet Provider, Lotus Notes, Microsoft Exchange, Secure, Secure Connection, Secure Http, ssl, The New York Times, TLS, Transport Layer Security, Web Mail, Webmail
