Why is it that most computer users know so little about mail encryption? After all, we hear time and time again how emails can be intercepted and read by anybody. Yet no online or desktop mail client seems to offer a proper service to easily send safe and securely encrypted mails. The process is painful, discouraging and incredibly unintuitive. But I truly think it should be looked at more closely. If you have no clue what mail encryption is about or just want a little update on how it works, then this post is for you.
Why you should encrypt your mail
The majority of the emails you send might not be particularly private, but you know there are times when you want to make sure only you and your receiver see the information. Think of credit card details, passport numbers, addresses or explanations as to where you’re hiding the house keys before going on holiday. Even though emails can take seconds to be sent and received, they actually go through all sorts of networks and servers before reaching their destination. And at those passageways they leave a trace, just like Hansel & Gretel. Which means there are plenty of places from where anybody can access and read what you’ve written. Encrypting (or authenticating) your mail can make sure only you and your receiver can see the contents of the message. It’s also a great way of reducing the flow of spam using your own email address.
How email encryption works
What makes you say email encryption is actually safe, you might ask me? It’s simply how it works. Let me explain. Email encryption works with public-key cryptography (also known as digitally signed certificates), the three most common standards being PGP, S/MIME and GnuPG. What you’re doing is digitally signing your mail, for which only the message’s recipient has the key. This means anybody else trying to get a peek at your mail only sees a scrambled nonsense of letters.
So how does it work? You first create a public key, which you distribute to your contacts. When somebody wants to send you a private email they’ll encrypt it using your public key. To read it you’ll have to decrypt it using your private key, which you are the only one to know. The public key can be made public (as the name suggests) because it is only used to encrypt, the private key being the one that authenticates messages.
An example from Thawte:
1. Bob sends Alice a signed e-mail. A signed e-mail includes the person’s public key.
2. Alice saves Bob’s public key into her address book.
3. Alice uses Bob’s public key to send Bob an encrypted e-mail.
4. Bob decrypts this e-mail using his private key.
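Thawte's four steps, reproduced with the OpenSSL command-line tool as an added example (not part of the original post or of Thawte's material). The identities, file names and message text are constructed, and self-signed certificates stand in for ones issued by a certificate authority; a second identity, Eve, shows that a different private key cannot open the message.

```shell
#!/bin/sh
# Added example: constructed names, files and message text throughout.

# Create a key pair plus a self-signed certificate for $1 (writes $1.key, $1.crt).
make_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$1" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Runs the four steps in a scratch directory; prints what Bob reads in step 4.
smime_roundtrip() (
    dir=$(mktemp -d) && cd "$dir" || exit 1
    trap 'rm -rf "$dir"' EXIT
    make_identity bob && make_identity eve || exit 1

    # 1. Bob signs a mail with his private key; his certificate is attached.
    printf 'Hi Alice, my certificate is attached.\n' > hello.txt
    openssl smime -sign -in hello.txt -signer bob.crt -inkey bob.key \
        -out signed.eml || exit 1

    # 2. Alice checks the signature and saves the certificate it carried.
    #    -CAfile is her explicit decision to trust this self-signed certificate.
    openssl smime -verify -in signed.eml -CAfile bob.crt \
        -signer address_book_bob.crt -out /dev/null 2>/dev/null || exit 1

    # 3. Alice encrypts to the certificate from her address book.
    printf 'The spare key is under the blue flowerpot.\n' > secret.txt
    openssl smime -encrypt -aes256 -in secret.txt -out encrypted.eml \
        address_book_bob.crt || exit 1

    # A different private key (Eve's) must not open the message.
    if openssl smime -decrypt -in encrypted.eml -recip eve.crt \
        -inkey eve.key >/dev/null 2>&1; then exit 1; fi

    # 4. Bob decrypts with his private key (S/MIME text uses CRLF line ends).
    openssl smime -decrypt -in encrypted.eml -recip bob.crt -inkey bob.key |
        tr -d '\r'
)
```

Calling `smime_roundtrip` prints the decrypted message; it prints nothing and returns non-zero if any step fails or if Eve's key manages to decrypt.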
If you want to send a private message to a group of people you can use passphrase encryption. These are long passwords, generally around 20 to 30 characters. It’s easier to send to a group than with a public key and the passphrase can be easier to remember. But you need to avoid transmitting the passphrase online and if somebody leaves the group you’ll need to create a new passphrase all over again. Also, passphrase encryption isn’t always available.
Where to get an email certificate
Now you know how encryption works. The next step is to get an email certificate. While you’ll generally have to pay a fee to get one of them, you can still use a few very good free services.
Where to get free email certificates:
- Thawte – This is the service that gave me the biggest sense of security. While the enrolment and certificate creation processes are a bit lengthy (takes about half an hour to create your keys), Thawte really takes you through it all with a step by step approach. It supports multiple languages and can detect browser settings. You can also choose between 1024- or 2048-bit keys and whether you’ll be using Netscape (i.e. Firefox) or Outlook. The certificate is valid for a year.
- InstantSSL/Comodo – Probably the easiest service to create certificates. Works with Outlook, Thunderbird and other S/MIME compatible software. There wasn’t any information as to the strength of the certificates or their validity period though.
- Ascertia – Only works with MS Outlook, but the creation process is easy and quick.
- TC TrustCenter – Also a fairly quick creation process, this service makes your keys available immediately and for a full year. You’ll also be able to choose between 1024 and 2048 grade security.
You can also create personally signed certificates using an external application or the Certificate Assistant in Mac’s Keychain. The trouble with these is that they aren’t backed by any authority, so they are generally not trusted by applications. The receiver will have to manually add the certificate to his list of authorized certificates.
If you’re using Firefox, you can view your certificates by clicking on Tools > Options > Advanced > Encryption and then pressing “View Certificates”. In Internet Explorer 7 click on Tools > Internet Options > Content and choose “Certificate”.
Ways to encrypt your emails
Ok, so you’ve created your certificates, but how do you actually use them? This depends on the mail client you have:
- In Outlook/Outlook Express – Open up a new message and type in your text as you would normally do; then click on Options > Security Settings and check “Add a digital signature to this message”. Press OK and finish sending your message.
- Using Thunderbird – Go to Tools > Account Settings > your account name > Security. You can set which certificates to use with each account for digital signing and/or encryption. You should also install the Enigmail extension, provided by GnuPG.
- In Apple Mail – When using a Mac, always make sure you save all your certificates in your Keychain. This will ensure they’re kept in a safe place and accessible by all applications, whether Apple Mail, Firefox or Safari. In Apple Mail, open up a new message and type in your text as you would normally do. Then press the “sign” and “encrypt” buttons in the message window.
- Using webmail – The sad news is, if you use webmail, you won’t be able to encrypt email messages (and we’re in 2007!)… unless you use Firefox. You can install the Encrypt This! extension, which allows both for public key and passphrase encryption. The site also provides you with a way to create your own keys. There’s also the FireGPG extension which can encrypt and decrypt any web page you work with and verify signatures for you.
To conclude, yes, encrypting messages is a painful and lengthy process, and it really is astonishing that as of yet, nobody has come up with a simple way of incorporating it into any mail service. Outlook has had it for some time now, but it’s never really been clear to users how it actually works. The process in Apple Mail is the simplest; however, the best would be for webmail services to finally integrate it. Why is it that they don’t offer encryption yet? Would it be a fear of actually letting their users finally have privacy over their messages? The other big question is when certificate services will finally partner up with mail services and software to streamline the process of creating and using certificates. With all the threats lurking out there on the internet, we should be able to protect our communications well.