
Protect email with digital certificates Apps
In Macworld's July article on protecting email data they did not mention the easiest, free, and highly secure method of protecting email: digital certificates. Apple's Mail, Entourage, Windows Outlook and many other clients all let you use digital certificates (S/MIME) to digitally sign and encrypt email. Thawte, a division of VeriSign, offers free personal email certificates. There is no need to send a password by telephone, fax or iChat, all three being insecure unless you're using an encrypted iChat session with another .Mac subscriber.

A digitally signed email accomplishes two things. One, it assures the recipient that the email really comes from the holder of the certificate issued for that email address and that the message was not altered in transit (not an email spoof or a phishing attempt). Two, it delivers the sender's certificate, and with it the public key, which lets the recipient encrypt email sent back to you. Once two people have exchanged digitally signed emails, all email traffic between them can be encrypted without any further effort.

Using Thawte's Web of Trust, or a similar service, you can get your email identity notarized, so that a recipient can be assured not only that you control the email address, but that the email is actually from the named person. If you receive an email that's a spoof, you will know it right away because it won't be digitally signed (assuming you expect signed mail from that sender), or the signature will be invalid. Even if you try to reply to the spoofed email, most likely the email client will inform you that it cannot encrypt the email to the untrusted address.

[robg adds: We discussed Mail and self-created certificates in this hint.]

23 comments
Protect email with digital certificates
Authored by: vancenase on Jun 23, '06 07:57:24AM

... so how exactly do you digitally sign an email using this method?

Protect email with digital certificates
Authored by: BobVB on Jun 23, '06 08:08:03AM

Once you install the certificates, two buttons show to the right of the Signature and Priority popups. One for signing, one for encryption. The encryption is only selectable if you have received signed mail from the person you are sending it to.

Your and others' email addresses that have certificates will show up in your address book with a security check icon to the left of the email's 'type' tag (home, work, etc.).

Protect email with digital certificates
Authored by: systimax on Jun 23, '06 08:07:03AM
I would want to create my own using:

http://macgpg.sourceforge.net/


Google MacBreak... Leo Laporte and the gang run through a quick how-to.

Protect email with digital certificates
Authored by: fungus on Jun 23, '06 11:13:51AM

macgpg uses PGP technology for encryption and signing. This is very different from the certificates mentioned in this article.

PGP isn't widely integrated into most email clients. Certificates are. Almost all mail clients already support security via certificates, but require external support for PGP.

Certificates require a third party to validate your identity and generate a certificate for you (usually at a price, but Thawte is an exception). Yes, you can use a self-signed certificate but that defeats the purpose of confirming identity.

Protect email with digital certificates
Authored by: thelamecamel on Jun 23, '06 08:53:38AM

How amusing - I was trying to do this just a few hours ago, before I saw this hint. I couldn't get the encryption buttons in Mail to appear, using self-signed certificates (created with OS X's Certificate Assistant), even though I could get the ticked stamps appearing next to an email address using a self-signed certificate. Is there a way for Mail to accept self-signed certificates, or do I really need to give lots of personal data to Thawte to get a certificate? Is there a non-invasive free option? It doesn't matter if the people I'm conversing with need to check fingerprints manually.

Protect email with digital certificates
Authored by: IslandDan on Jun 23, '06 08:57:48AM
Here are two good tutorials on setting up Thawte with OS X and Mail:

http://www.joar.com/certificates/body.html

http://www.macdevcenter.com/pub/a/mac/2003/01/20/mail.html

Protect email with digital certificates
Authored by: gstarcher on Jun 23, '06 12:25:13PM
Aired this brief how-to back in Dec on In the Trenches podcast. Re-aired a week ago on Typical Mac User.

It's straightforward even if you use Firefox for your browser.

http://itt.theintegrity.net/pmwiki.php?n=ITT.ThawtePersonalEmailCertificates

Protect email with digital certificates
Authored by: playdrums on Jun 23, '06 01:17:10PM

There is one pretty significant downside to this whole signing/encrypting thing. Windoze users that are using Microsoft's Outlook Express get the most inane messages when they receive a signed email. Also, they appear to them as annoying little attachments. In grand Windows style, if the users don't read the error messages they'll end up thinking they can't reply to your message and they won't know why. It has happened to me over and over again.

It is just another place where Microsoft thinks they have a better solution and they obfuscate the standard one. They don't make it impossible but they do make it difficult and if you don't understand the technology you probably won't be able to navigate the messages that pop up.

In other words, don't send your Windows using mother a signed email with a standard cert from thawte.

This is my experience using Mail.app to sign/encrypt.

Protect email with digital certificates
Authored by: Lutin on Jun 24, '06 05:31:51AM

It's exactly the reason that stopped me from using PGP.
Send a mail, and then get a phone call: "your mail is garbage, I can't read it. It must be you, Outlook works well all the time with me." Grrrrrrrrrrrrrrrrrrrr
With this method, is it the same problem?

digital certs with Outlook Express
Authored by: bigenchilada on Jun 25, '06 05:47:30PM

Your point regarding Outlook Express is on the money. I've had to repeatedly tutor recipients on what the attachment does, why nothing happens when they try to open it, why would I want something that screws up their email, etc, etc.

Even attaching a footer to the outgoing mail addressed to Outlook Express users frequently goes right by them.

Encryption also has its share of user un-friendliness behavior. Users with an understanding of encryption don't have problems, but most people seem to be happy with plaintext.

Protect email with digital certificates
Authored by: systimax on Jun 23, '06 01:24:45PM

All you have to do is compare it to the public key and there you go. You have confirmation. Most programs do this.

Can't remember the name, but if you watch the video there is a plug-in for Mail.app

as well as many other clients

Using Certificate Assistant
Authored by: axelfoo on Jun 23, '06 01:28:46PM

I like the idea of creating my own using the built-in certificate assistant in 10.4. Basically I would like to be able to exchange encrypted email/IM with a few people, so I don't really need to use Thawte for this.

I started to go through the process, using Certificate Assistant, and it's quite straightforward until you get to the point where you have to select what features to allow for the certificate. I just want to be able to send and receive encrypted messages with a few people. After I do this for myself, I will set them up too. My question is, should I select all of them? Is there any reason to be judicious and select only the minimally necessary?

Thanks!
Alex

Protect email with digital certificates
Authored by: tonygoulding on Jun 24, '06 12:10:12PM

Digital signatures offer a strong trust mechanism for things like email messages and (as has been stated) validating the signature against the public key of the sender is a good security step to help ensure the integrity of the message (i.e. it hasn't been tampered with) and authenticity of the sender. However, there is a further step if you want to fully leverage this trust model.

If my private (signing) key has been compromised allowing a baddie to masquerade as me by signing mails with my private key, then I would want to revoke that certificate with the Certificate Authority (CA) that issued it. If your application (such as Mail) doesn't take the next step of performing a REVOCATION check of the certificate with the issuing CA, you might have a false sense of trust in the signature.

Some applications have this revocation checking ability built-in; some do not. Not sure about Apple Mail (although requirements for CRL/OCSP checking can be switched on/off I believe in the Keychain).

Agreed, this might be an unlikely situation and overkill for Joe Average, but worth noting nonetheless.

Tony.

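Revocation checking at the command line, as an added example that is not part of Tony's comment, the hint or any mail client: a throwaway CA built with openssl ca issues a mail certificate, revokes it and publishes a CRL; openssl verify with -crl_check then rejects the certificate, while the same verify with revocation checking left off still reports OK, the false sense of trust the comment warns about. The CA name, user name and address are constructed for the demo.

```sh
#!/bin/sh
# Added example, not code from the hint, the comments or any mail client.
# Throwaway CA with `openssl ca`; names and addresses are constructed.
set -eu

# make_ca DIR: minimal `openssl ca` layout and config under DIR.
make_ca() {
  ca=$1
  mkdir -p "$ca/newcerts"
  : > "$ca/index.txt"          # CA database: issued and revoked certs
  echo 1000 > "$ca/serial"
  cat > "$ca/ca.cnf" <<EOF
[ca]
default_ca = mail_ca
[mail_ca]
new_certs_dir = $ca/newcerts
database = $ca/index.txt
serial = $ca/serial
certificate = $ca/ca.crt
private_key = $ca/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
x509_extensions = user_ext
[policy_any]
commonName = supplied
emailAddress = optional
[req]
distinguished_name = req_dn
prompt = no
[req_dn]
CN = Demo Mail CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[user_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 -config "$ca/ca.cnf" \
    -extensions ca_ext -keyout "$ca/ca.key" -out "$ca/ca.crt" 2>/dev/null
}

# issue_cert CA NAME EMAIL: fresh key, CSR, certificate signed by the CA.
issue_cert() {
  ca=$1; name=$2; email=$3
  openssl req -new -newkey rsa:2048 -nodes -config "$ca/ca.cnf" \
    -subj "/CN=$name/emailAddress=$email" \
    -keyout "$ca/$name.key" -out "$ca/$name.csr" 2>/dev/null
  openssl ca -batch -notext -config "$ca/ca.cnf" \
    -in "$ca/$name.csr" -out "$ca/$name.crt" >/dev/null 2>&1
}

# revoke_cert CA CRT: mark the certificate revoked in the CA database.
revoke_cert() { openssl ca -config "$1/ca.cnf" -revoke "$2" >/dev/null 2>&1; }

# publish_crl CA OUT: a CRL reflecting the database as of now.
publish_crl() { openssl ca -config "$1/ca.cnf" -gencrl -out "$2" >/dev/null 2>&1; }

# check_cert CRT CA CRL: chain validation plus CRL check.
# Prints OK, REVOKED, or ERROR with the verify output.
check_cert() {
  out=$(openssl verify -crl_check -CAfile "$2" -CRLfile "$3" "$1" 2>&1) || true
  case $out in
    *"certificate revoked"*) echo REVOKED ;;
    *": OK"*)                echo OK ;;
    *)                       echo "ERROR: $out" ;;
  esac
}

# check_cert_no_crl CRT CA: the same chain validation without any
# revocation check, which is what a client that skips CRL/OCSP does.
check_cert_no_crl() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo OK; else echo REJECTED; fi
}

# revocation_demo: issue, revoke, republish, and compare the four answers.
revocation_demo() {
  w=$(mktemp -d)
  make_ca "$w"
  issue_cert "$w" alice alice@example.com
  publish_crl "$w" "$w/old.crl"
  echo "before revocation:  $(check_cert "$w/alice.crt" "$w/ca.crt" "$w/old.crl")"
  revoke_cert "$w" "$w/alice.crt"
  echo "stale CRL:          $(check_cert "$w/alice.crt" "$w/ca.crt" "$w/old.crl")"
  publish_crl "$w" "$w/new.crl"
  echo "fresh CRL:          $(check_cert "$w/alice.crt" "$w/ca.crt" "$w/new.crl")"
  echo "no revocation check: $(check_cert_no_crl "$w/alice.crt" "$w/ca.crt")"
  rm -rf "$w"
}

revocation_demo
```

The middle step is the one to notice: a CRL published before the revocation still says OK, so a client that caches CRLs, or never fetches them, keeps trusting the compromised key until it sees a fresh CRL or an OCSP response. The signature on such a message is still cryptographically valid; only the revocation check tells you the key should no longer be trusted.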
Protect email with digital certificates
Authored by: AveryTimm on Jun 24, '06 12:27:29PM

I have used a Thawte cert with Apple Mail for about a year, but lately have had all kinds of problems. It basically seems to be a Windows UI problem. People get a dialog that looks like a security 'warning' when a message with a cert arrives. It gives them the option to not open the message, which many times they do and then they don't get the message. I have had people say that they can't open the message and some that say they can't reply to the message. I have tried to get my name attached to the certificate through the web-of-trust but haven't been able to get ahold of any of the people listed in my area. I read somewhere recently that the Thawte certificates are good for a year and then you need to get a new cert, which everyone needs to have updated before it will work.

The Thawte style CA method is the best...it doesn't require any proprietary plug-ins on either end. But it won't work for mail clients that have bad interfaces, and it won't work for webmail.

Two things I would like to see... If Apple Mail included (or someone made) a pref pane that would list everyone in your address book with 2 columns... 1 for "Send with Cert", and another for "Encrypt" which would be available if their cert was in my keychain. Some people I always want to send a certificate to, some people I never want to. If I know someone is using Yahoo! Mail...there is no point in sending a certificate...it's going to show up as an attachment, and I know that they are the type who are not going to DL it and check it.

Another thing would be for Google to become a certificate authority for their Gmail system, issuing certificates for Gmail users. They wouldn't need to go all out and offer the other services that Thawte offers, just a free certificate to go along with Gmail. That way they could also make it work within Gmail, and of course make the private key downloadable so I could add it to my keychain and use it with Mail. Otherwise the only way to make a cert work with a webmail system would be to hand over your private key to the webmail place...if Gmail was the CA they would already have it.

For the moment I have turned off the cert, and will not turn it on again unless needed.

Protect email with digital certificates
Authored by: DistantThunder on Jun 24, '06 10:02:46PM
I use certificates from Comodo (http://www.comodo.net/); they are also free. I have no problems sending messages between Mac (Entourage/Mail) and Windows (Outlook). However, I use certificates almost exclusively for sending email to myself between home and work machines. My experience is that most casual users find the whole certificate/encryption thing too daunting, so I don't even sign most messages.

Another place that offers free certificates is http://www.cacert.org/

Protect email with digital certificates
Authored by: legacyb4 on Jun 25, '06 11:01:49PM

As stated earlier, I believe the Windows-side issue is with Outlook Express and not Outlook. I would like to use Comodo but found that their certificate generation process requires Internet Explorer in order to generate the certs online...

---
lumine.net

Protect email with digital certificates
Authored by: pub3abn on Jun 26, '06 06:28:39AM

Yes, that is true. In my case, I used my handy Dell to do the dirty work.

Protect email with digital certificates
Authored by: axelfoo on Jun 26, '06 09:04:23AM

I used the Certificate Authority to create my own self-signed certificate. I logged out/in but I don't have an option to sign my emails (using mail.app). What am I missing?

Thanks!

Update: Not in X509 Anchor keychain?
Authored by: axelfoo on Jun 26, '06 09:18:52AM

I think the reason my self-signed certificate isn't working with mail.app is that the certificate is in my login keychain and NOT in my X509 Anchors keychain. I tried dragging the certificate into X509 anchors but it didn't accept my Keychain password. Hmmm... As the Admin of this computer, I guess my keychain password for login items is valid, but not for X509 Anchors. That makes sense, but then how do I get my certificate into the X509 Anchor Keychain so that it can provide some functionality?

Thanks again,
Alex

doesn't work w/ mail.app
Authored by: kami on Jun 26, '06 03:30:29PM

What you are missing is that this approach doesn't work with any Apple software; not Safari, not Mail.app. Works with Mozilla-based goodies, but not anything from Cupertino, as far as I can tell. That's why I rated this hint a 1, partly because a zero is not an option.

WHAT? Doesn't work w/ mail.app...
Authored by: axelfoo on Jun 26, '06 04:57:55PM

What a surprising disconnect between Mail.app and OS X! I was refusing to believe that was the case. I guess I'll give it a rest and try not to be too annoyed. Thanks!

Thawte's free certs not so reliable
Authored by: buck on Jun 26, '06 06:57:38PM

Here's an example of how these free certs from Thawte, and possibly others, are not all that reliable. Examples are in both Outlook and Mail.app.

Use self-signed certificates with Mail
Authored by: Xris on Oct 10, '08 09:24:31AM

For all of those who are trying to use "self-signed" certificates...

I also tried in vain to get my self-signed certificates to work with Mail. I created and re-created them in the certificate assistant over and over, selecting all/none options, trying to get them to work.
I ended up thinking that maybe one would have to set some com.defaults thing to get mail to recognize/allow their use.

FINALLY, after reading a comment about adding the certificate to the X.509 anchors list AND a post in another blog about something similar... got mine working.

The process is the following:

Create a self-signed certificate with the Certificate Assistant. Remember to select the "Key Usage Extension" as "This extension is critical". Also make sure you select at least the "Signature", "Key Encipherment" and "Data Encipherment" options.

When all done, open Keychain Access, go to the login keychain, select the Certificates category, select your certificate and export it (File->Export).
Make sure you select "Certificate (.cer)" file type.
I save it to my Desktop.
Double Click on the certificate file.
A dialog will appear asking you if you want to add the certificate to your keychain.
There is a pop up menu where you can select WHICH keychain to add it to. The default is "login". CHANGE it to "X.509Anchors".
You will have to authenticate yourself as an administrator.
DONE!!

Now your "self-signed" certificate is part of the "trusted" (completely, apparently) certificates AND can be used to sign and encrypt your mail messages.

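The exchange the hint describes (a signed message carries the sender's certificate, and once both sides hold each other's certificate replies can be encrypted) and the self-signed certificate with a critical Key Usage extension from the comment above, as one added example done with the openssl command line. It is not code from the hint, the comments or Apple's tools; names, addresses and message text are constructed. In place of a certificate authority or the X509Anchors keychain, trust in the self-signed certificate is established by comparing its SHA-256 fingerprint with a value obtained out of band, the manual fingerprint check another commenter was willing to do.

```sh
#!/bin/sh
# Added example, not code from the hint, the comments or Apple's tools.
# S/MIME sign/verify/encrypt/decrypt with openssl and self-signed certs
# carrying the Certificate Assistant extensions from the comment above.
set -eu

# make_identity DIR NAME EMAIL: self-signed S/MIME certificate and key.
# [smime] mirrors the comment's choices: Key Usage critical with signature,
# key encipherment, data encipherment; CA:FALSE marks an end-entity cert.
make_identity() {
  dir=$1; name=$2; email=$3
  cat > "$dir/$name.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = smime
[dn]
CN = $name
emailAddress = $email
[smime]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:$email
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -config "$dir/$name.cnf" \
    -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
}

# key_usage CRT: the Key Usage extension as one line (critical flag + usages).
key_usage() {
  openssl x509 -in "$1" -noout -text |
    sed -n '/X509v3 Key Usage/{N;s/\n */ /;s/^ *//;p;}'
}

# sign_mail MSG CRT KEY OUT: clear-signed multipart/signed S/MIME. The body
# stays readable and the signer's certificate travels with the signature.
sign_mail() {
  openssl smime -sign -text -in "$1" -signer "$2" -inkey "$3" -out "$4"
}

# check_signature SIGNED OUTCERT: verify the signature and save the attached
# signer certificate. -noverify skips chain validation, so this answers only
# "does the signature match the attached certificate"; trust comes next.
check_signature() {
  if openssl smime -verify -noverify -in "$1" -signer "$2" -out /dev/null >/dev/null 2>&1
  then echo VALID; else echo INVALID; fi
}

# cert_fingerprint CRT: SHA-256 fingerprint, the value compared out of band.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# trusted_sender SIGNED PINNEDCRT: TRUSTED only if the signature is valid AND
# the attached certificate matches the fingerprint pinned for this sender
# (the manual equivalent of having the certificate in X509Anchors).
trusted_sender() {
  got=$(mktemp)
  if [ "$(check_signature "$1" "$got")" = VALID ] &&
     [ "$(cert_fingerprint "$got")" = "$(cert_fingerprint "$2")" ]
  then echo TRUSTED; else echo UNTRUSTED; fi
  rm -f "$got"
}

# encrypt_mail MSG RECIPCRT OUT: encrypt to the public key in the certificate
# the recipient sent in a signed message. -binary keeps the bytes as given.
encrypt_mail() {
  openssl smime -encrypt -aes256 -binary -in "$1" -out "$3" "$2"
}

# decrypt_mail ENC CRT KEY: print the plaintext.
decrypt_mail() {
  openssl smime -decrypt -in "$1" -recip "$2" -inkey "$3" | tr -d '\r'
}

# exchange_demo: the whole exchange in a scratch directory.
exchange_demo() {
  w=$(mktemp -d)
  make_identity "$w" alice alice@example.com
  key_usage "$w/alice.crt"
  # 1. Alice signs; Bob verifies, keeps the attached cert, compares fingerprints.
  printf 'Hi Bob, sample message body (constructed).\n' > "$w/msg.txt"
  sign_mail "$w/msg.txt" "$w/alice.crt" "$w/alice.key" "$w/signed.eml"
  echo "signature: $(check_signature "$w/signed.eml" "$w/alice_from_mail.crt")"
  echo "sender:    $(trusted_sender "$w/signed.eml" "$w/alice.crt")"
  # 2. One word changed in the clear-text part breaks the signature.
  sed 's/sample message/SAMPLE MESSAGE/' "$w/signed.eml" > "$w/tampered.eml"
  echo "tampered:  $(check_signature "$w/tampered.eml" "$w/unused.crt")"
  # 3. Bob encrypts his reply to the certificate that arrived in step 1.
  printf 'Hi Alice, encrypted reply (constructed).\n' > "$w/reply.txt"
  encrypt_mail "$w/reply.txt" "$w/alice_from_mail.crt" "$w/reply.eml"
  echo "decrypted: $(decrypt_mail "$w/reply.eml" "$w/alice.crt" "$w/alice.key")"
  rm -rf "$w"
}

exchange_demo
```

A mail client does the trust step differently: it builds a chain from the attached certificate to a CA it already trusts (the X509Anchors keychain here, or Thawte's root), which is why a self-signed certificate only works once it has been added there. The fingerprint comparison above is the same decision made by hand, and it is also why a signed message from a stranger proves only that someone holds the key for that certificate, not who that someone is.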