Information has become a commodity.  Insuring the information is private as well as authentic can be key in evaluating the worth of content.  But one of the most overwhelming problems with encrypting email is the fact that most people don’t understand how to go about securing their messages.  Encryption can be used to keep the contents of the email safe from prying eyes.  It can also be used to certify that the message a person receives was actually issued by the individual listed in the messages from field.  Email encryption is a complicated process that is simply convoluted for the average computer user.  Mac users are no exception, so here’s a rundown on the ins and outs of encrypted email.

What is needed in order to send encrypted email?
Most web mail services lack the advanced features required to encrypt email messages beyond communication with people in the same domain.  As a result, an email client application is required.  Most mature email applications offer support for encrypted messages.  On the Mac, the big names are Apple Mail and Microsoft Entourage.  Since Entourage is my email client of choice (one that I regret on a weekly basis at times), we’ll mainly cover that.  Its worth noting that Entourage is actually more complicated to configure for encryption than Apple Mail which in some ways makes the configuration process almost invisible.

With a bonafide email client selected, its time to generate the certificate that actually does the encryption.  There are at least a half dozen reputable places that generate SSL certificates, but most charge for the service.   Thawte.com is one institution with a  long track record of offering free personal email encryption certificates.  In order to generate a certificate, Thawte requires a fair amount of personal information.  They are justified in this constraint as they make a reasonable effort to ensure you are who you claim to be prior to the issue of the certificate.  Simply put, just fill out the forms requesting the email certificate and wait.  Once the information is validated, an email is issued to the requested account to let the user know the certificate has been generated.

The certificate process is mildly painful, and can be thoroughly confusing.  For Mac applications to use the Thawte encryption certificate, the cert must be resident in the Mac OS’s Keychain.  Getting it there can be something of a problem unless you know the tricks.  First of all, the browser you use when making the cert request is key.  When I went through the process, I used Firefox 2.0.  In making the request, its actually necessary to select which browser you are using to make the request.  As Safari isn’t even an option on the list I recommend using Firefox.


Once the request has been completed, as mentioned before, its necessary to wait a period of time while your identity is validated.  Once that is done, Thawte issues an email to the requesting email address to indicate that cert has been issued.  When returning to Thawte, it is essential to once again use Firefox.  Upon logging into the account created on the initial visit, there will be a message indicating that the certificate can be added to the browser by simply clicking a link.  And once the link has been clicked, there is only a succinct message indicating that the browser now has the certificate installed.  The problem here is that installing the cert in the browser does nothing to allow access to the cert from the email client software.  That brings us to trick number two.

Select Preferences from the Firefox menu in Firefox.  Then click the Advanced button at the top of the preferences window, and finally click View Certificates near the bottom of the window.  Listed in the tab under Your Certificates are a series of certificates listed hierarchically under different issuing parties.  Look for a list of certificates under the heading of Thawte Consulting (Pty) Ltd.  Any and all certs generated by Thawte will be listed here.  If there is more than one certificate listed, pay attention to the Expires on Date and make sure the most recently issues cert is selected.  The expire date should be 1 year from that date the it was issued.  Simply click once on the new certificate and then click the Backup button.  Firefox will prompt for a password that will be used to protect the exported (or backed up) cert file.  The password will keep the information secure should someone try to compromise the data in its exported form.


Now that the certificate has been exported, the next step is to import it into the Mac OS keychain so it can be made available to the email application.  Simple open Keychain Access, found in /Applications/Utilities.  Select Import from the file menu and browse for the file exported from Firefox.  One the cert has been selected, Keychain will prompt for the password designated when the backup was made from Firefox.  Once the password is supplied, the cert is added to the keychain.  It can be found by selecting My Certificates on the left side of the main Keychain Access window.

Now we’re in the home stretch.  Once the certificate has been imported into the keychain, the email application should have access to the file.  Now we just need to make Entourage aware of the certificate.  To do that, select Accounts from the Tools menu of Entourage.  In the list of accounts, double click on the account that will be used to send and receive encrypted email.  Select the Security tab at the top of the window the use each of the select buttons to designate your certificate in both the Signing Certificate and Encryption Certificate areas.  Once this is done, Entourage is ready to send secure email.


It’s worth mentioning that Apple Mail seems to eliminate this intricacy.  Once the cert is in the keychain, the OS and the Mail app seem to be smart enough to associate the cert with the email account in Mail and eliminate the need to manually select the certificate used to sign and encrypt messages.  That being said, my experience with Apple Mail is more limited so I cannot be certain that this is always the case.

Now that we’re ready to send a secure message, there are some more intricacies to consider.  In order for the message recipient to be able to read the message when its sent, the recipient must first receive a signed message.  This gives the recipient the information needed to decrypt encrypted messages once receive.  In order to send a sign message, simply create an email to the desired recipient then select Message > Security > Digitally Sign Message from the menu while in the message window.  Depending on their email client, the recipient may need to manually add your digital signature to your entry in their address book in order for the email client to automatically decrypt future messages as the are received.

Once the signed email has been issued, it should be possible to send encrypted messages to that same contact by selecting Message > Security > Encrypt Message from the menu when within the message composition window.  Now that we should be done and ready to exchange secure email messages with another individual, there is just one more stumbling point to consider.  In my experience, at least with Entourage, I could not send a secure email to my intended recipient until they had gone though the same process of generating and installing a secure certificate in their email client.  Apparently the users on either end of the conversation must each have a cert on file with each other before secure messages can be exchanged.  As a result, before conversations can be secured, each recipient must first exchange a message with the other that has only been signed, thereby giving each individual the information needed to open the secured messages that will follow.

Now users simply need to remember to select the option to encrypt messages as they send them.  In Entourage, this means selecting the encrypt option each time a message is issued to someone who is known to allow encrypted messages.  I believe Mail makes this process more streamlined with more intelligent logic in the Mail client, but again I am not certain.

Problems
All of this brings us to the current problems with encrypted email.  The entire process is entirely too convoluted and painful.  In order to communicate securely with another individual, both parties must go through a lengthy configuration process.  Once that’s done, assuming it can be completed without either individual simply giving up on the idea, then it becomes necessary to fight with the email client to the point where it can successfully fulfill its own requirements prior to sending secure messages.  Then, finally, if the individual sending the first message is a thread forgets to manually select the option to encrypt the message, it will still be send unsecured and in the clear.

Users who routinely using both an email client and a web mail interface to access the same email account will find out that web mail is simply not equipped to deal with encryption at the level that an dedicated email client can.  Opening an encrypted email via the web mail interface proves that the message is secure because the contents of the message simply can’t be read since the web mail interface has no way to interpret the email without a means with which to access the necessary certificate.

In summary
Encryption is a powerful way to secure communication sent over a very insecure system.  Though many consider encryption only necessary when someone has something to hide, many people simply value their privacy.  The current world wide implementation of email has been described as the equivalent of sending a postcard to a friend via the postal service.  The contents of the message are exposed for all to see both while the message is in transit as well as while it is sitting in the recipients inbox.  Encryption simply offers a means to wrap that message in an indestructible envelope that can only be opened by the designated recipient.

For all of its flaws, encrypted email has its place and a wide variety of uses.  Unfortunately it cannot become main stream until the process is simplified making the technology available to those who are not technically proficient or infinitely patient.

Interested in more detailed information on the technical side of email encryption?  Wikipedia has a great detailed explanation of the different means by which email can be secured.  The method discussed above is described as S/MIME in the Wiki.

--
Steve

Comments: 21