E-mail Security, Part 2: Speed Bumps

February 2001

In last month's column, I discussed e-mail security and ended by writing this: "start signing your e-mail messages with your digital certificate (the software gets you started on this). Test it with others in the organization. Use it when confidentiality is important (which is a good deal of the time, is it not?). Start asking people for their digital certificate so you can send them confidential e-mail. Just start using it."

Fellow consultant and friend David Strom took me at my word. And he had some troubles. Dave wrote about his experience in his "WebInformant" newsletter (http://strom.com/awards/227.html).

Dave is no slouch. He's a very smart guy, and knows his way around the Internet and e-mail. He's the co-author of a book entitled *Internet Messaging: From the Desktop to the Enterprise* (ISBN 0139786104), so you'd think he'd be one of the last people to be challenged by the technology. I will not recap his experiences (you can read them yourself), but I do want to briefly respond to the problems he had, and then follow up with practical and specific "get started" recommendations.

Observations

Dave's real speed bump was not in the usability of the product. He used Outlook which has S/MIME built in and had no problem, once he had retrieved his digital certificate. A digital certificate is what digitally ties an identity, for example a name or e-mail address, with a public key. A public key is the unique, very large integer used in encryption. Dave had a digital certificate... he just couldn't find it. So, the problem he really had was trying to retrieve his digital certificate from the digital certificate provider that he used. This coupled with problems and errors with Outlook 2000 led to, what we used to call in the product business "an unsatisfactory user experience." Once he had his digital certificate, we had no problems exchanging encrypted and signed e-mail.

Various Solutions

S/MIME

If you are using Outlook or Netscape, you'll probably want to try using the secure mail solution that is built in. Both are already set up to use a standard called S/MIME for Secure MIME (and MIME is Multi-purpose Internet Mail Extension -- the thing that allows us to include attachments in e-mail). Instructions for the built-in S/MIME support can be found at Verisign at http://digitalid.verisign.com/client/help/send_receive.htm. To get a certificate, when using Netscape Messenger, go to Communicator, Tools. Security Info. Under "Certificates," click on "Yours" and then "Get Certificate."

Netscape then presents you with the names of certificate authorities, with descriptions of each. Pick one and get a certificate. Thawte Consulting has a free service. You can also go to http://www.black-helicopter.org/bh and get a Black Helicopter Certificate. It's experimental at this point, but it's free.

To start sending secure e-mail, create an e-mail message and then click on the "Security" button. If you do not have the recipient's digital certificate, you'll not be able to encrypt e-mail to him ... yet. But you can sign a message, and when you do you will be sending them your certificate with your public key. When someone does the same to you, and you verify the message (by clicking on the "Signed" box on the e-mail), Messenger will store her certificate in your local key store. Now you can send her encrypted e-mail.

If you are using Netscape, hurry. I understand they are removing direct S/MIME support from the next major release. It is something about time to market.

S/MIME would work with Eudora or other e-mail packages, except I can find no one who has a product to sell. WorldTalk used to, but they are now part of Tumbleweed, and their reference S/MIME software is now only for developers. Baltimore Technologies has a product called MailSecure. You may download an evaluation copy that works only with Outlook. I was willing to purchase a version that works with Eudora (they claim to have one), but was unable to. After 2 weeks -- a Very Long Time in Internet Time -- and after dealing with 2 sales people, 2 people in public relations, and a person in support, I still don't have the product. I was told 1) yes they had a product, 2) yes it was for sale, 3) it would cost about $180, and 4) they would ship it from Dublin. I don't count that as being for sale and suspect that they really want to sell PKI solutions to large companies, not 1 and 2 copy licenses to me. In any event, they need to enter the Internet age. I told them "no thanks." I looked far and wide for another S/MIME product that did not require Netscape or Outlook and could not find one.

PGP

Which brings us to PGP. It has been around for ages and works with Netscape, Outlook, and Eudora. While it does not support S/MIME certificates, it does support PGP certificates. CERT (the Computer Emergency Response Team at www.cert.org) and Microsoft both use PGP certificates and PGP to digitally sign important security-related e-mail.

There are free versions, but I like the commercial version of PGP Personal Privacy you can buy from store.mcafee.com. It also comes with disk encryption software (which I use to safeguard my notebook PC's data, as discussed in http://www.avolio.com/columns/pcencryptlesson.html). Once installed, it will walk you through the process of generating a digital certificate. You can then use it to sign and decrypt e-mail. The PGPkeys tool allows you to import the certificates of others, either included in their e-mail or pulled from one of the Internet PGP certificate servers. And you can send your certificate to one of those servers or copy and paste it into an e-mail message you send to another PGP user.

I use PGP as do most of my clients who want to send me confidential information across the Internet.

ZixMail

Zixmail (http://www.zixmail.com/) has a free (for now) client that works in conjunction with whatever e-mail user agent you use. When you want to send or read encrypted and signed e-mail, you must use the Zixmail application. Also, all certificates are stored on the Zixmail server. If you are searching for solutions for personal or corporate use, don't ignore this one. Zixmail also supports sending encrypted and signed e-mail to people who do not have the Zixmail program. Recipients will get an e-mail message pointing them to the securedelivery.com web site where they will be asked to register and then be able to decrypt and read the message you sent (and be able to send and receive secure e-mail).

Just Use It

E-mail security is still not in wide or common use. You may hit some speed bumps, as Dave did. But they will be speed bumps, not roadblocks. I still strongly recommend: just start using it.


Links of interest:

Help with Outlook and Netscape, http://digitalid.verisign.com/client/help/send_receive.htm

The November 15, 2000 "Crypto-Gram" from Bruce Schneier has a very interesting article entitled, "Why Digital Signatures Are Not Signatures." Highly recommended. http://www.counterpane.com/crypto-gram-0011.html

Self-promotions:

I apologize for not letting you know that I took part in an on-line discussion entitled "Digital certificates and signatures: What are they, how are they used -- who do you trust?" It was on December 8th at 18:00 GMT. The transcript can be found at: http://searchsecurity.techtarget.com/Online_Events/searchSecurity_Online_Events_Transcript_Page/0,287095,522021,00.html