Maclive.net:: A Mac Users Guide to Encrypted Email
February 26, 2007
Information has become a commodity. Ensuring that information is private as well as authentic can be key in evaluating the worth of content. But one of the most overwhelming problems with encrypting email is the fact that most people don’t understand how to go about securing their messages. Encryption can be used to keep the contents of an email safe from prying eyes. It can also be used to certify that the message a person receives was actually issued by the individual listed in the message’s From field. Email encryption is a complicated process that is simply convoluted for the average computer user. Mac users are no exception, so here’s a rundown on the ins and outs of encrypted email.
What is needed in order to send encrypted email? Most web mail services lack the advanced features required to encrypt email messages beyond communication with people in the same domain. As a result, an email client application is required. Most mature email applications offer support for encrypted messages. On the Mac, the big names are Apple Mail and Microsoft Entourage. Since Entourage is my email client of choice (one that I regret on a weekly basis at times), we’ll mainly cover that. It’s worth noting that Entourage is actually more complicated to configure for encryption than Apple Mail, which in some ways makes the configuration process almost invisible.
With a bona fide email client selected, it’s time to generate the certificate that actually does the encryption. There are at least a half dozen reputable places that generate SSL certificates, but most charge for the service. Thawte.com is one institution with a long track record of offering free personal email encryption certificates. In order to generate a certificate, Thawte requires a fair amount of personal information. They are justified in this constraint, as they make a reasonable effort to ensure you are who you claim to be prior to issuing the certificate. Simply put, just fill out the forms requesting the email certificate and wait. Once the information is validated, an email is sent to the requested account to let the user know the certificate has been generated.
The certificate process is mildly painful and can be thoroughly confusing. For Mac applications to use the Thawte encryption certificate, the cert must be resident in the Mac OS Keychain. Getting it there can be something of a problem unless you know the tricks. First of all, the browser you use when making the cert request is key. When I went through the process, I used Firefox 2.0. In making the request, it’s actually necessary to select which browser you are using to make the request. As Safari isn’t even an option on the list, I recommend using Firefox.
Once the request has been completed, as mentioned before, it’s necessary to wait a period of time while your identity is validated. Once that is done, Thawte sends an email to the requesting address to indicate that the cert has been issued. When returning to Thawte, it is essential to once again use Firefox. Upon logging into the account created on the initial visit, there will be a message indicating that the certificate can be added to the browser by simply clicking a link. Once the link has been clicked, there is only a succinct message indicating that the browser now has the certificate installed. The problem here is that installing the cert in the browser does nothing to make the cert accessible to the email client software. That brings us to trick number two.
Select Preferences from the Firefox menu. Then click the Advanced button at the top of the preferences window, and finally click View Certificates near the bottom of the window. In the Your Certificates tab, certificates are listed hierarchically under their issuing parties. Look for the list of certificates under the heading Thawte Consulting (Pty) Ltd; any and all certs generated by Thawte will be listed there. If there is more than one certificate listed, pay attention to the Expires On date and make sure the most recently issued cert is selected. The expiry date should be one year from the date it was issued. Click once on the new certificate and then click the Backup button. Firefox will prompt for a password that will be used to protect the exported (backed up) cert file. That password keeps the exported data safe should someone get hold of the file.
Now that the certificate has been exported, the next step is to import it into the Mac OS keychain so it can be made available to the email application. Simply open Keychain Access, found in /Applications/Utilities. Select Import from the File menu and browse for the file exported from Firefox. Once the file has been selected, Keychain Access will prompt for the password chosen when the backup was made in Firefox. Once the password is supplied, the cert is added to the keychain. It can be found by selecting My Certificates on the left side of the main Keychain Access window.
Now we’re in the home stretch. Once the certificate has been imported into the keychain, the email application should have access to it. Now we just need to make Entourage aware of the certificate. To do that, select Accounts from the Tools menu in Entourage. In the list of accounts, double-click the account that will be used to send and receive encrypted email. Select the Security tab at the top of the window, then use each of the Select buttons to designate your certificate in both the Signing Certificate and Encryption Certificate areas. Once this is done, Entourage is ready to send secure email.
It’s worth mentioning that Apple Mail seems to eliminate this intricacy. Once the cert is in the keychain, the OS and the Mail app seem to be smart enough to associate the cert with the email account in Mail and eliminate the need to manually select the certificate used to sign and encrypt messages. That being said, my experience with Apple Mail is more limited so I cannot be certain that this is always the case.
Now that we’re ready to send a secure message, there are some more intricacies to consider. In order for the recipient to be able to read an encrypted message when it’s sent, the recipient must first receive a signed message. This gives the recipient the information needed to decrypt encrypted messages once received. In order to send a signed message, simply create an email to the desired recipient, then select Message > Security > Digitally Sign Message from the menu while in the message window. Depending on their email client, the recipient may need to manually add your digital signature to your entry in their address book in order for the email client to automatically decrypt future messages as they are received.
Once the signed email has been sent, it should be possible to send encrypted messages to that same contact by selecting Message > Security > Encrypt Message from the menu within the message composition window. Now that we should be done and ready to exchange secure email messages with another individual, there is just one more stumbling point to consider. In my experience, at least with Entourage, I could not send a secure email to my intended recipient until they had gone through the same process of generating and installing a certificate in their email client. Apparently the users on either end of the conversation must each have the other’s cert on file before secure messages can be exchanged. As a result, before conversations can be secured, each party must first send the other a message that has only been signed, thereby giving each individual the information needed to open the secured messages that will follow.
Now users simply need to remember to select the option to encrypt messages as they send them. In Entourage, this means selecting the Encrypt option each time a message is sent to someone who is known to accept encrypted messages. I believe Mail streamlines this with more intelligent logic in the client, but again I am not certain.
Problems
All of this brings us to the current problems with encrypted email. The entire process is entirely too convoluted and painful. In order to communicate securely with another individual, both parties must go through a lengthy configuration process. Once that’s done, assuming it can be completed without either individual simply giving up on the idea, it becomes necessary to fight with the email client to the point where it can successfully fulfill its own requirements before sending secure messages. Then, finally, if the individual sending the first message in a thread forgets to manually select the option to encrypt the message, it will still be sent unsecured and in the clear.
Users who routinely use both an email client and a web mail interface to access the same account will find that web mail is simply not equipped to deal with encryption at the level a dedicated email client can. Opening an encrypted email via the web mail interface proves that the message is secure: the contents simply can’t be read, since the web mail interface has no way to interpret the email without access to the necessary certificate.
In summary
Encryption is a powerful way to secure communication sent over a very insecure system. Though many consider encryption necessary only when someone has something to hide, many people simply value their privacy. The current worldwide implementation of email has been described as the equivalent of sending a postcard to a friend via the postal service. The contents of the message are exposed for all to see, both while the message is in transit and while it is sitting in the recipient’s inbox. Encryption simply offers a means to wrap that message in an indestructible envelope that can only be opened by the designated recipient.
For all of its flaws, encrypted email has its place and a wide variety of uses. Unfortunately, it cannot become mainstream until the process is simplified, making the technology available to those who are not technically proficient or infinitely patient.
Interested in more detailed information on the technical side of email encryption? Wikipedia has a great detailed explanation of the different means by which email can be secured. The method discussed above is described as S/MIME in the Wiki.
-- Steve
By smanke at 7:04 AM
Comments: 21
By Anonymous on February 27, 2007 at 8:50 AM
Apple Mail does make the whole thing seamless, but how do I get it to choose a
particular cert? I have a few different ones in my Keychain, but it seems to have just
picked the first one I installed.
By smanke on February 27, 2007 at 10:05 AM
A great question. I did some testing in Apple Mail. It did automatically see that
there was a cert in my keychain that corresponded with the email account I was using and I
was able to encrypt my mail by just clicking the lock icon in the email message. No
configuration was needed for Mail once the certs were in my keychain.
Unfortunately, as you pointed out, there doesn't seem to be a way to specify which cert
is used when encrypting the email. Hopefully this will be one of the many refinements
10.5's mail will offer.
As far as encryption goes, Mail is much easier to use
than MS Entourage.
By lemoose on February 27, 2007 at 11:47 AM
Well, Mail picks the certificate matching your accounts' email addresses...
By Anonymous on February 27, 2007 at 12:12 PM
Hi again (same anon),
Yeah, both my certs correspond to the same email
address. The ability to choose a cert would be a nice refinement for 10.5; I can
certainly envision situations where I would want to identify myself differently to
different groups of people.
By Anonymous Freak on February 27, 2007 at 12:56 PM
Yeah, Apple Mail does make it easier. And if you have multiple certs for one email
address, it does just pick the first one. (I think if you receive a message certified by
the second authority, it will use that one in the reply, but I can't confirm, as I haven't
actually sent a message using my second authority.)
If only it were easier to
GET a certification that works with Apple Mail. (aka: Thawte should support Safari,
because I imagine Safari would automatically insert the cert into the keychain for all
apps.)
By Anonymous Freak on February 27, 2007 at 1:08 PM
P.S. Here is a screenshot that shows how Apple Mail handles it.
http://web.rentageek.org/MailEnc.png
The first time you
try to send using your certificate, Keychain just asks if you want to allow this use. If
you say 'Always', it will never ask again. (You do have to follow all the steps to get
the cert in your keychain, though.) If Apple Mail detects a cert for your email address,
it simply shows those buttons. If it doesn't, you don't see the buttons.
By smanke on February 27, 2007 at 2:54 PM
Anonymous Freak,
Thanks for the clarification! The screen shot is
perfect.
If Apple Mail only had the ability to hide read messages in my
inbox, I would be willing to switch to Mail full time. As it is now, my workflows rely on
Entourage's ability to toggle any mail folder between show all and show unread with a
keystroke.
If anyone knows how to do the same in Mail, I'll dump the bloated
software that is Entourage!
By anon on February 27, 2007 at 11:48 PM
smanke: I don't know if this would cover your needs, but you can create a smart folder
in Mail that shows unread messages and another that shows read messages. It can't be
toggled with a keystroke that I know of, but it's just one mouse click.
By Anonymous on February 28, 2007 at 11:31 PM
I got the certificate generated and into the keychain. Woohoo! Apple Mail is now
showing that my messages are signed, but I can't encrypt them. Is this normal?
By smanke on March 1, 2007 at 8:14 AM
I'm not terribly experienced with Apple Mail, but I suspect you can't encrypt because
you haven't first sent a signed message to the recipient. Once they have a signed message
in their possession, they will have the info they need to decrypt the following messages.
I'm not sure that's the cause of the issue in Mail, but Entourage did something similar to
me. Sending a signed message first got me around the issue. Though I did need the person
on the other end to have their own encryption enabled before I could send to them as
well.
By Anonymous Freak on March 1, 2007 at 12:44 PM
In order to encrypt a message, you have to have the recipient's certificate, too. So
you would have to receive a signed message FROM the person you are sending to at least
once.
Then it doesn't matter if they have encryption enabled or not. For
example, in my linked-to screenshot, the lock button is available because I am sending to
myself, therefore I already have my own certificate.
If I go to send an email
to someone for the first time, and they have never sent me anything, I will be able to
'sign' my message, but not encrypt it. When they reply, and include their own
certificate, I will be able to encrypt it.
If I get a signed message from
someone else that I have never emailed, I WILL be able to sign and encrypt the return
message, because they sent their certificate with their message.
The way the
encryption works is by encrypting using BOTH certificates. The 'private' key of your own,
and the 'public' key of the recipient. To decrypt it requires the opposite. The private
key of the recipient, and the public key of the sender. This ensures that ONLY the person
you are sending to can open it. Even if someone in the middle has both of your public
keys, they can't decrypt it, it requires one public, and one private.
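The following shell script is an added example; it is not code from the Maclive.net post or from any of its commenters. It replays the steps the article walks through (the password-protected certificate backup Firefox writes, which is a PKCS#12 file; the Keychain import that asks for the same password; checking the Expires On date; sending a signed message first so the other side obtains your certificate; then encrypting) using the openssl command-line tool in a scratch directory, and it also shows which key is used where in the exchange discussed in the comment above: a message is encrypted to the recipient's public key taken from their certificate and decrypted with the recipient's private key, while the sender's private key is used to sign. The identities (alice and bob at example.test), the backup password and the message text are constructed for the demo, and the self-signed certificates are stand-ins for a Thawte-issued cert, so the recipient trusts the sender's cert directly via -CAfile where a real mail client would check the issuing CA chain held in its keychain.

```shell
#!/bin/sh
# Added example, not from the Maclive.net post: replays the S/MIME steps the article
# describes with the openssl command-line tool. Names, addresses, passwords and
# message text are constructed for the demo; the self-signed certs stand in for a
# CA-issued (Thawte) cert.
set -eu
WORK=$(mktemp -d)

# One mailbox identity: private key + self-signed certificate carrying the address.
make_identity() {            # $1 = name, $2 = e-mail address
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$1/emailAddress=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Firefox "Backup": key + cert leave the browser as one password-protected PKCS#12 file.
export_pkcs12() {            # $1 = name, $2 = backup password
    openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.crt" \
        -out "$WORK/$1.p12" -passout "pass:$2"
}

# Keychain Access "Import" asks for that same password; exit 0 only if it opens the file.
pkcs12_opens_with() {        # $1 = name, $2 = password to try
    openssl pkcs12 -in "$WORK/$1.p12" -passin "pass:$2" -noout 2>/dev/null
}

# "Pay attention to the Expires On date": exit 0 if the cert is still valid in 24 hours.
cert_valid_for_a_day() {     # $1 = name
    openssl x509 -in "$WORK/$1.crt" -noout -checkend 86400 >/dev/null
}

# Sign first: a signed message carries the signer's certificate (clear-signed S/MIME).
sign_message() {             # $1 = sender name, $2 = body text, $3 = message name
    printf '%s\n' "$2" > "$WORK/$3.txt"
    openssl smime -sign -in "$WORK/$3.txt" -out "$WORK/$3.eml" \
        -signer "$WORK/$1.crt" -inkey "$WORK/$1.key"
}

# The recipient verifies the signature and keeps the sender's cert (-signer writes it
# out), which is what Mail/Entourage store in the address book. Demo-only: the
# self-signed cert is trusted via -CAfile; a real client checks the CA chain in its keychain.
harvest_sender_cert() {      # $1 = signed message name, $2 = trusted cert name, $3 = output name
    openssl smime -verify -in "$WORK/$1.eml" -CAfile "$WORK/$2.crt" \
        -signer "$WORK/$3.crt" -out /dev/null 2>/dev/null
}

# Encrypt a reply using only the recipient's certificate (their public key).
encrypt_to() {               # $1 = recipient cert name, $2 = body text, $3 = message name
    printf '%s\n' "$2" > "$WORK/$3.txt"
    openssl smime -encrypt -aes256 -in "$WORK/$3.txt" -out "$WORK/$3.eml" "$WORK/$1.crt"
}

# Decrypt with a private key; prints the body, exit 1 if the key is not a recipient's.
decrypt_with() {             # $1 = encrypted message name, $2 = key owner name
    openssl smime -decrypt -in "$WORK/$1.eml" -recip "$WORK/$2.crt" \
        -inkey "$WORK/$2.key" -out "$WORK/$1.dec" 2>/dev/null || return 1
    tr -d '\r' < "$WORK/$1.dec"      # S/MIME canonicalises line endings to CRLF
}

# Full walk-through; exit 0 if every step behaves as the article describes.
run_demo() {
    make_identity alice alice@example.test
    make_identity bob bob@example.test
    export_pkcs12 alice backup-secret
    pkcs12_opens_with alice backup-secret        || return 1
    ! pkcs12_opens_with alice wrong-password     || return 1
    cert_valid_for_a_day alice                   || return 1
    sign_message alice "meet at noon" alice_signed
    harvest_sender_cert alice_signed alice alice_from_mail || return 1
    encrypt_to alice_from_mail "noon works" bob_reply
    [ "$(decrypt_with bob_reply alice)" = "noon works" ] || return 1
    ! decrypt_with bob_reply bob >/dev/null      || return 1   # Bob's key cannot open it
    echo "demo ok: backup, import, sign, harvest cert, encrypt, decrypt"
}

run_demo
```

Run it with sh. Each function exits non-zero when the step it models fails (wrong backup password at import, an expired cert, decrypting with a private key that is not the recipient's), which is the same set of stumbling points the article and the comments describe; the final check shows that holding certificates (public keys) alone is not enough to read an encrypted message.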
By Anonymous Freak on March 1, 2007 at 1:01 PM
P.S., if you want to send a test message, you can send it to "ed" at the domain my
example picture is hosted at. When you send to me, you will only be able to 'sign' your
message. But when I reply, you will get my certificate, and will then be able to encrypt
it. (I will reply unencrypted the first time, even though I would be able to reply
encrypted since you sent your certificate to me already in your first message.)
By smanke on March 1, 2007 at 2:33 PM
Anonymous Freak,
Thanks for the detailed explanation. I wasn't clear on
those details when I wrote the post. Your reply filled in the pieces I wasn't clear on.
The explanation was a perfect completion for the story!
By Anonymous on March 8, 2007 at 3:28 AM
Actually http://www.joar.com/certificates/ is a more detailed guide and has been
around for ages.
And you Thawte users out there, don't forget to visit your local web
of trust persons, so your certificate has your own name instead of "thawte freemail
member"
By smanke on March 8, 2007 at 8:35 AM
The joar.com post was very useful. Thanks!
By Anonymous on March 30, 2007 at 4:07 PM
Is this system compatible with GPG, or does it only work with other Thawte
members?
By smanke on March 30, 2007 at 7:50 PM
This will work with anyone using certificates regardless of the vendor. I believe GPG
is a different technology entirely so they won't be compatible.
By lonewolf on April 5, 2007 at 8:24 AM
Great article! I had a similar experience using the "Thawte process", but I was having
trouble getting the certs into Mail. Your detailed explanation pushed me to finish my work.
Thanks again.
By Anonymous on April 16, 2007 at 4:27 PM
I found a document that goes over similar stuff for setting up thawte certs in
Entourage: http://orb-of-knowledge.blogspot.com/2007/04/setti...
By Anonymous on April 19, 2008 at 7:54 AM
I had an old expired certificate in my 10.5 address book for one of my addresses. I
sent my self the new certificate, and I imported the private key to keychain as well.
Address Book still shows the old expired certificate. Is this cosmetic? Or how can I fix
this?
By smanke on April 21, 2008 at 9:30 AM
The actual private part of the key should be stored in your OS Keychain. You will
need to update the key there. Then it should be available to the Mail application.