Secure E-mail; a brief how-to...
Obtaining and using a signing certificate:
I'd never received a "signed" piece of email prior to this month. By "signed", I mean signed with a verified, secure certificate, guaranteeing the identity of the sender. Very few people you ask even know what certificate signed email is, and if you ask if folks have gone the next step, and made use of personally encrypted email, danged few will even know what you're talking about. The past few months I've made a point of reading and learning about validated/signed certificates, and their uses for secure web practices. This week I've been tackling e-mail applications.
For an individual, there are two main uses for certificates with email: secure signing and encryption. Both of these require that you obtain a validated certificate to participate. At an entry level of use, the easiest way to participate and learn is to request a key/certificate pair from a signing/validating authority which is offered at a low level of security. A number of web security providers offer these. I've been learning with and using a group called StartCom, Ltd.
Want to give it a try?
Ok, let's begin, but with these cautions: read carefully as you go, and have a pen and pad handy to take notes on what you are doing, and at times record the information you are providing, as you go. Be scrupulously correct in filling out forms, and check input twice before you hit enter. It may not be possible to correct errors, and a "flawed" web-identity is as much a nuisance to you and others as having your name or address typed wrong on your passport or driver's licence. Get it right as you go, for simplicity's sake.
1. Go to https://startssl.com. Notice that you've entered a secure web site, with a verified corporate owner, identified by the green bar (in Firefox) on the address line. You can examine their secure certificate if you like by right-clicking on the green bar. Now, click where it says "StartSSL Free, No Kidding 100% Free". Click on "Sign-up".
2. Carefully fill in your demographic information. Read all the instructions. Make very sure there are no errors or typos. Then click continue...
3. StartCom, Ltd. then sends a verification code to your email account. This is how they verify that the subscriber (you!) is truly associated with that email. Don't close your browser window, or you will disrupt your registration!!! Check your email, and put the code you receive into the box. Click continue then...
4. Choose a 'High Grade' certificate. Click where it says 'Make Certificate'. When it's ready, click on 'Install'. StartCom then puts a certificate/key pair into your browser certificates folder. Now every time you visit www.startssl.com from the same computer, and you log in by clicking 'Authenticate', they will know from the certificate (which your browser presents to StartCom) that you are the same person who presented that email address. Your identity, although not verified by credentials, at least DOES connect to someone who has control over that e-mail box. That is what a Class 1 certificate is: a verification of the user with the email box, or its associated web site (if the certificate is being used for web identification).
If, from the 'Tool Box' tab, you click the box on the right side of the page marked S/MIME Client, you should now see your email address, with a green check mark next to it. This indicates that you have succeeded with your email verification, at a Class 1 level. Log out of startssl.com.
Now, you are going to export and back up your certificate/key in a secure way, and import it into your "keychain" or mail client, so as to be able to sign and encrypt email.
1. In Firefox, go to Tools, Options (or Preferences), Advanced, Encryption, and click the button: "View Certificates".
2. Click on the tab, 'Your Certificates'. Click once to highlight the 'StartCom Free Certificate' line. Click on 'Back-up'. Choose a name for the backup, and use PKCS12 Files for the file-type. Click save. Choose a secure password, write it down in your notes, and enter it twice in the dialogue box. Because you may very well save this back-up for use over some time on a USB thumb drive, it should be a secure and memorable password. You can now close Firefox. It's time to import the cert/key files into your mail client.
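One way to check the PKCS12 backup from the command line before importing it anywhere, assuming the openssl tool is installed. This is an added example, not part of the original how-to; the helper make_sample_p12, the password and the mailbox alice@example.org are constructed stand-ins for your own backup file and address.

```shell
#!/bin/sh
# Added example, not from the original post. The backup password is read from
# the P12_PASS environment variable so it never appears on a command line.

# check_p12 FILE MAILBOX
# Returns 0 only if FILE opens with the password, contains a private key,
# and holds an unexpired certificate issued for MAILBOX.
check_p12() {
    p12=$1; mailbox=$2
    # Pull out the user certificate only; no key material is extracted here.
    cert=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null) ||
        { echo "cannot open backup: wrong password or damaged file"; return 1; }
    # The key is re-encrypted on output, so it is never shown in the clear.
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts \
        -passout env:P12_PASS 2>/dev/null | grep -q 'PRIVATE KEY' ||
        { echo "backup holds no private key"; return 2; }
    # The certificate is bound to one mailbox; compare it with the expected one.
    printf '%s\n' "$cert" | openssl x509 -noout -email | grep -qixF "$mailbox" ||
        { echo "certificate was not issued for $mailbox"; return 3; }
    # -checkend 0 fails if the certificate has already expired.
    printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired"; return 4; }
    printf '%s\n' "$cert" | openssl x509 -noout -subject -issuer -enddate
}

# make_sample_p12 DIR MAILBOX (hypothetical helper)
# Builds a constructed, self-signed stand-in for a real CA-issued backup.
make_sample_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Constructed Sample/emailAddress=$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -out "$1/backup.p12" -passout env:P12_PASS
}

# Demo on constructed data; for a real backup, export P12_PASS and call
# check_p12 with your own file and mailbox.
demo_dir=$(mktemp -d)
export P12_PASS='constructed-demo-password'
make_sample_p12 "$demo_dir" alice@example.org &&
    check_p12 "$demo_dir/backup.p12" alice@example.org
rm -rf "$demo_dir"
```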
I'll outline how to import the key/cert pair for use in Windows XP and Thunderbird. (In Linux or Mac, find and follow instructions on how to add the certificate/key file to your secure "keychain".)
First understand that the certificate can only be used for the same mailbox which you gave to StartCom. It is specific to that mailbox and that mailbox only. Let's install it.
1. In Windows XP, you may simply double-click the cert/key file icon, and follow the Import Wizard. Type in the password you created, enable strong key protection (highly recommended), and mark the key as exportable. Click next.
2. Choose 'Place all certificates in the following store', and browse to select the 'Personal' store.
This should make the certificate available to XP programs, like Outlook Mail.
3. Now open Thunderbird. Go to your account settings for your mailbox, and click the Security settings line (at the bottom of the list, to the left side of the box). Now click on 'View Certificates'. Now click on the 'Your Certificates' tab, and click on 'Import'. Choose a good password here to secure the folder which holds your personal key/cert files. Now enter the password which secures the cert/key file, so it can be imported into the folder. (See how important it is to safeguard these files! It's like keeping your passport in a safe...) You should now see the information from your certificate/key set in the Thunderbird Certificate Manager. Click ok to close that box.
4. Now, back in Account Settings, again on the Security tab, you can now select that certificate for digital signing and encryption. Click on 'Select', and choose your StartCom, Ltd cert for both Digital Signing, and Encryption.
Now you can try sending a signed e-mail, if you like:
1. Start a new e-mail. At the top, where it says 'Security', click and choose 'Digitally Sign this Message', then send it as normal. The recipient will see information in the header of the e-mail identifying the sender, and associating the certificate with StartCom, Ltd.
2. To send encrypted email, both you and the recipient must have exchanged signing certificates. This happens automatically when you sign your email. The recipient's email client software will save the certificate, and can use it to handle encrypted email at a later date from the same sender. For you to send encrypted email, again, at the top of a new email, as you compose it, find the security tab, and in the drop down menu select both digital signing, AND encryption. It may be necessary to input the passwords which lock your certificates folder, and possibly the password locking the certificate key file, depending on how you've secured these on your computer. SO KEEP TRACK OF THOSE PASSWORDS!
It's worth it to make those key/cert files secure, because if you lose control of them, you could be impersonated. Laptops and desk computers DO get stolen. Keep those files protected!
3. If you are receiving encrypted email, your browser will pretty much automatically locate the keys, and present the message in a readable form. If you are getting email on a different computer, without having set it up for signing/encryption, the email will have its content saved as an encrypted attachment, which can be made readable by resending it to a system set up for decryption.
So that's pretty much it. I hope this has worked for you. Leave a comment if I've made any mistakes, and I'll try to improve these notes to correct them. Good luck!
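The exchange described in steps 1 to 3 above, reproduced with the openssl command line so each stage is visible. This is an added example, not part of the original how-to; alice and bob are constructed identities with self-signed certificates standing in for CA-issued ones, and new_identity, smime_exchange and can_open are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the original post: alice and bob are constructed
# identities with self-signed certificates standing in for CA-issued ones.

# new_identity DIR NAME -> DIR/NAME.key and DIR/NAME.crt (hypothetical helper)
new_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$2/emailAddress=$2@example.org" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# smime_exchange DIR: runs the whole exchange and prints what alice decrypts.
smime_exchange() {
    d=$1
    new_identity "$d" alice && new_identity "$d" bob || return 1
    # 1. Alice sends bob a signed message; her certificate travels inside it.
    printf 'Hello Bob, this is Alice.\n' |
        openssl smime -sign -signer "$d/alice.crt" -inkey "$d/alice.key" \
            -out "$d/signed.eml" || return 1
    # 2. Bob's client checks the signature and saves alice's certificate.
    #    -noverify skips chain validation only because the sample certificate
    #    is self-signed; a real client validates the chain up to the CA.
    openssl smime -verify -noverify -in "$d/signed.eml" \
        -signer "$d/alice.learned.crt" -out /dev/null 2>/dev/null || return 1
    # 3. Bob signs a reply, then encrypts it to the certificate he learned.
    printf 'Hi Alice, reply for your eyes only.\n' |
        openssl smime -sign -signer "$d/bob.crt" -inkey "$d/bob.key" |
        openssl smime -encrypt -aes256 -out "$d/reply.eml" \
            "$d/alice.learned.crt" || return 1
    # 4. Only alice's private key opens it; she then checks bob's signature.
    openssl smime -decrypt -in "$d/reply.eml" -recip "$d/alice.crt" \
        -inkey "$d/alice.key" |
        openssl smime -verify -noverify 2>/dev/null
}

# can_open DIR NAME: succeeds only if NAME's key decrypts the reply.
can_open() {
    openssl smime -decrypt -in "$1/reply.eml" -recip "$1/$2.crt" \
        -inkey "$1/$2.key" >/dev/null 2>&1
}

# Demo on constructed data in a throwaway directory.
work=$(mktemp -d)
smime_exchange "$work"
rm -rf "$work"
```

The reply is unreadable to anyone without alice's private key, including bob's own key, which is why losing the key/cert backup means losing access to mail encrypted to it.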

