Email is usually harmless. It is often simple, everyday conversation about something interesting, a daily event, or a possible contract. However, there are still many people using the Internet that continue to send passwords, credit card information, and personal information in unencrypted public email messages. The reality of the dangers that exist within email are not apparent to them. Even with the multiple problems exposed with major e-commerce sites, too few people consider email a danger. With the potential for identity theft and fraudulent account access, email encryption should be as ubiquitous as email itself but email encryption has not yet significantly penetrated the home and small business. When was the last time you received an encrypted email? Did you even know it was possible to do so without expensive software and support?

Email content security is typically done through one of two methods, personal email certificates or PGP. Each has their pros and cons. Each has capabilities for single user, manual implementation or enterprise, centralized, automated control.

The problem with Email Certificates and S/MIME

Certificate aware email applications supporting S/MIME can digitally sign an email you send to someone, allowing a recipient to prove that an email came from you and has not been modified in transit by someone else (aka non-repudiation). Another person, also with a certificate aware email program, can use your public key and send an encrypted email to you that only you can decrypt with your private key. S/MIME relies on the multipart/signed MIME type that is described in RFC 1847 for moving signed messages over the Internet. The signature is created using the entire body of the email message. It is common today for companies and free email providers to modify an email message as it passes through their email servers by adding disclaimers or ads to the end of the email. This modification invalidates the email’s digital signature making the use of email certificate digital signatures and MIME in general an ineffective non-repudiation method. (*Note, this is also a problem with PGP/MIME and OpenPGP/MIME for the same reasons). But the encryption function when using email certificates still works, right? It sure does but can you trust an encryption key you received from someone who’s identity you cannot validate? Opinions vary.

If you would like to learn more about how to use email certificates and get some practical personal experience using one, try a personal email certificate from Thawte.com. You’ll have to convince a colleague to do it too so you can practice sending signed and encrypted email messages back and forth between each other.

Pretty Good Privacy for Email

There are two types of PGP use in email:

1. Inline-PGP
2. PGP/MIME

Unlike email certificates, PGP can be used in-line as well as through MIME. The in-line method is usually manual but allows support of all email clients including webmail. In other words, the email client can have no awareness of PGP at all. The in-line method allows the PGP application to copy the text that is to be secured to the clipboard, encrypt and/or sign it, and then paste the cipher text back into the email window. To the email client the PGP cipher text is nothing special; it is just a long string of text in the body of the email (but your spellchecker will not like it-DO NOT modify PGP cipher text). Other text and objects can be added before or after the in-line PGP text and they do not tamper with or invalidate the PGP security. In other words, inline-PGP allows only part of an email body to be signed and/or encrypted without affecting or being affected by any other part of the email body.

A Few PGP Implementations to Try

• Mozilla Thunderbird for Windows and Enigmail OpenPGP add-on

Don’t use Thunderbird? Try these:

• PGP Desktop Trial Software (Client Only). My personal favorite for free inline-PGP.
• GnuPG and Gpg4win. Not as fancy but they work. (Gpg4win works with Microsoft Outlook)

Don’t Give Up

If you’re not familiar with public key encryption, certificates, or PGP then your first attempt at using them can be challenging. It may take a period of trial and error before you have all the options and capabilities working and configured exactly how you want them. Press on, and reply to this post with any questions or comments.