Bill Lovett

Securing Your Email with Certificates

Earlier this year I read about Tim Bray upgrading his email environment, specifically with regard to digitally signing all his messages. Just as SSL certificates on the web help you verify that a website is who it claims to be, email certificates tell your recipients that your message was really sent by you.

Any extra bit of email-related trust is a good thing, especially when spam and viruses will happily hijack your email address in the hopes of bypassing your spam filters or just to be generally nefarious. In the past few days I've gotten a lot of spam with my name and/or email address in the "From:" line. No need to twist my arm; I'm jumping on the S/MIME bandwagon.

"S/MIME" is part of the jargon of email certificates. You can get all the details from the Internet Mail Consortium. I opted for S/MIME over PGP because it's more readily supported by email clients. I'm also not going hardcore with all this; it's more of an experiment. From Tim Bray's post, S/MIME seemed like an easy-enough first step.

Tim Bray writes about getting his certificate from Thawte. I looked around there for a while, and their "web of trust" idea sounded too complicated for my purposes. It's a point system: the more points you acquire from other people with certificates, the more trustworthy you become. I didn't stick around long enough to figure it all out.

The world of SSL is bigger than just Verisign and Thawte, though. I went with InstantSSL, a service of a company called Comodo. Best of all, their office is literally next door.

Here's a rough outline of what I did:

  1. Signed up for a certificate. Accepted the default security options. The site didn't work right with Mozilla; I had to go in with Internet Explorer (on a PC).
  2. Received the confirmation email and clicked its special link back to the site (again with IE).
  3. InstantSSL's site embedded my certificate inside IE. If I were an Outlook or Outlook Express user, this would have been dandy. But I'm not. To export the certificate to my hard drive, I went to Tools->Internet Options->Content->SSL Certificates and followed the prompts. Eventually I ended up with a PFX file.
  4. I use Mozilla for email and web browsing, so I needed to import the PFX file. That was fairly straightforward: Edit->Preferences->Privacy & Security->Certificates->Manage Certificates. Mozilla's built-in help files were helpful here.
  5. Although Mozilla had the certificate at this point, I still needed to tell it to use it. From Mozilla Mail, I went to Edit->Mail & Newsgroup Account Settings->Security.

And that was pretty much it. I'm not saying I have the crème de la crème of email certificate implementations, but it's a whole lot better than what I had before, which was nothing. When I sign an outgoing message, the recipient's email program displays a little icon or flag indicating that the message's sender (me) is genuine. I could also encrypt my message if I were communicating with someone else who used a certificate, but that's overkill at this point.
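To make the PFX export/import steps above and the "little icon" concrete, here is an added example that is not from the original post: a shell script using the openssl command-line tool (assumed installed, 1.1.1 or 3.x) that stands in for the CA with a constructed self-signed certificate for a made-up "alice@example.com", bundles it into a PFX file the way the browser export does, pulls it back out the way the mail client import does, checks that the certificate is actually marked for email protection, signs a message, and then shows what the recipient's verification does with an untouched message versus one altered in transit.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the openssl CLI
# (1.1.1 or 3.x). The certificate is a constructed self-signed stand-in for
# a CA-issued one; "Alice Example" and "alice@example.com" are made up.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PFX_PASS=export-password   # constructed; the export wizard asks for one

# Steps 1-2 stand-in: mint a key and certificate whose extensions mark it as
# usable for S/MIME (emailProtection EKU, digitalSignature key usage).
make_cert() {
  cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Alice Example
emailAddress = alice@example.com
[smime]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:alice@example.com
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -config "$WORK/req.cnf" -extensions smime \
    -keyout "$WORK/alice.key" -out "$WORK/alice.crt" 2>/dev/null
}

# Step 3 stand-in: bundle key and certificate into a PFX (PKCS#12) file,
# which is what the browser's export wizard hands you.
export_pfx() {
  openssl pkcs12 -export -inkey "$WORK/alice.key" -in "$WORK/alice.crt" \
    -out "$WORK/alice.pfx" -passout "pass:$PFX_PASS" 2>/dev/null
}

# Step 4 stand-in: pull certificate and key back out of the PFX, as the
# mail client does on import.
import_pfx() {
  openssl pkcs12 -in "$WORK/alice.pfx" -passin "pass:$PFX_PASS" \
    -nokeys -clcerts -out "$WORK/imported.crt" 2>/dev/null
  openssl pkcs12 -in "$WORK/alice.pfx" -passin "pass:$PFX_PASS" \
    -nocerts -nodes -out "$WORK/imported.key" 2>/dev/null
}

# Check worth doing before relying on a certificate for mail: does it carry
# the E-mail Protection extended key usage? Echoes yes or no.
cert_is_smime() {
  if openssl x509 -in "$1" -noout -text | grep -q 'E-mail Protection'; then
    echo yes
  else
    echo no
  fi
}

# Step 5 stand-in: sign a message (multipart/signed, detached signature)
# with the imported key and certificate. $1 = plaintext, $2 = output.
sign_message() {
  openssl smime -sign -text -in "$1" -signer "$WORK/imported.crt" \
    -inkey "$WORK/imported.key" -out "$2" 2>/dev/null
}

# What the recipient's icon stands for: the signature checks out against a
# certificate the recipient trusts. Echoes valid or invalid.
verify_signed() {
  if openssl smime -verify -in "$1" -CAfile "$WORK/alice.crt" \
       -out /dev/null 2>/dev/null; then
    echo valid
  else
    echo invalid
  fi
}

# The email address bound to the certificate that made the signature.
signer_email() {
  openssl smime -verify -in "$1" -CAfile "$WORK/alice.crt" \
    -signer "$WORK/signer.pem" -out /dev/null 2>/dev/null
  openssl x509 -in "$WORK/signer.pem" -noout -email | head -n 1
}

make_cert
export_pfx
import_pfx
printf 'Hi Bob, the meeting is at noon.\n' > "$WORK/msg.txt"
sign_message "$WORK/msg.txt" "$WORK/msg.signed"
# A message altered in transit: change one word inside the signed body.
sed 's/at noon/at three/' "$WORK/msg.signed" > "$WORK/tampered.signed"

echo "cert usable for S/MIME: $(cert_is_smime "$WORK/imported.crt")"
echo "original message:       $(verify_signed "$WORK/msg.signed")"
echo "tampered message:       $(verify_signed "$WORK/tampered.signed")"
echo "signed by:              $(signer_email "$WORK/msg.signed")"
```

The verification step is the whole point of the icon: it only proves that the message body is unchanged since signing and that the signing certificate chains to something the recipient trusts, which is why the tampered copy is rejected. With a real CA-issued certificate the recipient's trust anchor is the CA's certificate rather than the self-signed stand-in used here, and a mail client will additionally compare the address in the certificate with the "From:" header.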

If you're considering getting your own certificate and you're on OS X, you might want to also read MacInTouch's Mail Certificates Report, as reported on donnunn.com.