During the WWDC 2011 keynote, Apple announced that iOS 5 would support S/MIME. That announcement makes it the perfect topic to kick off my Foundations segments. In this article I will describe what S/MIME is, why you should use it, and why you should start using it now, so that once iOS 5 ships you will appreciate that S/MIME email is available on your phone as well.
From my two years of using S/MIME email, I've found that there are two groups of people who use it: a) government, b) tech geeks. I can understand the lack of adoption for general email use, as there are several hurdles to overcome before S/MIME works for you. But first the main question: what is S/MIME, and why should I be using it?
Definition
S/MIME stands for Secure/Multipurpose Internet Mail Extensions and is a standard for public-key encryption and signing of MIME data (an email message) [1]. It lets you do two things:
- Prove to your recipients that YOU actually sent the email, and that nobody altered it on the way
- Send and receive email encrypted, so that only the intended recipient can read it
Example Story of Bad Email
Everyone has received the email from a family member or friend where the subject line seems a little… odd. Upon opening it you realize it is spam (argh, they got me to open spam!). Somehow a spammer was able to put your friend's email address in the From field (this is called spoofing), which, understandably, made you comfortable enough to open and read the message. Plain email makes this trivial: nothing in SMTP checks that the From address belongs to whoever is sending. There are worse scenarios than a spoofed address, such as a trojan on your friend's computer or an actual compromise ("hacking") of the account… but the concept is the same: you opened an email that wasn't really from your friend or family member. This experience is what motivates a more secure form of email.
First, signing. I like to compare signing an email to putting a wax seal on a letter back before email or a government-operated post office existed. People knew that a letter with a particular wax seal came from a particular sender, and so knew it was authentic and could be trusted; a signed S/MIME email works the same way. The difference is that a wax seal can be copied, while an S/MIME signature is computed with a private key that only the sender holds, and any change to the message after signing makes the signature fail to verify. Apple's Mail (or any other mail application) shows the "signed" icon only when the signature checks out against a certificate it trusts. If you don't see that icon on a message from someone who normally signs, you should be suspicious that the email isn't really from that sender.
So how do you encrypt email?
Question: when you send a letter through the post office, do you simply print a piece of paper and drop it in the mailbox, or do you put it in an envelope? Why the envelope? So people can't read what is inside it! If you are worried about people reading your letter, why do you send an email without a virtual "envelope"? As an email passes through every router and switch… and from one mail server to another… without being inside that virtual envelope (that is, encrypted), anyone along the path, and anyone with access to the mail servers where it is stored, can read your letter. Yes, it's a little dramatic, but it is entirely possible.
Now that I have piqued your interest in sending signed and/or encrypted email messages, how is it done? It starts with certificates. Certificates don't have to be hard, but they take some getting used to, and there are several complications when dealing with them:
- Certificates must come from a "third party" (a certificate authority, or CA).
- Certificates must be shared in some fashion (fortunately email makes this simple).
- Certificates expire.
- Certificates require a mail application (not a browser).
So why do certificates have to come from a "third party"? The easiest way to explain this is with another analogy. If you buy a used car, do you take the dealer's word for it, or do you get a Carfax report or send the car to your own mechanic to check it out? A third party (the certificate authority) performs the checks to ensure that the person requesting a certificate actually controls the email address it names (that is, that they are the one who should own that wax seal); your mail application trusts the CA, and therefore trusts the certificates it has issued. A certificate you issued to yourself proves nothing to anyone else, which is why mail applications don't trust one. The other issue is that most email certificates last only one year, so you have just begun the never-ending cycle of annually renewing your certificate. Note that with anything done once a year (versus monthly, weekly, or daily) you may have to re-learn each year how to obtain your certificate, so I suggest taking notes.
So what about the second bullet? It needs a little more background on how certificates are created with your third party. When you request your email certificate, you choose a password and two items are generated: a private key and a public key (the certificate is your public key and your email address, signed by the CA). Your private key must be kept private and safe! It is what decrypts messages from your family and friends, and it is the only way you can read a message that someone has encrypted to you. If you lose your private key it cannot be recovered, so you will never again be able to open any message that was encrypted to it; for the same reason, keep the old private key when you renew, because mail encrypted to last year's certificate still needs last year's key. Other people send you encrypted messages using your public key, which is automatically attached every time you "sign" an email message.
Let's put this exchange in a more real-life scenario. I want to have my taxes done by a CPA, so I need to send him all of my tax documents. I could fax the documents or simply use USPS, but since this is 2011 let's use email… secure email, via S/MIME! I send a signed email to my CPA that simply states "Please reply with a signed email message so I can send my tax information." The CPA's signed reply carries his public key (his certificate), which my mail application stores and then uses to encrypt my next email containing all of my tax information. The CPA's private key decrypts my email automatically, and he is able to download the tax documents. Note that the message is encrypted to the CPA's key; unless your mail application also encrypts your Sent copy to your own certificate (most do), you will not be able to reopen it yourself. [2]
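The key handling described above and the taxpayer-to-CPA exchange can be walked through end to end with the openssl command-line tool. This is an added example, not code from the original post or from any mail application: Alice plays the taxpayer and Bob the CPA, the addresses and message body are constructed for the demo, and the certificates are self-signed for convenience, which is exactly what a real recipient must not trust (see the "third party" point). It requires a reasonably recent openssl binary.

```shell
#!/bin/sh
# Added example (not code from the original post): an S/MIME round trip
# with the openssl command-line tool. Alice plays the taxpayer, Bob the
# CPA; the addresses and the message are constructed for this demo.

# make_identity NAME EMAIL DIR: one self-signed key pair, i.e. DIR/NAME.key
# (the private key, never shared) and DIR/NAME.crt (the certificate holding
# the public key). A real certificate would be issued by a CA after it
# verified the address; anyone can make a self-signed one for any address.
make_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$1/emailAddress=$2" \
        -keyout "$3/$1.key" -out "$3/$1.crt" 2>/dev/null
}

# smime_roundtrip: prints "ok" and returns 0 when every step behaves as the
# article describes; on a failure it prints which step went wrong and leaves
# the working directory in place for inspection.
smime_roundtrip() {
    dir=$(mktemp -d) || return 1
    make_identity alice alice@example.com "$dir"
    make_identity bob   bob@example.com   "$dir"
    printf 'Attached are my W-2 forms for 2010.\n' > "$dir/body.txt"

    # 1. Alice signs with her PRIVATE key; her certificate (PUBLIC key)
    #    travels inside the signed message, which is how Bob obtains it.
    openssl smime -sign -text -in "$dir/body.txt" -out "$dir/signed.eml" \
        -signer "$dir/alice.crt" -inkey "$dir/alice.key" \
        -from alice@example.com -to bob@example.com -subject 'Tax documents'

    # 2. Bob verifies against the certificates he trusts (here Alice's own
    #    self-signed cert; in real life, the CA's certificate).
    openssl smime -verify -text -in "$dir/signed.eml" -CAfile "$dir/alice.crt" \
        -out "$dir/verified.txt" 2>/dev/null \
        || { echo "step2: verification against trusted cert failed"; return 1; }
    grep -q 'W-2 forms' "$dir/verified.txt" \
        || { echo "step2: verified content does not match"; return 1; }

    # 3. The same message checked against the WRONG trust anchor must fail:
    #    this is the "wax seal" check, and it is what the signed icon means.
    if openssl smime -verify -in "$dir/signed.eml" -CAfile "$dir/bob.crt" \
        -out /dev/null 2>/dev/null; then
        echo "step3: untrusted signer was accepted"; return 1
    fi

    # 4. A signed message is also tamper-evident: change one word of the
    #    clear-signed body and the digest no longer matches the signature.
    sed 's/W-2 forms/W-9 forms/' "$dir/signed.eml" > "$dir/tampered.eml"
    if openssl smime -verify -in "$dir/tampered.eml" -CAfile "$dir/alice.crt" \
        -out /dev/null 2>/dev/null; then
        echo "step4: tampered message was accepted"; return 1
    fi

    # 5. Alice encrypts to Bob's PUBLIC key (the cert from his signed reply).
    #    The wire form contains no plaintext: this is the virtual envelope.
    openssl smime -encrypt -aes256 -in "$dir/body.txt" -out "$dir/enc.eml" \
        -from alice@example.com -to bob@example.com -subject 'Tax documents' \
        "$dir/bob.crt"
    if grep -q 'W-2' "$dir/enc.eml"; then
        echo "step5: plaintext visible in encrypted message"; return 1
    fi

    # 6. Only Bob's PRIVATE key opens it; Alice's own key must fail, which
    #    is why losing a private key means losing every message sent to it.
    if openssl smime -decrypt -in "$dir/enc.eml" -inkey "$dir/alice.key" \
        -recip "$dir/alice.crt" -out /dev/null 2>/dev/null; then
        echo "step6: wrong private key decrypted the message"; return 1
    fi
    openssl smime -decrypt -in "$dir/enc.eml" -inkey "$dir/bob.key" \
        -recip "$dir/bob.crt" -out "$dir/decrypted.txt" 2>/dev/null \
        || { echo "step6: decryption with the right key failed"; return 1; }
    grep -q 'W-2 forms for 2010' "$dir/decrypted.txt" \
        || { echo "step6: decrypted content does not match"; return 1; }

    rm -rf "$dir"
    echo ok
}
```

Run `smime_roundtrip` after sourcing the file; it prints `ok` when all six steps behave as described. Step 3 is the part that makes a certificate authority necessary: with `-CAfile` pointing at a certificate the verifier does not trust, the signature is rejected even though it is mathematically valid, and in a real deployment that file holds the CA's certificate rather than the sender's own.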
The nice thing is that once you have your certificate, most email applications make sending signed and/or encrypted email simple. Where doesn't S/MIME work? Any web-based platform such as Gmail, Hotmail, Yahoo, etc. You can configure your mail application to use their service via IMAP or POP, and then S/MIME works… you just cannot use the webmail version of their service. If someone sends encrypted mail to your account and you open it anywhere other than a mail application that has your private key installed… it will not open.
Footnotes
-
[2] Most email applications let you encrypt a message with a single button. Screenshots of Mail and iOS will follow in future posts.
Comments are closed. If you have a question concerning the content of this page, please feel free to contact me.
Comments
Axel J Ambert
So! How can I download an S/MIME?
prettygreenparrot
You can get an S/MIME certificate from instantssl and StartSSL among others.
Grischa Wolf
I don't think you can download free S/MIME certs. As there is a vetting process included to ensure your identity, it might come at a cost. My personal favorite is GlobalSign, pricey, but fast and secure.
Isaias M Solorio Lopez
Hi, I haven't been able to get on my Facebook account because of the login code that I need, and I've lost it because I bought a new phone and got a new number with it. I really need to get back into my account.
Diane Gagnon
Trying to send an email but it will not allow it to be sent as it is not encrypted and needs the S/MIME setting. How do I change from the lowest to this?
Justin
Hello Diane,
My guess is the person that you are trying to send an email to has not sent a "signed" email. This would then provide you with their public key, which would allow you to encrypt your email.
Dani
Is S/MIME a good thing to have or bad?
Justin
When security is a primary concern, S/MIME is a good thing. This article is pretty old, as it was originally written in 2011, but it is still valid.
I'm sure there are other options today that allow you to securely send data that may fit users' needs better than generating certificate keys, but this is still used.
Jeremy Easter
I'm wondering if it's possible (not simply being nice when I say you seem to be a smart guy with well-written, easily understood emails) just to ask what's the simplest way to have those settings (bar slid on or off) in email?
GNBritt
So this would heavily cut down on or eliminate spam and junk mail? Sign me up if that's true.
Justin
Hello GNBritt,
I don't think this would reduce the spam, but it would reduce the number of messages that you would need to focus on. If the message wasn't encrypted for you, you can assume that person is not a "known" person.
Alejandro Guerrero
Hello Justin,
I hope you are still reading these comments. I stumbled onto this page because I'm trying to understand what S/MIME offers over regular SSL/TLS. If you are already sending encrypted email with SSL/TLS, why would you use S/MIME? Doesn't SSL/TLS already ensure authentication, integrity and confidentiality?
Justin
Hello Alejandro,
Think of this the same way you think about encryption in general. True security of data being transferred from one party to the other requires two levels: encryption over the wire, and encryption at rest.
Encryption over the wire is your TLS connection. This establishes the handshake so the two parties can pass data to each other in a secure fashion. However, once the file is on the server… a generic email will be in plain text, while an S/MIME email is going to be a bunch of text garbage unless it can be decrypted by your private S/MIME key.
Hope this helps.
Person A
*piqued, not peaked
Justin
Fixed. Thanks!
Ike
Can a PGP key generated for example by earthlink webmail be used as a certificate in S/MIME?
Justin
PGP/GPG is a different application from S/MIME, but functionally it does the same thing. What makes PGP/GPG different is that you have to have it installed, versus only using certificates on your machine.
Justin
Have not researched this, but it does not look good for PGP & S/MIME. https://efail.de