November 30, 2012 by Daniel
PGP, GnuPG, OpenPGP – it goes by lots of names these days. The first time I read about it, in the excellent Code Book by Simon Singh, it was PGP.
If you’ve no idea what I’m talking about already, it’s worth reading this overview by the author of PGP, Philip Zimmermann, as to why he created a tool for people to use encryption (after all, that’s what computers were invented for, kind of).
There are plenty of tools to use it with now, but what struck me as odd was Outlook 2010’s lack of support for it. There’s really only the OutlookPrivacyPlugin that works with it, and even then it doesn’t support PGP/MIME, which is a shame. Outlook natively works with S/MIME quite well.
So it’s over to Thunderbird and Enigmail. It’ll even put email headers in telling people where to get your public key (mine’s here by the way!)
There’ll be some more to come from me on this. PGP is still pretty handy for encrypting your own files. The tools to do it with X.509 Certificates as described recently by me aren’t as easy to use. Personally I find I want to be sure I can decrypt a file some time down the line and PGP has been doing the job for quite some time now. Of course – longevity is useful if someone breaks the encryption methods!
November 2, 2012 by Daniel
I’ve been discovering lots about sending emails with digital signatures in the past couple of days and for lack of a better place I’ll write some things up here.
You can get a free certificate from Comodo (and probably other places). It lasts a year so you will need to get a new one after that. If you try to get a new one before the old one has expired you need to revoke the original one.
Outlook’s support for S/MIME signing is quite good and works without hassle. You install the certificate with the Import/Export button in Trust Center -> Email Security. There’s an option there to Publish to GAL. It says it did it, but I’m not sure how to verify the fact. If you’ve done it right then you get a little ribbon in the icon for messages you’ve sent (and of course encrypted messages are displayed, unencrypted!)
You can select whether you want to sign or encrypt by default or per message (Create a new message and click Options, it’s there in Permission whether to sign or encrypt). To Encrypt, as usual you need to have been sent a message by the person you are sending to with a digital signature.
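Encryption needs a signed message first because the S/MIME signature carries the sender's certificate, and that certificate holds the public key to encrypt to. The following is an added example, not part of the original post, that walks through the exchange with the `openssl` command line; the self-signed certificate, the names and the file names are all constructed for the demo.

```shell
#!/bin/sh
# Added example: why a signed S/MIME message must arrive before you can encrypt.
# Everything here (Alice, her self-signed certificate, file names) is constructed.
smime_roundtrip() {
  dir=$(mktemp -d) || return 1
  (
    cd "$dir" || exit 1
    # Constructed stand-in for the certificate a CA would issue to the sender.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
      -subj "/CN=Alice Example/emailAddress=alice@example.com" \
      -keyout alice.key -out alice.crt 2>/dev/null || exit 1

    # 1. Alice sends a signed message; her certificate travels inside the signature.
    printf 'Signed hello from Alice\n' > msg.txt
    openssl smime -sign -in msg.txt -signer alice.crt -inkey alice.key \
      -out signed.eml || exit 1

    # 2. Bob verifies it and saves the signer certificate found in the message.
    #    (-CAfile trusts the self-signed demo cert; a real client uses its CA store.)
    openssl smime -verify -in signed.eml -CAfile alice.crt \
      -signer from_sig.crt -out /dev/null 2>/dev/null || exit 1

    # 3. Bob can now encrypt a reply, using only what the signed message gave him.
    printf 'Encrypted reply from Bob\n' > reply.txt
    openssl smime -encrypt -binary -aes256 -in reply.txt \
      -out reply.eml from_sig.crt || exit 1

    # 4. Only Alice's private key opens it. Losing alice.key means losing the mail.
    openssl smime -decrypt -in reply.eml -recip alice.crt -inkey alice.key
  )
  rc=$?
  rm -rf "$dir"
  return $rc
}

smime_roundtrip
```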
iOS Mail supports S/MIME albeit a little strangely but it does work which is the main thing. The best way to get the certificate onto the device is to attach the .p12 file in an email to yourself. There are lots of ways to export the certificate; the easiest is probably to find your certificates in your web browser settings.
You need to turn on S/MIME in the account under Advanced and select Sign and Encrypt according to your preferences. Then it will let you select the certificate you just installed. There’s no way to change these settings on a per email basis so I’ve left Signing on and intend to use Encryption when necessary.
iOS does some odd checking to see whether it is able to Encrypt a message. If it’s an Exchange account it will check the GAL first with no fall back if it’s not there, which is an issue for GMail accounts set up through Exchange. I’ve swapped mine from Exchange to the standard Gmail connector. So S/MIME works but push email no longer will. I will see what I prefer on that one – I hope it’s something Apple and Google fix between them although I suspect it probably won’t get fixed due to the GMail solution being a nonstandard Exchange install (I suspect).
If all is set up correctly signed emails have a little tick next to the sender with a little lock if it’s encrypted.
Outlook Web Access does support it, but only on Internet Explorer 7 or 8. Which is a little disappointing if you use OWA when you’re not using something that is IE7/8. You probably need to have your certificates with you too so sending signed email on the move is probably best done from your mobile.
It’s a good idea to keep your certificates somewhere safe too, otherwise if something happens and they get deleted then you will be unable to read encrypted mail anymore.
I did also set up DKIM signing for my domain using Google Apps for your Domain but it’s kind of trivial to write up, just involves pasting in an SPF record in DNS that gets generated for you.
Some useful links:
Despite both of these pages describing iOS5, iOS6 is much the same process.