In the last InfoTech I introduced you to Cryptography – the art of encoding things so they cannot be read by strangers. This week’s article is a bit more practical. I will show you what you need to secure your own email, and prevent other people from sending emails in your name.
The Tools – Email Software
If you use email software like Outlook Express or Thunderbird, securing your email is very simple. You must obtain what is known as a certificate – this allows you to digitally sign your mail with a public key. Recipients of such signed mail will then be able to store your signature and send you encrypted mail, which you decode with your private key. Free certificates can be requested from Thawte.
Do not do this in an internet café. This does not work for Hotmail or Yahoo users. See the end of this article for suggestions for users of internet cafés.
To register you must give some personal information – this includes a national identification number, such as the one found on your passport, driver's license or ID card. You will also need to choose a password – make sure you do not forget it, and do not make it too easy to guess. You must then select five security questions and give corresponding answers – these will be used if you forget your password. Once enrolled you can change the questions. After going through all this you will be sent an email with further instructions – this confirms that you are the person who collects email at the address you gave. Follow these instructions to complete your enrolment with Thawte.
Once enrolled you can request certificates. Log in to your Thawte account at https://www.thawte.com/cgi/personal/contents.exe with your email address and password. This page allows you to request a new certificate – you can also add other email addresses (you must use a different certificate for each one). For now, click on the Request button. Follow the instructions and you will soon be sent an email. Click on the link in the email to install your certificate. Phew!
Now that you are certified, you can sign messages. In Outlook Express, create a new email. Before sending it, click on the Tools menu and select Digitally Sign. Send the email as normal. If you have received a signed message from someone else, you will be able to send them encrypted messages by selecting Encrypt message in the Tools menu. Messages sent in this way cannot be read in transit; they can be read only by the person with the original certificate/private key.
You will be warned if you receive a message that has been tampered with in any way, or if a message is signed with the wrong certificate. Since certificates are stored on the computer you use, it is not a good idea to set up email software for secure mail in an internet café – the next person would be able to sign emails and pretend to be you – isn’t it bad enough when you forget to sign out of Messenger and the next person fools your friend for a while?
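Certificate-based signing in mail clients such as Outlook Express and Thunderbird uses the S/MIME standard, which the `openssl` command-line tool also implements. The following added example (not part of the original article) reproduces the tamper and wrong-certificate warnings and the encrypt/decrypt round trip described above; the self-signed certificates, the names alice and carol, and all file names are assumptions standing in for a CA-issued certificate.

```shell
#!/bin/sh
# Constructed demo: self-signed certificates stand in for CA-issued ones.
# The names, addresses and file names below are assumptions for this example.

make_identity() {  # $1 = dir, $2 = name -> $1/$2.key (private) and $1/$2.crt
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2/emailAddress=$2@example.com" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

sign_mail() {      # $1 = dir, $2 = signer, $3 = message file, $4 = output
    # Signing needs the sender's private key; the certificate travels along.
    openssl smime -sign -text -in "$3" -out "$4" \
        -signer "$1/$2.crt" -inkey "$1/$2.key" 2>/dev/null
}

verify_mail() {    # $1 = signed mail, $2 = certificate the recipient trusts
    # Exit status 0 only if the body is unmodified and the signer chains to $2.
    openssl smime -verify -in "$1" -CAfile "$2" -out /dev/null 2>/dev/null
}

encrypt_mail() {   # $1 = message, $2 = recipient certificate, $3 = output
    # Encrypting needs only the recipient's public certificate.
    openssl smime -encrypt -aes256 -in "$1" -out "$3" "$2" 2>/dev/null
}

decrypt_mail() {   # $1 = dir, $2 = recipient, $3 = encrypted mail -> stdout
    openssl smime -decrypt -in "$3" \
        -recip "$1/$2.crt" -inkey "$1/$2.key" 2>/dev/null
}

demo() {
    d=$(mktemp -d) || return 1
    make_identity "$d" alice && make_identity "$d" carol || return 1
    printf 'Meet at 10:00\n' > "$d/msg.txt"          # constructed sample mail
    sign_mail "$d" alice "$d/msg.txt" "$d/signed.eml" || return 1
    sed 's/10:00/11:00/' "$d/signed.eml" > "$d/tampered.eml"
    verify_mail "$d/signed.eml"   "$d/alice.crt" && echo "intact mail: accepted"
    verify_mail "$d/tampered.eml" "$d/alice.crt" || echo "tampered mail: rejected"
    verify_mail "$d/signed.eml"   "$d/carol.crt" || echo "wrong certificate: rejected"
    encrypt_mail "$d/msg.txt" "$d/alice.crt" "$d/enc.eml" || return 1
    decrypt_mail "$d" alice "$d/enc.eml"
    rm -rf "$d"
}
demo
```

The `.key` file is the part that must never be left on a shared computer: anyone who holds it can run the signing and decryption steps in the owner's name.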
Encryption for Internet Café Users
Unfortunately, convenient secure email is not really available for those who do not have their own computer on which to store certificates. Two webmail providers, Hushmail and Cryptomail, offer secure email, but only between users of the same system (e.g. email@example.com to firstname.lastname@example.org). If you feel the need to secure your email, you had better encourage your friends to get a free account with one of these providers. Hushmail is the easiest to set up, while CryptoMail promises to allow secure email with users of some other systems in the near future.
Do you need encryption?
Most people do not currently feel the need to encrypt their email. However, with governments increasingly wanting to keep tabs on their citizens, and a huge rise in the number of hackers out there spying on our personal details, I believe that in ten years' time everyone will want to secure their emails most of the time. Remember, unencrypted email is more like sending a postcard than a letter! Privacy is not the same thing as secrecy – we all have the right to avoid snoopers!
- www.thawte.com – provider of free email certificates
- www.hushmail.com – encrypted web mail, simple, but limited.
- www.cryptomail.org – another encrypted web mail system – complex.
- www.schneier.com/crypto-gram.html – Bruce Schneier’s monthly security newsletter – fascinating reading on cryptography and security in general.