Nanoman.ca

Secure Email Using S/MIME

Email Security

Sending an ordinary email message is about as private as sending a postcard. The message travels and is stored as plain text, so anyone who can read or modify the traffic at any of the following points can read or alter it. (Transport encryption between two mail servers, where it is used at all, only covers the wire between those two hops; the message is still handled in the clear on every server in this list.)

  • your computer
  • your local network
  • the Internet routers between your network and your outgoing mail server
  • your outgoing mail server
  • the servers and/or Internet routers between your outgoing mail server and the destination mail server
  • the destination mail server
  • the servers and/or routers between the destination mail server and the recipient's computer
  • the recipient's computer
  • anything that is used to connect any of the above (wires, radio waves, et cetera)

S/MIME Digital Signatures

An S/MIME digital signature lets the recipient check two things: that the message was not altered after it was signed, and that it was signed with the private key belonging to the certificate named in it (normally the sender's). When you send a signed message, your email client hashes the message body and attachments, signs that hash with your private key, and attaches the signature as a file called "smime.p7s", together with a copy of your certificate. If the recipient's email client supports S/MIME, an icon or similar indicator shows whether the message arrived precisely as it was signed, provided the client trusts the certificate authority that issued your certificate. If the recipient's email client doesn't support S/MIME, they simply see an attachment called "smime.p7s" (the signature file) and the message itself reads normally. Note that the signature covers the body and attachments, not the envelope headers: a changed Subject, From or To line does not invalidate the signature.

Digitally signing your messages is the only way a recipient can tell that what they received is what you wrote. Examples:

  • A technical problem during transmission corrupts your message.
  • A malicious attacker intercepts one of your messages, alters it to include false or inflammatory information, and relays the modified version to the recipient.
  • Someone sends a message with your address in the From line from a server you have nothing to do with.

Without a digital signature the recipient has no way of knowing, in any of these cases, whether the message arrived as you sent it, or whether you sent it at all. With one, the first two cases show up as a failed signature, and the third arrives without a valid signature from your certificate, which only helps if your correspondents have come to expect one, so sign consistently. Either way, an unsigned or altered message can cause problems for both you and the recipient.
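The two failure modes above, and the header caveat, as an added example that is not part of the original guide: the same signing and verification done with the openssl command-line tool instead of a mail client. The key pair, the addresses alice@example.com and bob@example.com, and the message text are constructed for the demo; the self-signed certificate stands in for one issued by CAcert.org, and the script trusts it directly with -CAfile, where a real recipient would trust the issuing CA's root instead.

```sh
#!/bin/sh
# Added example, not part of the original guide: what an S/MIME signature does
# and does not protect, using the openssl command-line tool in place of a mail
# client. The key pair, addresses and message text are constructed for the
# demo; the self-signed certificate stands in for one issued by CAcert.org and
# is trusted directly via -CAfile.
set -eu
command -v openssl >/dev/null || { echo "openssl is required" >&2; exit 1; }
WORK=$(mktemp -d)
cd "$WORK"

# Alice's throwaway key pair and certificate (constructed).
openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Alice Example/emailAddress=alice@example.com" \
    -keyout alice.key -out alice.crt 2>/dev/null

# The body a mail client would sign: a MIME part, headers included (constructed).
printf 'Content-Type: text/plain\n\nPay invoice 42 to account 1234-5678.\n' > body.txt

# Clear-sign it. The result is a multipart/signed message: the readable body,
# then the detached signature as an attachment named "smime.p7s", as the guide
# describes. The signer's certificate is embedded in that attachment.
openssl smime -sign -in body.txt -signer alice.crt -inkey alice.key \
    -from alice@example.com -to bob@example.com -subject "Invoice" \
    -out signed.eml

# Two things an attacker relaying the message could do:
sed 's/account 1234-5678/account 9999-0000/' signed.eml > tampered.eml          # edit the body
sed 's/^Subject: Invoice/Subject: URGENT: pay today/' signed.eml > reheaded.eml  # edit a header

# Verify FILE against a trust store holding Alice's certificate; prints OK or FAIL.
smime_verify() {
    if openssl smime -verify -in "$1" -CAfile alice.crt -out /dev/null >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Email address in the certificate carried by FILE's signature (openssl only
# writes the signer certificate out when verification succeeds).
smime_signer_email() {
    openssl smime -verify -in "$1" -CAfile alice.crt -signer signer.crt \
        -out /dev/null >/dev/null 2>&1 && openssl x509 -in signer.crt -noout -email
}

echo "p7s attachments in signed.eml: $(grep -c 'filename="smime.p7s"' signed.eml)"  # 1
echo "signed by:                     $(smime_signer_email signed.eml)"  # alice@example.com
echo "original:                      $(smime_verify signed.eml)"        # OK
echo "body changed in transit:       $(smime_verify tampered.eml)"      # FAIL
echo "Subject changed in transit:    $(smime_verify reheaded.eml)"      # OK, headers are not signed
```

The last line is the caveat worth remembering: the signature binds the body and attachments, so a relayed message with a rewritten Subject or From line still verifies. A mail client that shows a "valid signature" icon is vouching for the content, not for the envelope.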

CAcert.org Account

Before you can digitally sign your email messages, you need an S/MIME certificate: a certificate authority's signed statement that a given public key belongs to your email address. Most commercial certificate authorities charge for S/MIME certificates, but some, such as CAcert.org, issue them for free. Two caveats apply to CAcert.org: its root certificate is not shipped in most browsers and mail clients, so your recipients must install the CAcert root before their mail client will show your signature as trusted; and until your identity has been assured through CAcert's web of trust, the certificate identifies only your email address, not your name.

To create your CAcert.org account, follow these steps:

  1. Open Mozilla Firefox.
  2. Go here: https://www.cacert.org/
  3. On the right side of the CAcert.org homepage, click "Join".
  4. Fill out the form and follow the instructions to create your CAcert.org account.

Create S/MIME Certificate

To create your S/MIME certificate, follow these steps:

  1. Open Mozilla Firefox.
  2. Go here: https://www.cacert.org/
  3. On the right side of the CAcert.org homepage, click "Password Login".
  4. Log in to your CAcert.org account.
  5. On the right side of the CAcert.org "Account" page, go to "Client Certificates" -> "New".
  6. Beside your email address, put a check in the "Add" checkbox.
  7. Click "Next".
  8. Set "Key Size" to the highest grade available.
  9. Click the "Create Certificate Request" button.
  10. Wait while your private key and S/MIME certificate are generated. Firefox generates the key pair on your computer and sends CAcert.org only a certificate request containing the public key; the private key never leaves your browser's certificate store, which is why the following steps export a backup of it.
  11. Click the "Click here to install your certificate" link.
  12. Click "OK" to close the "Your personal certificate has been installed" window.
  13. Open the "Firefox Preferences" window (see this website's "Mozilla Firefox" page if you don't know how to open it).
  14. Go to "Advanced" tab -> "Encryption".
  15. Click the "View Certificates" button.
  16. Go to the "Your Certificates" tab.
  17. Select your certificate from the list (it will probably be the only one).
  18. Click the "Backup" button.
  19. Save the S/MIME backup file to your Desktop, and give it an appropriate name like "smime.p12".
  20. Create a good password to encrypt your S/MIME backup file. This file contains your private key: anyone who obtains it and guesses the password can sign messages as you and read messages encrypted to you, so the password is the only thing protecting it. Keep the file somewhere safe (it is also the only way to recover your key, and with it your encrypted mail, if your Firefox or Thunderbird profile is lost), and remove the copy from your Desktop once you have imported it into Thunderbird.
  21. Log out of your CAcert.org account by clicking the "Logout" link on the right side of the page.

Install S/MIME Certificate

To install your S/MIME certificate, follow these steps:

  1. Open Mozilla Thunderbird.
  2. Open the "Account Settings" window (see this website's "Mozilla Thunderbird" page if you don't know how to open it).
  3. Under your email address on the left side of the "Account Settings" window, select "Security".
  4. Click the "View Certificates" button.
  5. Go to the "Your Certificates" tab.
  6. Click the "Import" button.
  7. Open the "smime.p12" S/MIME backup file that you saved to your Desktop.
  8. Enter the password that you used to encrypt your S/MIME backup file.
  9. Click "OK" to close the "Certificate Manager" window.
  10. Under "Digital Signing", click the "Select" button.
  11. Select your certificate and click "OK".
  12. When asked "Do you want to use the same certificate to encrypt & decrypt messages sent to you?", click "Yes".
  13. Put a check in the checkbox beside "Digitally sign messages (by default)".
  14. Click "OK" to close the "Account Settings" window.
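The "Create S/MIME Certificate" and "Install S/MIME Certificate" procedures above, as an added command-line example that is not part of the original guide and does not use CAcert.org: a throwaway "Toy Demo CA" created inside the script stands in for CAcert.org, and the name Jane Example, the address jane@example.com and the backup password are constructed for the demo. It shows what the GUI steps do underneath: the key pair is generated locally and only a certificate request goes to the CA (steps 8 to 10), the CA returns a certificate restricted to email use, and the key, certificate and CA chain are exported to a password-protected PKCS#12 backup (steps 18 to 20) that Thunderbird later imports (install steps 6 to 8).

```sh
#!/bin/sh
# Added example, not from the original guide: the command-line equivalent of
# the "Create S/MIME Certificate" and "Install S/MIME Certificate" procedures,
# using the openssl tool. A throwaway "Toy Demo CA" created here stands in for
# CAcert.org; every name, address and password is constructed for the demo.
set -eu
command -v openssl >/dev/null || { echo "openssl is required" >&2; exit 1; }
WORK=$(mktemp -d)
cd "$WORK"

# Steps 8-10: the browser generates the key pair locally and sends the CA only
# a certificate signing request (CSR). The same thing on the command line:
openssl req -new -newkey rsa:4096 -nodes \
    -subj "/CN=Jane Example/emailAddress=jane@example.com" \
    -keyout smime.key -out smime.csr 2>/dev/null

# The CA side (CAcert.org in the guide; a throwaway CA here). Its config is
# given explicitly so the result does not depend on the system openssl.cnf.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Toy Demo CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -x509 -config ca.cnf -extensions v3_ca -days 2 -newkey rsa:2048 -nodes \
    -keyout ca.key -out ca.crt 2>/dev/null

# Extensions that make the issued certificate usable for S/MIME: signing and
# key transport, restricted to email protection, bound to the email address.
cat > smime.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:jane@example.com
EOF
openssl x509 -req -in smime.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 2 -extfile smime.ext -out smime.crt 2>/dev/null

# Steps 18-20: the backup. A PKCS#12 file holds the private key, the
# certificate and the CA chain, protected only by its password, so the
# encryption algorithms are pinned here rather than left to OpenSSL's
# (historically weak) defaults.
P12_PASS='correct horse battery staple'   # constructed; choose your own
openssl pkcs12 -export -in smime.crt -inkey smime.key -certfile ca.crt \
    -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256 \
    -passout "pass:$P12_PASS" -out smime.p12

# How many PRIVATE KEY blocks the CSR contains (what the CA gets to see).
csr_private_key_blocks() { grep -c 'PRIVATE KEY' smime.csr || true; }

# Is the issued certificate valid for S/MIME signing under the CA?  OK / FAIL.
chain_check() {
    openssl verify -CAfile ca.crt -purpose smimesign smime.crt >/dev/null 2>&1 \
        && echo OK || echo FAIL
}

# Install steps 6-8: opening the backup with a given password.  OK / FAIL.
p12_open() {
    openssl pkcs12 -in smime.p12 -nodes -passin "pass:$1" -out restored.pem 2>/dev/null \
        && echo OK || echo FAIL
}

# Does the key restored from the backup match the original?  Compares the
# SHA-256 digest of the public key derived from each private key.
restored_key_matches() {
    a=$(openssl pkey -in smime.key -pubout -outform DER | openssl dgst -sha256)
    b=$(openssl pkey -in restored.pem -pubout -outform DER | openssl dgst -sha256)
    [ "$a" = "$b" ] && echo OK || echo FAIL
}

echo "private key blocks in CSR: $(csr_private_key_blocks)"   # 0
echo "chain check:               $(chain_check)"              # OK
echo "open with wrong password:  $(p12_open 'guess')"         # FAIL
echo "open with right password:  $(p12_open "$P12_PASS")"     # OK
echo "restored key matches:      $(restored_key_matches)"     # OK
```

The file produced at the end is the same kind of "smime.p12" the guide has you save to your Desktop, which is why its password matters: the wrong-password check above is the only barrier between whoever holds the file and your private key.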

S/MIME Encrypted Messages

Having an S/MIME certificate allows people to send you encrypted messages: their mail client encrypts the message with the public key in your certificate, and only the matching private key (yours) can decrypt it. Like any email message, an encrypted one can still be intercepted and stored in transit, and the envelope headers (From, To, Subject, Date) remain readable, but the body and attachments are unreadable to anyone without your private key. This can be very useful if someone needs to send you private information by email. Two consequences follow from the key being yours alone: if you lose your private key (hence the backup file above), every message encrypted to it is gone for good; and encryption by itself says nothing about who sent the message, so correspondents should sign as well as encrypt.

Encryption works the same way in both directions: to send someone an encrypted message you need their certificate, and they need yours to reply. The easiest way to exchange certificates is a signed message, because an S/MIME signature carries the signer's certificate. When someone sends you a digitally signed message, Mozilla Thunderbird stores their certificate automatically, provided it was issued by a certificate authority you trust (for a CAcert.org certificate that means the CAcert root has been installed in Thunderbird), and from then on you can encrypt to that person; once you have sent them a signed message, they can encrypt to you. After that, you may choose to communicate with that person via encrypted email exclusively.
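The exchange just described, as an added example that is not part of the original guide: Bob sends a signed message, Alice extracts his certificate from the signature, encrypts to it, and Bob decrypts, all with the openssl command-line tool instead of Thunderbird. The names, the addresses bob@example.com and alice@example.com, the keys and the message text are constructed for the demo, and Bob's self-signed certificate stands in for one issued by a CA the sender trusts. It also makes two points from the paragraphs above concrete: what an intermediary can still read, and what happens to old mail when the private key is lost.

```sh
#!/bin/sh
# Added example, not part of the original guide: the "send a signed message
# first" bootstrap and what S/MIME encryption does and does not hide, using
# the openssl command-line tool in place of Thunderbird. Keys, addresses and
# message text are constructed for the demo; Bob's self-signed certificate
# stands in for one issued by a CA the sender trusts.
set -eu
command -v openssl >/dev/null || { echo "openssl is required" >&2; exit 1; }
WORK=$(mktemp -d)
cd "$WORK"

# Bob's key pair and certificate (constructed). Alice, the sender, needs no
# certificate of her own to encrypt; she only needs Bob's.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Bob Example/emailAddress=bob@example.com" \
    -keyout bob.key -out bob.crt 2>/dev/null

# 1. Bob sends Alice an ordinary signed message (constructed body).
printf 'Content-Type: text/plain\n\nHi Alice, this one is just signed.\n' > hello.txt
openssl smime -sign -in hello.txt -signer bob.crt -inkey bob.key \
    -from bob@example.com -to alice@example.com -subject "Hello" -out bob_signed.eml

# 2. Alice takes Bob's certificate out of the smime.p7s blob. Thunderbird does
#    this automatically and also checks that it chains to a CA it trusts; that
#    trust check is deliberately not done here.
openssl smime -pk7out -in bob_signed.eml | openssl pkcs7 -print_certs \
    | openssl x509 -out bob_from_sig.crt

# 3. Alice encrypts a private message to that certificate (constructed text).
printf 'Content-Type: text/plain\n\nMy account number is 1234-5678-9012.\n' > secret.txt
openssl smime -encrypt -aes256 -in secret.txt \
    -from alice@example.com -to bob@example.com -subject "Account details" \
    -out encrypted.eml bob_from_sig.crt

# Number of lines in FILE matching PATTERN; 0 is a valid answer, not an error.
count() { grep -c -- "$1" "$2" || true; }

# Decrypt FILE with certificate CERT and private key KEY; prints the last line
# of the plaintext, or FAIL if that key cannot open it.
decrypt_with() {
    _plain=$(openssl smime -decrypt -in "$1" -recip "$2" -inkey "$3" 2>/dev/null) \
        || { echo FAIL; return 0; }
    printf '%s\n' "$_plain" | tr -d '\r' | tail -n 1
}

# 4. What a mail server or eavesdropper sees: envelope headers in the clear,
#    the body only inside an opaque "smime.p7m" attachment.
echo "Subject readable in transit:    $(count '^Subject: Account details' encrypted.eml)"  # 1
echo "account number readable:        $(count '1234-5678' encrypted.eml)"                  # 0
echo "encrypted part attached as p7m: $(count 'filename="smime.p7m"' encrypted.eml)"       # 1

# 5. Only Bob's private key opens it. A key generated later, say after the
#    original was lost without a .p12 backup, cannot read old mail.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Bob Example/emailAddress=bob@example.com" \
    -keyout bob_new.key -out bob_new.crt 2>/dev/null
echo "decrypted with Bob's key:       $(decrypt_with encrypted.eml bob.crt bob.key)"
echo "decrypted with replacement key: $(decrypt_with encrypted.eml bob_new.crt bob_new.key)"  # FAIL
```

Note that nothing in step 3 tells Bob who encrypted the message; anyone holding his certificate could have. In practice Alice would sign the message with her own key first and then encrypt the signed result, which is what a mail client does when both options are turned on.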