If you want to get in touch with me, email is the best way. The address is firstname.lastname@example.org. I tried obfuscating the address, but the bots get it anyway from other places, so why bother making your life harder?
I do receive piles of spam, so I have uber-spamfilters on my email server. If you know how to use public keys, you might want to try signing and encrypting your message.
To evangelize a little, there are two major reasons why you should encrypt your email.
- Email is inherently an insecure method of communication. You should think of your email as a postcard – every person on the Internet between you and the recipient can read it. Unlike a postcard, the people that handle your email are not always the professionals that work for the United States Postal Service. You can fix this by giving people a public key with which to encrypt messages to you (like the one above), and decrypting those messages with your private key.
- Email is easy to forge – it is easy to fake a mail header so that an email looks like it is from you, but really isn’t. It is also easy to alter email en route so that the content of the message is changed, which is basically the same as forging it (think of all the advertisements that “free” email services put on the bottom of your mail). You can fix this by signing your email with your private key; others can then verify that it is from you with your public key (the ads still get appended, but outside the signed portion, which is the content you actually sent).
Signing email is actually pretty easy – only you need to know how to sign your messages with your key, and if the other person doesn’t verify the signature, that’s their problem. If they try to hold you to a message you didn’t send, and you ask to see it, you can give them that smug, techno-superior look and say, “I didn’t send that – I sign my messages, and you can’t prove it was me otherwise.”
Signing your email is also a sign that you give a darn, especially to people that know how. Like signing a letter, it conveys a personal touch, even if your secretary typed up the letter and you signed it without looking away from your YouTube. It also means you care about combating the flow of spam, though it won’t be long before spammers start encrypting their mail.
If you want information on using public keys to sign and/or encrypt mail, you should know six things up front:
- Encrypting your email is a giant pain in the… ankle (signing is easy).
- In order for encryption to work correctly, both users on either end need to know how to do it.
- There are two primary ways to do signing/encryption, PGP keys and S/MIME, and while you only need to know one to use it, you practically need to know both.
- You can’t do it on webmail (unless you control your own web and email server, I mean really control, as in “in your house under lock and key so no one can physically access it” control). Some claim that certain webmail providers support signing, because the signing happens in the browser. If you are using the same computer to send your mail from (which you need to be to trust your keys and install the browser extensions), why aren’t you just using an email client? Beyond that, I don’t trust web browsers of any stripe anyway – they are attacked too often.
- Many email clients do not support it (the big four desktop clients, Outlook, Windows Mail/Outlook Express, Mac’s Mail.app, and Thunderbird do, and support both methods with free extensions – beyond that, I do not know).
- You can’t rely on spam filters and, more importantly, anti-malware on your server when dealing with encrypted messages (signed but unencrypted messages are still fine). If the point of encryption is to keep other people’s eyes out of your email, you have to recognize that “other people” includes your server-side spam and malware protection. You must do malware scanning on your client, and you must make sure that your malware scanner not only supports encryption, but also supports the type of encryption you use – if your software doesn’t, the scan will happen before the email is decrypted instead of after, and the detector won’t be able to read the email or give you any protection. Thus, encrypting email might become a security risk, but I have never received an encrypted email that infected my computer.
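The two benefits described at the top of the page (signing, so that a forged or altered message is detectable, and encryption, so that only the holder of the private key can read the mail) and the point just above (a relaying server and its spam/malware scanner see only ciphertext) played out with GnuPG, as an added example that is not part of the original page. It assumes the gpg binary (GnuPG 2.x) is installed, works entirely inside a throwaway key ring under a temporary directory so it never touches your real ~/.gnupg, and uses placeholder names and addresses.

```shell
#!/bin/sh
# Added example (not from the original page): signing, tamper detection and
# encryption with GnuPG, in a throwaway key ring. Requires gpg (GnuPG 2.x).
set -eu

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/ring"
mkdir -m 700 "$GNUPGHOME"
# Stop the agent that gpg spawns for this ring and remove the ring on exit.
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT

# Placeholder identities (hypothetical, not real mailboxes).
ALICE="Alice Example <alice@example.invalid>"   # sender
BOB="Bob Example <bob@example.invalid>"         # recipient

# Common flags: never prompt, and take the (empty) passphrase from the command
# line. An unprotected key is only acceptable because this ring is deleted on
# exit; a real key gets a passphrase.
GPG="gpg --batch --yes --quiet --pinentry-mode loopback --passphrase="

# 1. Each party generates a key pair. Both land in one ring here so the script
#    can play both sides; in real life only the public halves are exchanged.
$GPG --quick-generate-key "$ALICE" default default never
$GPG --quick-generate-key "$BOB" default default never

# 2. Alice writes a message and clear-signs it with her private key.
printf 'Meeting moved to Tuesday at 10.\n' > "$WORK/msg.txt"
$GPG --local-user "$ALICE" --clearsign --output "$WORK/msg.asc" "$WORK/msg.txt"

# Anyone holding Alice's public key can check the signature: prints GOOD when
# the text is exactly what she signed, BAD otherwise.
verify_signed() {
    if gpg --batch --quiet --verify "$1" 2>/dev/null; then echo GOOD; else echo BAD; fi
}

# 3. Someone en route edits the signed text (the day is changed). The
#    signature still sits on the message, but no longer matches the content.
sed 's/Tuesday/Friday/' "$WORK/msg.asc" > "$WORK/forged.asc"

# 4. Alice encrypts a second message to Bob's public key. Only Bob's private
#    key can open it; every server relaying it sees only the armored ciphertext.
printf 'payroll figures attached\n' > "$WORK/secret.txt"
$GPG --trust-model always --armor --recipient "$BOB" \
     --output "$WORK/secret.asc" --encrypt "$WORK/secret.txt"

# How many times a plaintext word appears in a file: this is all a server-side
# spam or malware filter could match on.
visible_hits() { grep -c "$1" "$2" || true; }

# Bob decrypts with his private key.
decrypt_for_bob() { $GPG --decrypt "$1"; }

echo "original signature:  $(verify_signed "$WORK/msg.asc")"      # GOOD
echo "altered en route:    $(verify_signed "$WORK/forged.asc")"   # BAD
echo "'payroll' visible to the relaying server: $(visible_hits payroll "$WORK/secret.asc")"  # 0
echo "Bob reads: $(decrypt_for_bob "$WORK/secret.asc")"
```

The edit in step 3 is the "altered en route" case from the list above: the message still carries Alice's signature block, but verification fails because the signed text no longer hashes to what she signed. Step 4 is why a server-side filter is blind to encrypted mail: the only thing it can inspect is the armored ciphertext, so scanning has to happen on the client after decryption.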
Perversely, it is easiest to use encryption on Linux, and hardest on a Mac (with Windows in the middle, as always). Again though, if you think about the Mac’s perverse learning curve, it makes sense. If you are still interested in trying it, I have provided a series of links below.
If you are primarily an Outlook, Thunderbird, or Mac Mail.app user, might I suggest the S/MIME method – it requires you to either purchase or obtain a free certificate from a central authority like VeriSign (pay $20) or Comodo (free).
If you are simply using the key for private email, the free version is sufficient. After a year with Comodo, I paid for the VeriSign version because it has an online directory where you can look up people’s public keys to send them email, and people trust them a little more (credit card at the end of the rainbow).
Both sites have very clear instructions on how to set up your keys in Outlook, Windows Mail, and Thunderbird. Mail.app users on Macs will find excellent instructions on O’Reilly’s MacDevCenter site.
The “other white meat” is PGP encryption, which relies on a “web of trust” for identity verification (as opposed to a credit card number for VeriSign, or none at all for the free certificates), and normally requires a plug-in for your email application. For this to work, you need GnuPG on your computer, and the plug-in for your email client. Linux users normally find both already installed, and I would direct you to your distribution’s documentation for support. Windows users are best served with gpg4win, but I understand Outlook 2007 support is still “beta” at best. Thunderbird users on Windows need gpg4win and the Enigmail extension. Mac users on Thunderbird need said extension, and MacGPG. Users of Mac’s Mail.app will have the hardest time; they need the MacGPG package and the GPGMail extension. You can find the documentation online.
If you want the whole kit and caboodle, “easy”, and don’t mind shelling out for a little software, head to PGP Corporation. Their baseline product is $99, and has tons of bells and whistles for Outlook, Thunderbird, and Mac’s Mail.app in an easy-to-use interface. For $164, you can purchase their Desktop Email product, which also encrypts IMs and comes with a year of support. Since I took twenty minutes of a poor rep’s life, the least I could do is plug the product.
So that’s it, good luck with the encryption project.