Thawte Web Of Trust Official Notary

Secure E-Mail

If you don't like the thought of people reading your e-mail whilst it's bouncing across the Internet, then you need to do something about it. That means securing it with encryption. You can use PGP (or GPG) and/or S/MIME.

S/MIME

To do S/MIME you need a certificate. This is something that identifies who you are, and contains the information required for someone to send you an encrypted message. It's very simple to do S/MIME if you are using common e-mail programs such as Outlook Express, Netscape Messenger, or a Mozilla-based package.

If you would like a FREE certificate, then you can enroll for one at Thawte by clicking on their links for personal certificates. The enrollment process is quite rightly thorough, and once you are registered you can create yourself as many certificates as you like. When a certificate is ready for collection, you are sent its location, and you collect it with your browser. If you use Netscape or Outlook, you're ready to start. If you use another email package, then you may need to export your certificate from your browser, including the private key. This will create a PKCS#12 file (.p12 or .pfx file extension). This can then be imported into your email client of choice (usually).

The next stage is to send your certificate to your contact. All you need to do is create a message, and select the options to "sign" that message. If you are using Outlook, it will help if you send a "clear signed" or "detached" signature, as it will be understood by more email tools. If you'd like to put your certificate onto a website, then that's a little more involved, but can be done.

Your contact should then send you a signed message, and depending upon your email client, it will probably install the certificate for you. Or you can import their certificate from a file or website. Now you have their certificate, you can encrypt your next message, and no-one else apart from you and the recipient can read it. If your mail tool is sensible, then it will automatically choose the option to encrypt a reply to an encrypted mail you receive. Very handy.
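The exchange described above can be reproduced with the OpenSSL command line. This is an added example, not part of the original page: the names, addresses and passphrase are constructed, and self-signed certificates stand in for the Thawte-issued ones, acting as their own trust anchor.

```shell
#!/bin/sh
# Added example. Names, addresses and the passphrase are constructed test values.
# Self-signed certificates stand in for CA-issued ones and act as their own trust anchor.

# $1 = name, $2 = e-mail; writes $1.key, $1.crt and $1.p12.
# The PKCS#12 file bundles certificate and private key under a passphrase.
make_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1/emailAddress=$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null &&
  openssl pkcs12 -export -inkey "$1.key" -in "$1.crt" \
    -out "$1.p12" -passout pass:example-only
}

# $1 = signer name, $2 = message file, $3 = output file.
# Without -nodetach the result is multipart/signed: readable text plus a detached signature.
sign_clear() {
  openssl smime -sign -in "$2" -signer "$1.crt" -inkey "$1.key" -out "$3"
}

# $1 = signed mail, $2 = trust anchor, $3 = file that receives the signer's certificate.
verify_signed() {
  openssl smime -verify -in "$1" -CAfile "$2" -signer "$3" -out /dev/null 2>/dev/null
}

# $1 = recipient certificate, $2 = message file, $3 = output file.
encrypt_to() {
  openssl smime -encrypt -aes256 -in "$2" -out "$3" "$1"
}

# $1 = recipient name, $2 = encrypted mail; prints the plaintext.
# MIME canonicalisation stores CRLF line endings, so the CRs are stripped again.
decrypt_as() {
  openssl smime -decrypt -in "$2" -recip "$1.crt" -inkey "$1.key" | tr -d '\r'
}

# Full exchange in a scratch directory; prints what Alice reads at the end.
demo() {
  dir=$(mktemp -d) && cd "$dir" || return 1
  make_identity alice alice@example.test && make_identity bob bob@example.test || return 1
  printf 'Here is my certificate.\n' > hello.txt
  sign_clear alice hello.txt signed.eml || return 1
  # Bob checks the signature and saves Alice's certificate out of the message
  verify_signed signed.eml alice.crt alice-from-mail.crt || return 1
  printf 'Meet at noon.\n' > secret.txt
  encrypt_to alice-from-mail.crt secret.txt encrypted.eml || return 1
  decrypt_as alice encrypted.eml
}
```

Run `demo` in a subshell, for example `(demo)`, to see the decrypted message. A signed message whose text has been altered in transit fails `verify_signed`, so the certificate inside it is not saved.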

At this time, I don't have my X.509 certificate available for download. If you want to contact me to request my cert, then please do so.

PGP and GPG

PGP is a slightly different method of doing the same thing. However, PGP can also be used to encrypt files and discs. A number of email clients can hook into PGP through various means. If you use Outlook and install PGP 6 or 7, then you have the option of installing a plug-in at the same time. Other email packages require third-party plug-ins, and in this case it's better to install PGP 6.5.8 (the last of the version 6 releases): NAI haven't yet released the source code for PGP 7, so the plug-in authors have a hard job making their plug-ins work with it. Alternatively, install the GNU version, called GPG, which offers a command line interface that the plug-in can interact with.

Once installed, PGP will generate a key pair for you, and this is usually identified by your email address. Once created, you can send your key to other people, or to public key servers. People can then install that key into their system, and from that point can encrypt emails or even files to send to you.

With a person's key installed, and a plug-in that interacts well with your email client, PGP is fairly easy to use; it's just getting set up in the first place that can be confusing for the beginner.

To obtain a copy of PGP or GPG itself, it's probably best to take a look at the International PGP Home Page. There may be various legal issues depending on which country you live in. This web site holds a lot more than just the PGP installation, and is a fine resource for all things PGP.

My PGP key

Copyright © 1995-2010 Dave Roberts