Email Security
Posted on Friday, March 2nd, 2007 at 5:53 am under Tutorials.
Sometimes sensitive data needs to be sent via email and as it travels to its destination it can be intercepted by hackers, isps, the office i.t. geek or even a nosy government. In this tutorial, we’ll discuss how to use Apple’s Mail application to send secure emails that are signed and encrypted.
How does it work? Both parties get a free personal certificate from a trusted source and then we let Mail do the rest.
This tutorial is based on using Apple Mail on Mac OS X 10.4 (Tiger).
Step 1: Create a free Thawte account
From your browser, go to thawte.com and click on the Join button to create a free account. Follow the instructions to sign up and once completed, confirm your account through the email received.
Step 2: Request a Personal Email Certificate
Once your Thawte account is created and confirmed, you need to request a personal email certificate. Login to the Thawte website though your browser and click on the “Request a Certificate” link from the Certificates section of the menu. From there, select the X.509 format certificate and choose the default settings on the next screens. Note that you will be asked to choose what browser you are using, if you are on safari, you can just select the Firefox option and proceed to the next screen until finished.
Step 3: Install Certificate
Once the certificate request form is completed, you will receive a confirmation email that should have a link to download the certificate. If by any chance your email is lost, you can download it from the “View Certificate Status” section of the Thawte site. Keep note that a certificate is good for the computer that it was issued from. Double clicking the downloaded file called “deliver.exe” should open it up in the Keychain Access Application and install automatically. You can quit Keychain access now since it’s not required to be open to use the certificate.
Step 4: Test Certificate
To test the certificate just open a New Message window in Mail. As long as the email you certified is the one selected in the Account pulldown menu you will notice that there are now two new buttons on the right side of the window, a lock and a check-mark.
Signed Email
A signed email allows your recipient to verify your identity as the sender and also ensures that the message or it’s attachments have not been tampered with during transit. As long as your personal certificate is installed in your computer, you can send a signed email.
Encrypted Email
An encrypted message offers a higher level of security since the contents of the email are encrypted and can only be viewed when certificates for both the sender and the recipient are present. To send an encrypted message you must first send a signed email so that the recipient receives your certificate. The recipient then needs to send you an email so that both of you now have each other’s certificates, assuming the recipient has a personal email certificate.
When the email is received, Mail will show that it’s signed and encrypted by displaying it’s appropriate icon. For an encrypted message, if the recipient does not have the sender’s key, Mail will NOT display the message content. For example, if somebody sends me an encrypted email and I read it through my webmail, I will not be able to read it’s contents because it is an encrypted email. But if I read it through the Mail application and I have the sender’s key from a previews signed message then it will display properly.
Conclusion
Other than the process of going though an external website for obtaining a certificate, Mail’s integration of signed and encrypted messages is seamless. It’s a great feature that is just hidden until needed. Making the user experience simple and clean. And there’s nothing like discovering a great new feature on an App you’ve been using for a long time now.
UPDATE:
For those of you having problems getting it to work, Lisa seems to have found a workaround using Firefox. Here’s the exerpt from her comment.
- Fetch your certificate from Thawte’s site in Firefox (or another browser that will backup/export certificates). The certificate should be automatically installed.
- In Firefox (if that’s what you used), go to Preferences > Advanced > Encryption > View Certificates.
- Highlight your certificate and click the Backup button, save your p12 file, and choose a password for it.
- Go to Keychain Access and choose File > Import…, open the saved p12 file, and type your password when prompted.
- Your certificate should now appear in the ‘My Certificates’ section in Keychain. Then open Mail and give it another try — the buttons should be there, provided you have the correct account selected.
Mar 3rd, 2007 at 1:06 am
Nice article, thanks for explaining it so clearly.
Mar 3rd, 2007 at 7:28 pm
Thanks so much :) I have been wondering how to get my emails signed for a while now :)
Jeff
Mar 4th, 2007 at 2:17 am
Top post, thanks Melvin!
Mar 7th, 2007 at 10:17 pm
I’ve seen this before. As an added bonus, you can actually create your own certificates. OpenSSL can handle the whole process, and it’s built right in to OS X. :)
Mar 7th, 2007 at 10:19 pm
Oh, one more thing about this. I’ve had Windows users complain that signed messages will come through as an unreadable attachment in Outlook. So, if you decide to start signing every message, be prepared for some complaints. If only M$ could stick to established standards…
Mar 8th, 2007 at 12:08 am
Great instructions. Will use
Mar 8th, 2007 at 1:28 am
Really useful! Thanks!
Mar 8th, 2007 at 1:39 am
http://www.joar.com/certificates/ is actually a nicer guide.
But you both forget to visit a local web of trust, so your certificate is not really yours but “Thawte freemail member” to get your real name you need to see at least two wot people.
Mar 8th, 2007 at 3:38 am
This is a great article Melvin. Thanks.
Mar 8th, 2007 at 8:40 am
can someone explain how thawte works? this seems like the whole process rests on the trustworthiness of thawte. who are they and why should they be trusted? if thawte was hacked, wouldn’t everyone’s encrypted certificates be in jeopardy?
i really liked the instructions - thank you. i’ve always wanted to do this but stumbled when i get to the public certification process (thawte).
thanks!
Mar 8th, 2007 at 9:05 am
nice one, i’ve seen that in emails i’ve received at work before but never knew how to do it. as always i really enjoy the tutorials/hints!
Mar 8th, 2007 at 10:56 am
thanks. It is wonderful entry. I had a question though. I followed the direction, and now I have the certificate. I installed the certificate and it is active. I can see it in my Address book, but when I compose new message, there is no check mark box in the window. Can anyone tell me what is going on? Please let me know. Thanks
Mar 8th, 2007 at 11:30 am
After I finish this tutorial. Can I exchange encripted messages with Hushmail.com users?
Mar 8th, 2007 at 1:46 pm
Thanks for the clear directions. Like Jinesh, I’ve gone through the whole process and have checkmarks showing up in my Address Book entry next to me email addresses with certificates, but when I open Mail and compose a message, the sign and encrypt options aren’t there. Any suggestions welcome. Thanks.
Mar 8th, 2007 at 5:03 pm
If you’re in the Newark/NYC metro area, please visit my Thawte WOT page . . . we can notarize your Thawte certificates for free.
Mar 8th, 2007 at 8:26 pm
I’m with Drew and Jinesh - I’ve got it installed , OS 10.4, Mail 2.1.1 and no sign and encrypt options in Mail
Mar 8th, 2007 at 9:41 pm
I use Camino and when I get my email with the “deliever.exe” file, Keychain will not open and the certificate only gets installed in Camino. How do I get it into Keychain?
Mar 9th, 2007 at 10:00 am
I have tried this procedure before, i.e. obtained certificate, etc. but mail still insists on NOT allowing me to send signed emails. The options are still greyed out for the email address for which I obtained certification.
However, on another of my email addresses I have a certificate which was issued by the government and when using this email address to send mails I can sign them.
Any suggestions anyone ?
Mar 10th, 2007 at 1:36 am
Q: I have a certificate for my email address in my Keychain, why doesn’t Mail allow me to sign or encrypt email?
A: Verify that the email address in the certificate, and the one configured for the account in Mail, are typed exactly the same - including case. Even though the two addresses “John.Doe@mail.com” and “john.doe@mail.com” would most often be delivered to the same email account, Mail still treats them as separate identities while trying to match a certificate to an account (In order to comply with section 2.4 of RFC 2821 for SMTP).
Mar 10th, 2007 at 8:10 am
I followed all the instructions and Thawte and my browser (Firefox 2.0.0.2) tells me the certificate is installed.
But I find no sign of it in my keychain and my Mail.app doesn’t show any new buttons on new emails.
I never did get to the point of having a file “deliver.exe” on my desktop.
Did I miss something?
Thanks for your help.
Mar 10th, 2007 at 5:21 pm
Thanks for the Tutorial and for permitting me to post a link to it on my blog.
I’d like to ask two questions:
Q1 : I have a dotMac account and I have an encryption certificate for iChat, what happens if I do create one with Thawte too?
Q2: If I back up my Keychain and switch to another computer, will I lose the Certificate?
Thanks
Mar 13th, 2007 at 12:34 am
If things look right in Address Book but the buttons aren’t showing up in Mail for you, try this (sorry if I’m a bit off somewhere; I just figured this out yesterday and only went through it once):
- Fetch your certificate from Thawte’s site in Firefox (or another browser that will backup/export certificates). The certificate should be automatically installed.
- In Firefox (if that’s what you used), go to Preferences > Advanced > Encryption > View Certificates.
- Highlight your certificate and click the Backup button, save your p12 file, and choose a password for it.
- Go to Keychain Access and choose File > Import…, open the saved p12 file, and type your password when prompted.
- Your certificate should now appear in the ‘My Certificates’ section in Keychain. Then open Mail and give it another try — the buttons should be there, provided you have the correct account selected.
Mar 16th, 2007 at 8:14 am
Lisa: Thanks, that did the trick!
Mar 20th, 2007 at 8:28 am
Great tutorial. I ended up having to use the procedure from lisa since I am using firefox 2.0. I would also recommend putting in the opt-out link http://www.thawte.com/ucgi/gothawte.cgi?a=w179750802002000
Mar 20th, 2007 at 4:22 pm
Thank you very much Lisa, I’ve been trying for hours to get my 2nd addresses to work with this. Doing it the way you discribed finally did it.
Apr 11th, 2007 at 5:59 am
Brilliant tutorial Melvin, thank you very much. My certificate only appeared in Mail after following Lisa’s instructions, so thanks to you too Lisa!
Apr 14th, 2007 at 5:10 am
Actually, Lisa’s procedure works, but not always.
In my case it did not.
How to see whether a certificate can be used in your Mail.app:
it has to appear in Keychain Access not just under “Certificates” but under “My certificates”.
If it does not, then do the following:
1. back up the Thawte certificate you obtained;
2. from the Finder click twice the backup file;
3. supply the backup password.
After these steps, I guarantee it will appear in Keychain Access” under “My certificates”.
From then on, no problem whatsoever.
This applies to Mac OS X 10.4 (Tiger) only.
Aug 23rd, 2007 at 12:10 pm
When I double click on deliver.exe, it opens in TextMate rather than Keychain Access. Can anyone tell me how to get around that?
Sep 24th, 2007 at 7:42 am
[...] Email Security All Forces How to use Apple’s Mail application to send secure emails that are signed and encrypted. (tags: apple email howto mac macosx encryption mail.app mail osx security) Share and Enjoy: These icons link to social bookmarking sites where readers can share and discover new web pages. [...]
Oct 2nd, 2007 at 4:25 pm
[...] Email Security All Forces How to add a secure certificate to your .mac account (tags: security email osx mac encryption mail.app howto privacy dotmac) [...]
Nov 21st, 2007 at 2:02 pm
I’ve got things working, but with one problem. I can’t view encrypted items I have sent in my sent box (they are there but can’t be decrypted). I understand that I don’t have the recipients private key, but I would think that it would encrypt a copy with my public key for local storage. This seems to be what Entourage does on my work computer.
Any workaround?
Feb 9th, 2008 at 1:44 pm
This was a very helpful article. Thanks for it!
Feb 19th, 2008 at 1:33 am
It’s worth noting that if you follow the default options on the Thawte site then you can use your cert ofr signing but not for encryption.
After findind this out, I logged back into the Thawte site and requested a new certificate. This time I customised it to have the ‘Key Encypherment’ and ‘Data Encypherment’ options as well that the defualt ‘Digital Signature’. Aslo be sure to select ‘S/MIME’ as it’s not ticked by default.
Then when I went through the motions and imported my new cert (I don’t think you have to delete the old cert from the key chain, I did, but if you do you won’t be able to decrypt old emails sent to you). Then I was able to send encrypted emails in Mail.app on Leopard.
Mar 4th, 2008 at 5:07 am
[...] Email Security » All Forces - How to use Apple’s Mail application to send secure emails that are signed and encrypted [...]
Jun 7th, 2008 at 2:02 am
Great article, but if you run into problems be sure to read the posts other left behind for troubleshooting.
Also make sure your contact name in the Address Book application has the correct email displaying.
Be sure to read Lisa’s comments above, it solved my problem…thanks Lisa
Jul 4th, 2008 at 11:51 pm
A very well explanation of step by step procedure to get a free personal email certificate…now that emails have become the most powerful way of communicating,its always a better idea to get it secured…great post…thank you for sharing it with all of us.
Aug 11th, 2008 at 2:58 pm
[...] da GMail . . . - Age - Per visualizzare l’età dei contatti nella rubrica . . . - Email Security - Permette di inviare Mail [...]
Sep 11th, 2008 at 2:35 am
[...] da GMail . . . - Age - Per visualizzare l’età dei contatti nella rubrica . . . - Email Security - Permette di inviare Mail [...]