The protocols for authenticating the sender of an email have always been very weak. For the most part it is an “honor” system, which is why spammers have such an easy time sending email with forged “From” addresses. We have needed effective email security for two decades now, and one of the impediments has been the availability of digital certificates for email at an affordable price (i.e. free). In addition to letting us authenticate a message’s sender, certificates also give us confidentiality and integrity, because they can be used to encrypt a message’s contents and to detect whether those contents were altered in transit.
Recently StartSSL began offering free trusted certificates that can be used for email and other purposes. The following instructions show how to obtain one of these certificates and configure Outlook 2007 to digitally sign your outgoing email.
NOTE: At this time, only Windows 7 will trust these certificates out-of-the-box; however, recipients who are running on Vista or XP can install the update for Windows Root Certificates (http://support.microsoft.com/kb/931125) to gain the same trust capability.
- Use a web browser other than IE8… (I used Mozilla Firefox v3.5). IE8 on Windows 7 wouldn’t allow me to create the certificate.
- Go to the StartSSL website at http://www.startssl.com/?app=1 (this is not an advertisement for these folks… you can get your certificate from any certificate provider, but this firm is currently offering them for free).
- Click on the Sign-Up button.
- Accurately provide your name, address, country, phone number and email. StartSSL may invalidate your certificate if you don’t answer all the questions accurately. This is for everyone’s protection!
- Click on Continue.
- Receive a verification code via email; copy and paste it into the verification form.
- Select a “High Grade” certificate.
- After the certificate has been generated, press “Install”.
- From the Mozilla Tools menu, select Options to open the Options dialog.
- In the Options dialog, select the Advanced toolbar item.
- Under Advanced, select the Encryption tab.
- Click the “View Certificates” button to open the Certificate Manager dialog.
- Find and highlight the StartCom Free Certificate Member entry under StartCom Ltd.
- Click on the “Backup…” button.
- Provide a password to protect your certificate file. IMPORTANT: You will need to remember this password, as you will not be able to use your exported certificate without it and there is no “recover password” capability.
- WARNING: Safeguard the certificate backup file by copying it to a memory stick or DVD, storing that in a safe place, and deleting the file from your computer’s hard drive. Anyone possessing this certificate file could potentially forge electronic correspondence in your name! Do not delete the file from your hard drive until after completing the rest of these instructions.
- Run Outlook 2007.
- Select Tools / Trust Center from the menu.
- Select the E-Mail Security tab.
- Check “Add digital signature to outgoing messages” and “Send clear text signed message when sending signed messages”. The second option sends the message body in readable form with a detached signature, so recipients whose mail client lacks S/MIME support can still read what you wrote.
- Click the Import/Export Digital ID button to open the Import/Export Digital ID dialog.
- Click the “Browse” button and locate the digital signature file that you previously exported from the browser.
- Provide the password that you used for exporting the digital signature and a friendly Digital ID name to identify it with (I suggest your email address or your name).
- Press OK on the Import/Export Digital ID dialog and you will be returned to the Trust Center dialog. Press the “Settings…” button.
- You will be taken to the “Change Security Settings” dialog. Click on the “Choose” button to select a signing certificate.
- Select the appropriate certificate from the “Windows Security” dialog box.
- OPTIONAL: If you have more than one certificate, click the “Click here to view certificate” link and check the “Subject” property on the Details tab of the Certificate Details dialog to confirm you have picked the right one.
- Press OK and you will see the “Importing a new private exchange key” dialog.
- I suggest keeping the default of Medium security; however, you can raise the security level to High, which requires you to type a password each time you digitally sign an email. This can be a pain, but it reduces the likelihood that your digital signature is used without your permission by a person at your keyboard or by a piece of malware. Press OK after you have made your selection, then press OK again to close the Trust Center dialog.
- Now that the configuration is complete, you can send email just as you normally would. The only difference is that it will now be digitally signed.
- When a digitally signed email arrives, it will show a small icon just to the left of the paperclip (attachment) icon.
- When you open a digitally signed email, you will see the certificate marker.
- To see the certificate’s authentication dialog, click on the certificate icon. If the certificate is valid, this dialog will show the message “Valid and Trusted” and the name of the person who sent you the email. The certificate itself can be inspected further by clicking the “Details…” button. Keep the “Warn me about errors in digitally signed email before message opens” checkbox checked.
- The “Details…” button displays a dialog with the certificate’s properties.
- By making use of digital signatures in our email, we can significantly improve the trustworthiness of email received over the Internet. Ultimately, assuming eventual widespread adoption, this would significantly reduce spam and phishing attacks.
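The backup file written by the browser’s “Backup…” button is a password-protected PKCS#12 (.p12/.pfx) container holding your private key and certificate. The following Python script is an added example, not code from the original post or from StartSSL. It uses the third-party cryptography package to build a constructed, self-signed stand-in for an email certificate, wrap it in a PKCS#12 blob, and then run the checks worth making before importing such a backup into a mail client: that the password opens it (there is no recovery path for a forgotten one), that the certificate carries a private key and an email address, that its key usage permits digital signatures and its extended key usage includes emailProtection, and that it has not expired. The demo email address, names and password are constructed.

```python
# Added example, not code from the original post or from StartSSL: sanity-check
# an exported S/MIME certificate backup (.p12/.pfx) before importing it.
# Requires the third-party "cryptography" package. The certificate, key,
# email address and password below are constructed for the demo.
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

DEMO_EMAIL = "alice@example.com"  # constructed, not a real mailbox


def build_sample_p12(password: bytes) -> bytes:
    """Make a self-signed stand-in for an email certificate and wrap key + cert
    in a password-protected PKCS#12 blob, the format the browser's Backup... writes."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, "Demo Free Certificate Member"),
        x509.NameAttribute(NameOID.EMAIL_ADDRESS, DEMO_EMAIL),
    ])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)  # self-signed for the demo; a CA signs the real one
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.SubjectAlternativeName([x509.RFC822Name(DEMO_EMAIL)]), critical=False)
        .add_extension(x509.KeyUsage(
            digital_signature=True, content_commitment=True, key_encipherment=True,
            data_encipherment=False, key_agreement=False, key_cert_sign=False,
            crl_sign=False, encipher_only=False, decipher_only=False), critical=True)
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.EMAIL_PROTECTION]), critical=False)
        .sign(key, hashes.SHA256())
    )
    return pkcs12.serialize_key_and_certificates(
        name=b"demo email id", key=key, cert=cert, cas=None,
        encryption_algorithm=serialization.BestAvailableEncryption(password))


def backup_opens_with(p12_bytes: bytes, password: bytes) -> bool:
    """True if the password unlocks the backup. A wrong password simply fails
    to decrypt the private key; there is no recovery path."""
    try:
        pkcs12.load_key_and_certificates(p12_bytes, password)
        return True
    except ValueError:
        return False


def _extension(cert: x509.Certificate, cls):
    # Return the extension value, or None if the certificate lacks it.
    try:
        return cert.extensions.get_extension_for_class(cls).value
    except x509.ExtensionNotFound:
        return None


def inspect_smime_p12(p12_bytes: bytes, password: bytes) -> dict:
    """Report whether the certificate in the backup is usable for S/MIME signing:
    private key present, an email address bound to it, digitalSignature key usage,
    emailProtection extended key usage, and not expired."""
    key, cert, _chain = pkcs12.load_key_and_certificates(p12_bytes, password)
    san = _extension(cert, x509.SubjectAlternativeName)
    ku = _extension(cert, x509.KeyUsage)
    eku = _extension(cert, x509.ExtendedKeyUsage)
    not_after = getattr(cert, "not_valid_after_utc", None)
    if not_after is None:  # older cryptography releases expose a naive UTC datetime
        not_after = cert.not_valid_after.replace(tzinfo=datetime.timezone.utc)
    report = {
        "has_private_key": key is not None,
        "san_emails": san.get_values_for_type(x509.RFC822Name) if san else [],
        "subject_emails": [a.value for a in cert.subject.get_attributes_for_oid(NameOID.EMAIL_ADDRESS)],
        "digital_signature": bool(ku and ku.digital_signature),
        "email_protection": bool(eku and ExtendedKeyUsageOID.EMAIL_PROTECTION in eku),
        "days_left": (not_after - datetime.datetime.now(datetime.timezone.utc)).days,
    }
    report["ok"] = (report["has_private_key"]
                    and bool(report["san_emails"] or report["subject_emails"])
                    and report["digital_signature"] and report["email_protection"]
                    and report["days_left"] > 0)
    return report


if __name__ == "__main__":
    blob = build_sample_p12(b"demo-export-password")
    print(inspect_smime_p12(blob, b"demo-export-password"))
    print("opens with wrong password:", backup_opens_with(blob, b"wrong"))
```

To inspect a real backup, read the .p12 file’s bytes from disk and call inspect_smime_p12 with the password you chose at export time; the report’s ok field is False if any of the checks fail, and backup_opens_with shows why a forgotten password cannot be worked around.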
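The “Send clear text signed message” option and the signature icon on received mail both come down to how S/MIME places the signature in the message. A clear-signed message is multipart/signed: the first part is the ordinary readable body and the second is a detached application/pkcs7-signature (older Outlook versions label it application/x-pkcs7-signature). An opaque-signed message is a single application/pkcs7-mime part whose base64 body contains both the text and the signature, so a client without S/MIME support sees only an attachment. The script below is an added example using only the Python standard library, not code from the original post. It classifies a raw message, recovers the text a non-S/MIME client could read, and hashes the signed entity exactly as transmitted, which is what a detached signature’s message digest covers, to show that any change to the body changes that digest. The two sample messages and their signature blobs are constructed placeholders rather than real CMS signatures, so no signature is verified here.

```python
# Added example (not from the original post): classify the S/MIME protection
# on a raw message and recover what a client without S/MIME support could read.
# Standard library only. Sample messages below are constructed; the signature
# blobs are placeholders, not real CMS signatures, so nothing is verified here.
import base64
import email
import email.policy
import hashlib

FAKE_SIG = base64.b64encode(b"placeholder, not a real CMS signature")

# Clear-signed (multipart/signed): body travels in the clear, signature detached.
CLEAR_SIGNED = b"\r\n".join([
    b"From: alice@example.com",
    b"To: bob@example.com",
    b"Subject: status",
    b'Content-Type: multipart/signed; protocol="application/pkcs7-signature";',
    b'    micalg=sha-256; boundary="b1"',
    b"",
    b"--b1",
    b"Content-Type: text/plain; charset=us-ascii",
    b"",
    b"The wire transfer is approved.",
    b"--b1",
    b'Content-Type: application/pkcs7-signature; name="smime.p7s"',
    b"Content-Transfer-Encoding: base64",
    b"",
    FAKE_SIG,
    b"--b1--",
    b"",
])

# Opaque-signed (application/pkcs7-mime): text and signature are both inside
# the base64 CMS blob, so a client without S/MIME sees only an attachment.
OPAQUE_SIGNED = b"\r\n".join([
    b"From: alice@example.com",
    b"To: bob@example.com",
    b"Subject: status",
    b'Content-Type: application/pkcs7-mime; smime-type=signed-data; name="smime.p7m"',
    b"Content-Transfer-Encoding: base64",
    b"",
    FAKE_SIG,
    b"",
])

# Outlook 2007 era clients use the x- prefixed media types; both spellings count.
SIGNATURE_TYPES = {"application/pkcs7-signature", "application/x-pkcs7-signature"}
CMS_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}


def classify_smime(raw: bytes) -> dict:
    """Return the S/MIME form of a message and the text readable without S/MIME."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed" and msg.get_param("protocol") in SIGNATURE_TYPES:
        signed_entity, signature = msg.get_payload()[0], msg.get_payload()[1]
        text = signed_entity.get_content() if signed_entity.get_content_type() == "text/plain" else None
        return {"form": "clear-signed", "micalg": msg.get_param("micalg"),
                "signature_type": signature.get_content_type(),
                "readable_without_smime": True, "text": text.strip() if text else None}
    if ctype in CMS_TYPES:
        smime_type = msg.get_param("smime-type")
        form = {"signed-data": "opaque-signed", "enveloped-data": "encrypted"}.get(smime_type, "other-cms")
        return {"form": form, "smime_type": smime_type, "readable_without_smime": False, "text": None}
    return {"form": "unsigned", "readable_without_smime": True,
            "text": msg.get_content().strip() if ctype == "text/plain" else None}


def signed_entity_digest(raw: bytes) -> str:
    """SHA-256 of the first MIME part exactly as transmitted (CRLF line ends),
    which is what a detached S/MIME signature's message digest covers."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not a clear-signed message")
    entity = msg.get_payload()[0].as_bytes(policy=email.policy.SMTP)
    return hashlib.sha256(entity).hexdigest()


if __name__ == "__main__":
    print(classify_smime(CLEAR_SIGNED))
    print(classify_smime(OPAQUE_SIGNED))
    tampered = CLEAR_SIGNED.replace(b"approved", b"rejected")
    print("digest changed after tampering:",
          signed_entity_digest(CLEAR_SIGNED) != signed_entity_digest(tampered))
```

Verifying the signature itself means parsing the CMS blob and checking it against the signer’s certificate chain, which the mail client (or a tool such as openssl smime -verify) does; this script stops at the structural checks that explain what the “clear text signed” option changes and why a signed message is readable without a certificate but not alterable without detection.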