Email encryption and signing

with 2 Comments

People who want to email me are encouraged to sign and/or encrypt their emails.

What is email signing?

Email signing adds a cryptographic signature to your email. Using that signature, the recipient of a message can be certain that the message has not been tampered with or changed since sending. Any change in the message will automatically result in the signature becoming invalid. Depending on the trust given to a signature, the signature may also be used to authenticate the sender of the message, even if you never met them in person! This is done by independent verification of the senders credentials by a Certificate Authority (in the case of S/MIME certificates), or by looking up the key used for the signature (in the case of a PGP/GPG signature) in the “web of trust”.

What is email encryption?

Email encryption ensures that your email cannot be read by anyone but the intended recipient. This is done by changing your email text from normal text to coded text. Only the intended recipient can read your email as only they have the key needed to decrypt the coded form.

Why do you wish to receive signed and encrypted emails?

The internet is a great platform for everyone around the world to communicate and share their thoughts freely. Unfortunately, this freedom is abused by many to spew filth, knowing that they are anonymous and no one knows who they are. Many groups and forums have been destroyed because of this. I believe this anonymity is abused too frequently and that people do not take responsibility for what they say or write. By signing your email you take ownership of what you write, and as a result, I’ll take your message more seriously than a message written by an anonymous person I never heard of.

Furthermore, receiving a signed email from a trusted contact who advises me to install or upgrade software on my computer has more credibility than an unsigned email. Just think how many less phishing attempts there would be if banks would sign their messages to all of their customers!

Everyone has a right to privacy. Unfortunately, more and more governments and institutions disagree with this and have put policies and legislation into place to monitor and/or log all communications. And think about possibly bad behaved employees at your ISP that have access to your email box without you even being aware of their snooping. It is not about having things to hide that I prefer encrypted email, but about having the right to privacy and sticking to that right!

Great! I’m convinced! Now…. How do I sign / encrypt my email?

There are two ways to sign and encrypt emails. One uses certificates issued by a Certificate Authority, such as StartSSL, where you can get either a free certificate (where only your email address is verified), or a paid one if you want the certificate to also certify your identity. The other option is to use PGP (Pretty Good Privacy) or GPG (GNU Privacy Guard). These products allow you to create your own keys. PGP is a commercial offering, GPG is free to use and copy and most common keys of these two tools are compatible with each other so users of one tool can securely exchange emails with users of the other tool.

S/MIME certificates are mostly used internally at organisations and more email clients provide support for them “out of the box”. GPG can often be used together with your email client of choice either out of the box or using a plugin.

Further learning

If you want to learn more about GPG, I recommend the GPG Privacy Handbook.

Key

If you use GPG or PGP, you can find my current key here.

2 Responses

  1. jade
    |

    that just sounds like too much work 🙂

  2. Remmy
    |

    Perhaps so Jade… but most of it is a one time effort that you can use for many years afterwards. What happened in the other article, where people make up entire online identities would not be possible if more people would use signed keys by default.

    I also think that banks should sign their mails by default, instead of sending out emails saying not to trust phishing mails.

    There are many reasons other than paranoia which make signing and encrypting mail a good idea!

Leave a Reply