Email Security – Part 1: Certificate Signed Emails
How and why to install an email signing certificate
Long before Twitter or even SMS (Short Message Service), email was a dominant force in communication spanning from global business reach to the next cubicle over. It still is a highly utilized method of communication, but it brings many complications with it.
For example, the junk-mail game of the traditional stamp-and-drop postal service carried over easily into the digital space and was renamed spam. Some of it can be confusing to wade through: while some spam is as obvious as African royalty in a financial conundrum, other spam is sent from slight variations of trusted domain names. Does Amazon have a Customer Tracking and Assistance department, and why are they asking for password verification through a poorly worded and logo-less email?
Conversely, how can one ensure that legitimate outbound email is not flagged or mistaken for something insidious? In a 2015 study, Return Path reported that only 79% of (legitimate) commercial emails actually make it to the intended destination. 1 in 5 commercial emails gets filtered out or flagged one way or another. There are many ways this can happen, and many points in an email’s lifecycle where filtering or flagging can occur.
We are going to kick off my venture into the world of commercial blogging with a series about email security. Not only will we be reviewing methods to identify bad emails coming in and how to protect oneself, but we will also be looking into methods for successfully delivering emails and establishing a trusted and reputable brand.
Will Anyone Vouch For This Person?!
Verification of identity can be seen all over the world:
Police officer? “Let me see your badge number so I can phone it in.”
Knock on the door? Let’s have a look through the peephole to see if it is someone recognizable. Don’t recognize them? “Who are you?… Show me your girl scout license number so I can phone it in.”
Technical support for your account? “Would you confirm your mother’s maiden shoe size?”
Besides intuition, there are no basic human sensory cues to help verify the origin of an email, so it is a little more of a challenge. The display name, source email address and writing style are the best indications of whether an email is legitimate or was composed by a spoofer. One could also follow the cumbersome mail headers and trace the route the email took to see if it makes sense. However, the email sender can make this scrutiny a little less necessary.
Coupled with intuition, signing certificates via S/MIME (Secure/Multipurpose Internet Mail Extensions) assist in establishing trust between sender and receiver. The little red Outlook ribbon (green check in Gmail) on a signed email carries with it the chain of certificates back to the root of whichever authority issued it.
In a sense, a signing certificate tells the receiver, “I went out of my way to get a CA (certificate authority) to vouch for me. Also, I paid for it…..” For a recipient that one might be in frequent contact with, this can bring peace of mind at a glance.
Let’s Certify Some Emails
Now that we have gone over the generic overview of email certificates, let’s apply a certificate in practice. Despite the fact that it only accounts for a smallish percentage of total mail origination, this tutorial will go over the application of email certificates to Outlook 2016 on a Windows-based machine.
- Windows 7+
- Outlook 2016
- Possession of a proper security certificate file (.crt)
- Open Outlook 2016
- ‘File’->’Options’->’Trust Center’->’Trust Center Settings’
- Trust Center window will appear
- Select ‘Email Security’ in the left menu options
- Select ‘Import/Export’ and the import window will appear
- Browse to certificate and enter appropriate password (if applicable)
- Select ‘OK’ and the certificate will import
- Select ‘Publish to GAL’
- NOTE: The Global Address List is a list tied to some domain management, such as LDAP, that holds the certificates needed for encryption. Otherwise, a sender would need to send a signed message to a recipient prior to sending an encrypted message so that the recipient obtains the certificate needed to encrypt replies and verify signatures.
- There will be a notification that this has completed
Configure certificate for email client
- Open Outlook 2016
- Go to the trust center settings outlined in the previous section
- There is an optional checkbox for ‘Add Digital Signature for Outgoing Messages’
- This will sign every email generated for that particular email domain
- Select ‘Settings’
- Under ‘Security Settings Name’, make sure the correct email domain is selected
- In the ‘Certificates and Algorithms’ section, make sure the ‘Hash Algorithm’ is stronger than ‘SHA1’ (the default). ‘SHA256’ is accepted by most mail services/exchangers, so that should suffice.
- Select ‘OK’
- Select ‘OK’ to close the Trust Center.
In order to turn on/off certificate signing or encryption per email, pop the email out and click ‘Options’ up top and select ‘Signing’ or ‘Encrypt’ to enable/disable.
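What the ‘Add Digital Signature’ checkbox and the SHA-256 setting above actually produce, and what the recipient’s ribbon stands for, can be shown with the openssl command line. This is an added example, not part of the original post or of Outlook: every CA, key, certificate and address in it is constructed for the demo, and it assumes openssl (1.1.1 or newer) is installed.

```shell
#!/bin/sh
# Added example, not from the original post: what the Outlook "Add Digital
# Signature" checkbox does under the hood, shown with openssl's CMS/S/MIME tool.
# Every key, certificate and address here is constructed for the demo.
set -e
WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT

# A throwaway private CA standing in for the commercial CA that "vouches" for
# the sender, plus an end-entity certificate for the sender's address.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -sha256 \
  -subj "/CN=Demo Mail CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Alice Example/emailAddress=alice@example.test" \
  -keyout "$WORK/alice.key" -out "$WORK/alice.csr" 2>/dev/null
# An S/MIME signing certificate needs the emailProtection EKU and the sender's
# address in the SAN; mail clients check both before showing the ribbon.
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\n' > "$WORK/alice.ext"
printf 'extendedKeyUsage=emailProtection\nsubjectAltName=email:alice@example.test\n' >> "$WORK/alice.ext"
openssl x509 -req -days 1 -sha256 -in "$WORK/alice.csr" -extfile "$WORK/alice.ext" \
  -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
  -out "$WORK/alice.crt" 2>/dev/null

# sign_message BODYFILE OUT: clear-signed S/MIME with SHA-256 (the post's
# recommended hash); signer cert and CA cert are embedded for the recipient.
sign_message() {
  openssl cms -sign -md sha256 -in "$1" -signer "$WORK/alice.crt" \
    -inkey "$WORK/alice.key" -certfile "$WORK/ca.crt" \
    -from alice@example.test -to bob@example.test -subject "Invoice" -out "$2"
}
# verify_message MSG CAFILE: exit 0 only if the signature is intact AND the
# signer chains to a CA we trust (this is what the ribbon represents).
verify_message() {
  openssl cms -verify -in "$1" -CAfile "$2" -out /dev/null 2>/dev/null
}

printf 'Please review the attached invoice.\n' > "$WORK/body.txt"
sign_message "$WORK/body.txt" "$WORK/signed.eml"
# Tamper with the readable part after signing: the digest no longer matches.
sed 's/Please review/Please ignore/' "$WORK/signed.eml" > "$WORK/tampered.eml"
# A CA the recipient does not trust: the signature is valid, but nobody vouches.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other CA" \
  -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null

verify_message "$WORK/signed.eml"   "$WORK/ca.crt"    && echo "original: signature OK, trusted CA"
verify_message "$WORK/tampered.eml" "$WORK/ca.crt"    || echo "tampered: verification FAILED"
verify_message "$WORK/signed.eml"   "$WORK/other.crt" || echo "untrusted CA: verification FAILED"
```

The three verification outcomes are the same three cases a mail client distinguishes: a valid ribbon, a tampered-with message, and a signature from a CA the recipient has no reason to trust.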
Are the signing certificates enough? Maybe not but that is where intuition comes into play. We’ll discuss that next time.
Make sure to check out the rest of the Email Security series:
- Email Security – Part 2: Phishing and Other Falseness
- Email Security – Part 3: Sender Policy Framework (SPF)
- Email Security – Part 4: DKIM (DomainKeys Identified Mail)
- Email Security – Part 5: DMARC, Reporting and Email
Check back every Monday for a new article.