How and why to install an email signing certificate
Long before Twitter or even SMS (Short Message Service), email was a dominant force in communication spanning from global business reach to the next cubicle over. It still is a highly utilized method of communication, but it brings many complications with it.
For example, the junk-mail game of the traditional stamp and drop method of the postal service was easily carried over into the digital space and renamed as spam. Some of this spam could be confusing to wade through. While some spam is as obvious as African royalty in a financial conundrum, some spam may be sourced as slight variances of trusted domain names. Does Amazon have a Customer Tracking and Assistance department and why are they asking for password verification through a poorly worded and logo-less email?
Conversely, how can one ensure that their legitimate outbound email communication is not flagged or mistaken as something insidious? In a 2015 study, Return Path reported that only 79% of (legitimate) commercial emails actually make it to the intended destination. 1 in 5 commercial emails gets filtered out or flagged one way or another. There are many ways in which this can happen and many points in an email’s lifecycle of WHERE filtering/flagging can happen.
We are going to kick off my venture into the world of commercial blogging with a series about email security. Not only will we be reviewing methods to identify bad emails coming in and how to protect oneself, but we will also be looking into methods to successfully delivering emails and establishing a trusted and reputable brand.
Will Anyone Vouch For This Person?!
Verification of identity can be seen all over the world:
Police officer? “Let me see your badge number so I can phone it in.”
Knock on the door? Let’s have a look through the peephole to see if it is someone recognizable. Don’t recognize them? “Who are you?… Show me your girl scout license number so I can phone it in.”
Technical support for your account? “Would you confirm your mother’s maiden shoe size?”
Besides intuition, there are no basic human sense cues that can help verify the origins of an email so it is a little more of a challenge. The display name, source email address and writing style would be the best indications as to whether the email is legitimate or was composed by a spoofer. One could also follow the cumbersome mail headers and follow the route the email took to see if it makes some sense. However, the email sender is able to make this scrutinization a little laxer.
Coupled with intuition, signing certificates via S/MIME (Secure/Multipurpose Internet Mail Extensions) assist in establishing trust between sender and receiver. The little red Outlook ribbon (green check in Gmail) on a signed email carries with it a hierarchy of root certificates from whichever issuing authority.
In a sense, a signing certificate tells the receiver, “I went out of my way to get a CA (certificate authority) to vouch for me. Also, I paid for it…..” For a recipient that one might be in frequent contact with, this can bring peace of mind at a glance.
Let’s Certify Some Emails
Now that we have gone over the generic overview of email certificates, let’s apply a certificate in practice. Despite the fact that it only accounts for a smallish percentage of total mail origination, this tutorial will go over the application of email certificates to Outlook 2016 on a Windows-based machine.
- Windows 7+
- Outlook 2016
- Possession of a proper security certificate file (.crt)
- Open Outlook 2016
- ‘File’->’Options’->’Trust Center’->’Trust Center Settings’
- Trust Center window will appear
- Select ‘Email Security’ in the left menu options
- Select ‘Import/Export’ and the window will appear
- Browse to certificate and enter appropriate password (if applicable)
- Select ‘OK’ and the certificate will import
- Select ‘Publish to GAL’
- NOTE: The Global Address List is a list that is tied to some domain management, such, as an LDAP, that will have the certificates available that should be ready for encryption. Otherwise, a sender would need to send a signed certificate to a recipient prior to sending an encrypted message so the recipient will get the certificate to decrypt.
- There will be notification that this has completed
Configure certificate for email client
- Open Outlook 2016
- Go to the trust center settings outlined in the previous section
- There is an optional checkbox for ‘Add Digital Signature for Outgoing Messages’
- This will sign every email generated for that particular email domain
- Select ‘Settings’
- Under ‘Security Settings Name’, make sure the correct email domain is selected
- In the ‘Certificates and Algorithms’ section, make sure the ‘Hash Algorithm’ is higher than ‘SHA1’ (selected by default). ‘SHA256’ is acceptable by most mail services/exchangers so that should be suffice.
- Select ‘OK’
- Select ‘OK’ to close the Trust Center.
In order to turn on/off certificate signing or encryption per email, pop the email out and click ‘Options’ up top and select ‘Signing’ or ‘Encrypt’ to enable/disable.
Are the signing certificates enough? Maybe not but that is where intuition comes into play. We’ll discuss that next time.
Make sure to check out the rest of the Email Security series:
- Email Security – Part 2: Phishing and Other Falseness
- Email Security – Part 3: Sender Policy Framework (SPF)
- Email Security – Part 4: DKIM (DomainKeys Identified Mail)
- Email Security – Part 5: DMARC, Reporting and Email
Check back every Monday for a new article.