Sectigo may have just revived S/MIME

Email signing certificates just became easy to deploy. That changes everything.

S/MIME certificates have always been a great idea – in theory. They give organizations the ability to sign and encrypt email. Which, as we’ve covered before, is an invaluable tool for organizations trying to stop phishing and email attacks.

But email signing certificates’ Achilles heel has always been deployment.

Deploying them has always been a long, tedious process that many organizations just don’t feel like putting up with. That’s hamstrung their proliferation. At a recent event our VP Michael Ward was told by a heckler that S/MIME is dead.

But reports of its death have been greatly exaggerated. Also, who heckles at a business conference?

Let’s hash it out.

Sectigo just solved S/MIME’s deployment problem

The biggest issue with S/MIME has always been the fact that you had to have someone go to every single device and install the certificate manually. That’s a pain in the butt for a small company. Our prodigious IT manager (and regular Hashed Out contributor) Ross Thomas had to do this a few months ago. Every. Single. Device. Seriously, we had to nail the windows in his office shut to keep him from leaping out of one.

Until recently, every time a new employee was hired Ross had to slog through the installation process again. And he had to revoke any certificate that belonged to departing employees. It’s a process he knows by heart, but a tedious one. Let’s be honest, constantly being asked to perform the same tedious task at work over and over and over gets to you after a while.

Then Sectigo unveiled its new Zero-Touch S/MIME solution. Full disclosure, we work very closely with Sectigo. We get a sneak peek at what’s coming. We knew about the new name before they even announced it to the rest of their partners. The point is, it may have been announced at the end of February, but we’ve been working with Sectigo’s Zero-Touch S/MIME solution for a few months so we could figure it out ourselves.

Let’s put it this way: Ross no longer swears at the mere mention of S/MIME. 95% of the tedious work that used to come with email signing has been alleviated because deployment is now automated. Sectigo’s Zero-Touch S/MIME solution integrates with your Active Directory and gives you the ability to manage everything via a single interface.

When new employees sign on, as we had with our new office manager just last week, deployment is a simple, straightforward process. When employees leave, their certificate can be revoked, but their email will still be decryptable.

All of the pain points have been alleviated.

This is how S/MIME was supposed to work

The biggest reason that S/MIME certificates aren’t more popular is that – given the workload involved – IT admins are loath to tell management that they even exist. I’m kidding. Mostly. Anyway, as we’ve discussed, the real issue has always been deployment. End users had to acquire their own certificate and install it themselves. And part of that is our fault as an industry.

That’s partially because companies and organizations perceive digital certificates and PKI as costly and time-consuming. Security is nice, but not at the expense of productivity and budgeting for other projects.

That’s why S/MIME hasn’t been more widely adopted until now. It’s been difficult to convince most organizations that deploying and managing all those certificates is worth the hassle.

Zero-Touch S/MIME could change that. It will also help organizations with compliance by providing a means to encrypt and sign email.

Having the issuance and deployment of S/MIME certificates automated saves a lot of time AND money. And Zero-Touch is a part of Sectigo’s larger Certificate Manager, which means it further consolidates your digital certificate management. As we’ve discussed many times, certificate management presents a major problem for many organizations – especially larger ones.

Having the ability to manage all of your certificates, including S/MIME – which can now be rapidly issued and deployed – through a single interface could save your organization millions in the long run. Literally millions.

| Scenario | Extrapolated Cost |
| --- | --- |
| Cost of unplanned outages due to certificate expiry | $11,122,100 |
| Cost of failed audits/compliance due to undocumented or poor key management | $14,411,500 |
| Cost of server certificate and key misuse | $13,423,250 |
| Cost of Code Signing certificate and key misuse | $15,025,150 |
| Cost of CA compromise or rogue CA for MITM and/or phishing attacks | $13,219,850 |
| Total Cost | $67,201,850 |

Look, I’ve been writing Hashed Out for nearly three years now and in that time I’ve never openly pitched anything to you. I may have hinted at one of our solutions a few times but Hashed Out operates with a degree of autonomy and we try to be objective, never sales-y.

And that’s not what I’m doing here, either. At least not directly. I’m simply pointing out that since we started using this Zero-Touch S/MIME solution, our IT manager, Ross, enjoys coming to work again, we can once again trust him around open windows and, perhaps more relevantly, our S/MIME certificates work seamlessly in the background.

Now every email is signed. The important ones are encrypted. And, most importantly, it’s no longer a burden. It’s just a quick glance at the dashboard a few times a week to ensure everything is running smoothly.

S/MIME certificates used to be a big pain in the ass.

They’re not anymore. We know that first-hand.

As always, leave any comments or questions below…

Hashed Out by The SSL Store is the voice of record in the SSL/TLS industry.
  • Very informative and super helpful product.
    Also, that Ross Thomas guy sounds like a people’s champion.

  • Zero Touch probably means that the Sectigo certificates are used through a mail gateway. When this assumption is correct, how does Sectigo Zero Touch help protect mail on the end-points which classically do the encryption/decryption?

    Another major hurdle is that the recipient of an email also needs an S/MIME certificate and key-pair in order to be able to receive it S/MIME encrypted. How does the Zero Touch solution solve this problem in the case you want to send an encrypted email using S/MIME to a target outside your organization?

    And vice-versa, when someone outside your organization wants to email someone in your organization, how will they easily learn about the public S/MIME details in order to send the encrypted message using Zero Touch?

  • Unfortunately, Sectigo followed this up 6 weeks later by effectively eliminating free S/MIME certificates for individuals. At $20/year or $50 for 3 years, a classic chicken-and-egg scenario applies. Few people will pay that much until adoption hits critical mass, and it will never hit critical mass as a result.

    While S/MIME may find limited use for supply-chains, consortium communication, and government contractors, without SOHO adoption it will be a solution for use within walled gardens. As such, it will compete with other in-place solutions for stage time on the security theatre.

Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.