Sign and encrypt your email
Add extra layers of security and privacy to your email conversations
It’s one of the internet’s worst-kept secrets that email is an inherently insecure medium.
Security and privacy weren’t part of its original design, and no matter how careful you and your recipient are to ensure no one is peeking when you read messages, the fact is it’s still vulnerable.
One of the easiest ways in which email is abused is through email spoofing. It’s very easy to fake the sender address when sending a message, and this is used to trick people into thinking a message is genuine when it isn’t. One way to counter this problem is to digitally sign your emails. If your recipients are forewarned – why not put a warning in your email signature? – they’ll know to treat any unsigned email purporting to be from you with a suitable level of suspicion.
It’s possible to go further and encrypt email with the same certificate too – but this requires cooperation between you and each individual contact. Both you and your email partner need certificates configured to encrypt as well as digitally sign messages, and each of you must have verified the other’s certificate.
Make use of Keychain Access
While it’s possible to obtain digital certificates from third parties, these either cost money or come with strings attached – typically a single year’s use before the certificate expires. Luckily, the tools to create a certificate that can identify you and encrypt mail are built into OS X’s Keychain Access utility.
The process involves setting up your own self-signed Certificate Authority (CA), which acts like a master certificate maker. Once created, you use this to generate a single certificate designed specifically for a single email address. If you have multiple email addresses, you can set up separate certificates for each of them. The walkthrough opposite details the process you need to follow.
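As an added example, not code from the article or from Apple, here are the same two steps carried out with the openssl command-line tool instead of the Keychain Access GUI: a self-signed CA, then one certificate for a single address, followed by the check a mail client performs on the result. The CA name, the address and the file paths are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the article or Apple: the article's two Keychain Access
# steps (self-signed CA, then one certificate per address) done with the openssl
# command-line tool. Address, names and paths are constructed for this example.
set -eu

# Build a self-signed CA in $2, then issue one S/MIME certificate for address $1.
make_smime_cert() {
  addr="$1"; dir="$2"
  mkdir -p "$dir"

  # Step 1: the self-signed Certificate Authority (the "master certificate maker").
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Personal CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > "$dir/ca.ext"
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 3650 \
    -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null

  # Step 2: a key and request bound to the address, signed by the CA with the
  # extensions mail clients check: S/MIME key usage and the address in the SAN.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$addr/emailAddress=$addr" \
    -keyout "$dir/mail.key" -out "$dir/mail.csr" 2>/dev/null
  printf '%s\n' 'basicConstraints=CA:FALSE' \
    'keyUsage=critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage=emailProtection' "subjectAltName=email:$addr" > "$dir/mail.ext"
  openssl x509 -req -in "$dir/mail.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$dir/mail.ext" -out "$dir/mail.crt" 2>/dev/null

  # Bundle key, certificate and CA as PKCS#12 for import into Keychain Access
  # (placeholder password; Keychain Access asks for it on import).
  openssl pkcs12 -export -inkey "$dir/mail.key" -in "$dir/mail.crt" \
    -certfile "$dir/ca.crt" -passout pass:changeit -out "$dir/mail.p12"
}

# Check the result the way a mail client does: the certificate must chain to the
# CA, be valid for both S/MIME signing and encryption, and name address $1 in its SAN.
verify_smime_cert() {
  addr="$1"; dir="$2"
  openssl verify -CAfile "$dir/ca.crt" -purpose smimesign "$dir/mail.crt" >/dev/null 2>&1 &&
  openssl verify -CAfile "$dir/ca.crt" -purpose smimeencrypt "$dir/mail.crt" >/dev/null 2>&1 &&
  openssl x509 -in "$dir/mail.crt" -noout -text | grep -q "email:$addr"
}
```

Importing mail.p12 into Keychain Access gives Mail the same identity the walkthrough produces; your recipients still have to trust the self-signed CA by hand, exactly as described under ‘Use your certificates’.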
Use your certificates
The first time you open Mail and compose a new message from the email address you’ve digitally signed, you’ll see a blue check mark alongside a dimmed padlock. The first task is to send an email to your recipient informing them you’ve set up a digital signature.
As your certificate is a self-signed one, it requires manual verification by the recipient; this process varies from app to app, but in the case of fellow Mail users, they’ll need to click the Show Details button next to the warning, then Show Certificate. At this point it’s a case of putting a check mark next to ‘Messages from <email> are valid if signed by <certificate name>’ and clicking OK. This places your certificate in their keychain – open Keychain Access to review it – and future signed messages from you are marked as such.
If they then reply with a message signed using their own certificate, and you verify it in the same way, future messages between the two of you should see the padlock become available – just click this to lock it and future conversations will be encrypted and private. Also keep an eye out for incoming messages, which should be clearly labelled as signed and/or encrypted when appropriate.