Sending something confidential via e-mail is the equivalent of writing it on the back of a postcard. Every e-mail message passes through dozens of servers, and it’s not difficult to intercept data anywhere along the line. If you want to keep messages private, you must encrypt them. Luckily, there’s a simple—and free—way to set up Apple’s Mail (in Mac OS X 10.3 and later) to encrypt and digitally sign messages.
E-mail protection basics
Most e-mail is not sensitive enough to require constant protection against snoops. If you occasionally need to e-mail a confidential file to someone who uses Mac OS X, just send an encrypted disk image (see Disk Utility’s Hidden Talents). However, if you often send messages that contain important business information or top secret rendezvous instructions, digital signatures and encryption can help.
It’s relatively easy to forge the name and address in the From header of an e-mail, so how can you be sure that the messages you receive are coming from the right sender? And how can you make sure no one is altering messages en route? Digital certificates act as unique fingerprints to help prove senders’ authenticity and allow you to sign your e-mail messages digitally. You transmit your digital certificate—a secret key, comprising a series of seemingly random letters and numbers—along with your e-mail messages, and you receive others’ certificates along with theirs.
Digital certificates are issued by organizations that the broader Internet community considers reliable. These organizations guarantee their certificates’ trustworthiness. Valid certificates prove that senders actually own their e-mail addresses, but not necessarily that they are who they say they are (see “The Key to Security”). For that, you need something like Thawte Web of Trust certification, which requires a notary to validate the person’s identity.
To check certificates you receive, open Keychain Access (/Applications/Utilities). Click on Certificates in the Category pane, and then click on a certificate to see what organization appears in the Issued By line. If Keychain Access cannot verify the signer, it will display a warning in red.
To use a digital signature in Mail, you need your own certificate. I recommend getting one from Thawte, a division of VeriSign that provides free personal e-mail certificates.
To begin, go to the company’s Personal E-Mail Certificates page. Getting the certificate involves filling out several forms, agreeing to Thawte’s terms and conditions, entering your name and e-mail address, setting up a password, and then selecting a number of questions and entering answers as security checks should you lose your password. Next, you’ll receive an e-mail message containing a Web link to confirm your e-mail address, along with two special “probe” and “ping” codes to copy and paste into the Web form.
You then log in to the Personal Certification System Home Page and request an X.509 certificate. A pop-up window lets you choose from a variety of Web browsers. If you use Safari (which isn’t on the list), choose the default Mozilla Firefox/Thunderbird format and then click on Request. Follow the instructions on the next few pages, accept the default extensions, select a level of protection (2,048 bits is the default), and click on the Finish button.
On the next page, click on the Certificate Manager link. You’ll see that your status reads “pending.” Click on View Certificate Status after a while, and when the status reads “issued,” click on the Navigator link. Now click on the Fetch button to obtain your certificate.
When Safari begins to download the certificate, you’ll see a security warning; allow the file to download. Once it does, Keychain Access automatically opens it and adds it to your list of certificates. (These instructions work with Tiger. If you’re using Panther, go to macworld.com/1665 to see how to add a certificate to your keychain.)
Back up your certificate, because you won’t be able to download it again. You can either store it in an encrypted disk image or, if you back up your keychains, use Keychain Access as a storage location.
Sign your Mail
To send digitally signed e-mails, you don’t need to do anything. Now that you have a certificate, Mail does this for you automatically. You can, however, turn off your digital signature. At the very right of Mail’s New Message window, you’ll see a star icon. Click on it to toggle the signature off and on.
Mail automatically sends your certificate information along with any messages you digitally sign and encrypt. Send a digitally signed message to another user who has Mail (in Mac OS X 10.3 or later), and your certificate is added automatically to that user’s Keychain. If your friend uses another e-mail client that supports such certificates (most modern e-mail programs do), it will most likely manage the certificate in a similar manner. If your friend uses a Web-based e-mail service, he or she will see this certificate as an attachment and won’t be able to use it within the Web interface. (See “Web Mail Protection” for one Web-based e-mail option.)
Receive Signed Messages
Receiving signed messages is, like sending them, transparent in Mail—unless the message encounters a glitch along the way. Each message will contain a Security header that says whether it is signed or encrypted (see “Signed, Sealed, and Delivered”). If you receive a message that has been altered after it was sent, Mail displays a conspicuous message saying that it is unable to verify the message signature. That means either someone has fiddled with your message in transit or the message got corrupted. Your best bet is to contact the original sender to make sure that he or she sent the message.
Scramble your Mail
Encryption turns a message, and any attachments, into gobbledygook for people who don’t have the secret decoder ring—in this case, the digital certificate. (You can actually encrypt e-mail messages without having your own certificate. Senders use recipients’ certificates to encrypt e-mail and recipients use their own certificates to decrypt the messages.)
Encrypt Messages
If you have another person’s certificate in your keychain, you can use Mail to send him or her an encrypted e-mail. (To make sure you’ve swapped certificates, first send a message to the person and ask for a reply.) Open a new message in Mail (File: New Message), address it to the person, and then click on the Encryption icon (a lock) at the right of the message window’s header. Compose your e-mail as you normally would and add any attachments you want (they will be encrypted as well).
When the recipient opens the message, he or she will be able to read its contents and save any files you sent without doing anything special. But if anyone else intercepts the message, that person will see gibberish. If there’s a problem with the recipient’s certificate, or if the message gets corrupted or changed in transit, he or she will see the message “Unable to decrypt message.” In that case, the recipient may need to check that he or she has an up-to-date copy of your certificate.
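The signature check described under Receive Signed Messages and the encryption flow described above can be reproduced outside Mail with the `openssl smime` command, since Mail's signed and encrypted messages are S/MIME. This is an added example, not part of the original article; the identities `alice` and `eve`, the `example.test` addresses, the helper function names and the message text are constructed, and self-signed certificates stand in for ones issued by a certificate authority.

```shell
#!/bin/sh
# Constructed demo: throwaway keys, self-signed certificates and message text.
WORK=$(mktemp -d)

make_identity() {   # $1 = name; writes $1.key (kept private) and $1.crt (shared)
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=$1/emailAddress=$1@example.test" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

sign_as() {         # $1 = signer; the certificate travels inside the signed message
    openssl smime -sign -text -in "$WORK/msg.txt" -signer "$WORK/$1.crt" \
        -inkey "$WORK/$1.key" -out "$WORK/signed.eml" 2>/dev/null
}

verify_from() {     # $1 = message file, $2 = expected signer; 0 only if intact
    # The self-signed certificate is trusted as its own issuer here.
    openssl smime -verify -in "$1" -CAfile "$WORK/$2.crt" \
        -out /dev/null 2>/dev/null
}

encrypt_to() {      # $1 = recipient; only the recipient's certificate is needed
    openssl smime -encrypt -aes256 -in "$WORK/msg.txt" \
        -out "$WORK/enc.eml" "$WORK/$1.crt" 2>/dev/null
}

decrypt_as() {      # $1 = identity; fails unless its private key matches
    openssl smime -decrypt -in "$WORK/enc.eml" -recip "$WORK/$1.crt" \
        -inkey "$WORK/$1.key" -out "$WORK/plain.txt" 2>/dev/null || return 1
    tr -d '\r' < "$WORK/plain.txt"   # drop any CRs from S/MIME line endings
}

printf 'Meet at noon.\n' > "$WORK/msg.txt"
make_identity alice; make_identity eve
sign_as alice
# Simulate an alteration in transit by changing one word of the signed body.
sed 's/noon/dusk/' "$WORK/signed.eml" > "$WORK/tampered.eml"
encrypt_to alice

if verify_from "$WORK/signed.eml" alice; then echo "original: signature valid"; fi
if ! verify_from "$WORK/tampered.eml" alice; then echo "tampered: unable to verify"; fi
echo "alice reads: $(decrypt_as alice)"
if ! decrypt_as eve >/dev/null; then echo "eve: unable to decrypt"; fi
```

The one-word change to the signed body is enough to make verification fail, and the message encrypted to alice's certificate cannot be opened with eve's key.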
Web Mail Protection
Want protection when you use Web-based e-mail? A new service, Freenigma, offers just that, providing a simple encryption system for Gmail, Yahoo mail, Hotmail, and other services. All that’s required is Mozilla Firefox and a special Firefox extension (which means that you probably can’t use this encryption on a public terminal). Freenigma is a simple way to harness security features for your Web-based e-mail accounts.
[ Kirk McElhearn is the author of many books, including How to Do Everything with Mac OS X Tiger (McGraw-Hill Osborne, 2005). Thanks to Michael Tennes for providing technical advice for this article. ]
The Key to Security: Check a digital certificate’s validity in the Keychain Access utility. A valid certificate guarantees that the sender owns the e-mail address, but it doesn’t confirm his or her true identity.
Signed, Sealed, and Delivered: Mail’s Security header shows whether a message is encrypted and/or digitally signed.