I am dealing with a local web consulting firm that is giving me answers that conflict with my (albeit limited) knowledge of SSL.
Customer wants to set up secured email (required by a vendor they deal with).
As I understand it:
Order cert from VeriSign or whomever
Apply to security settings in Outlook
Once installed, you can digitally sign/encrypt emails by making appropriate selections in Outlook.
The web consulting firm is telling me they need multiple keys and such to do this or as soon as it hits their servers it will “strip away” any encryption and send the email in clear text.
I have never really dealt with this before and good info on this method of application is evading my google-fu.
Hi. You need to post more information on what the consulting firm is telling you and what exactly you are trying to accomplish.
It sounds like you are partly talking about digital identity certificates. These are meant to prove your identity through a procedure the issuer follows before granting you a certificate. You can then use this certificate to sign emails. This digital signature can be verified by a third party to show that the email content (or whatever was wrapped in the digital signature) hasn’t been tampered with or to prove that it was signed and sent by you.
The majority of your post is unclear though. The signing of email is separate to SSL which is to secure network traffic. You may use SSL in this situation if you need to secure the connection between your mail client and the mail server. This ensures that nobody can easily read your email in transit to the mail server, but it doesn’t necessarily protect the email after it’s left your mail server en route to the destination. Because that part of the journey may be through unencrypted channels, you’d use encryption on the mail itself. You then have the problem of the recipient decrypting the email and they can’t use your certificate for that. You’d have to encrypt the email with their certificate. Which raises the obvious problem of how you obtain their certificate.
If you can provide some more details I can hopefully fill the holes in your understanding. Relevant topics to look up are S/MIME, Public Key Infrastructure aka PKI and digital signing in Outlook.
SSL for client email encryption? Typically that would be used for the server to secure http, ftp, etc.
For client side email you would probably want to use something like S/MIME as it's supported natively:
>The web consulting firm is telling me they need multiple keys and such to do this or as soon as it hits their servers it will “strip away” any encryption and send the email in clear text.
I don't understand the latter, but in the former they mean that they need a public key infrastructure to keep track of all those X.509v3 certs. Perhaps they mean that they have a security policy to block encryption. Or if they can't find a cert for the recipient they just do plain text.
ttmatthe is correct: an SSL connection to your mail server will not guarantee an encrypted path all the way to the recipient.
If all you care about is encrypted messages between one or more particular recipients/senders and yourself, you’re better off installing some kind of asymmetric encryption on the message level - this will ensure that the content of the mail can only be read by the recipient and/or (depending on the settings of the encryption software) a guarantee that any received email was actually sent by the signer. You need some kind of way to verify each other’s public key once, usually using a hash key/“fingerprint”, which you might do over the phone if you can recognize each other’s voice or you can exchange complete keys in person, or you can have some trusted intermediary verify both your keys*.
Note that that sort of encryption does not protect any snooping on where messages are coming from or where they’re going - it really is “content only” - but that’s pretty much the only real guarantee you can get anyway.
Gnu GPG is a widespread and relatively easy to set up scheme to do asymmetric encryption on UNIX style machines. There probably are packages available for Outlook too (I know of a few packages that make it fairly easy to use GPG on Windows, but none of them integrate with Outlook directly).
* This sort of key verification is what VeriSign et al. provide for SSL. As far as I know there’s no such service for GPG, but those kinds of services aren’t exactly 100% reliable anyway.
I am 90% sure this is all they need but I am dealing with users who don’t understand any of this and the web host that handles their email keeps sidestepping any questions about digital identity certificates.
Some more detail.
Customer uses a web mail portal
Mail provider is a local company who provides email/web hosting/internet services to small businesses.
They say they can set this up but that it will cost several hundred dollars a year to apply to one email address.
As I understand it, all I need to do is install a POP3 mail client like Outlook, configure it to pull mail to Outlook, and apply the digital signature to Outlook…done, costs the customer like $20/year. They seem to be trying to sell them something completely different and much larger.
Yes, you can do this, but you still have to obtain the certificate, install the private key into your mail client, and distribute your public key to your recipients. The couple hundred dollars a year per email address is probably to cover the cost of purchasing a certificate from a certificate authority on your behalf, plugging the private key into the web portal for the account, importing public keys into the web portal from your intended recipients (if necessary), and generally getting things working smoothly. And a markup to make it worth the mail hosting company’s time, of course.
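The key handling discussed in this thread (sign with your own private key, encrypt to the recipient's certificate, decrypt only with the recipient's private key) can be reproduced with the `openssl smime` command. This is an added example, not part of any post above; the identities "alice" and "bob", the example.test addresses, the file names and the throwaway self-signed certificates (standing in for CA-issued ones) are assumptions made for the demonstration.

```shell
# Added example: S/MIME sign-then-encrypt with throwaway self-signed certs.
# "alice" (sender), "bob" (recipient) and all file names are constructed.
set -eu
WORK=$(mktemp -d)

# Create a private key and a self-signed certificate for one mailbox.
make_identity() {  # $1 = short name, $2 = email address
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1/emailAddress=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Sender side: sign with the sender's private key, then encrypt the signed
# message to the recipient's certificate (only their public key is needed).
protect() {  # $1 = sender, $2 = recipient, $3 = plaintext file, $4 = output
  openssl smime -sign -in "$3" -text -signer "$WORK/$1.crt" \
    -inkey "$WORK/$1.key" -out "$WORK/signed.msg" &&
  openssl smime -encrypt -aes256 -in "$WORK/signed.msg" -out "$4" \
    "$WORK/$2.crt"
}

# Recipient side: decrypt with the recipient's private key, then verify the
# signature against the sender's certificate (checked out of band beforehand).
unprotect() {  # $1 = recipient, $2 = expected sender, $3 = input, $4 = body out
  openssl smime -decrypt -in "$3" -recip "$WORK/$1.crt" \
    -inkey "$WORK/$1.key" -out "$WORK/inner.msg" 2>/dev/null &&
  openssl smime -verify -in "$WORK/inner.msg" -CAfile "$WORK/$2.crt" \
    -text -out "$4" 2>/dev/null
}

make_identity alice alice@example.test
make_identity bob bob@example.test
printf 'Quarterly figures attached (constructed sample text).\n' \
  > "$WORK/plain.txt"

protect alice bob "$WORK/plain.txt" "$WORK/mail.eml"
unprotect bob alice "$WORK/mail.eml" "$WORK/body.txt"
tr -d '\r' < "$WORK/body.txt"   # recovered body, signature verified

# Anyone without bob's private key (a relay, or even the sender) cannot open it.
if unprotect alice alice "$WORK/mail.eml" "$WORK/other.txt"; then
  echo "unexpected: decrypted without recipient key"
else
  echo "decryption without bob's key failed, as intended"
fi
```

The file `mail.eml` is what travels through every mail server on the path; a transport-level SSL connection only protects the hop it covers, while this message-level protection stays in place until the recipient decrypts it.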