Mail in Mac OS X 10.4.3: Signed, encrypted, delivered

Posted by Pierre Igot in: Mail, Technology
November 23rd, 2005 • 10:36 am

When it comes to e-mail communication, people, in general, are extremely careless. They use passwords for their POP accounts that anyone who knows them even remotely can easily guess. They don’t back up their archive of several years of e-mail messages. They don’t take basic precautions to protect their e-mail program from viruses, spam, etc. They frequently leave their office computer unattended and unprotected, so that anyone can sit at their computer and get instant access to vast amounts of personal data, including their e-mail archive.

Really, the main reason why identity theft, privacy intrusions, etc. are not more common is that most people are fairly honest, trust each other, and respect each other’s privacy.

One could also argue that the sheer number of daily e-mail transactions world-wide makes it particularly difficult for would-be criminals to extract crucial personal information from vast amounts of boring and useless text. But that would ignore the fact that anything that is computer-based can easily be automated and that today’s computer hardware is capable of processing huge amounts of data very efficiently.

The one key vulnerability of e-mail communication that has yet to even enter the public’s consciousness, as far as I can tell, is the fact that, unless e-mail is encrypted, its transmission from sender to recipient takes place without any kind of protection. E-mail messages are sent as clear text, and anyone with access to any of the computer systems through which e-mail messages travel can actually read those messages.

Of course, Internet service providers do take precautions to protect their mail servers from outside intrusions, but the fact remains that e-mail messages are, by default, pieces of information with very little protection.

As a Mac user, there’s not much you can do about reinforcing the security of on-line networks world-wide. On the other hand, there are things that you can do to increase the security of your own data, including your e-mail messages. E-mail encryption has been around for a while, but traditionally it has been a fairly complex process involving the use of “public keys” and “private keys” and third-party software to make it all work.

With recent versions of Mac OS X, however, Apple has taken steps to make encryption available to ordinary Mac users as well. And with the Mac OS X 10.4.3 update, Apple has introduced a key new feature that could very well be a significant step in the adoption of encryption on the Mac platform.

Mac OS X 10.4.3 actually introduces a feature that was initially promised for Mac OS X 10.4 itself. The feature is encrypted instant messaging in iChat. Right now, the feature only works for paying .Mac users. In order to use it, if you are a paying .Mac user, you just need to go to iChat’s “Preferences” dialog, check the settings for your @mac.com account, and click on the “Encrypt…” button in the “Security” tab to activate the feature.

From now on, whenever you chat with another .Mac user who also has turned the feature on, your instant messages will be encrypted, which will be indicated with a padlock icon in the corner of your chat window. This means that no one other than you and the person you are chatting with will be able to read your instant messages.

What does this have to do with e-mail? Well, it turns out that, behind the scenes, when you activate encryption in iChat, Apple actually delivers a certificate to you that is stored in your keychain. You can see this certificate by launching the Keychain Access utility and looking under “My Certificates” in your keychain. The certificate will bear the name of your @mac.com account (without the “@mac.com” part) and it will be listed as a certificate issued by “Apple .Mac Certificate Authority.”

It is a certificate issued by Apple’s servers that is stored on your machine and will remain valid for one year. iChat uses this certificate to encrypt your instant messages and uses Apple’s own servers to guarantee the security of your chats.

What’s interesting, if you look at the details for this certificate, is that you’ll find a section with a series of “purposes” listed for the certificate and one of these purposes is “Email protection.” And it turns out that, yes, in fact, this certificate issued by Apple for encryption in iChat can also be used for e-mail encryption in Mail.

All you have to do is go to Keychain Access’s “Preferences” dialog box and, in the “General” tab, check the box that reads “Search .Mac For Certificates.”

Once you have done that, when you go to Mail and try to compose a new message with your @mac.com e-mail account, you’ll see that the controls for encrypting and signing your e-mail message are now visible and enabled. These two controls appear at the right end of the message window’s toolbar, next to the “Signature” pop-up menu.
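To make the “purposes” check concrete, here is an added example (not part of the original post, and not Apple’s code) that uses the `openssl` command line rather than Keychain Access. It builds two constructed test certificates, one listing the e-mail protection purpose and one listing only a web-server purpose, checks which of them is acceptable for S/MIME signing and encryption, and encrypts a message to the acceptable one. The names `alice` and `server` and the `example.test` addresses are assumptions made for the demonstration.

```shell
# Added example. Every certificate and key below is constructed test data.
WORK=$(mktemp -d)

# make_cert NAME EKU: self-signed test certificate for NAME@example.test
# whose extendedKeyUsage (the "purposes" list) is exactly EKU.
make_cert() {
    cat > "$WORK/$1.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
CN = $1
[ext]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = $2
subjectAltName = email:$1@example.test
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$WORK/$1.cnf" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# usable_for_mail CERT: succeeds only if OpenSSL's purpose check accepts
# the certificate for both S/MIME signing and S/MIME encryption.
usable_for_mail() {
    purposes=$(openssl x509 -in "$1" -noout -purpose) || return 1
    echo "$purposes" | grep -q '^S/MIME signing : Yes' &&
        echo "$purposes" | grep -q '^S/MIME encryption : Yes'
}

# roundtrip NAME: encrypt a message to NAME's certificate, then decrypt it
# with NAME's private key and print the recovered plaintext.
roundtrip() {
    printf 'Meet at noon.\n' > "$WORK/msg.txt"
    openssl smime -encrypt -aes256 -in "$WORK/msg.txt" \
        -out "$WORK/msg.p7m" "$WORK/$1.pem" &&
        openssl smime -decrypt -in "$WORK/msg.p7m" \
            -recip "$WORK/$1.pem" -inkey "$WORK/$1.key"
}

make_cert alice emailProtection   # lists the e-mail protection purpose
make_cert server serverAuth       # web-server purpose only
usable_for_mail "$WORK/alice.pem" && echo "alice: usable for mail"
usable_for_mail "$WORK/server.pem" || echo "server: rejected for mail"
roundtrip alice
```

The same `usable_for_mail` check works on any certificate exported in PEM format.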

In other words, for .Mac users at least, e-mail encryption has suddenly become pretty straightforward. You no longer have to install third-party software. And you no longer have to go through an independent, third-party authority to obtain a certificate that can be used to encrypt and sign your messages.

If you are not a paying .Mac user, things are not as straightforward, but they are still reasonably simple. You just need to obtain a certificate from a third-party authority. Thawte is a company that specializes in this kind of thing, and they actually let you sign up to get a certificate for e-mail encryption free of charge. The process is not completely straightforward (I went through it myself a while back, and of course it refers to a variety of web browsers without including Safari, so there are some error messages that you have to ignore if you use Safari or another theoretically unsupported browser), but here is a tutorial that can help.

The bottom line here is that e-mail encryption is now quite easy to achieve even for ordinary Mac users. It’s not as easy as it should be yet, but it’s reasonably easy, and it’s quite possible that the iChat encryption business is only a first step for Apple and that they will soon extend the service to explicitly include e-mail encryption as well, and maybe open it to Mac users who are not .Mac subscribers.

I personally have been testing e-mail encryption with Sven-S. Porst, a fellow Mac OS X user and Mac blogger, for some time now and, while we both agree that the interface for it could still use some work, we feel that it might be time to start promoting e-mail encryption to other Mac users. So I invite you to read Sven’s posts on the subject as well, including this one, and then start experimenting with it yourself.

I am not about to start using e-mail encryption systematically with all the people that I exchange e-mails with, of course, since most of them have no idea what this is, what it does, and how it works. But gradually, I just might start using it more and more, especially when I need to send sensitive information via e-mail.

Identity theft is one of those things that people tend to be unaware of until it actually hits them. With things like e-mail encryption and iChat encryption, you’ll be taking steps toward ensuring that it never happens to you.

