I received a rather interesting email from a reputable insurance company, and felt this was an excellent topic to launch our new Security Notes. As you all know, I take security very seriously (as I should, since it's my business). Because of this, I have made it a standard policy for TRUE to digitally sign all outgoing messages and encrypt anything that is sensitive. In addition, I encourage all of our clients to adopt the same policy. The thing is that when I sent this insurance company an email, they bounced my email with a message stating:
THIS EMAIL HAS AN ATTACHMENT THAT IS NOT ALLOWED BY REPUTABLE INSURANCE COMPANY.
Interestingly, this insurance company blocked my email because it had an unidentified attachment. Obviously, in their effort to be secure, this company failed to use a system that could identify digital signature attachments. Thus, instead of creating a safe digital environment for their customers, the company created a site that was safe from their customers.
So what is a secure message anyway (i.e. digital signature)?
You have probably already received emails that were digitally signed by the sender. These messages may have a fancy little ribbon in the header (if you're using Outlook), a block of letters and numbers at the bottom of the message, or possibly an attachment that shows up as a p7s file. When a signature is generated, a mathematical algorithm combines information from the sender's key with the contents of the message. The result is a random-looking string of letters and numbers; that string is the digital signature.
Why would you use one?
Because it is surprisingly easy to "spoof" email addresses. In other words, attackers and viruses can send unwanted email that appears to be from your account. Because these types of attacks are on the rise, it is increasingly difficult to identify legitimate messages. Authenticity is especially important for business correspondence - if you are relying on someone to provide or verify information, you want to be sure that the information is coming from the correct source.
A digitally signed message also indicates that the content of the email that you received was the same content that you were sent. Had any changes been made to the message after it was sent, those changes would have broken the digital signature.
The process for creating, obtaining, and using keys is fairly
1. You can obtain a FREE certificate at a participating Certificate Authority, such as:
- Thawte: http://www.thawte.com/secure-email/web-of-trust-wot/index.html
- IPSCA: http://certs.ipsca.com/Products/SMIME.asp
2. Install your certificate in an S/MIME capable email client, such as:
- Microsoft's Outlook
- Mozilla's Thunderbird
3. Digitally sign your outgoing email messages.
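The insurance company's gateway bounced the message because it saw the p7s signature as an unidentified attachment. As an added example (not code from this newsletter), here is how a mail filter can recognise a detached S/MIME signature by its MIME structure instead of by file name, so it can keep an attachment policy without rejecting signed mail. Both sample messages are constructed, and the PKCS#7 blob is a base64 placeholder rather than a real signature; the example classifies parts only and does not verify the signature.

```python
import base64
import email
from email import policy

# Constructed sample messages (not real signatures): the PKCS#7 blob is a
# base64 placeholder so the example runs offline.
_FAKE_P7S = base64.b64encode(b"constructed placeholder, not a real PKCS#7 blob").decode()
SIGNED_MESSAGE = (
    "From: sender@example.com\r\nTo: claims@example.com\r\n"
    "Subject: Policy question\r\nMIME-Version: 1.0\r\n"
    'Content-Type: multipart/signed; protocol="application/pkcs7-signature";'
    ' micalg=sha-256; boundary="sig"\r\n\r\n'
    "--sig\r\nContent-Type: text/plain\r\n\r\nPlease confirm the coverage details.\r\n"
    '--sig\r\nContent-Type: application/pkcs7-signature; name="smime.p7s"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    'Content-Disposition: attachment; filename="smime.p7s"\r\n\r\n'
    f"{_FAKE_P7S}\r\n--sig--\r\n"
).encode()
PLAIN_MESSAGE = (
    "From: sender@example.com\r\nTo: claims@example.com\r\nSubject: Notes\r\n"
    'MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="mix"\r\n\r\n'
    "--mix\r\nContent-Type: text/plain\r\n\r\nSee attached.\r\n"
    '--mix\r\nContent-Type: text/plain; name="notes.txt"\r\n'
    'Content-Disposition: attachment; filename="notes.txt"\r\n\r\nhello\r\n--mix--\r\n'
).encode()
SIGNATURE_TYPES = {"application/pkcs7-signature", "application/x-pkcs7-signature"}

def classify_parts(raw: bytes) -> dict:
    """Map each named part to 'signature' or 'attachment'.
    A detached S/MIME signature is structural (RFC 1847/8551): the root is
    multipart/signed with exactly two parts, and the second carries the
    content type named by the protocol parameter. Checking that, rather than
    the file name, lets a gateway keep its attachment policy for signed mail.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    signature_part = None
    if msg.get_content_type() == "multipart/signed":
        parts = msg.get_payload()
        proto = str(msg.get_param("protocol") or "").lower()
        if len(parts) == 2 and proto in SIGNATURE_TYPES \
                and parts[1].get_content_type() == proto:
            signature_part = parts[1]
    verdicts = {}
    for part in msg.walk():
        name = part.get_filename()
        if name is not None and not part.is_multipart():
            verdicts[name] = "signature" if part is signature_part else "attachment"
    return verdicts
```

Verifying the signature itself (hashing the first part and checking the CMS object against the sender's certificate) is a separate step that needs a cryptography library; this only prevents the structural part from being mistaken for a foreign attachment.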