eMail Security & Mac OS X
#1
Posted 16 January 2005 - 05:49 AM
Dear All,
The other day I was asked by a close friend & member of the MacWorld forums to check out a new utility, which came out for (not only) Mac OS X lately. This utility is Ciphire, which encrypts and/or signs your outgoing eMail from any eMail client (except Lotus Notes and Webmail-based services), and also decrypts it "on-the-fly". I have never really considered encrypting my mail before, because I only heard/read technical stuff about things like PGP and so on, which scared me away more than it attracted me.
But since I read Digital Fortress by Dan Brown over the Christmas holidays, I might have gotten a little bit more sensitive to this issue and thought, "What the heck, just check it out!". And even though my trusty 500MHz TiPowerBook is not listed as a recommended computer, Ciphire has been running without any problems for the last couple of hours.
I am no expert of any kind in this or similar fields, but I would like to ask the members of this forum if they care about eMail security, if they worry about it, and what they are doing about it. Is there any client you use/recommend in OS X? Since most of us arrived in the time of OS X and its UNIX base, we all feel pretty secure about viruses and hacker attacks, but what about our eMails? Or is the discussion not that far, yet?
I can remember a discussion where signatures were thought to be one solution against SPAM as well, because you can easily prove if a mail was spoofed or not. But this, of course, needs again one common signature protocol for everybody, doesn't it?
What do you think?
Am I too paranoid?
Or will this, unfortunately, be the future of eMailing?
Thanks for your thoughts and opinions on this!
Cheers from Tokyo,
arne
#2
Posted 16 January 2005 - 09:32 AM
Mail.app actually has its own digital signature and encryption protocols built-in, which are somewhat easy to enable once you know the procedure. I can dig up the instructions if you're interested.
However, for what I do with email, I'm not all that concerned. I don't email sensitive information like social security or credit card numbers. Online retailers rarely send that information back to you in receipts. Some passwords come through email, but few of any real importance. And the chances of someone being able to intercept that email in transit when that's the specific password they were looking for is slim.
#3
Posted 16 January 2005 - 10:50 AM
I agree with d00d - the contents of my emails are hardly such to give me concern. And it's not that easy to snatch an email off a network in transit, so there'd need to be some expectation of information return to make the effort. Plus, Ciphire, like PGP, which has been around for years and was ported to OS X quite a while ago, needs to be used by both sender and receiver. Usually the hard part is making sure that the receiver has the same software, and is willing to use it. How many people use PGP? I don't know of any (lots who've checked it out, but who don't use it regularly), for that very reason - it just is too difficult to get everyone onboard. And Ciphire is a beta release, for evaluation only (do they plan to charge for it later?), so many people won't be willing to switch to it full time, at least not for business/professional use.
#4
Posted 16 January 2005 - 01:56 PM
I use GPG with business colleagues when I work at home, but it's relatively easy because we've all agreed to use that program and have exchanged public keys.
There's not much sense sending it to anyone else, because they won't know what to do with it. Sadly, my words are not so interesting that anyone would install new software just to read them.
I think universal encrypted mail is overdue, for the same reason postal mail is sent in envelopes. But it's not going to be used outside of small niches until all the popular e-mail clients come with a standard, easy-to-use automatic encryption/decryption scheme, including easy-to-use access to a public library of public keys. And that probably won't happen until the market demands it. And right now, nobody is demanding it.
#6
Posted 17 January 2005 - 09:48 PM
drmbb,
Thanks for your comment. I agree the most difficult part is to have matching technologies on both (or more) sides for it to work. I can imagine that in the past encrypting software was just too technical/expensive for the usual John Doe to use it, but maybe Ciphire can crack this nut. Even though still beta, it really works well for me: you install it, and the rest is done by the software. It checks by itself if the recipient(s) also use Ciphire; if not, it only signs the mail, otherwise it encrypts it. And it deletes the signature from the mail as well, so if both parties are using Ciphire or you forward a signed mail, the signature will not be shown.
And they claim it still will be free for private use, non-commercial organizations and the press after the beta phase.
Do I necessarily need the possibility to encrypt my (private) mails? No, I got along for the last 10 years without it, and I don't think I will be the target of any criminals to find anything of value in my mails. But that's mainly because I know I shouldn't send any information that could be misused via mail. But would I do it if I knew my mail would be safe? I guess so...
And I am sure there are a lot of users out there who don't really think about what they are actually sending. I bet if a hacker could get hold of a mail server and just search the terms "credit card no." or "PIN" he or she would have quite a lot of "hits"....
And lastly: better safe than sorry ;-)
Cheers from Tokyo,
arne
#7
Posted 17 January 2005 - 09:57 PM
In reply to:
I think universal encrypted mail is overdue, for the same reason postal mail is sent in envelopes. But it's not going to be used outside of a small niches until all the popular e-mail clients come with a standard, easy-to-use automatic encryption/decryption scheme, including easy to use access to a public library of public keys. And that probably won't happen until the market demands it. And right now, Nobody is demanding it.
I also think that universal encrypted mail is overdue. I mean, the internet community is always looking for securing things & "anonyminize" personalities. OS X is said to be the "most advanced OS", yet I only learn through Derik in his earlier post that Mail.app might have an encryption ability by itself? This really surprises me.
But thanks for your comments!
Cheers,
arne
#8
Posted 17 January 2005 - 10:07 PM
O'Reilly has an article. (Mail supports S/MIME as long as you have the certificates in your Keychain, so mostly the article is about how to obtain a 3rd-party certificate & load the certificate in the keychain.)
(The complexity of this is why no one is going to do it just to read my mail!)
#9
Posted 18 January 2005 - 12:48 AM
car1son,
Thanks a lot for the interesting article! However, now I know already more about signatures & encrypted mailing than I always wanted to know, and it shows me again how easy Ciphire is to use!
Guess I will stick with it for a while and check it further out.
Cheers,
arne
#11
Posted 18 January 2005 - 07:58 AM
I suppose that depends on your definition of a "piece of cake". (The instructions on the two sites are the same, O'Reilly simply goes into more soothing detail on navigating the Thawte certificate website.) I don't think anyone but paranoid geeks are going to step through the dozen pages needed to get a certificate. And the fact that you are limited to browser and mail client is also a drawback. But it is nice that Safari 1.2 now recognizes the certificate and automatically puts it on the keychain.
But what needs to happen for this to be used by the masses is for Mail to automagically utilize the information in the address book to automatically create your certificate (asking only if you have a previous certificate to import first). My definition of "perfectly integrated" does not include having to re-enter a bunch of information the Mail app already knows into a third-party website (and then opt out of receiving spam from them and their "Business Partners").
Once you get the certificates loaded, Mail does an easy job of making signing and encrypting trivial. But other eMail clients, such as Outlook and Entourage, and Mozilla Thunderbird (I'm almost surprised it doesn't already), need to be equally facile at encrypting and signing/verifying messages. I can't really send an encrypted message unless I know the person I'm sending to participates as well.
And integration with an automatic Web directory of public keys would also be desirable; as is, in order to send you an encrypted message, I need to send you a message first stating "Send me a signed message so I can get your certificate and send you an encrypted message". Or maybe that exchange itself could be automated and built into Mail.
#12
Posted 18 January 2005 - 08:34 AM
I don't remember going through Thawte to be all that bad and it's a one time thing anyway. Having better integration would be nice, but you said it yourself, the demand simply isn't there. I'd rather go through Thawte's website than use something like Ciphire which locks me in and doesn't use standard protocols.
Thunderbird actually has support for the same protocol I believe and makes it pretty accessible through the lock toolbar icon when you're writing new mail.


