Email Security and S/MIME

Information Security

As I wrote in one of my previous posts, emails are not a secure way to communicate and exchange confidential information but this is not all. In information security, the CIA triad (confidentiality, integrity and availability) is often cited alongside with other key elements such as authenticity and non-repudiation. It is important to keep in mind these elements in order to protect our information. Unfortunately, email structure is not designed to provide these concepts out of the box.

Often, we do not ask questions about an email received from a known contact. Nevertheless, the sender email address is not enough to authenticate the correspondent and the email address could be easily spoofed by someone else. There are technical measures available to prevent these situations often used by spammers and mainly to produce a phishing attack. Problem solved? Not quite. These preventive measures have to be implemented by the domain owner but are not mandatory for each domain. Popular email services have configured these protections but it is not the case with email addresses from many Internet service providers or organizations. However, these antispam measures only validate that an email was sent from a legitimate server. Nothing about authenticating the real person behind the email address. A malicious person could create anytime an email address looking just like yours with a free email service and try to send emails on your behalf. So we never can’t be sure that our correspondent is really the person that we think he is. In many ways, an email could also be intercepted and the content read by someone else than the receiver. Therefore it could be altered between the sender and original receiver. Same without encryption, your receiver should have the assurance that all information stays valid during transmission.

In order to fix these problems, a user could obtain an S/MIME certificate that works under the principle of public and private keys. Other than S/MIME, PGP is also a free alternative. Most users think that these technologies are only for encryption between sender and receiver but this is not the only advantage. In fact, a user will have the possibility to digitally sign all outgoing emails with an installed certificate. The objectives are to maintain integrity, authenticity and non-repudiation. Unlike encryption, the receiver doesn’t need a certificate to verify the digital signature. The receiver will be able to consult your public certificate with information validated by a Certification Authority (CA). Depending on your CA choice, your identity will be verified according to your email address (Class 1) or a complete verification with official IDs such as a license driver or passport (Class 2). Personally, I use the “Secure Email Digital Certificates” from Comodo which is a class 2 verification and only 12$ per year. In my case, when I send an email to someone, this person can look at my certificate and confirm that my identity was verified by Comodo.

Of course, there are some drawbacks with the use of S/MIME certificates. Some free webmail services such as or Gmail doesn’t recognize the signature and will simply attach a “smime.p7s” file. This file could be confusing for some users. However, most recent email softwares have this functionality embedded by default.