The protocols for authenticating the sender of an email have always been very weak. For the most part it's an "honor" system, which is why spammers have such an easy time sending email with forged "From" addresses. We've needed effective email security for two decades now, and one of the impediments has been the availability of digital certificates for email at an affordable price (e.g. free). Besides letting a recipient authenticate a message's sender, certificates also give us integrity and confidentiality: a digital signature lets the recipient detect any alteration of the contents in transit, and the recipient's own certificate can be used to encrypt the contents so that only they can read them.

Recently StartSSL began offering free trusted certificates that can be used for email and other purposes. The following instructions show how to get one of these certificates and configure Outlook 2007 to digitally sign your outgoing email.

NOTE: At this time, only Windows 7 trusts these certificates out of the box; recipients running Vista or XP can install the update for Windows Root Certificates (http://support.microsoft.com/kb/931125) to gain the same trust. Whether a recipient sees your signature as trusted depends on their machine trusting the issuing root, not on anything you configure on yours.

  1. Use a web browser other than IE8 (I used Mozilla Firefox v3.5). IE8 on Windows 7 wouldn't allow me to create the certificate.
  2. Go to the StartSSL website at http://www.startssl.com/?app=1 (this is not an advertisement for these folks; you can get your certificate from any certificate provider, but this firm is currently offering them for free).
  3. Click on the Sign-Up button
  4. Accurately provide your name, address, country, phone number and email. StartSSL may invalidate your certificate if you don’t answer all the questions accurately. This is for everyone’s protection!
  5. Click on continue
  6. Receive a verification code via email; copy and paste it into the verification form.
  7. Select a "High Grade" certificate. The browser generates the key pair locally at this point; the CA only ever receives the public half, which is why the private key has to be backed up from the browser in the steps below.
  8. After the certificate has been generated, press “Install”.
  9. From the Mozilla Tools menu select Options to get this dialog:

    image 

  10. From the Firefox Options dialog, select the Advanced panel.
  11. On the Advanced panel, select the Encryption tab.
  12. Click the "View Certificates" button to get the Certificate Manager dialog:

    image
  13. On the "Your Certificates" tab, find and highlight the StartCom Free Certificate Member entry under StartCom Ltd.
  14. Click the "Backup…" button.

    image

  15. Provide a password to protect the backup file. IMPORTANT: You will need to remember this password, since the exported file cannot be used without it and there is no "recover password" capability.
  16. WARNING: The backup file (a PKCS#12 .p12 file) contains your private key, not just your certificate. Safeguard it: copy it to a memory stick or DVD, store that in a safe place, and delete the file from your computer's hard drive, but not until after completing the rest of these instructions. Anyone possessing this file, and able to guess or obtain its password, can sign email in your name!
  17. Run Outlook 2007.
  18. Select Tools / Trust Center from the menu.
  19. Select the E-Mail Security tab.
  20. Check "Add digital signature to outgoing messages" and "Send clear text signed messages when sending signed messages". The second option produces a multipart/signed message whose body stays readable in mail clients that do not understand S/MIME; without it, those recipients see only an opaque .p7m attachment.
  21. Click the Import/Export Digital ID button to get the Import/Export Digital ID dialog:

    image 

  22. Click the "Browse" button and locate the certificate backup (.p12) file that you previously exported from the browser.
  23. Provide the password that you used when exporting the backup and a friendly Digital ID name to identify it with (I suggest your email address or your name).

    image

  24. Press OK on the Import/Export Digital ID Dialog and you will be returned to the Trust Center Dialog. Press the “Settings…” button:

    image

  25. You will be taken to the “Change Security Settings” Dialog. Click on the “Choose” button to select a signing certificate:

    image

  26. Select the appropriate certificate from the “Windows Security” dialog box.

    image

  27. OPTIONAL: If you have more than one certificate, click the "Click here to view certificate" link and look at the "Subject" property on the Details tab of the Certificate Details dialog to confirm you picked the right one:

    image

  28. Press OK and you will see the "Importing a new private exchange key" dialog:

    image

  29. I suggest keeping the default of Medium security, which asks you to confirm each time the private key is used. You can raise the level to High, which requires you to type a password for each email you sign. That can be a pain, but it reduces the likelihood that your signature is used without your permission by a person at your keyboard or by a piece of malware. Press OK after you have made your selection, then press OK again to close the Trust Center dialog.
  30. Now that the configuration is complete, you may send emails just as before. The only difference is that they will now be digitally signed:

    image 

  31. When an email that has been digitally signed arrives, it will have a small icon just to the left of the paperclip (attachment) icon:

    image 

  32. When you open a digitally signed email, a certificate icon appears in the message header:

    image 

  33. Click the certificate icon (circled) to open the Digital Signature dialog. If the signature is valid, it shows the message "Valid and Trusted" along with the name of the person who sent the email; that means the signature matches the message contents as received and the signer's certificate chains to a root your machine trusts, nothing more about whether the message itself is honest. The certificate can be inspected further by clicking the "Details…" button. Keep the "Warn me about errors in digitally signed email before message opens" checkbox checked.

    image

  34. The "Details…" button displays the following dialog:

    image

  35. By making use of digital signatures in our emails we can significantly improve the trustworthiness of email received over the Internet. Assuming eventual widespread adoption, this would make spam and phishing that rely on a forged "From" address much harder, because a recipient could tell a signed message from a merely claimed sender.
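The steps above are all done through dialogs, so nothing shows what the artifacts actually are. The following is an added example, not part of the original post, that reproduces the same round trip with the openssl command line: a constructed self-signed certificate stands in for the StartCom-issued one, the backup file is a password-protected PKCS#12 like the one Firefox exports in step 14, the message is clear-signed as in step 20, and the verification is the check behind "Valid and Trusted" in step 33, including what happens when the body is altered after signing. Every name, address and password in it is made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): the sign / back-up / verify
# round trip that Firefox and Outlook perform in the steps above, done with
# the openssl command line so each artifact can be inspected. A constructed
# self-signed certificate stands in for the StartCom-issued one; every name,
# address and password here is made up for the demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
BACKUP_PASS='chosen-in-step-15'   # stands in for the password from step 15

# Stand-in for the certificate the CA issued (the real one is not self-signed
# and chains to StartCom; the browser generated its key pair locally in step 7).
make_stand_in_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj '/CN=Alice Example/emailAddress=alice@example.invalid' \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Steps 14-16: the browser's "Backup..." writes a password-protected PKCS#12
# (.p12) file that bundles the certificate WITH its private key.
make_backup() {
  openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
    -name 'alice@example.invalid' -passout "pass:$BACKUP_PASS" \
    -out "$WORK/backup.p12"
}

# Steps 22-23: importing the backup requires the same password. Prints "ok"
# when the given password opens the file and "refused" otherwise.
import_backup() {
  if openssl pkcs12 -in "$WORK/backup.p12" -nodes -passin "pass:$1" \
       -out "$WORK/restored.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo refused
  fi
}

# Step 20: a clear-text signed message, i.e. multipart/signed with the body in
# the clear and a detached PKCS#7 signature, so recipients without S/MIME
# support still see the text. Prints the path of the signed message.
sign_message() {
  printf '%s\n' "$1" > "$WORK/body.txt"
  openssl smime -sign -in "$WORK/body.txt" -text \
    -signer "$WORK/cert.pem" -inkey "$WORK/key.pem" \
    -from alice@example.invalid -to bob@example.invalid -subject 'Signed test' \
    -out "$WORK/signed.eml"
  echo "$WORK/signed.eml"
}

# Step 33: what Outlook's "Valid and Trusted" check amounts to. The signer's
# certificate must chain to a trusted root (-CAfile plays the role of the
# Windows root store) and the digest must match the body as received.
verify_message() {
  if openssl smime -verify -in "$1" -CAfile "$WORK/cert.pem" \
       -out "$WORK/verified.txt" >/dev/null 2>&1; then
    echo 'Valid and Trusted'
  else
    echo 'Signature invalid'
  fi
}

# The integrity property from the opening paragraph: change one figure in the
# clear-text body after signing and verification fails. Prints the new path.
tamper() {
  sed 's/1,000/9,000/' "$1" > "$WORK/tampered.eml"
  echo "$WORK/tampered.eml"
}

make_stand_in_cert
make_backup
echo "import with wrong password: $(import_backup wrong-password)"
echo "import with right password: $(import_backup "$BACKUP_PASS")"
SIGNED=$(sign_message 'Please transfer 1,000 to the usual account. - Alice')
echo "original message:           $(verify_message "$SIGNED")"
echo "after tampering:            $(verify_message "$(tamper "$SIGNED")")"
```

Run it with sh; it needs only the openssl CLI. The `-CAfile` argument stands in for the Windows root store mentioned in the NOTE above: a recipient whose store lacks the issuing root sees the signature as untrusted even though the digest still matches, which is exactly the Vista/XP situation the KB update fixes.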