How to Protect E-Mail From Prying Eyes

Illustration: Harry Campbell
E-mail is an incredible communications tool, but it isn't very private. As it travels between sender and recipient across the Internet, snoops can intercept and scan it at many points along the way. That anyone would bother to do so for everyday e-mail is highly unlikely, but if you want genuinely private communication, you need to encrypt your messages.

The problem is, e-mail encryption can be a real pain. First you have to create a digital ID, in the form of a certificate from a third party. Then you must exchange IDs with every person to whom you might want to send a protected message.

And you'll need to back up your certificate religiously. Lose it (after a hard-drive crash, for instance), and you'll lose not only the ability to send or receive new encrypted e-mail, but also any chance of reading previously sent protected e-mail.

But with a little guidance and care, you can send business secrets (or sweet nothings) that only the intended recipient can read.

I worked with two e-mail programs, Microsoft's Outlook 2003 and Mozilla's Thunderbird. To use the built-in support for certificates in either program, first head to Comodo or Thawte, which both provide free certificates for secure e-mail.

I found Thawte's process smoother and more thorough, but neither site had especially simple instructions, particularly for finding your certificate after going through the online application. And in my testing, there were times when the process seemed to go fine, but the certificate never showed up.

That elusive new ID hides in the tucked-away "certificate store" of the Web browser you used to obtain it. IE and Outlook share a store, but Firefox and Thunderbird each use their own. Check the store for your ID, and export it for a backup right away.

To do so with IE, head to Tools, Internet Options, and click the Content tab. Once there, click the Certificates button. You should see your new certificate under the Personal tab; select it and click Export. In the resulting Export Wizard, choose to export the private key, keep the defaults for Export File Format, and come up with a password and file name.

For Firefox, go to Tools, Options, and choose the Advanced tab. Click the View Certificates button. In the Certificate Manager, select your new e-mail certificate under the Your Certificates tab and click the Backup button.

Save the exported certificate to a USB drive, a trusted online storage service, or some other safe place. Fortunately, IE and Outlook share the certificate store, so a certificate obtained with IE needs no separate import into Outlook. For Thunderbird, go through the same steps listed above for Firefox, but click the Import button instead of Backup, and browse to your exported certificate. If you're using a combination of Firefox and Outlook, go to Tools, Options in Outlook and select the Security tab; then click the Import/Export button at the bottom.
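A backup only helps if the exported file really contains the private key and opens with the password you chose. The following check is an added example, not part of the original article; it assumes the OpenSSL command-line tool is installed, and the names check_p12 and P12_PASS are made up for this sketch.

```shell
#!/usr/bin/env bash
# Added example: sanity-check an exported certificate backup (.p12 / .pfx).
# check_p12 and P12_PASS are names chosen for this sketch. The password is
# read from the P12_PASS environment variable so it never appears in argv.
# Return codes: 0 usable backup, 1 cannot open, 2 no private key inside,
#               3 key does not match certificate, 4 certificate expired.
check_p12() {
    local file=$1 cert cert_pub key_pub

    # Pull out the personal certificate only (no keys, no CA chain).
    cert=$(openssl pkcs12 -in "$file" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null) \
        || { echo "cannot open $file: wrong password or damaged file"; return 1; }
    cert_pub=$(printf '%s\n' "$cert" | openssl x509 -pubkey -noout 2>/dev/null) || cert_pub=""

    # Derive the public key from the stored private key. The key only passes
    # through a pipe; nothing unencrypted is written to disk.
    key_pub=$(openssl pkcs12 -in "$file" -passin env:P12_PASS -nocerts -nodes 2>/dev/null \
        | openssl pkey -pubout 2>/dev/null) || key_pub=""

    [ -n "$key_pub" ] || { echo "no private key in $file: certificate-only export"; return 2; }
    [ "$cert_pub" = "$key_pub" ] || { echo "private key does not match certificate"; return 3; }

    printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null \
        || { echo "certificate has already expired"; return 4; }

    # Show whose ID this is and when it stops being valid.
    printf '%s\n' "$cert" | openssl x509 -noout -email -enddate
    echo "backup OK: certificate and matching private key present"
}

# Stand-alone use: P12_PASS='...' ./check_p12.sh backup.p12
if [ "$#" -ge 1 ]; then check_p12 "$1"; fi
```

With OpenSSL 3.x, backups produced by older Windows export wizards may need `-legacy` added to the two `openssl pkcs12` calls, because those files use ciphers that OpenSSL 3 no longer loads by default.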

Now you're ready to swap certificates with other people so you can send them encrypted e-mail. In Outlook, bring up a new window for composing e-mail, fill in the address of the recipient, and then click the button in the toolbar showing a yellow envelope with a red spot; doing so digitally signs the message and sends your certificate to the addressee. For someone to add your new ID certificate to their version of Outlook, they must open your digitally signed message and then add you as one of their contacts.

In Thunderbird, select Security, Digitally Sign This Message as you type an e-mail. Thunderbird automatically adds newly received certificates from digital signatures.

Now, at long last, you're ready to send encrypted e-mail. While composing a message in Outlook, click the Encrypt button, a yellow envelope with a blue lock, on the second toolbar. In Thunderbird, select Security, Encrypt This Message. If you don't have the recipient's certificate, you'll see an error when you try to send. But if you've set everything up correctly, your e-mail will be safe from snoops.

Marc Philips, a network administrator based in St. Louis, contributed to this article.
