Encryption tutorial for Mail.app

Melvin Rivera has written a nice tutorial for Mail users explaining how to get a digital certificate from Thawte and how to use Mail.app’s digital signature and encryption features.

He outlines the process for creating an account at Thawte and requesting a certificate and then installing it.

Further sections follow on the difference between a digitally signed and an encrypted message, and how to use them.

It’s interesting to compare Melvin’s take on secure email in Mail.app with Matt Haughey’s experience, which wasn’t so positive.

Melvin thinks it works well and is a good tool to have in your email armoury:

Other than the process of going through an external website for obtaining a certificate, Mail’s integration of signed and encrypted messages is seamless. It’s a great feature that is just hidden until needed, making the user experience simple and clean. And there’s nothing like discovering a great new feature on an app you’ve been using for a long time now.

Joar Winfor has also produced a more detailed walkthrough for secure email in Mail.app, but more detail is not always good for everyone.


7 Responses to “Encryption tutorial for Mail.app”

  1. Elwing says:

    One thing I’ll warn people about if they really get into using (S/MIME) encrypted e-mail is a “bug” in Tiger. In order to check the revocation information of the certificate, Tiger downloads CRLs into a local database for caching. Only problem is that it doesn’t clear this cache, and after a year (or so) of using certificates, it will appear that Mail is crawling. The solution to this is to run
    /usr/bin/crlrefresh r p
    on a “regular” basis. I have it in my /etc/weekly.local file because I use certificates so much, but it could probably go in monthly.local just as easily (or run manually from time to time).

  2. jrk says:

    I used just such a setup for some time, but found that some servers — notably, I believe, some Exchange configurations (all of Nokia, for example) — filtered 100% of Mail.app S/MIME-signed messages as likely virus/spam. In a time when it’s already worrying enough, wondering if your messages are ever arriving at the intended recipient, having unexpected per-recipient (rather than per-message) black holes is much worse, still.

    Has anyone had any better luck or noticed if this issue has generally been resolved?

  3. Gibbons Burke says:

    My only problem using encryption is that some of my correspondents have mail systems that don’t know S/MIME from a hole in the ground, and in some cases are openly hostile to them – treating them as potential malware.

    In other cases, posting a ‘signed’ message to some mailing lists will munge the message so the recipient sees a warning about a possible man in the middle attack, which is perfectly justified – it’s doing exactly what a signed message is intended to do – let the user know the message has been tampered with en route to the destination.

    So, given the current technological reality, it would be great if Apple Mail would allow you to specify signature and encryption preferences on a per user basis. Currently Mail defaults to the setting for your most recent email sent. That way if I’m sending an email to a Yahoo Group or a Google Group mailing list it will be sent unsigned. To recipients whose certificates I have it would automatically encrypt those messages, etc.

    If I know that so and so uses a particularly brain-dead version of some mail program that doesn’t recognize them, or folks who don’t understand the technology and think it is suspicious, I can elect not to sign messages to them – but I’d like to be able to make that determination once and not have to remember to change my encryption settings with each email I send.

  4. Peter says:

    I went ahead and wrote a short write up on installing GnuPG and all its other goodies in Mail.app… I personally prefer GnuPG for my email encryption… since it’s based on PGP a lot of people are familiar with it. In any case my short write up is here.

  5. Michael says:

    PGP is another nice option, but it won’t interface with Mail. Sente have written a plugin:

    http://www.sente.ch/software/GPGMail/English.lproj/GPGMail.html

    But, as they say, it taps into a “private internal API”, so it’s not an ideal solution.

    There’s also a little more for the user to do in setting up PGP; and there’s a passphrase to remember. I don’t know that the latter is too great a handicap, since if you follow one recommendation and make up a “shocking nonsense” phrase -

    http://www.informationweek.com/management/showArticle.jhtml?articleID=164303537&pgno=2&queryText=

    - you can have a very long but quite memorable passphrase. Lines out of Lewis Carroll or Lear are probably memorable partly _because_ they’re nonsensical. Similarly, you’re not likely to forget a silly sentence you make up (not that you shouldn’t write it down and lock it away somewhere).

  6. TenaciousMC says:

    I’ve read that the certificate is only good for the computer it was issued on. Does this mean that I can’t use it on another Mac with the same user profile and settings? I was able to sync my keychain between 2 Macs using .Mac and see my public/private keys on the other Mac’s keychain. Should it still be able to work on the other Mac? I would like to be able to encrypt/sign email from a portable Mac when I’m away from home. Thanks!

  7. Nicholas Romyn says:

    Thawte no longer offers free email certificates. However, Comodo offers free SSL and email certificates through http://www.instantssl.com. However, I’ve been having difficulty convincing Mail in Snow Leopard to take the certificate, not sure why.

    Usually, this is a very, very simple procedure and Mail.app has made it fairly simple. More people should be using it!
