Melvin Rivera has written a nice tutorial for Mail users explaining how to get a digital certificate from Thawte and how to use Mail.app’s digital signature and encryption features.

He outlines the process for creating an account at Thawte and requesting a certificate and then installing it.

Further sections follow on the difference between a digitally signed and an encrypted message, and how to use them.

It’s interesting to compare Melvin’s take on secure email in Mail.app with Matt Haughey’s experience , which wasn’t so positive.

Melvin thinks it works well and is a good tool to have in your email armoury:

Other than the process of going though an external website for obtaining a certificate, Mail’s integration of signed and encrypted messages is seamless. It’s a great feature that is just hidden until needed. Making the user experience simple and clean. And there’s nothing like discovering a great new feature on an App you’ve been using for a long time now.

Joar Winfor has also produced a more detailed walkthrough for secure email in Mail.app, but more detail is not always good for everyone.thawte, certificate, X.509, digital signatures, encryption, secure email, security, mail.app, apple mail

GPGMail plugin users take note. According to a Hawk Wings reader, emails signed with the GPGMail plugin may not be as safe as you think.

He writes,

I thought you might like to know that there is a serious security flaw in the gpgmail plugin. I discovered the vulnerability a few weeks ago, though I’m not the first to do so.

The problem is that if gpgmail detects a valid signature for part of a message, it displays a notice to say that the message is signed, even if parts of it are not. As a result, it is possible for an attacker to add arbitrary data (extra text, attachments, etc) to a signed message and it will appear to the user that the whole message is signed.

There is more detailed discussion in the mailing list archives:

http://www.sente.ch/Lists/gpgmail-users/List.html

The username and password required to view the archives are “sente” and “sente”.

[Thanks, Nicholas]privacy, digital signatures, security, mail.app, apple mail, plugins, GPGMail

I feel a theme for the day developing!

First, a friend emails to say that his copy of Outlook does a weird thing with my Apple Mail digital signatures.

It seems to understand them OK, but displays them as an attachment. I wonder if all Windows email clients do that, or if it is just a feature of Outlook.

Secondly, the latest beta release of Outlook 12 has arrived. Since it is the most popular widely-used email client on the planet, that’s news even on Hawk Wings.

Looking at a screenshot of its RSS capability and yet more screenshots, it is hard — despite one’s better self — not to hanker after something more integrated, but something that is not Entourage.

[Thanks, Dan]