Let's Practice What We Preach

Phishing, email scams...we’ve heard them all, right? And we’ve also heard many a security professional — including me, right here in this column — say we should be making better use of digital signatures to bring some authentication to our emails.

However, there’s a dirty little secret when it comes to digital signatures: Hardly anyone actually uses them, even many security professionals.

I say it’s time we start practicing what we preach and make it a practice to sign our emails — each and every one of them.

Now, perhaps you’re saying you already use digital signatures, and I’ll be the first to admit I’m making a rather broad generalization here. But do you sign all of your emails, even when sending them to the technologically challenged? Do you have signing set as a default setting in your email client? Let’s consider that a bit…

Way back in January 2005, I recommended using digital signatures in emails as a way of combating email-based attacks. Since then, I’ve really been paying extra attention to the email traffic that comes through my inbox and outbox, and I noticed almost none of the emails I receive (or send) were signed. Even more disturbing to me was the fact that very few of the security professionals I correspond with use them.

That’s right, we’re out there telling our customers that digital signatures are an important technology, but we’re (largely) not even making use of them ourselves. We’re truly the cobbler’s kids in worn-out shoes.

Do It Yourself

So I decided to do something about it, at least in a small local sense. About two months ago, I decided to conduct my own little — and highly informal — experiment. I took the leap and configured my Thunderbird and Kmail email clients to sign my outgoing emails as the default setting. Along the way, I made a couple of observations I feel are worthy of note.

First off, my tech-savvy friends didn’t blink an eye. A few of them verified my digital signatures were intact, but for the most part, I didn’t hear a peep from them with regard to the signatures.

Then came my less tech-inclined contacts. Some of them were quite confused by the additional “stuff” in my email messages. My business attorney, for example, was downright vexed. But, instead of snatching defeat from the jaws of victory, I used the confusion as an opportunity to educate. Not surprisingly, most of them didn’t care much, and I certainly don’t expect any of them actually went and verified my digital signatures. But small steps were made. I view the mere fact they are now aware of what this stuff is as a modest step forward.

In each case, I told my non-tech friends the digital signature adds a level of trust to the email that isn’t normally there in Internet-based messaging. I explained that, if they chose to, they could verify with a high degree of confidence the emails actually came from me.

On the technical front, I also noticed some interoperability burps here and there that were more than just mildly frustrating, but none were show-stoppers in my view. For example, some email servers/gateways would occasionally “adjust” the whitespace and such in my messages, which caused the signature verification to fail. But very few people I corresponded with took note of this, and to some degree it is beside my point — which is more about awareness than anything else.
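The whitespace problem described above is exactly what OpenPGP's text-mode canonicalization (RFC 4880, section 5.2.1: strip trailing spaces and tabs, use CRLF line endings before hashing) is meant to absorb. The following is an added illustration, not code from the column or from any mail client; an HMAC with a constructed key stands in for the real public-key signature, and the gateway behaviour is a constructed model of the whitespace rewriting the column mentions.

```python
import hashlib
import hmac
import re

# Constructed demonstration key. Real S/MIME or PGP signing uses a private
# key; an HMAC stands in here because the canonicalization lesson is the same.
DEMO_KEY = b"demo-only-not-a-real-key"

# Constructed sample message with trailing spaces/tabs and LF line endings.
ORIGINAL = "Hi Bob,  \nPlease review the attached contract.\t\nThanks,\nAlice\n"


def canonicalize(text: str) -> bytes:
    """OpenPGP text-mode canonical form: trailing spaces and tabs removed from
    every line, line endings normalised to CRLF. Cosmetic edits made in
    transit therefore do not change the bytes that are hashed."""
    lines = re.split(r"\r\n|\r|\n", text)
    return "\r\n".join(line.rstrip(" \t") for line in lines).encode("utf-8")


def sign(body: str, canonical: bool) -> str:
    """'Sign' either the raw bytes or the canonical form of the body."""
    data = canonicalize(body) if canonical else body.encode("utf-8")
    return hmac.new(DEMO_KEY, data, hashlib.sha256).hexdigest()


def verify(body: str, sig: str, canonical: bool) -> bool:
    return hmac.compare_digest(sign(body, canonical), sig)


def gateway_rewrite(body: str) -> str:
    """Constructed model of a mail gateway that converts line endings to CRLF
    and trims trailing whitespace (the kind of 'adjustment' the column saw)."""
    return "\r\n".join(line.rstrip(" \t") for line in body.split("\n"))


def demo() -> tuple:
    """Returns (raw_signature_survives, canonical_signature_survives)."""
    rewritten = gateway_rewrite(ORIGINAL)
    raw_sig = sign(ORIGINAL, canonical=False)
    canon_sig = sign(ORIGINAL, canonical=True)
    return (verify(rewritten, raw_sig, False),
            verify(rewritten, canon_sig, True))


if __name__ == "__main__":
    print(demo())  # (False, True)
```

Canonicalization only forgives whitespace: a gateway that appends a footer or otherwise changes content still breaks the signature, which is the behaviour you want.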

You Can Make a Difference

So to my fellow security professionals reading this, I say please come join me. Let’s put some trust back in our email and sign each and every message — and continue to educate the masses of people that have no clue what all of this means. I believe it will make a difference if enough of us really do it in earnest.

Now, even if you agree with me, there are a couple of technology choices you’ll have to make. For starters, if your company doesn’t have a public key infrastructure (PKI) deployed, then your options are (pretty much) S/MIME or PGP. Either one (or both) should work just fine, since most email clients either come with or have easy plug-ins available to handle them.

You’ll also need to get or generate a public key (or certificate, depending on your technology choice and product’s nomenclature). Those can be generated for free in the case of PGP or quite inexpensively in the case of S/MIME. (Some S/MIME certificate providers offer low-grade certificates for free for a period of time, but most eventually charge for the authentication service.) In the case of PGP, you’ll also want to invest some time and effort in getting your key verified and signed by some colleagues, which is PGP’s basis for establishing trust.

Whatever your technology choice, the important thing is that you do it. Learn how your technology works and dive right on in. Use it with every email, not just “the important ones.” Let’s show the world we believe in the stuff we tell our companies and customers to use.