Establishing Digital Trust: Don't Sacrifice Security for Convenience
However, there's a dirty little secret when it comes to digital signatures: hardly anyone actually uses them, even many security professionals.
I say it's time we start practicing what we preach and make it a practice to sign our emails, each and every one of them.
Now, perhaps you're saying you already use digital signatures, and I'll be the first to admit I'm making a rather broad generalization here. But do you sign all of your emails, even when sending them to the technologically challenged? Do you have signing set as a default setting in your email client? Let's consider that a bit.
Way back in January 2005, I recommended using digital signatures in emails as a way of combating email-based attacks. Since then, I've really been paying extra attention to the email traffic that comes through my inbox and outbox, and I noticed almost none of the emails I receive (or send) were signed. Even more disturbing to me was the fact that very few of the security professionals I correspond with use them.
That's right, we're out there telling our customers that digital signatures are an important technology, but we're (largely) not even making use of them ourselves. We're truly the cobbler's kids in worn-out shoes.
Do It Yourself
So I decided to do something about it, at least in a small, local sense. About two months ago, I decided to conduct my own little and highly informal experiment. I took the leap and configured my Thunderbird and KMail email clients to sign my outgoing emails as the default setting. Along the way, I made a couple of observations I feel are worthy of note.
First off, my tech-savvy friends didn't blink an eye. A few of them verified my digital signatures were intact, but for the most part, I didn't hear a peep from them with regard to the signatures.
Then came my less tech-inclined contacts. Some of them were quite confused by the additional stuff in my email messages. My business attorney, for example, was downright vexed. But, instead of snatching defeat from the jaws of victory, I used the confusion as an opportunity to educate. Not surprisingly, most of them didn't care much, and I certainly don't expect any of them actually went and verified my digital signatures. But small steps were made. I view the mere fact they are now aware of what this stuff is as a modest step forward.
In each case, I told my non-tech friends the digital signature adds a level of trust to the email that isn't normally there in Internet-based messaging. I explained that, if they chose to, they could verify with a high degree of confidence the emails actually came from me.
On the technical front, I also noticed some interoperability burps here and there that were more than just mildly frustrating, but none were show-stoppers in my view. Some email servers/gateways would occasionally adjust the whitespace and such in my messages, which caused the signature verification to fail, for example. But very few people I corresponded with took note of this, and to some degree it is beside my point, which is more about awareness than anything else.
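The whitespace failure described above is a canonicalization problem: a signature over the exact bytes that left the sender breaks as soon as a gateway rewrites line endings or pads a line. The following Python is an added illustration, not code from the article or from any mail client. It signs the same message two ways, runs it through a constructed model of a whitespace-rewriting gateway, and shows that only the signature over a canonical form survives, while a real edit to the content is still caught. The message, the gateway model and the key are constructed, and HMAC-SHA256 stands in for the asymmetric signature an S/MIME or PGP client would actually produce; the canonicalization rules are modelled on those OpenPGP cleartext signatures (RFC 4880) and DKIM "relaxed" body canonicalization (RFC 6376) use.

```python
import hashlib
import hmac
import re

# Constructed stand-in for a signing key. A real S/MIME or PGP signature uses an
# asymmetric private key; HMAC-SHA256 is used only so the block runs with the
# standard library. The canonicalization logic is what this example is about.
SIGNING_KEY = b"example-signing-key-not-a-real-secret"


def canonicalize(body: str) -> bytes:
    """Normalize a text body before hashing: CRLF line endings, trailing
    spaces/tabs stripped from every line, trailing empty lines dropped.
    Interior text is left untouched, so real edits still change the hash."""
    lines = [line.rstrip(" \t") for line in re.split(r"\r\n|\r|\n", body)]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def sign_raw(body: str) -> str:
    """Naive approach: sign the bytes exactly as typed."""
    return hmac.new(SIGNING_KEY, body.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_raw(body: str, sig: str) -> bool:
    return hmac.compare_digest(sign_raw(body), sig)


def sign_canonical(body: str) -> str:
    """Sign the canonical form so cosmetic whitespace changes in transit do not matter."""
    return hmac.new(SIGNING_KEY, canonicalize(body), hashlib.sha256).hexdigest()


def verify_canonical(body: str, sig: str) -> bool:
    return hmac.compare_digest(sign_canonical(body), sig)


def gateway_rewrite(body: str) -> str:
    """Constructed model of the gateway behaviour the article describes: it
    converts LF to CRLF, pads one line with trailing spaces and appends a blank line."""
    rewritten = body.replace("\r\n", "\n").replace("\n", "\r\n")
    rewritten = rewritten.replace("Regards,", "Regards,   ")
    return rewritten + "\r\n"


def tamper(body: str) -> str:
    """A change to the actual content, which any correct scheme must still detect."""
    return body.replace("Friday", "Monday")


def demo() -> dict:
    """Constructed message: sign it, pass it through the gateway, check both schemes."""
    original = "Hi Bob,\nThe contract is due Friday.\nRegards,\nAlice\n"
    raw_sig = sign_raw(original)
    canon_sig = sign_canonical(original)
    received = gateway_rewrite(original)
    return {
        "raw_survives_gateway": verify_raw(received, raw_sig),            # False
        "canonical_survives_gateway": verify_canonical(received, canon_sig),  # True
        "canonical_catches_tamper": verify_canonical(tamper(received), canon_sig),  # False
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The practical lesson is the one the article hints at: when a verification fails, check whether the body changed cosmetically (line endings, trailing spaces, a gateway banner) before concluding it was altered, and prefer clients and formats that sign a canonical form rather than the raw bytes.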
You Can Make a Difference
So to my fellow security professionals reading this, I say please come join me. Let's put some trust back in our email and sign each and every message, and continue to educate the masses of people that have no clue what all of this means. I believe it will make a difference if enough of us really do it in earnest.
Now, even if you agree with me, there are a couple of technology choices you'll have to make. For starters, if your company doesn't have a public key infrastructure (PKI) deployed, then your options are (pretty much) S/MIME or PGP. Either one (or both) should work just fine, since most email clients either come with or have easy plug-ins available to handle them.
You'll also need to get or generate a public key (or certificate, depending on your technology choice and product's nomenclature). Those can be generated for free in the case of PGP or quite inexpensively in the case of S/MIME. (Some S/MIME certificate providers offer low-grade certificates for free for a period of time, but most eventually charge for the authentication service.) In the case of PGP, you'll also want to invest some time and effort in getting your key verified and signed by some colleagues, which is PGP's basis of establishing trust.
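The web of trust mentioned above is a computable rule, not a gut feeling, and it explains why getting colleagues to sign your key matters. The following Python is an added illustration, not code from the article or from GnuPG: it models how a key becomes valid from the certifications on it, using GnuPG's default thresholds (one fully trusted introducer or three marginally trusted ones, chains capped at depth five) and the rule that only a key you already consider valid can introduce others. The key ids, owner-trust assignments and certification graph are constructed; nothing here parses a real keyring.

```python
from dataclasses import dataclass, field

# GnuPG defaults for --completes-needed, --marginals-needed and --max-cert-depth.
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3
MAX_CERT_DEPTH = 5


@dataclass
class Keyring:
    # Owner trust you assigned: "ultimate" (your own key), "full", "marginal" or "none".
    # Owner trust says how much you rely on a person's certifications, which is a
    # separate question from whether their own key is valid.
    owner_trust: dict
    # Certifications: key id -> set of key ids whose owners signed that key.
    certs: dict = field(default_factory=dict)

    def valid_keys(self) -> dict:
        """Return {key_id: depth} for every key judged valid; depth is the length of
        the shortest certification chain from your own key."""
        valid = {k: 0 for k, t in self.owner_trust.items() if t == "ultimate"}
        for depth in range(1, MAX_CERT_DEPTH + 1):
            known = set(valid)  # snapshot: only keys valid before this round can introduce
            newly = {}
            for key, signers in self.certs.items():
                if key in valid:
                    continue
                trust_of_signers = [self.owner_trust.get(s, "none") for s in signers if s in known]
                full = sum(t in ("full", "ultimate") for t in trust_of_signers)
                marginal = sum(t == "marginal" for t in trust_of_signers)
                if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                    newly[key] = depth
            if not newly:
                break
            valid.update(newly)
        return valid

    def is_valid(self, key_id: str) -> bool:
        return key_id in self.valid_keys()


def build_example() -> Keyring:
    """Constructed scenario: ME is my own key; ALICE is a colleague I trust fully,
    BOB/CAROL/DAVE are colleagues I trust marginally, EVE I do not trust at all."""
    return Keyring(
        owner_trust={"ME": "ultimate", "ALICE": "full", "BOB": "marginal",
                     "CAROL": "marginal", "DAVE": "marginal", "EVE": "none",
                     "NEWHIRE": "none"},
        certs={
            "ALICE": {"ME"}, "BOB": {"ME"}, "CAROL": {"ME"}, "DAVE": {"ME"}, "EVE": {"ME"},
            "NEWHIRE": {"ALICE"},                  # one full introducer: valid
            "VENDOR": {"BOB", "CAROL"},            # only two marginals: not valid
            "CONTRACTOR": {"BOB", "CAROL", "DAVE"},  # three marginals: valid
            "STRANGER": {"NEWHIRE", "EVE"},        # signers are valid but not trusted introducers
        },
    )


if __name__ == "__main__":
    ring = build_example()
    for key, depth in sorted(ring.valid_keys().items(), key=lambda kv: (kv[1], kv[0])):
        print(f"{key:<11} valid at depth {depth}")
    for key in ("VENDOR", "STRANGER"):
        print(f"{key:<11} valid: {ring.is_valid(key)}")
```

Two points the model makes visible: a key you have verified yourself is valid regardless of how many other signatures it carries, and a valid key (NEWHIRE, EVE) contributes nothing to others until you decide to trust its owner as an introducer. That is why the colleague signatures the article recommends are worth collecting from people others already trust.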
Whatever your technology choice, the important thing is that you do it. Learn how your technology works and dive right on in. Use it with every email, not just the important ones. Let's show the world we believe in the stuff we tell our companies and customers to use.