January 6th, 2010


Getting Serious About Security: Email and You

In the beginning of this series on security, "The Privacy Mandate", I talked about why one should worry about their privacy and security online as well as some tools to use to make your experience that much more secure and private. In "Getting Serious About Security", I discussed how to make your browsing and IM experience as anonymous as possible. Today I would like to discuss email security with you.

For as long as email has been around, it has been seen as an open, non-private means of communicating with others. Passwords are generally transferred in plain text for both sending and retrieval (SMTP and POP3), or over a web login without an encrypted connection (https). That was the case in the olden days at least; nowadays most if not all good providers use https for their web login. So how can you secure your email communications? First, you can start by changing your password on a regular basis (once every six months should suffice), or by choosing a sufficiently strong password (if allowed, that would include mixed case, punctuation, and numbers) and changing it once a year.

If you are on a multi-user computer and you value your password enough not to share it with other users of the computer, why would you share your email password with every server on the net that your data passes through? The answer is you probably wouldn't, and you shouldn't. If you have a decent mail host you should be able to connect via SSL or TLS. Both are accepted means of transmitting your user name, password and email (at least to your mail server) in a secure manner. If your mail host doesn't provide such connections, I urge you to petition them to do so or find another mail host. There are plenty of them out there that respect your privacy enough to provide such secure options (disclosure: My own web host, Blue Host, provides TLS connections).
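One way to see whether a mail host offers the TLS upgrade described above is to read the capability list it announces on its plaintext SMTP and POP3 ports. The following is an added example, not part of the original post; the two server replies are constructed samples and the function names are hypothetical.

```python
# Constructed server replies for illustration; not captured from a real host.
SMTP_EHLO = """\
250-mail.example.net Hello client.example.org
250-SIZE 52428800
250-STARTTLS
250-AUTH PLAIN LOGIN
250 HELP
"""
POP3_CAPA = """\
+OK Capability list follows
TOP
UIDL
USER
SASL PLAIN LOGIN
.
"""

def smtp_capabilities(reply):
    """Parse a multi-line 250 EHLO reply into {KEYWORD: [params]}."""
    caps = {}
    for line in reply.strip().splitlines()[1:]:   # line 1 is the greeting
        words = line[4:].split()                  # drop "250-" / "250 "
        if line.startswith("250") and words:
            caps[words[0].upper()] = [w.upper() for w in words[1:]]
    return caps

def pop3_capabilities(reply):
    """Parse a POP3 CAPA reply into {KEYWORD: [params]}."""
    caps = {}
    for line in reply.strip().splitlines()[1:]:   # line 1 is the +OK status
        if line.strip() == ".":                   # end-of-list terminator
            break
        words = line.split()
        if words:
            caps[words[0].upper()] = [w.upper() for w in words[1:]]
    return caps

def assess(caps, tls_keyword, login_keywords):
    """Classify what a plaintext port offers before any TLS upgrade."""
    if tls_keyword not in caps:
        return "no-tls"            # password can only be sent in the clear
    if any(k in caps for k in login_keywords):
        return "tls-optional"      # safe only if the client insists on TLS
    return "login-after-tls-only"  # server withholds login until upgraded

def check_samples():
    """Assess both constructed replies: (SMTP result, POP3 result)."""
    return (assess(smtp_capabilities(SMTP_EHLO), "STARTTLS", ["AUTH"]),
            assess(pop3_capabilities(POP3_CAPA), "STLS", ["USER", "SASL"]))
```

A "tls-optional" result means the account settings in the mail client decide whether the password is protected, so the client should be set to require the encrypted connection rather than merely prefer it.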

Now that is all well and good for getting your email to and from your mail host, but what about around the rest of the web? How do you let people know that the mail is from who it says it is? How do you provide them with the security that there isn't someone else intercepting your email?

That is where tools like GnuPG come in. Coupled with a good MUA such as Mozilla Thunderbird and a plugin like Enigmail (GnuPG is a prerequisite for using Enigmail), it lets you digitally sign your email. Of course that's only the last step in this process. There are probably plugins for your particular MUA, most are listed here. My own experience is with Thunderbird and Enigmail currently. I'll be getting to Microsoft Outlook and one of the plugins for it in the coming weeks. Otherwise, feel free to submit your own setup instructions and screen shots for your particular MUA in the comments for inclusion in an updated security how-to. To begin with, after you have GnuPG and Enigmail installed, you need to generate your first key pair.

Identifying Yourself And Securing That Identity

So we've got GnuPG command line client installed. Maybe we even installed the GnuPG Shell to go with it. We have Thunderbird ready with the Enigmail plugin. Where do we go from here? Notice: All instructions are for Thunderbird 3.0 and Enigmail on Windows XP SP3. Your mileage may vary. Instructions for other clients and on other OSes will be addressed in a future web site feature combining this series into one document.

First let's open up Enigmail from the menu in Thunderbird. The menu entry will read OpenPGP and can be reached with alt+n or the mouse.

OpenPGP Menu

Next we want to select the Key Management option.

Key management

Now, if you haven't received any PGP-signed email to verify, your key management window will be empty. We will fix that by opening the "Generate" menu and selecting "New Key Pair" from the drop down.

Generate -> New Key Pair

That will open the following window.

Basic Options for Key Pair Generation

For most users the default, basic options will suffice. Follow the resulting instructions (doing lots of disk intensive operations during key generation is not only recommended, it should be mandatory). Put in a passphrase (not using one really defeats the purpose of securing your identity in email communications). If you have more than one email account set up in Thunderbird, you can generate a separate key pair for each account. Just keep your pass phrases secure; if you forget one you won't be able to use the key you just created! For more advanced users, click on the advanced tab for some more options.

Advanced Key Pair Generation - Key Size Selection

Advanced Key Pair Generation - Key Type Selection

As you can see, you can select the key size (bigger is always better in this case, although it is also slower) as well as the algorithm to be used (I suggest researching on your own the differences between the two different options, although I will go into a discussion about them sometime in the coming weeks). Once you have your pass phrase typed in (twice) and you've checked the option to have the key used with the identity selected, click generate and start doing as many disk intensive operations as you can. Open and close large programs as much as you can (without making the system unstable, of course). Open and close large files. Do everything you can to help add to the randomness of the key generation. The more random data that can be collected during key creation, the better off the key will be.

When you're done with that, your key management window will have your new key listed. You still have one more step to go, though, before you'll be fully ready to use your key (and let other people verify it). You need to upload your key to a key server.

You'll just need to highlight (select) your key, and then select the upload key to public server option.

Upload Public Keys to Public Key Server

Once your key is uploaded, you are ready to sign your email, letting people around the world (who use PGP/OpenPGP/GnuPG) know you are who you say you are. Of course there is the issue of verification. It gets harder, though, the less you know a person. Ideally the best way to verify you are who you say you are is to not only exchange keys in person, but to sign each other's keys in person as well. That is the only 100% way to achieve verification of the other person. With less reliable methods, you can only at best be marginally sure that you are talking to who you think you are talking with.
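The in-person check described above comes down to comparing the fingerprint the other person reads out with the one on the key you actually hold, and the same listing also shows the key size and algorithm chosen during generation. The following is an added example, not part of the original post: it parses the machine-readable listing printed by `gpg --with-colons --fingerprint`; the listing, key ID and fingerprint are constructed sample values and the function names are hypothetical.

```python
# Constructed `gpg --with-colons --fingerprint` output; the key ID, dates and
# fingerprint are made-up sample values, not a real key.
SAMPLE_LISTING = """\
pub:u:2048:1:89ABCDEF01234567:1262736000:::u:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1262736000::::Alice Example <alice@example.org>:
sub:u:2048:1:76543210FEDCBA98:1262736000::::::e:
"""

# OpenPGP public-key algorithm numbers as they appear in field 4.
ALGORITHMS = {1: "RSA", 16: "Elgamal", 17: "DSA"}

def parse_keys(listing):
    """Return one dict per primary key found in a colon-format listing."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({
                "keyid": f[4],
                "bits": int(f[2]),
                "algorithm": ALGORITHMS.get(int(f[3]), f[3]),
                "fingerprint": None,
                "uids": [],
            })
        elif f[0] == "fpr" and keys and keys[-1]["fingerprint"] is None:
            # Only the first fpr record after "pub" belongs to the primary key;
            # later ones (if any) describe subkeys.
            keys[-1]["fingerprint"] = f[9].upper()
        elif f[0] == "uid" and keys:
            keys[-1]["uids"].append(f[9])
    return keys

def normalise(fingerprint):
    """Strip the spacing people use when reading a fingerprint aloud."""
    return "".join(fingerprint.split()).upper()

def fingerprint_matches(key, spoken):
    """True only if the full fingerprint matches, not just the short key ID."""
    return key["fingerprint"] is not None and key["fingerprint"] == normalise(spoken)

def describe(key):
    """One-line summary to read back during an in-person exchange."""
    return "%s %d-bit, %s" % (key["algorithm"], key["bits"], ", ".join(key["uids"]))
```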

Two rules of thumb to remember when using GPG (or any other public/private key pair identity system):

  1. Never, ever share your pass phrase with anyone.

  2. Never, ever lose track of your private key. Without it your public key is useless.

There is a ton of documentation out there for the use of Enigmail and GnuPG, especially on their respective sites. If you are new to using either of them, I highly recommend reading up on the documentation. In a world where personal security and identity protection are essential, you can never have too much information on the tools you are using.

Providing Yourself Anonymity: Anonymous Proxy Relay - Tor Settings

The next step in providing yourself with privacy is setting up Thunderbird 3 (as with GnuPG, other clients/platforms will be included when all this gets combined onto a static website) to use Tor for anonymous proxy relay. You will most likely also have to adjust time-outs accordingly (which will be discussed here).

The settings will be just like for Firefox. The reason for the connection timeout change is that it can sometimes take longer than normal to establish a circuit to and from your mail server (if you are running a local mail server, this might not apply; see your mail server's documentation for passing it through a proxy once it's outside your local network if you wish for this additional layer of privacy).

Thunderbird 3.0 Proxy Settings

This takes care of your proxy settings. If you connect to any mail server over an unsecured connection (port 110), Tor will warn you about this potential security hazard. If you absolutely cannot use SSL or TLS with that server, all you can do is ignore it, but this means that anyone who intercepts your packets to the entry router or from the exit router will be able to read your login and password details.

To adjust your proxy timeout settings in Thunderbird, you will need to hit ok on the connection settings and open the config manager. Take heed of the warning! If you are not entirely comfortable messing with these settings, I recommend that you find a trusted friend who is and ask them to do this for you. I make no guarantees about the continued stability of Thunderbird if you mess with any of the settings past what I'm showing.

From here we want to search for timeout settings.

Timeout configuration for Thunderbird 3.0

I use 1800 seconds (yes, that is measured in seconds) because it provides a long enough time for a circuit to be created. I've had great success with those settings. If you use Thunderbird for NNTP, set the mailnews.tcptimeout to 1800 seconds as well.
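To confirm the proxy and timeout changes actually landed in the profile, the saved `prefs.js` can be checked after closing Thunderbird. The following is an added example, not part of the original post: it assumes Tor's default local SOCKS listener at 127.0.0.1:9050, uses the Mozilla `network.proxy.*` preference names (only `mailnews.tcptimeout` is named in the article), and runs on a constructed `prefs.js` excerpt. It also checks that host names are resolved through the proxy rather than locally, where a lookup would bypass Tor.

```python
import re

# Constructed prefs.js excerpt for illustration; not taken from a real profile.
SAMPLE_PREFS = '''
user_pref("mailnews.tcptimeout", 60);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 9050);
user_pref("network.proxy.socks_remote_dns", false);
user_pref("network.proxy.type", 1);
'''

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_prefs(text):
    """Read user_pref("name", value); lines into a dict with typed values."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(prefs, socks_host="127.0.0.1", socks_port=9050, min_timeout=1800):
    """Return a list of findings; an empty list means every check passed.

    socks_host/socks_port are assumptions (Tor's default SOCKS listener);
    min_timeout is the 1800 seconds used in the article.
    """
    findings = []
    if prefs.get("network.proxy.type") != 1:          # 1 = manual proxy config
        findings.append("proxy-not-manual")
    endpoint = (prefs.get("network.proxy.socks"),
                prefs.get("network.proxy.socks_port"))
    if endpoint != (socks_host, socks_port):
        findings.append("socks-endpoint-mismatch")
    if prefs.get("network.proxy.socks_remote_dns") is not True:
        findings.append("dns-resolved-locally")       # lookups bypass the proxy
    if prefs.get("mailnews.tcptimeout", 0) < min_timeout:
        findings.append("timeout-below-article-value")
    return findings
```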

You might have some issues with RSS polling if you use Thunderbird as your news reader as well. I highly recommend moving to a stand-alone application for reading your news feeds.

That about covers securing your privacy and identity within Thunderbird. I'll have one more article concerning encryption of your IMs in the coming weeks as well as everything else I've mentioned. That will be my last article in this series before I move everything to a static website.

If any of these articles have helped you, please leave a comment. Also please leave a comment if you have suggestions or updates or corrections to anything I've posted.


Originally published at Ameliorations 1.0.