How To: Secure and Private Email How To: Secure and Private Email A Manual By Ryan Porterfield CONTENTS 1.0 Introduction ................................................................................................... 1 Disclaimer ........................................................................................................ 1 2.0 Choosing an Email Provider ........................................................................... 3 2.1 POP3 vs IMAP ............................................................................................. 3 2.2 Location of Servers ..................................................................................... 3 2.3 Privacy Policy.............................................................................................. 4 2.4 When You Can’t Choose Your Email Provider ............................................ 4 3.0 Choosing an Email Client ................................................................................ 5 3.1 Support for Email Encryption ..................................................................... 5 3.2 Open Source vs Proprietary ....................................................................... 5 4.0 Choosing a Secure Password.......................................................................... 7 5.0 Configuration How-To .................................................................................... 9 5.1 Configuring Thunderbird ............................................................................ 9 5.2 GPG .......................................................................................................... 11 5.3 Configuring Enigmail ................................................................................ 12 5.4 Sharing Keys and Sending Email ............................................................... 16 5.4.1 Exporting a Key ................................................................................. 16 5.4.2 Importing a Key ................................................................................. 18 5.4.3 Sending an Encrypted Email .............................................................. 19 iii LIST OF FIGURES Figure 1 .............................................................................................................. 10 Figure 2 .............................................................................................................. 11 Figure 3 .............................................................................................................. 12 Figure 4 .............................................................................................................. 12 Figure 5 .............................................................................................................. 13 Figure 6 .............................................................................................................. 14 Figure 7 .............................................................................................................. 15 Figure 8 .............................................................................................................. 16 Figure 9 .............................................................................................................. 17 Figure 10 ............................................................................................................ 17 Figure 11 ............................................................................................................ 18 Figure 12 ............................................................................................................ 19 iv 1.0 INTRODUCTION The ability to have private conversations with friends or acquaintances is a right most people expect they have. It is also a necessity for people discussing business or trade secrets, activists, and a group of friends planning a surprise birthday party for their friend. However, in the digital age, keeping communications private is becoming harder and harder. Whether it’s a government monitoring people for international security purposes, a hacker spying on someone maliciously, or a nosy friend reading through your emails, communications are constantly being monitored. As the expectation of privacy and lack of actual privacy conflict, it is more important than ever to make sure digital communications are kept both secure and private. This manual will teach you how to keep your email communications private under a range of circumstances. In the ideal circumstance, the user can choose their email provider and is sending email to contacts who are also using a trustworthy email provider. Under slightly less ideal circumstances, the user can control their email provider, but their contact is not using a trustworthy email provider. In the least ideal circumstance, the user cannot control their email provider, perhaps because it was assigned by work or school. This manual will help the user choose an email provider, configure an email client, and then help the user set up Gnu Privacy Guard to encrypt emails. DISCLAIMER This manual does not guarantee that all of your communications will be kept completely secret from all entities. It does not guarantee privacy or security when used incorrectly. This manual will not help if you are looking for a way to keep all of your electronic communications private from national governments or other state-sponsored entities. 1 2 2.0 CHOOSING AN EMAIL PROVIDER There are many things to consider when choosing an email provider, such as price, location of servers, supported protocols, Terms of Service, Privacy Policy, and available email addresses to name a few. For our purposes, we will be covering only the privacy related topics, supported protocols (POP3 vs. IMAP), location of servers, and Privacy Policy. Other things that may be important to you such as price should be considered on your own. 2.1 POP3 VS IMAP There are two protocols for receiving email, and one for sending. Since there is only one supported protocol for sending email (SMTP) we won’t focus on it, and instead will consider the two protocols for receiving email, POP3 and IMAP. Post Office Protocol (POP) was originally developed in 1984. POP3 works by downloading all of your email from the server, to your computer. This is good when you are very concerned about your communications being intercepted or hacked, as nothing is left on the server for an adversary to read. The drawback to POP3 is that if you access email from multiple locations, such as a home computer, work computer, phone, or tablet, you cannot read email messages downloaded to a different device. Internet Message Access Protocol (IMAP) was originally developed in 1986. IMAP gets a list of emails from the server, but not the email content. This takes up less bandwidth which is good for people with slow connections, or a monthly bandwidth limit. Also, because IMAP leaves emails on the server, you can access all of your emails from multiple login locations. For general email use, IMAP is recommended. 2.2 LOCATION OF SERVERS The location of servers can be a very important factor in choosing an email provider depending on what you use email for. For general use by American 3 users, servers in the U.S. are the best choice. For activists or people concerned with corporate entities or governments getting a hold of their email, servers in countries with strong privacy laws such as Italy or the Netherlands are a better choice. Most large email providers such as Google and Yahoo have servers in multiple countries, and users may have no control over which country the servers they connect to are in. There are a few countries to avoid, such as Iran, China, and Syria (as well as a few others) where internet access is heavily monitored and restricted. For the average user, servers in the United States are recommended. 2.3 PRIVACY POLICY Perhaps the most important aspect in choosing an email provider is the Privacy Policy. The Privacy Policy of an email provider details the steps that the company guarantees to take (or not to take) to keep a user’s data private. For example, some companies such as Google and Yahoo reserve the right to scan a user’s email (incoming and outgoing) and use that data for advertising purposes. For someone concerned with privacy, this would not be acceptable. On the other end of the spectrum, some email providers such as Austici/Inventati do not keep logs of users accessing their service, and Vmail encrypts all data on their servers. Privacy Policies are usually short, and it is recommended to read the Privacy Policy of all email services you are considering. 2.4 WHEN YOU CAN’T CHOOSE YOUR EMAIL PROVIDER In some cases, you are stuck using an email provider you have no control over, such as a work or school email address. Other times, you may be sending an email to someone who uses an email provider you don’t trust. Encrypting your email is always recommended, but is especially useful in these cases. Email encryption is covered in section 3.0. 4 3.0 CHOOSING AN EMAIL CLIENT There are a few things to consider when choosing an email client. Frequency of security updates, interface usability, encryption support, open source vs. proprietary, and trust in the developer are a few of the things to consider. Of these, encryption support is the most important, followed closely by open source vs. proprietary considerations. 3.1 SUPPORT FOR EMAIL ENCRYPTION Most email clients support some form of encryption. Claws Mail, Thunderbird, and Outlook all have some support for email encryption. Claws Mail is a simple, lightweight, lightning fast client that is lacking in features, and has a less-than-attractive interface. Thunderbird is developed by Mozilla and is the email counterpart to the Firefox web browser. Thunderbird is more full featured, but also slower. Outlook is slower, but has an interface that is familiar to most windows users. All three email clients require a plugin to support encryption, but installation is simple. 3.2 OPEN SOURCE VS PROPRIETARY The development model of an email client can be a factor in choosing a client. Open source means that anyone can look at and contribute to the source code, while proprietary means that the source code is closely controlled by the entity who owns it (usually a corporation). While it may seem that open source is less safe because anyone can contribute, the opposite is true. When a project is open source, multiple individuals or organizations can “audit” the source code and verify that it is safe. Also for most open source projects, code that is contributed has to be approved by the original author of the project, so safety is maintained. Proprietary software on the other hand cannot be audited by neutral third parties, and may have security holes that the programmers are unaware of. 5 Also in some cases, proprietary software may have a “backdoor” that allows the persons or company who developed the software to spy on its users. Open source software is recommended, and both Thunderbird and Claws Mail are open source. Microsoft Outlook is proprietary. The email client recommended and used in the following tutorial is Thunderbird. 6 4.0 CHOOSING A SECURE PASSWORD The weakest part of security is the password used to protect your data. This makes choosing a strong password the most important part of security. There are a few simple rules to creating a strong password. A strong password is at least 16 characters long and uses a mix of uppercase letters, lowercase letters, numbers, and symbols. An easy way to generate a strong password is to think of a “passphrase.” A passphrase is a phrase of 2 or more words that are easy for the user to remember. To make the passphrase harder for someone to guess, replace random letters with numbers and symbols. An example is to pick the passphrase “Rubber Duckies Float” which can changed to “rUb%ER)^cK!3Sf\0aT”. 7 8 5.0 CONFIGURATION HOW-TO The following tutorial assumes that you have found an email provider you trust or are using one assigned to you, and that you have already created an account with this provider. You may also have to look up the server settings for these providers. Most corporations that provide corporate email will provide instructions for setting up an email client, and public email providers usually provide instructions on their website. For common server configurations, Thunderbird can automatically detect settings. 5.1 CONFIGURING THUNDERBIRD When Thunderbird starts up for the first time, it will ask if you want to set it as the default application for email, RSS feeds, and other things. This is up to you. Next you will be presented with a menu to create an account. You should have already created an email account, so select “Skip this and use my existing email” at the bottom left. On the next screen, enter your email address and the password you created when you registered your email. You can also enter your name so that people you send email to will know who the email is from, but this is not required. 9 FIGURE 1 If your email provider has a common server configuration, Thunderbird may successfully detect the settings and finish. If not, you need to look up the server settings. The input fields in Thunderbird should be straight forward to fill in once you have found the server settings for your email provider. 10 FIGURE 2 Once you have entered all the server information (or if Thunderbird configured it for you) you can click “done.” Thunderbird will test the server to make sure your password is correct, and then will display your inbox. Thunderbird is now set up to check your email. 5.2 GPG OpenPGP is a standard originally defined for Pretty Good Privacy (PGP), which is encryption software. The OpenPGP standard allows multiple vendors to offer encryption software that is compatible with PGP. One of the most popular OpenPGP programs is GNU Privacy Guard (GPG). Go to http://gpg4win.org/download.html to download the most recent version of GPG4Win (GPG for Windows). Follow the installation steps, keeping the default settings. GPG is what will be used to encrypt email, but in order to encrypt email to someone you must have their public key. Key generation is covered in the next section. 11 5.3 CONFIGURING ENIGMAIL Now Thunderbird has to be configured for encryption. In Thunderbird, click the settings button which is 3 horizontal lines at the top right. FIGURE 3 Select Add-ons from the menu, which will open the Add-ons tab. Search for Enigmail in the search bar. The top result should be Enigmail <version number> where version number is a decimal number. Click the Install button on the right to install Enigmail. Once Enigmail is installed Thunderbird will need to restart. FIGURE 4 When Thunderbird restarts, an Enigmail helper wizard will pop up to walk you through the steps of setting up GPG. If the wizard does not automatically start, you can run it by clicking on the Settings (3 horizontal bars) -> OpenPGP -> Setup Wizard. 12 FIGURE 5 Select “Yes, I would like the wizard to get me started.” When the setup wizard opens, select “I want to create a new key pair for signing and encrypting my email”. 13 FIGURE 6 Enigmail will now ask if you want to sign all of your email by default. Signing email is not the same as encrypting email. Signing email allows you to send unencrypted email that anyone can read (such as an email to multiple recipients), but allows the users to verify that it was you who sent it, not someone gaining access to your email address. Whether or not you want to sign by default is up to you. When you have decided, click “Next”. The next screen will ask if you want to encrypt all your email by default. Since you have to have PGP/GPG keys for a recipient to encrypt email, and most of your contacts probably don’t use PGP/GPG yet, select “No” and click “Next”. Enigmail will ask if you want it to optimize Thunderbird’s settings for OpenPGP. You can get more information by clicking on “Details …” This is up to you. Click “Next” when you’ve decided. Now it’s time to generate a PGP key of our own. Select the option to create a new key pair and click “Next”. Enigmail will fill in the relevant data (such as 14 your email address) so all you have to do is select a password. Remember the weakest part of encryption is the password you choose for your key, so pick a strong password. FIGURE 7 Enigmail will show you the settings it’s going to use to generate the key, and then click “Next”. 15 FIGURE 8 It will take a minute to generate the key. When that is complete, select Generate Certificate and save the file somewhere safe. Finally click finish. 5.4 SHARING KEYS AND SENDING EMAIL Once you’ve generated a GPG key, there are a couple things you need to do to send your contacts encrypted email. 5.4.1 EXPORTING A KEY Now that a PGP key has been generated, the public key needs to be exported so it can be shared with contacts and email can be encrypted. Accompanying 16 screenshots are on the next page. This requires use of the command prompt. Open up the start menu and type “cmd”. FIGURE 9 Type “gpg –list-keys” and press Return/Enter. This should print out 3 lines about your GPG keys. FIGURE 10 On the first line should be the text, “pub 2048R/[key number]” where key number is an 8 digit hexadecimal number, such as 1B836459. To export the key, type “gpg –-export -a –o my_key.asc [key number]”. 17 FIGURE 11 Now you can share your my_key.asc file with all of your contacts. NOTE: THE FILE YOU EXPORT YOUR KEY TO DOES NOT HAVE TO BE CALLED MY_KEY.ASC. YOU CAN CALL THE FILE WHATEVER YOU LIKE AS LONG AS IT HAS AN .ASC EXTENSION. 5.4.2 IMPORTING A KEY To import a key file that someone else gave you, right click on the key file (for this example we’ll call it “friends_key.asc”), hover over “More GPGEx Options” and select “Import”. 18 FIGURE 12 This will import your contacts key so you can encrypt email to them. 5.4.3 SENDING AN ENCRYPTED EMAIL The next time you send an email to a contact you have a public key for, you can select the OpenPGP drop down menu, and check Encrypt Message. When you send the email, it will ask which public key to encrypt for, and then prompt you for the password you used to create your key. Once you enter your password, the email will be encrypted, and only the contact you sent it to can decrypt it. 19 20
© Copyright 2024