Klaus Knopper answers your Linux questions

Adding Encryption to Thunderbird

How can I add encryption and signature capabilities to the Thunderbird mail program?

Because they are part of the Mozilla suite, the procedure of importing certificates and keys is the same for the Firefox browser (Iceweasel in Debian) and the Thunderbird mail client (Icedove in Debian).

In theory, you could just import the keys.p12 private/public keypair combo file that was created in the answer to the previous question, into Firefox and Thunderbird using the Import function in the Preferences | Advanced | View Certificates section. But not yet! Before you start the actual import, you have to tell Firefox that the self-signed public key contained in the file is trustworthy and acceptable for encryption and signature verification. The "trust" principle is very important in SSL; attackers could easily trick you into accepting wrong keys by just creating a certificate with a given name, if you were not required to verify and accept a new contact certificate manually.

To do this, import the public.pem file (created previously) as Certificate Authority. Firefox will display a dialog asking about trust options; you should at least select Trust this CA to identify email users (Figure 3). Next, you can import the file keys.p12 into Your Certificates to install the private key in Firefox (Figures 4 and 5) as well.

Figure 3: The imported, now trusted, public key as signer certificate.
Figure 4: Importing the pkcs12 file with private and public keys.
Figure 5: The imported personal key.

The Details dialog shows the key's fingerprint and gives you access to the content of the certificate, in case someone asks for verification of your public key data (Figure 6). Unlike the name or mail address, which the user can simply enter during certificate creation, the fingerprint (or checksum) is a reliable criterion for the authenticity of a certificate. The fingerprint cannot easily be faked, because it must match the cryptographic key as well as the human-readable, personal data associated with it.

Figure 6: Public key short description and fingerprint (note that this is just an example).

The import procedure is the same for Thunderbird, Firefox, and Chrome/Chromium, as well as proprietary mail clients like MS Outlook/Exchange on other operating systems (Figure 7).

Figure 7: Thunderbird/Icedove security settings after importing the key.

Back to Thunderbird; you can now digitally sign messages using your personal SSL key and read encrypted messages sent by friends who have your SSL public key (remember, the file was public.pem in the example), which is automatically attached when you send a signed email (Figure 8).

Figure 8: Writing email to myself, so I can use my own public key for encryption, and my secret key for signing.

Safety Check

How can I be sure that my mail program does not send email or mail access passwords over an insecure network with no encryption?

Go into your mail program's Account settings and check both the incoming message and outgoing message servers and protocols. For encrypted transfer of access passwords, as well as encrypted mail transport, the protocol for receiving messages should be "IMAPS" (usually port 993 on the server) or "POP3S" (usually port 995 on the server).

For sending email, TLS and/or SSL should be required. Some mailers switch to transport layer security on the standard mail port 25 only if the mail client explicitly asks for it, but the standard port for SMTPS running in SSL-enabled mode is 465, which you should use if your mail provider offers this service.

Once TLS or SSL is enabled, your mail program should ask you to verify the validity of the presented SSL certificate's fingerprint and content. You should check whether the certificate verifies against a trusted certificate authority (most mailers have a built-in list).

If in doubt, contact the technical administrator of the mail server and verify the certificate's fingerprint. After this one-time verification, your mail traffic will be point-to-point encrypted between you and the mail server.
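The fingerprint comparison described here, and the reason a fingerprint is harder to fake than a name (see the Thunderbird answer above), can be reproduced on the command line. The following shell sketch is an added example, not part of the original column; the function names, subject name, and mail address are constructed, and it assumes the openssl command is installed.

```shell
#!/bin/sh
# Added example; function names and certificate data are constructed.

# Print the SHA-256 fingerprint of a PEM certificate as lowercase hex.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 |
        sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# Recompute the same value by hand: SHA-256 over the DER-encoded certificate,
# which contains the public key, the name and the mail address.
der_digest() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | sed 's/^.*= *//'
}

# Create a self-signed test certificate: make_cert KEYFILE CERTFILE
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example User/emailAddress=user@example.org" \
        -keyout "$1" -out "$2" 2>/dev/null
}

# Succeed only if CERTFILE has the fingerprint obtained out of band
# (for example read out by the server administrator); colons, spaces
# and letter case in the expected value are ignored.
fingerprint_matches() {
    expected=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
    [ "$(cert_fingerprint "$1")" = "$expected" ]
}

# Demo: two certificates with identical name and mail address but
# different keys never share a fingerprint.
demo() {
    dir=$(mktemp -d) || return 1
    make_cert "$dir/a.key" "$dir/genuine.pem"
    make_cert "$dir/b.key" "$dir/lookalike.pem"
    good=$(cert_fingerprint "$dir/genuine.pem")
    echo "genuine:   $good"
    echo "lookalike: $(cert_fingerprint "$dir/lookalike.pem")"
    fingerprint_matches "$dir/genuine.pem" "$good" && echo "genuine: accept"
    fingerprint_matches "$dir/lookalike.pem" "$good" || echo "lookalike: reject"
    rm -rf "$dir"
}
demo
```

To check a live mail server, save its certificate first, for instance with `openssl s_client -connect <mail server>:993 </dev/null | openssl x509 -out server.pem`, and pass server.pem together with the administrator's fingerprint to fingerprint_matches.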

Apart from the secured transport layer, confidential email should always be encrypted by itself so that only the holder(s) of the secret key(s), namely the designated recipients, can read it.

Adding Encryption to Mutt

How can I add encryption and signature capabilities to the text-based Mutt mailer program?

Make sure you have the OpenSSL package installed and add the lines shown in Listing 1 to your .muttrc configuration file.

Listing 1

Settings for Handling S/MIME Attachments

set smime_default_key="<your smime key file ID>"
set smime_ca_location="~/.smime/ca-bundle.crt"
set smime_certificates="~/.smime/certificates"
set smime_keys="~/.smime/keys"
set smime_pk7out_command="openssl smime -verify -in %f -noverify -pk7out"
set smime_get_cert_command="openssl pkcs7 -print_certs -in %f"
set smime_get_signer_cert_command="openssl smime -verify -in %f -noverify -signer %c -out /dev/null"
set smime_get_cert_email_command="openssl x509 -in %f -noout -email"
set smime_import_cert_command="smime_keys add_cert %f"
set smime_encrypt_with="des3"
set smime_encrypt_command="openssl smime -encrypt -%a -outform DER -in %f %c"
set smime_sign_command="openssl smime -sign -signer %c -inkey %k -passin stdin -in %f -outform DER"
set smime_decrypt_command="openssl smime -decrypt -noverify -passin stdin -inform DER -in %f -inkey %k -recip %c"
set smime_verify_command="openssl smime -verify -inform DER -in %s -content %f -noverify"
set smime_verify_opaque_command="openssl smime -verify -inform DER -in %s -noverify"

To create the public key infrastructure for Mutt – in directory $HOME/.smime in this example – you need the smime_keys command, which is part of the SSL-enabled Mutt package. The command

smime_keys add_cert public.pem

imports your self-signed public key from the previous examples and

smime_keys add_p12 keys.p12

adds your secret key for signing and decrypting messages.

From Mutt's Send dialog, you can type S to get into the S/MIME options to encrypt or sign a message before sending.

Decryption and signature verification of received mail containing S/MIME attachments work automatically once you have the corresponding public and secret keys installed.
