
Yesterday I received an email from Thawte, the (potentially) self-proclaimed globally leading authority for SSL certificates, informing me that their free email certificate program will be discontinued in about a month’s time. Verisign (which bought Thawte about a decade ago) is offering current users of the Thawte Personal E-mail Certificates program one year free of a service that would otherwise cost USD 20.00 per year.

Thawte’s email certificate services are based on S/MIME, a standard for secure email communication that is supported by all common MUAs. Although S/MIME is inferior to the PGP/GPG mechanism, which allows encryption and signing of arbitrary data instead of just email contents, the aforementioned fact was what made me shift to S/MIME some months ago: it is accessible, whereas PGP/GPG requires the installation of plugins not only on the sender’s side, but also for everyone who might want to benefit from it (i.e. your recipients). As virtually every MUA out there already provides the mechanics for S/MIME, everything gets reduced to your own initiative: to apply for an email certificate. Unfortunately, the way X.509 certificates work, you need a Certificate Authority (CA) which attests that you are, well, yourself. Thawte/Verisign is such a CA. The CA itself is listed in your MUA’s or system-wide catalogue of “trustworthy” root CAs, and all certificates signed by those CAs inherit their status (i.e. they are considered trusted if not configured otherwise).

The concept of giving trust to only one authority, which earned its status by undergoing a more or less complex process, if at all (which, in the case of Microsoft putting them into their certificate root, revolves around paying insane amounts of money), has flaws in its own right, of course. Without going into details: Thawte had a rather unique approach of mixing the X.509 certificate system with the Web of Trust system, prominently used by PGP/GPG, easing the paranoia-struck people’s tension a bit.

Security is always about trade-offs: the most secure computer system is probably one cast into concrete, six stories below the ground and naturally without any input or output device whatsoever. It’s a trade-off between ease of use and maximum security, and the trick is to find a balance that suits your own needs and standards, a role which S/MIME plays quite well.

I am not aware of other free X.509 email certificates that will work for common mail clients. As a security zealot, I might very well pay the yearly fee for the new paid services, but others may not. And there arises the problem: with the relative ease of setting up S/MIME-based email security, there were few “excuses” for the average user not to make use of it, even less so if you as an evangelist were aiding them in the setup process (which, truth be told, still wasn’t as self-explanatory as it should have been). However, the average user certainly won’t invest 15€ p.a. in a technology completely unknown to them which, in addition, will only add more complexity to their life. I can imagine it to be quite difficult to convince them otherwise: after all, the most common approach to (email) security is “I have nothing to hide”.

Of course I would still be able to digitally sign my emails, assuring the recipient that I was indeed the sender and that the email got to him/her untainted, but that is only half of it: I would not be able to encrypt emails when no one has access to a personal certificate / key. Thawte’s notice on discontinuing their service thus practically marks the death of S/MIME for me, which worked conveniently over many years. Or will we pay for it? Are we ready to spend money on “postage for (secure) emails”?
