Digital Certificates

In these days of massive Internet insecurity, digital certificates offer a more trustworthy basis for email, web commerce, and encryption. We'll explain the problems first, and then how a free or very low-cost certificate can address them.

Spoofing - This has happened to everyone. You get an email message from a friend that contains links to funny stuff, and when you click on those links, you are taken nowhere near a place you would have gone on your own. When you call your friend to ask why they sent this, they've never heard of it, nor did they send you any email. The fraudulent assumption of another person's identity, through email or other e-commerce means, is called "spoofing". It works because nothing in ordinary email proves who sent a message: the From address is just text the sender typed. Left unchecked, you get to the point of deleting everything your friend sends, or they get to changing their email address every month.

Phishing - You get an email, or follow a link in one, claiming to be a notice that your bank's on-line access has been compromised and asking you to re-enter your account details in what looks like a proper environment. Days later, your checking and savings accounts have been emptied. It turns out that, had you looked a little closer at the URLs this "phishing" expedition directed you to, none of them were in your bank's domain. Ditto eBay, ditto PayPal...

In both of these cases, you followed links from emails that appeared to be legitimate, from a friend or from a business. If you go to the real websites, you will find, down in the small print that you never read, that these companies will never contact you via email asking for account details, which would have helped to stop the phishing. Some of them do use email for notices, however, and those messages can carry a digital signature, made with what is known as a digital certificate, to prove the message is legitimate. Likewise, in the corner of a secured (https) page there is a small padlock; click on it and the browser shows the site's certificate, including the domain name it was issued for, so you can confirm you are on the real site and not a fake copy of it. That proof, too, is done with a digital certificate. Such a certificate can be added to every email you send so that people at the other end will know it's really you.

Some people add "signatures" to the bottom of their messages, snippets of text that state things like "this is really me, accept no fakes". But that text proves nothing, since anyone who receives one of your messages can copy it. A digital certificate is more like a fingerprint: it binds a public key to your email address, and a signature made with the matching private key only checks out if the message really came from that key and the sender's address matches the one in the certificate. Furthermore, certificates can be used for encryption: anyone who has your certificate can use the public key in it to encrypt mail to you that only your private key can decrypt, and you can do the same with theirs.

There are many places to either get a free cert (short for "certificate") or purchase a more robust one. The main benefit of a purchased one is support for larger, and therefore stronger, encryption keys. We will mention the ones we have tested for ease of use and for certification by trusted e-commerce and security companies.

Comodo - free annual cert; the authority is second in volume only to VeriSign, with wide trust coverage. Application and installation require Internet Explorer. 1024-bit encryption key only.

VeriSign - annual digital certificate, trusted world-wide, can also be used for secure Instant Messaging. 1024- or 2048-bit encryption key available; choose 2048, since 1024-bit RSA keys are no longer considered adequate. Easier application than the others, but you must prove control of the email address (a validation message is sent to it) before the cert is issued for it.

Installation instructions vary between versions, but once installed, the email program or browser it was installed into can export the certificate, together with its private key, for use in other applications or on other machines that you access the same services from (the usual export format is a password-protected PKCS #12 file, .p12 or .pfx). It is also a good idea to back up the exported certificate(s) off these machines, perhaps on a USB keychain drive or in another physical location. Remember that the export contains your private key: anyone holding it can sign as you and read mail encrypted to you, so choose a strong export password and keep the file somewhere safe.

Once in place, go to the security preferences for your browser or email program and turn on the options to use these certs. We recommend you not encrypt every message or communication by default, but use that feature of the cert only as necessary. Digitally signing ALL of your messages, however, is a must: each signed message carries your certificate, so the recipient automatically gets the public half of your key pair to verify your identity, and if they also use a cert, the two of you can then enable full encryption between you.
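As an added example, not part of the original page, here is the workflow of the last few paragraphs driven with the openssl command line: an identity bound to an email address, a clear-signed message, verification that also checks the signer's certificate against the From header, encryption to a recipient's certificate, and a password-protected PKCS #12 export for backup. The identities alice@example.com, bob@example.com and mallory@example.com, the message text and the backup passphrase are made up for the demo, and the self-signed certificates stand in for CA-issued ones, so the recipient's trust store is just those certificates rather than a CA root. Requires OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the KAUi page): the S/MIME workflow described in the
# text, driven with the openssl command line. The identities, message text and
# backup passphrase below are made up. Requires openssl 1.1.1 or later.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_identity NAME EMAIL: a key pair plus a certificate that binds the public
# key to EMAIL (rfc822Name in subjectAltName). Self-signed here; a public CA
# would issue it after making you prove you control EMAIL.
make_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -addext "subjectAltName=email:$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# sign_mail SIGNER FROM TO BODYFILE OUTFILE: clear-signed (multipart/signed)
# mail. The signer's certificate travels with the signature, which is how the
# recipient obtains the public key needed to encrypt a reply.
sign_mail() {
  openssl smime -sign -text -in "$4" -out "$5" \
    -signer "$WORK/$1.crt" -inkey "$WORK/$1.key" \
    -from "$2" -to "$3" -subject "demo"
}

# verify_mail MAILFILE TRUSTFILE: prints VALID, BAD_SIGNATURE or FROM_MISMATCH.
# TRUSTFILE holds the certificates the reader trusts (normally CA roots).
# A valid signature is not enough: the From: header sits outside the signed
# part, so the signer certificate's email must match it, or anyone with a
# valid certificate could sign as anyone else.
verify_mail() {
  if ! openssl smime -verify -in "$1" -CAfile "$2" \
         -signer "$WORK/signer.crt" -out /dev/null 2>/dev/null; then
    echo BAD_SIGNATURE; return 0
  fi
  from=$(grep -i '^From:' "$1" | head -n 1 | sed 's/^[^:]*: *//' | tr -d '\r')
  if openssl x509 -in "$WORK/signer.crt" -noout -email | grep -qiFx "$from"; then
    echo VALID
  else
    echo FROM_MISMATCH
  fi
}

# encrypt_mail RECIPIENT BODYFILE OUTFILE: envelope the body to the public key
# in RECIPIENT's certificate. decrypt_mail RECIPIENT MAILFILE: open it with the
# matching private key (fails for anyone else's key).
encrypt_mail() {
  openssl smime -encrypt -aes256 -in "$2" -out "$3" "$WORK/$1.crt"
}
decrypt_mail() {
  openssl smime -decrypt -in "$2" -inkey "$WORK/$1.key" -recip "$WORK/$1.crt" \
    -out "$WORK/$1.plain" 2>/dev/null || return 1
  tr -d '\r' < "$WORK/$1.plain"
}

# backup_identity NAME PASSPHRASE: export key and certificate as a
# passphrase-protected PKCS #12 (.p12) file, the format mail clients import,
# then read it back and print the email it is bound to. The file holds the
# private key, so the passphrase is what protects your identity.
backup_identity() {
  openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.crt" \
    -out "$WORK/$1.p12" -passout "pass:$2"
  openssl pkcs12 -in "$WORK/$1.p12" -passin "pass:$2" -nokeys 2>/dev/null \
    | openssl x509 -noout -email
}

# --- demo ------------------------------------------------------------------
make_identity alice   alice@example.com
make_identity bob     bob@example.com
make_identity mallory mallory@example.com
# Bob's trust store. In this toy every certificate is its own root.
cat "$WORK/alice.crt" "$WORK/mallory.crt" > "$WORK/trust.pem"

printf 'Please wire 100 dollars to account 12345.\n' > "$WORK/body.txt"
sign_mail alice alice@example.com bob@example.com "$WORK/body.txt" "$WORK/good.eml"
# In transit someone edits the amount in the clear-text part.
sed 's/100 dollars/1000 dollars/' "$WORK/good.eml" > "$WORK/tampered.eml"
# Mallory signs with her own, perfectly valid certificate but forges From:.
sign_mail mallory alice@example.com bob@example.com "$WORK/body.txt" "$WORK/spoofed.eml"

echo "genuine:  $(verify_mail "$WORK/good.eml"     "$WORK/trust.pem")"  # VALID
echo "tampered: $(verify_mail "$WORK/tampered.eml" "$WORK/trust.pem")"  # BAD_SIGNATURE
echo "spoofed:  $(verify_mail "$WORK/spoofed.eml"  "$WORK/trust.pem")"  # FROM_MISMATCH

encrypt_mail bob "$WORK/body.txt" "$WORK/secret.eml"
echo "bob reads:   $(decrypt_mail bob "$WORK/secret.eml")"
echo "alice reads: $(decrypt_mail alice "$WORK/secret.eml" || echo '<cannot decrypt>')"
echo "backup bound to: $(backup_identity alice 'demo-backup-passphrase')"
```

The spoofed case is the one mail clients get wrong most often: Mallory's signature is cryptographically valid and her certificate chains to a trusted root, so a client that only reports "signature OK" would show the message as genuine. The address in the certificate has to be compared with the address the message claims to come from; that comparison is what makes the certificate behave like the fingerprint described above.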

Windows 2000 and later servers can generate such certificates themselves (Certificate Services), with your own server acting as the certificate authority. This is a cost-effective way to have all email within a corporation signed, but outside the office these signatures will show as untrusted, because the recipients' software does not know your server's root certificate. Corporations can have their authority chained to a publicly trusted one so that this kind of trustworthiness carries outside, but it is costly. We recommend you purchase or obtain an external cert from one of the trusted vendors and avoid this issue. And if you have any further questions on using these tools, be sure to contact us for assistance.


678-454-7344
kaui@kaui.com
Unless otherwise specified, all material on this web site is copyright © 1994 - 2016
by KAUi Software, Inc. Last modified 08/15/16