IETF Logo Mail Archive

[perpass] Why Yaron can't encrypt: S/MIME in the real world

Yaron Sheffer <yaronf.ietf@gmail.com> Sat, 07 September 2013 13:39 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2EEA221E80A8 for <perpass@ietfa.amsl.com>; Sat, 7 Sep 2013 06:39:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uY8O-Q1-3R2k for <perpass@ietfa.amsl.com>; Sat, 7 Sep 2013 06:39:23 -0700 (PDT)
Received: from mail-wg0-x230.google.com (mail-wg0-x230.google.com [IPv6:2a00:1450:400c:c00::230]) by ietfa.amsl.com (Postfix) with ESMTP id 11FBC11E812B for <perpass@ietf.org>; Sat, 7 Sep 2013 06:39:20 -0700 (PDT)
Received: by mail-wg0-f48.google.com with SMTP id n12so1454660wgh.3 for <perpass@ietf.org>; Sat, 07 Sep 2013 06:39:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject :content-type:content-transfer-encoding; bh=TVvqfQwfijBGc6X4aB+6XOJ15Y9JImAxUzMM8njgAQU=; b=M+x+pOWQ2z4oFucqtn7FaB8UwipQ+TXJBg0kbkB3If+eHZsd6VNsJIq5hn9te5z1Le 0Vix75HYEYyd63d26YigRCBLih++2fE0j9QmBb2qYXDOD0dFP8igdKapSYvfallu1YLi yq60l0brpKZ6/aiwjB3I97L0kgE7a5MWGG2ZJn1MI26If9PiPgTg/XiNdVlkiOFFijPX j9Yi3zgkBaN0aAm6Pqml30LL8uev8CWjo3juUxE1TThGwrpjm6kagZHihm2CpCgkbKFR r3D8B7weyu9g1at2MNeEoW8f0ob1CXfnjwouiiaBn01notS0nuESucqBUcS0L1VCIsev V9Yg==
X-Received: by 10.180.37.164 with SMTP id z4mr2242607wij.30.1378561160278; Sat, 07 Sep 2013 06:39:20 -0700 (PDT)
Received: from [10.0.0.8] (bzq-79-182-222-201.red.bezeqint.net. [79.182.222.201]) by mx.google.com with ESMTPSA id ey2sm3750196wib.5.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sat, 07 Sep 2013 06:39:19 -0700 (PDT)
Message-ID: <522B2C86.7020300@gmail.com>
Date: Sat, 07 Sep 2013 16:39:18 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130803 Thunderbird/17.0.8
MIME-Version: 1.0
To: perpass@ietf.org
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Subject: [perpass] Why Yaron can't encrypt: S/MIME in the real world
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "The perpass list is for discussion of the privacy properties of IETF protocols and concrete ways in which those could be improved. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Sep 2013 13:39:24 -0000

Hi,

I have wanted to get my company on S/MIME for a while, and the recent 
noise was the final motivator I needed. We are a small company doing 
security, however (like anywhere else) not everybody can be considered a 
security "expert".

So Outlook and Thunderbird have good support for S/MIME. This is a good 
starting point, right? Personally I am using Thunderbird running on 
Linux, which has very convenient S/MIME support. I had actually used it 
in the past.

Below I will show that in today's market you simply cannot use S/MIME, 
because of a combination of bad security practices, silly web-site 
design, lousy CA support on Linux and probably a few more factors.

  * Started with the free options. The Web is full with tutorials on how
    to install the free Comodo email cert in your mail client. It turns
    out, with InstantSSL (Comodo) you cannot register twice with same
    email address (e.g. if the cert is lost for some reason or you just
    want to use two different machine without shuttling private keys
    around). The same is true for StartSSL.
  * Next tried Symantec: this is $22 per year, the UI is not very good
    (says cert is installed but then has a button to install cert). TB
    says the certificate could not be validated "for unknown reasons". I
    guess there is no valid certificate chain. Well, Symantec doesn't
    appear in either the Chromium/Linux or Firefox/Linux cert stores.
  * GlobalSign: EUR 12 for 1 yr, 29 for 3 yrs. Not too bad. So you go
    into their wizard. The default is that the private key is generated
    by the CA! Which means this product is not (securely) usable for
    multiple users in an organization. Most of them will probably leak
    their private key.
  * CACert: Free and open source. Probably still struggling (the server
    is extremely slow). Surprisingly, the CAcert root CA is known by
    Chromium/Linux but not by TB/Linux (stock Thunderbird on Ubuntu 12.04).
  * Entrust: pricing is only for US, UK and Canada. Other customers are
    referred to a small number of resellers (none for my geography).
    They still let you order the cert though. And then surprise! The $20
    price that appears on the "Buy Now" page turns into $30 when you
    complete filling the form.

This covers all I could find on the first 4 Google search pages for 
"email certificates". I will try again in a year or two.


Thanks,

     Yaron

v2.23.0 | Report a Bug | By Email