Please try this Secure Email Beta product and give us your feedback.

[Guest]

[Roy]

Hi,

tried the web method and now have a certificate installed. I had to use IE to achieve this, as your web page didn't work with firefox - it wouldn't go past the first step in the sign up. Anyway, i installed the cert in IE, exported it and installed it in Thunderbird.

Interestingly, in signing up it did not object to my email address. Which, if i read it correctly, means that a cert was not sent out previously for this address. One of your FAQs on your website talks about the fact that you can not get 2 certs for 1 email address.

So, this may help you in trying to work out why it didnt happen for me??

Anyway.... I'm gonna play around with my cert now! Thanks for your help.

R.

[Roy]

Right then...next update!!  I can now send a non-encrypted, signed email (!). This works without the program installed.

Next step to re-install the cert program..no problems there, it found the cert, asked for a re-boot and that was it.

Next to try and send a signed & encrypted email... no joy.

basically what happens is that i press "send" and the pop up appears, saying that it is connecting, but nothing happens, thunderbird cannot send the email. Upon cancelling the email send from thunderbird, the comodo email program does not terminate. I had to click on the X to get rid of the pop up.

I guess it does not work with smtp ssl, which is gmail's outgoing email setup. If I turn ssl off it the comodo program detects a non-encrypted email & starts doing its thing. But unfortuately, with ssl off I can not connect to the server.

R.

[Comodo_Shane]

Hi Roy,

Thank you for the feedback.   

The problems SE Beta 1 is having with your configuration are gmail SSL and the port settings.  We are now working to resolving both of these issues.

Thanks,
Shane.

[cloggy]

I have to use Socks5 in my email client (Thunderbird) to be able to use it behind the company's firewall and to stay anonymous but if I specify Socks5 in TB, CSE doesn't touch my incoming nor outgoing emails. Any chance to enhance it (while it is still in Beta) to include Socks5 support?

Not using this Socks5 option gives me the same problems as reported by Roy...so, I've uninstalled it again.

What surprises me too is that since March 19 there was no reaction on this post...does that mean that this product is going to get the lowest attention/priority?

Thx..

[Opus Dei]

When I first Installed CSE I could not get cse to load my first DIgital Cert. and had to follow these instructions

Here is a small work around for you.  I know this is not exactly what we intended but in the mean time please can you use the web based e-mail sign-up facility to obtain a FREE Comodo e-mail certificate.  Go link below and click on “GET YOUR FREE CERT NOW !” button.

http://www.comodogroup.it/eng/products/certificate_services/email_certificate.html

After that CSE has seemed to load the other Certs. Just fine ....or so I thought
Google will not download Email from Gmail any more my other accounts work fine
It says
Receiving mail
Connecting to wx-in-f109.google.com

Error list
The connection to your email server was lost ....
Error code 0021

My Real Questions are:
 If you send a key (smime.p7s) with email what is to keep this from being intercepted and use by anyperson to decript the mail not only the intended receiver?

Or is this only meant to guarantee the send is who thy say they are?

The certificate sign-up process (for those who want to know more):
The certificate sign-up process involves something called a Certificate Signing Request (CSR). 

A CSR is generated on your computer and sent to the Comodo servers for formatting into the certificate standard and signing.  During the CSR generation process a public and private key are generated.  The private key is stored in the registry on your computer ready to be linked to your certificate once you receive it from Comodo.  The public key is placed in the CSR which you send to Comodo CA’s servers.  In the above link, this whole process is done via script on the web page by using a control shipped with Windows.

Once Comodo has signed the certificate you need to collect and install it.  A collection code is e-mailed to your e-mail address to authenticate it and the collection code must be entered into the web page given in the e-mail’s instruction, to download and install the certificate.  The certificate is installed by script on the web page using the same control shipped with Windows.

SecureEmail’s sign-up wizard does the same thing as above but SecureEmail will (unless you are Roy, sorry Roy) auto detect the collection code in the e-mail you receive, download the certificate and install it automatically.

Hope this info helps

Shane.

Thanks Opus

[Melih]

When I first Installed CSE I could not get cse to load my first DIgital Cert. and had to folow

My Real Question are:
 If you send a key (smime.p7s) with email what is to keep this from being intercepted and use by anyperson to decript the mail not only the intended receiver?

Or is this only meant to guarantee the send is who thy say they are?

Thanks Opus

There are many issues with email today. this is why it has become a tool for spammers and fraudsters and we are always edgy when it comes to using email as a communication tool.

The solution, i believe, has to be based on PKI.
we have to give the ability to simply press a button and secure email for the recipient based on PKI and without the sender worrying about if the recipient can decrypt it or not.
and another issue is about authenticating the sender.

Today people don't have/use any (huge majority). So we have to take some baby steps.

Step 1) We must get people to use digital certificates as their Online Passports.
Step 2) We must get people to encrypt all their emails
Step 3) We must get people to digitally sign all their emails

the biggest vulnerability is when the recipient recieves the digital cert. The ideal scenerio is: for them to get a cert from a CA get validated and tell the world they have this. But it ain't going to happen, so we must first get everyone to use digital certs. once they are used to using it, then we can increase the trust value inside a cert so that we know that only the authentic entities are using their own certs etc..

So baby steps.. today we have nothing.. all email can be intercepted and read. for more security concious people, people can exchange their certs out of band, or put a passphrase for the very first email.. but as I said, it will be a great achievement to get PKI as the platform that everyone uses as the first goal.

thanks
Melih

[Opus Dei]

Thanks Melih
 And I agree %100.  The primary thing that has prevented me from using PKI Programs, such as PGP, in the past was the need to 1st send a key to the reciever (not sure if I was mistaken about that, but that was my belief) given that most people don't have the technical knowlege or the desire to mess with it.  I can include myself in the latter group, which may account for my beliefs or mistaken beliefs about PKI.  I awalys thought it was a good idea but due to lack of general acceptance have not messed with it.

But I either don't totally understand or you did not quite anwer my questions

but Thanks for a great bunch of products 
So far I use CPF and am trying out CSE.  I can not use CAVS because of an incompatability issue with Gmail   

[/quote]

When I first Installed CSE I could not get cse to load my first DIgital Cert. and had to follow these instructions

After that CSE has seemed to load the other Certs. Just fine ....or so I thought
Google will not download Email from Gmail any more my other accounts work fine
It says
Receiving mail
Connecting to wx-in-f109.google.com

Error list
The connection to your email server was lost ....
Error code 0021

My Real Questions are:
 If you send a key (smime.p7s) with email what is to keep this from being intercepted and use by anyperson to decript the mail not only the intended receiver?Could someone please give me a straight answer

Or is this only meant to guarantee the send is who thy say they are?Yes or No

Thanks Opus

There are many issues with email today. this is why it has become a tool for spammers and fraudsters and we are always edgy when it comes to using email as a communication tool.

The solution, i believe, has to be based on PKI.
we have to give the ability to simply press a button and secure email for the recipient based on PKI and without the sender worrying about if the recipient can decrypt it or not.
and another issue is about authenticating the sender.

Today people don't have/use any (huge majority). So we have to take some baby steps.

Step 1) We must get people to use digital certificates as their Online Passports.
Step 2) We must get people to encrypt all their emails
Step 3) We must get people to digitally sign all their emails

the biggest vulnerability is when the recipient recieves the digital cert. The ideal scenerio is: for them to get a cert from a CA get validated and tell the world they have this. But it ain't going to happen, so we must first get everyone to use digital certs. once they are used to using it, then we can increase the trust value inside a cert so that we know that only the authentic entities are using their own certs etc..

So baby steps.. today we have nothing.. all email can be intercepted and read. for more security concious people, people can exchange their certs out of band, or put a passphrase for the very first email.. but as I said, it will be a great achievement to get PKI as the platform that everyone uses as the first goal.

thanks
Melih

[Melih]

Thanks Melih
 And I agree %100.  The primary thing that has prevented me from using PKI Programs, such as PGP, in the past was the need to 1st send a key to the reciever (not sure if I was mistaken about that, but that was my belief) given that most people don't have the technical knowlege or the desire to mess with it.  I can include myself in the latter group, which may account for my beliefs or mistaken beliefs about PKI.  I awalys thought it was a good idea but due to lack of general acceptance have not messed with it.

But I either don't totally understand or you did not quite anwer my questions

but Thanks for a great bunch of products 
So far I use CPF and am trying out CSE.  I can not use CAVS because of an incompatability issue with Gmail   

There are many issues with email today. this is why it has become a tool for spammers and fraudsters and we are always edgy when it comes to using email as a communication tool.

The solution, i believe, has to be based on PKI.
we have to give the ability to simply press a button and secure email for the recipient based on PKI and without the sender worrying about if the recipient can decrypt it or not.
and another issue is about authenticating the sender.

Today people don't have/use any (huge majority). So we have to take some baby steps.

Step 1) We must get people to use digital certificates as their Online Passports.
Step 2) We must get people to encrypt all their emails
Step 3) We must get people to digitally sign all their emails

the biggest vulnerability is when the recipient recieves the digital cert. The ideal scenerio is: for them to get a cert from a CA get validated and tell the world they have this. But it ain't going to happen, so we must first get everyone to use digital certs. once they are used to using it, then we can increase the trust value inside a cert so that we know that only the authentic entities are using their own certs etc..

So baby steps.. today we have nothing.. all email can be intercepted and read. for more security concious people, people can exchange their certs out of band, or put a passphrase for the very first email.. but as I said, it will be a great achievement to get PKI as the platform that everyone uses as the first goal.

thanks
Melih

Hi Opus

sorry if i didn't answer your question.
Can you pls expand your question and i will try to answer again.
thanks
Melih

[Opus Dei]

Thanks for Helping me understand this Melih

Sorry if I was short I was just frustrated
I've been fight Application rules in CPF And the keep rearanging on me.  I've been working with Toogie and Lil Mac  but not sure if they are going to do what I want. I'm hopeful V3 will help me out

Hi Opus

sorry if i didn't answer your question.
Can you pls expand your question and i will try to answer again.
thanks
Melih

After doing some studying on PGP
I think I understand a little better however I think I need To read a little more

Tell me if this is close

 If you send a key (smime.p7s) with email what is to keep this from being intercepted and use by anyperson to decript the mail not only the intended receiver?
I think the answer is if that person does not have A cert there is nothing keeping it from being decrypted.  Ideally The key (smime.p7s) is generated using your private key and the public key of the receiver. 
If I'm correct about CES is that it will send a email to a person without a cert.
It will in this case Send your cert but not encrypt the email 
or
It encrypts the email and it Will decrypt only using smime.p7s If  this is the case the answer to my first question is nothing

My Real Questions are:
 If you send a key (smime.p7s) with email what is to keep this from being intercepted and use by anyperson to decript the mail not only the intended receiver?

Or is this only meant to guarantee the send is who thy say they are?

Thanks Opus

[Melih]

Thanks for Helping me understand this Melih

Sorry if I was short I was just frustrated
I've been fight Application rules in CPF And the keep rearanging on me.  I've been working with Toogie and Lil Mac  but not sure if they are going to do what I want. I'm hopeful V3 will help me out
After doing some studying on PGP
I think I understand a little better however I think I need To read a little more

Tell me if this is close

 If you send a key (smime.p7s) with email what is to keep this from being intercepted and use by anyperson to decript the mail not only the intended receiver?
I think the answer is if that person does not have A cert there is nothing keeping it from being decrypted.  Ideally The key (smime.p7s) is generated using your private key and the public key of the receiver. 
If I'm correct about CES is that it will send a email to a person without a cert.
It will in this case Send your cert but not encrypt the email 
or
It encrypts the email and it Will decrypt only using smime.p7s If  this is the case the answer to my first question is nothing

the way CES work is by generating a temporary cert for the recipient if the recipient does not have one. And recipient has to receive the cert in order to decrypt it.  the only vulnerability is how the recipient receives the cert for the first time. So email is always encrypted.

Melih

Melih

[Opus Dei]

Thanks for the Info and help you have already given me with this Melih

I loaded COMODO Secure Email(CSE ) 0.9.0.17 Beta 2 RC1 (I know there’s a new beta 0.9.0.30 Beta and I will give it a try but nothing in the notes indicate they was any issue with any thing like this so I do not thinl tey have addressed this not at least intentionally)
Here's a history of what I've done and in the end what failed and why I uninstalled
1)I had to follow this procedure to get my first cert installed but that was not a big
problem

....Here is a small work around for you.  I know this is not exactly what we intended but in
the mean time please can you use the web based e-mail sign-up facility to obtain a FREE
Comodo e-mail certificate.  Go link below and click on “GET YOUR FREE CERT NOW !” button.

http://www.comodogroup.it/eng/products/certificate_services/email_certificate.html....

2) seemed to be going well with only Email account. I had sent several emails to people with
several address in the To or CC address bar and everyone was able to open them with no
problem
Note this included Web mail accounts such as Gmail and Yahoo mail.  No one was registered
Cert holder so all addresses used one time certificates.
3) I added a cert my wife’s email account ( I sometimes answer emails to her clients for her)
     Note: she still does not have the software installed on her PC  I had to try register
her for several certificates as I had problems getting them to load I don't remember exactly
why.  Only one went through the entire process
4) I sent an Email through her account on my PC. To several non certificate registered users in the To: and the CC: fields and my wife in the BCC: field
5) I Could open it fine on my PC in her account,this is what I expected as It should use
the same type key system, as PGP if I’m correct in how PGP and CSE  function
At the bottom You cann see How I think PGP and CSE  Funtion I listed my understanding outstep by step in Examples 1 & 2 if something is wrong please correct it unless it is a trade
secret )
6) My wife could not open it on her system, again this is what I expected as she did not have the software on her system and she was a registerd certifcate user.
7) and here's the problem The users not registered for certificates could not open the email either

Thanks for reviewing this and if possible let me know if I am correct about how it works
 
Opus Dei

Here's how i think PGP And CSE  work

Example 1   
TO SEND AN ENCRYPTED TO A USER WITH A PKI(Public Key Infrastructure) CERT STORED ON THE PKI
CERTIFICATE SERVER,
I think this is almost the same in CSE  or A PGP (type) program. In the below Examples
1a)-1h) both users are registered users and have the CSE  or PGP(type) software installed on
their PCs this implies they both have public keys stored on the PKI Certificate server
       1a) The users must install the PKI software CSE  or PGP(type) and register to be
       certified
       1b)After being certified the software generates a private key or receives a private
       key from the PKI certificate server(not sure exactly where the private key is
       generated it may be different for different softwares). 
       1c)a private key is stored on the registered users PC (in this case both the sender
       and receiver are registered users)
       1d) The registered users public key is stored on PKI certificate server
       1e) The COMODO CSE  or PGP software on the senders system uses private key and
       the public key of the receiver to encrypt the message.
       1f) The email is sent
       1g) The Recipient receives the Email
       1h) The Recipient opens the email and the email is decrypted with the private key of
       the recipient and the public key of the sender by the software.
     
Example 2
TO SEND AN ENCRYPTED TO A USER WITHOUT A PKI(Public Key Infrastructure) CERTIFICATE STORED

ON THE PKI CERTIFICATE SERVER, I think this is advantage of COMODO Secure Email(CSE ).
I think this is unique to CSE . In the below example 2a)-2k) only one user is registered and
has the CSE  or PGP(type) software installed on their PC. Also only 1 user has a public key stored
on the PKI Certificate server therefor most other PKI or as I previously called it
PGP(type) Software will not function. This in my opinion has been the major obstacle to the wide sread use of PKI software in the general market.

       2a) The user must install the PKI software CSE  or PGP(type) and register to be
       certified
       2b) After being certified the software generates a private key or receives a private
       key from the PKI certificate server(not sure exactly where the private key is generated
       it may be different for different softwares). 
       2c) The private key is stored on the registered users PC (in this case only the
       sender is a registered user and the receiver is not)
       2d) The registered users public key is stored on PKI certificate server.
       2e) The COMODO CSE  software on the registered users system generates a temporary
       public key for the unregistered receiver of the Email 
       2f) The COMODO CSE  or PGP software on the senders system uses private key of the
       registered user and the temporary public key of the receiver to encrypt the message.
       2g) The email is sent
       2h) The COMODO CSE  software on the registered users system sends the temporary
       Public key to the PKI certificate server where it is stored until the receiver opens the
       email
       2i) The temporary public key of the unregistered email is sent to the
       2j) The Recipient receives the Email
       2k) The Recipient opens the email and the email is decrypted with the private key of
       the recipient and the public key of the sender by the software 

[Comodo_Shane]

Hi Opus Dei 
Regarding your question:

“My Real Questions are:
 If you send a key (smime.p7s) with email what is to keep this from being intercepted and use by anyperson to decript the mail not only the intended receiver?Could someone please give me a straight answer

Or is this only meant to guarantee the send is who thy say they are?Yes or No

Thanks Opus”
The smime.p7m you are seeing sent from SecureEmail contains the actual encrypted and signed data not a key.

“Or is this only meant to guarantee the send is who thy say they are?Yes or No”

This is signing e-mail, not encrypting.  I sign an e-mail and you would know it was from me.

“I loaded COMODO Secure Email(CSE ) 0.9.0.17 Beta 2 RC1 (I know there’s a new beta 0.9.0.30 Beta and I will give it a try but nothing in the notes indicate they was any issue with any thing like this so I do not thinl tey have addressed this not at least intentionally)”

I strongly recommend you move to the latest Beta 0.9.0.35.  It is much improved.

 “but Thanks for a great bunch of products So far I use CPF and am trying out CSE.  I can not use CAVS because of an incompatability issue with Gmail”

CSE Beta actually suffers from the same problem.  I will have a fix out for both products very soon. 

I'll explain the workings in seperate post.
Thanks
Shane

[Comodo_Shane]

SecureEmail has a unique feature where it will allow you to encrypt for a contact even if you don’t have a public key certificate for that contact.  For me to explain this, we must first all follow how regular e-mail encryption works with PKI where we do have a contacts e-mail certificate.

PKI.
PKI is essentially public and private key encryption, Pulic Key Infrastructure.  These keys are always in pairs, one unique public key is always paired with one unique private key. 

Public keys as their name suggests, are safe to distribute and make public.  Public keys are stored in Public Key Certificates (X.509).  There is lots of info about this if you look this up on wikipedia for example.

Private keys always remain private to the holder.

The way these keys are used together…two very simple rules…
Rule 1 Data encrypted with a public key can only be decrypted with the paired private key, likewise,
Rule 2 Data encrypted with the private key can only be encrypted with public key. 

You can think of this as the public key locks/hides the data and the private key makes it visible again, and visa versa.  It’s really a very simple concept.

To put this in to practical terms. 
1) I create paired Pubic and Private keys.
2) I make my public key public and give it to you.  (We show how this is done below).
3) You encrypt the words HELLO SHANE with my public key.  As we have just seen the only key that can now decrypt this is the paired private key.
4) I am the only person who has the private key, so only I can decrypt the word HELLO SHANE.
(This is encryption, making the data private)
…
5) I create a reply… HELLO OPUS DEI
6) I encrypt this with my private key, and then send this to you.
7) You decrypt it with my public key, and you know that I sent the message because it must have been encrypted with my private key that only I have.
(this is signing, authentication who the data came from)

Distribution of Public Key Certificates and Trusted Root
Windows has something called a certificate store.  Windows is shipped with a number of pre-installed certificates called Root certificates.  Root certificates can issue (by signing) subordinate certificates in a hierarchy.  Here’s a real example of one you have pre-installed:

-- CN = UTN-USERFirst-Client Authentication and Email


Rule – If you trust the Root cert, you trust all certificates that are issued by it. 

As we’ve said you already have a number of Root certificate installed with your copy of Windows, so you can now automatically trust all certificates issued by that Root.  Issued certificates are signed by the Root.

Ok, so image at later stage an e-mail cert is issued by the above root:
-- CN = UTN-USERFirst-Client Authentication and Email
    -- Robert McBob – "bobby [ at ] internet.com"

Since you have the root, you can now trust the issued e-mail certificate no matter who sends it to you.  The e-mail certificate is signed by the Root so you can check the integrity.  If someone tries to edit this e-mail certificate and add a different e-mail address, the signature of the certificate will be broken and we will no longer trust it.

E-mail Encryption:
E-mail certificates link together a Public key and an e-mail address into a certificate that you can check the integrity of.

As you can see above, if you have an e-mail certificate for someone you can encrypt data for them by encrypting for they public key.  Only they can decrypt it.

If you have a public key certificate and your private key of your own, you also easily sign e-mails and people who receive them know the mail was form you and that the contents are intact.

I does not really matter how you get the public key certificate, you contact could e-mail it to you or send you a signed e-mail which will have the certificate included.  As long as you check signature of the cert and that it is trusted back to you pre-installed trusted root then the mail is valid.

To complicate matters a little more, this isn’t quite how it works, a symmetric session key and hashing algorithms are used for speed, but the concepts of PKI are the same.

[Comodo_Shane]

SecureEmails system to encrypt even if you don’t have the contacts e-mail certificate, or they don’t have an e-mail certificate.

Here’s how it works…sending:
1)   An e-mail to be encrypted with a single-use certificate is detected.
2)   A sefl-signed public key certificate and paired private key are generated for the recipient.
3)   The e-mail is encrypted for the public key that was just generated.
4)   The encrypted e-mail is sent to the recipient’s e-mail address along with instructions of how to decrypt.
5)   The public and private keys are sent over an encrypted connection (SSL) to the Comodo SecureEmail server.


How it works… receiving – Installing SecureEmail using Outlook, Outlook Express or Thunderbird:
1)   The encrypted e-mail is received.
2)   The recipient installs Comodo SecureEmail.
3)   SecureEmail checks to see if the recipient has an e-mail certificate.
a.   If the recipient does not have an e-mail certificate then SecureEmail will not be able to download the single-use public and private key until they sign up for a Comodo e-mail certificate.
b.   If recipient already has an e-mails certificate
i.   SecureEmail connect via SSL and client authentication, authenticating to the recipients e-mail address
ii.   If the authentication is successful then the single-user certificate and private key are downloaded securely.
iii.   The e-mail is decrypted with the private key and then encrypted (depending on SE options) for the recipient’s permanent e-mail certificate.
iv.   On the next Send and Receive SecureEmail will prompt the user to send their permanent e-mail certificate to the sender so from this point forward, permanent PKI based certificates will be used for communications.

If there are any questions thus far let me know.

I hope this helps

[Opus Dei]

Thanks shane,
I apreciate the in depth answers I just skimmed them.  I will have to sit down and read them and absorb the info.

I would like to get myself and my wife on secure email.  However, After my last secure email problem, I am a little shy.  When a client can not read an email it could cause a delay of 2 days or more in our communications. 1 day for them to tell me they could not read the Email and 1 day for me to resend it.  Chat programs or the phone does not work either if your clients a 10-12 hours diferent than you.  Our work can be time sensitve and small problems like that can be big problems. Howecver much of our work can be highly cofidential and I am sure the clients would like the confidence of knowing our comunication was ecrypted and secure. We email back and fourth to all over the world for bussines and if I can get it to work reliably for some time.  I would consider purchasing  business  certs for our small company. but I need it to work and can´t afford a lot of problems. 

I am a real geek and sooner or later I will give the latest CSE a try again.  Am I right in assuming there are no stable versions yet?

thanks for the good work and keep building grat products

OPUS

[Tags:]