I have never used CSE yet; however, it looks interesting. It is also free, which makes it a good deal. (And of course in the long run, in case I open an office, I might stick to your product using a non-free version…)
I would like to know the exact mechanism of how CSE works, especially regarding the exchange and creation of the certificates / keys. E.g. I write an email; what exactly happens from the sending to the receiving of it?
(In more detail than on your webpage here: http://www.secure-email.comodo.com/overview.html)
Where can I get this info?
P.S.: How exactly does it work that someone unauthorised intercepting or receiving an email cannot read it or its attachments?
If you are sending to someone who has a digital certificate: then the message is encrypted and digitally signed (no one can read it but the recipient and no one can modify it, as the recipient will know it's modified).
If you are sending it to someone who hasn’t got a digital certificate: it has two modes… it just sends it digitally signed, which means people can still intercept and read it, but they can’t modify the message (e.g. digitally signed)… or
in the 2nd mode, where you can ask it to be encrypted: it uses our patent pending solution where we create a certificate for the recipient and the email is encrypted and digitally signed for the recipient (no one can read it but the recipient and no one can modify it, as the recipient will know it's modified).
Hope this simple explanation clarifies it for you.
Let's assume User A wants to write a securely encrypted and digitally signed email to User B:
User A therefore has got a free digital certificate (private person) from COMODO, using CSE.
User A writes the E-Mail, adds User B as the recipient. Mail is encrypted and digitally signed by CSE using User B’s public key for encrypting the message to User B and then sent using Thunderbird.
Scenario All OK:
User B receives the encrypted and digitally signed message from User A (in Mozilla Thunderbird). How does User B’s CSE know the “decryption” code for the message? Where is the decryption code stored?
And how does User B’s CSE know that the message really originates from User A and not from somebody else? (Especially if User B receives a digitally signed and encrypted message from User A for the first time.)
And the final general question:
What encryption method is used?
Sorry for the amount of questions, but we want to understand exactly what we might be using in future…
Thank you!
If A already has B’s digital certificate.
In this case CSE simply uses S/MIME encryption and PKI above.
If A doesn’t already have B’s certificate, CSE has a few options for B to read this mail, all determined by A using our patent pending single user certificate system and our server. A sends the e-mail using this system, setting which options from the list below B can use to read it.
i) B must install CSE to read the mail. This is our recommended method and is fully secure.
ii) B can forward the mail to our web reader, and read the mail by supplying a password which A agreed with B in advance, e.g. by telephone or letter. Not as secure as i)
iii) B can forward the mail to our web reader but does not need to supply a password. Not as secure as ii)
As I said, A the sender decides which of the options are available to B. Hope this answers your questions.
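The S/MIME case from the reply above (A signs with A's own private key and encrypts to B's certificate; only B's private key decrypts), as an added example using the OpenSSL command line. It is not CSE's own code; the names alice, bob and eve, the message text and the self-signed test certificates (standing in for CA-issued ones) are constructed assumptions.

```shell
#!/bin/sh
# Added example: S/MIME sign + encrypt with the OpenSSL CLI.
# alice = sender A, bob = recipient B, eve = a third party (all constructed).
# Self-signed test certificates stand in for CA-issued ones (assumption).
WORK=$(mktemp -d)

make_identity() {   # $1 = name; creates $1.key (private) and $1.crt (public)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# $1 = sender, $2 = recipient, $3 = plaintext file, $4 = output file
send_secure() {
    # Sign with the SENDER's private key ...
    openssl smime -sign -in "$3" -signer "$WORK/$1.crt" \
        -inkey "$WORK/$1.key" -out "$WORK/signed.eml" 2>/dev/null &&
    # ... then encrypt to the RECIPIENT's certificate (public key only).
    openssl smime -encrypt -aes256 -in "$WORK/signed.eml" \
        -out "$4" "$WORK/$2.crt" 2>/dev/null
}

# $1 = reader, $2 = sender the reader expects, $3 = received file
open_secure() {
    # Decrypt with the READER's private key, which never left the reader.
    openssl smime -decrypt -in "$3" -recip "$WORK/$1.crt" \
        -inkey "$WORK/$1.key" -out "$WORK/inner.eml" 2>/dev/null &&
    # Check the signature against the expected sender's certificate.
    openssl smime -verify -in "$WORK/inner.eml" -CAfile "$WORK/$2.crt" \
        -out "$WORK/plain.txt" 2>/dev/null &&
    tr -d '\r' < "$WORK/plain.txt"   # S/MIME canonicalises text to CRLF
}

for name in alice bob eve; do make_identity "$name"; done
printf 'Constructed test message from A to B\n' > "$WORK/msg.txt"
send_secure alice bob "$WORK/msg.txt" "$WORK/mail.eml"

echo "bob reads: $(open_secure bob alice "$WORK/mail.eml")"
open_secure eve alice "$WORK/mail.eml" >/dev/null || echo "eve: cannot decrypt"
open_secure bob eve "$WORK/mail.eml" >/dev/null || echo "bob: not signed by eve"
```

With CA-issued certificates, `-CAfile` would name the issuing CA's certificate rather than the sender's own, which is how B can check a first message from A without having met A's certificate before.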
I was going to try CSE a while ago (Months). But what put me off is, I think Comodo would be able to Decrypt my Emails.
As far as I’m aware, it would be almost the same as Two People (A & B) sending Secure Gmail’s to each other; accessing their Web Mail Page using https. (Staff at Google would be able to Decrypt my Emails.)
I think this could be the Second main reason why a lot of people simply don’t bother Encrypting. If a Company can easily Decrypt your Email, whether it is Comodo, Google, or your ISP who can Decrypt them, then why bother?
Is it possible to Encrypt Emails without a Digital Certificate from a Certificate Authority? (This would take the power away from Comodo, Google, or the ISP, and give it completely to the User.)
If this is feasible, would this be possible in CSE?
I don’t know much about Certificates, but how about CSE being able to generate randomized Self Signed Certificates so that the Emails can never be Decrypted by ANYONE but the User? (And the recipient of course.)
If you find it difficult to understand this Post, it's because I’m talking about a Subject I am not familiar with.
Some of the very early versions of PGP operated that way. I do not know if you can find software that works in that way now. Possibly OPGP or GnuPG, but then you must get your Key signed by other users of the same in order to verify the identity of your key, and your key still ends up public.
As you are specifically restricting your focus to the decryption without CSE, did you at least confirm that key generation is carried out locally and that, if both users use CSE, both encryption and decryption are carried out locally too?
J2045 are you seriously implying that there is a Comodo master key?
Because of course this would be worse than asking you if you are NOT legitimately interested to understand how CSE works but only to discourage its use (at least).
Does your anonymity guarantee your conjectures more than the replies from Comodo staff and CEO?
Because despite you are asking Comodo while neglecting existing replies, everybody else should acknowledge that your implied concerns may be totally unwarranted and not being swayed by them.
I’m implying nothing… I was simply asking if it was ENCRYPTED with Comodo’s PUBLIC KEY.
If the PUBLIC KEY is to ENCRYPT THE MESSAGE, and the PRIVATE KEY is to DECRYPT THE MESSAGE, then in those Two scenarios, it would make perfect sense if the MESSAGE was ENCRYPTED with Comodo’s PUBLIC KEY. (If I’m understanding correctly of course!)
Again, I am referring to Comodo’s OWN key, NOT the Keys in the Digital Certificate that the User gets Free with CSE!
And why does your question implicitly assume that the process relies on a Comodo key and not on an end-user key?
Could it be you are still willing to drown this topic with feelings and analogies that advocate fear?
You know the above quoted feeling and analogy was actually a reply to Comodo CEO post:
Where it was explicitly stated DO NOT and CANNOT.
Again I ask: As you are specifically restricting your focus to the decryption without CSE, did you at least confirm that CSE key generation is carried out locally and that, if both users use CSE, both encryption and decryption are carried out locally too?
… As Comodo’s PRIVATE KEY would then be needed for the DECRYPTION process. (After person ‘B’ Forwards the Email to Comodo’s Web Reader.)
If Comodo really wanted to, they ‘could’. If you want to break any Encryption, all you need is the Guys who created the algorithm. (Or just their knowledge of course.)
Though my concerns were that Comodo was keeping a Copy of the Keys, which can be used to Decipher ANY Emails created with CSE, in a Data Base. I was also concerned about who had access to that Data Base and how Secure it was.
But after xiuhcoatl explained that the public key does not permit decryption, my concerns were over/relieved.
So why you choose to ask these ridiculous questions, I have no idea.
But what are you implying that the “Guy who created the algorithm” had to do?
Please consistently and thoroughly address this fictional scenario you alone introduced in this topic by means of feeling and analogies.
Is this why you are posting your conjectures about a Comodo key?
Please reread your concerns/feelings/analogies.
Are you guessing that a Comodo key would be needed and that it will be used even when two users have CSE? How so?
Or is this something you are now guessing only for the scenario where the recipient uses the online decryption services because s/he is not willing to install CSE? How so?
If this is your comment about asking you to reply to some of the conjectures you yourself posted about…
You know, you are the “Guy who created these concerns” in the first place.
You ‘could’ have asked those questions even if you were not genuinely concerned.
But apparently you were concerned about a Lock Smith keeping a copy of the key, isn’t it?