Please try this Secure Email Beta product and give us your feedback.

There are many issues with email today. This is why it has become a tool for spammers and fraudsters, and we are always edgy when it comes to using email as a communication tool.

The solution, I believe, has to be based on PKI.
We have to give the ability to simply press a button and secure email for the recipient based on PKI, without the sender worrying about whether the recipient can decrypt it or not.
And another issue is about authenticating the sender.

Today people don’t have/use any (huge majority). So we have to take some baby steps.

Step 1) We must get people to use digital certificates as their Online Passports.
Step 2) We must get people to encrypt all their emails
Step 3) We must get people to digitally sign all their emails

The biggest vulnerability is when the recipient receives the digital cert. The ideal scenario is for them to get a cert from a CA, get validated, and tell the world they have this. But it ain’t going to happen, so we must first get everyone to use digital certs. Once they are used to using it, then we can increase the trust value inside a cert so that we know that only the authentic entities are using their own certs etc…

So baby steps… today we have nothing… all email can be intercepted and read. For more security conscious people, people can exchange their certs out of band, or put a passphrase on the very first email… but as I said, it will be a great achievement to get PKI as the platform that everyone uses as the first goal.

thanks
Melih

Thanks Melih
And I agree 100%. The primary thing that has prevented me from using PKI programs, such as PGP, in the past was the need to first send a key to the receiver (not sure if I was mistaken about that, but that was my belief), given that most people don’t have the technical knowledge or the desire to mess with it. I can include myself in the latter group, which may account for my beliefs or mistaken beliefs about PKI. I always thought it was a good idea but due to lack of general acceptance have not messed with it.

But I either don’t totally understand or you did not quite answer my questions.

But thanks for a great bunch of products.
So far I use CPF and am trying out CSE. I can not use CAVS because of an incompatibility issue with Gmail.
[/quote]


Hi Opus

Sorry if I didn’t answer your question.
Can you please expand your question and I will try to answer again.
Thanks
Melih

Thanks for Helping me understand this Melih

Sorry if I was short, I was just frustrated.
I’ve been fighting application rules in CPF and they keep rearranging on me. I’ve been working with Toogie and Lil Mac but not sure if they are going to do what I want. I’m hopeful V3 will help me out.

After doing some studying on PGP
I think I understand a little better; however, I think I need to read a little more.

Tell me if this is close

If you send a key (smime.p7s) with email, what is to keep this from being intercepted and used by any person to decrypt the mail, not only the intended receiver?
I think the answer is: if that person does not have a cert there is nothing keeping it from being decrypted. Ideally the key (smime.p7s) is generated using your private key and the public key of the receiver.
If I’m correct about CES, it will send an email to a person without a cert.
It will in this case send your cert but not encrypt the email,
or
it encrypts the email and it will decrypt only using smime.p7s. If this is the case, the answer to my first question is nothing.

The way CES works is by generating a temporary cert for the recipient if the recipient does not have one. And the recipient has to receive the cert in order to decrypt it. The only vulnerability is how the recipient receives the cert for the first time. So email is always encrypted.

Melih

Thanks for the Info and help you have already given me with this Melih

I loaded COMODO Secure Email (CSE) 0.9.0.17 Beta 2 RC1 (I know there’s a new beta, 0.9.0.30 Beta, and I will give it a try, but nothing in the notes indicates there was any issue with anything like this, so I do not think they have addressed this, at least not intentionally).
Here’s a history of what I’ve done and in the end what failed and why I uninstalled:
1) I had to follow this procedure to get my first cert installed but that was not a big problem.

  1. Seemed to be going well with only one email account. I had sent several emails to people with several addresses in the To or CC address bar and everyone was able to open them with no problem. Note this included web mail accounts such as Gmail and Yahoo mail. No one was a registered cert holder so all addresses used one time certificates.
  2. I added a cert to my wife’s email account (I sometimes answer emails to her clients for her). Note: she still does not have the software installed on her PC. I had to try to register her for several certificates as I had problems getting them to load, I don’t remember exactly why. Only one went through the entire process.
  3. I sent an email through her account on my PC to several non certificate registered users in the To: and the CC: fields and my wife in the BCC: field.
  4. I could open it fine on my PC in her account; this is what I expected as it should use the same type of key system as PGP, if I’m correct in how PGP and CSE function. At the bottom you can see how I think PGP and CSE function; I listed my understanding step by step in Examples 1 & 2. If something is wrong please correct it (unless it is a trade secret).
  5. My wife could not open it on her system; again this is what I expected as she did not have the software on her system and she was a registered certificate user.
  6. And here’s the problem: the users not registered for certificates could not open the email either.

Thanks for reviewing this and if possible let me know if I am correct about how it works
Opus Dei

Here’s how I think PGP and CSE work

Example 1
TO SEND AN ENCRYPTED EMAIL TO A USER WITH A PKI (Public Key Infrastructure) CERT STORED ON THE PKI CERTIFICATE SERVER
I think this is almost the same in CSE or a PGP (type) program. In the below examples 1a)-1h) both users are registered users and have the CSE or PGP (type) software installed on their PCs; this implies they both have public keys stored on the PKI certificate server.
1a) The users must install the PKI software CSE or PGP (type) and register to be certified.
1b) After being certified the software generates a private key or receives a private key from the PKI certificate server (not sure exactly where the private key is generated; it may be different for different software).
1c) A private key is stored on the registered user’s PC (in this case both the sender and receiver are registered users).
1d) The registered user’s public key is stored on the PKI certificate server.
1e) The COMODO CSE or PGP software on the sender’s system uses the private key and the public key of the receiver to encrypt the message.
1f) The email is sent.
1g) The recipient receives the email.
1h) The recipient opens the email and the email is decrypted with the private key of the recipient and the public key of the sender by the software.

Example 2
TO SEND AN ENCRYPTED EMAIL TO A USER WITHOUT A PKI (Public Key Infrastructure) CERTIFICATE STORED ON THE PKI CERTIFICATE SERVER
I think this is the advantage of COMODO Secure Email (CSE). I think this is unique to CSE. In the below example 2a)-2k) only one user is registered and has the CSE or PGP (type) software installed on their PC. Also only one user has a public key stored on the PKI certificate server, therefore most other PKI or, as I previously called it, PGP (type) software will not function. This in my opinion has been the major obstacle to the widespread use of PKI software in the general market.

2a) The user must install the PKI software CSE or PGP (type) and register to be certified.
2b) After being certified the software generates a private key or receives a private key from the PKI certificate server (not sure exactly where the private key is generated; it may be different for different software).
2c) The private key is stored on the registered user’s PC (in this case only the sender is a registered user and the receiver is not).
2d) The registered user’s public key is stored on the PKI certificate server.
2e) The COMODO CSE software on the registered user’s system generates a temporary public key for the unregistered receiver of the email.
2f) The COMODO CSE or PGP software on the sender’s system uses the private key of the registered user and the temporary public key of the receiver to encrypt the message.
2g) The email is sent.
2h) The COMODO CSE software on the registered user’s system sends the temporary public key to the PKI certificate server where it is stored until the receiver opens the email.
2i) The temporary public key of the unregistered email is sent to the
2j) The recipient receives the email.
2k) The recipient opens the email and the email is decrypted with the private key of the recipient and the public key of the sender by the software.

Hi Opus Dei
Regarding your question:

“My Real Questions are:
If you send a key (smime.p7s) with email, what is to keep this from being intercepted and used by any person to decrypt the mail, not only the intended receiver? Could someone please give me a straight answer.

Or is this only meant to guarantee the sender is who they say they are? Yes or No

Thanks Opus”
The smime.p7m you are seeing sent from SecureEmail contains the actual encrypted and signed data not a key.

“Or is this only meant to guarantee the sender is who they say they are? Yes or No”

This is signing e-mail, not encrypting. I sign an e-mail and you would know it was from me.

“I loaded COMODO Secure Email (CSE) 0.9.0.17 Beta 2 RC1 (I know there’s a new beta, 0.9.0.30 Beta, and I will give it a try, but nothing in the notes indicates there was any issue with anything like this, so I do not think they have addressed this, at least not intentionally)”

I strongly recommend you move to the latest Beta 0.9.0.35. It is much improved.

“But thanks for a great bunch of products. So far I use CPF and am trying out CSE. I can not use CAVS because of an incompatibility issue with Gmail”

CSE Beta actually suffers from the same problem. I will have a fix out for both products very soon.

I’ll explain the workings in a separate post.
Thanks
Shane

SecureEmail has a unique feature where it will allow you to encrypt for a contact even if you don’t have a public key certificate for that contact. For me to explain this, we must first all follow how regular e-mail encryption works with PKI where we do have a contact’s e-mail certificate.

PKI.
PKI is essentially public and private key encryption: Public Key Infrastructure. These keys are always in pairs; one unique public key is always paired with one unique private key.

Public keys as their name suggests, are safe to distribute and make public. Public keys are stored in Public Key Certificates (X.509). There is lots of info about this if you look this up on wikipedia for example.

Private keys always remain private to the holder.

The way these keys are used together… two very simple rules:
Rule 1: Data encrypted with a public key can only be decrypted with the paired private key. Likewise,
Rule 2: Data encrypted with the private key can only be decrypted with the paired public key.

You can think of this as the public key locks/hides the data and the private key makes it visible again, and vice versa. It’s really a very simple concept.

To put this into practical terms:

  1. I create paired public and private keys.
  2. I make my public key public and give it to you. (We show how this is done below).
  3. You encrypt the words HELLO SHANE with my public key. As we have just seen the only key that can now decrypt this is the paired private key.
  4. I am the only person who has the private key, so only I can decrypt the word HELLO SHANE.
    (This is encryption, making the data private)
  5. I create a reply… HELLO OPUS DEI
  6. I encrypt this with my private key, and then send this to you.
  7. You decrypt it with my public key, and you know that I sent the message because it must have been encrypted with my private key that only I have.
    (This is signing, authenticating who the data came from.)

Distribution of Public Key Certificates and Trusted Root
Windows has something called a certificate store. Windows is shipped with a number of pre-installed certificates called Root certificates. Root certificates can issue (by signing) subordinate certificates in a hierarchy. Here’s a real example of one you have pre-installed:

– CN = UTN-USERFirst-Client Authentication and Email

Rule – If you trust the Root cert, you trust all certificates that are issued by it.

As we’ve said, you already have a number of Root certificates installed with your copy of Windows, so you can now automatically trust all certificates issued by that Root. Issued certificates are signed by the Root.

Ok, so imagine at a later stage an e-mail cert is issued by the above root:
– CN = UTN-USERFirst-Client Authentication and Email
– Robert McBob – “bobby [ at ] internet.com”

Since you have the root, you can now trust the issued e-mail certificate no matter who sends it to you. The e-mail certificate is signed by the Root so you can check the integrity. If someone tries to edit this e-mail certificate and add a different e-mail address, the signature of the certificate will be broken and we will no longer trust it.

E-mail Encryption:
E-mail certificates link together a Public key and an e-mail address into a certificate that you can check the integrity of.

As you can see above, if you have an e-mail certificate for someone you can encrypt data for them by encrypting for their public key. Only they can decrypt it.

If you have a public key certificate and a private key of your own, you can also easily sign e-mails, and people who receive them know the mail was from you and that the contents are intact.

It does not really matter how you get the public key certificate; your contact could e-mail it to you or send you a signed e-mail which will have the certificate included. As long as you check the signature of the cert and that it is trusted back to your pre-installed trusted root, then the mail is valid.

To complicate matters a little more, this isn’t quite how it works, a symmetric session key and hashing algorithms are used for speed, but the concepts of PKI are the same.

SecureEmail’s system to encrypt even if you don’t have the contact’s e-mail certificate, or they don’t have an e-mail certificate.

Here’s how it works…sending:

  1. An e-mail to be encrypted with a single-use certificate is detected.
  2. A self-signed public key certificate and paired private key are generated for the recipient.
  3. The e-mail is encrypted for the public key that was just generated.
  4. The encrypted e-mail is sent to the recipient’s e-mail address along with instructions of how to decrypt.
  5. The public and private keys are sent over an encrypted connection (SSL) to the Comodo SecureEmail server.

How it works… receiving – installing SecureEmail using Outlook, Outlook Express or Thunderbird:

  1. The encrypted e-mail is received.
  2. The recipient installs Comodo SecureEmail.
  3. SecureEmail checks to see if the recipient has an e-mail certificate.
    a. If the recipient does not have an e-mail certificate then SecureEmail will not be able to download the single-use public and private key until they sign up for a Comodo e-mail certificate.
    b. If the recipient already has an e-mail certificate:
    i. SecureEmail connects via SSL with client authentication, authenticating to the recipient’s e-mail address.
    ii. If the authentication is successful then the single-use certificate and private key are downloaded securely.
    iii. The e-mail is decrypted with the private key and then encrypted (depending on SE options) for the recipient’s permanent e-mail certificate.
    iv. On the next Send and Receive SecureEmail will prompt the user to send their permanent e-mail certificate to the sender so from this point forward, permanent PKI based certificates will be used for communications.

If there are any questions thus far let me know.

I hope this helps.
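The single-use certificate flow Shane lays out above, modelled as an added Go example (it is not Comodo's code and not how SecureEmail is implemented internally): the sender generates a self-signed certificate and key pair for a recipient who has none, encrypts for that public key, and deposits the key pair with an escrow server that releases it only to a requester authenticated as the recipient address. The names Escrow, SingleUseCert, SendSingleUse and Receive and the address recipient@example.com are constructed for this illustration, and RSA-OAEP is applied to the short body directly where S/MIME would wrap a symmetric session key.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SingleUseCert is the self-signed certificate and paired private key that the
// sender generates for a recipient who has no certificate yet (sending step 2).
type SingleUseCert struct {
	Cert *x509.Certificate
	Key  *rsa.PrivateKey
}

// Escrow stands in for the SecureEmail server holding single-use key pairs by
// recipient address (sending step 5); a constructed stand-in, not Comodo's server.
type Escrow map[string]*SingleUseCert

func newSingleUseCert(email string) (*SingleUseCert, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        pkix.Name{CommonName: email},
		EmailAddresses: []string{email},
		NotBefore:      time.Now(),
		NotAfter:       time.Now().Add(24 * time.Hour),
		KeyUsage:       x509.KeyUsageKeyEncipherment,
	}
	// The template signs itself: nothing chains this cert to a pre-installed
	// root, which is why the key pair must reach the recipient via the escrow.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &SingleUseCert{Cert: cert, Key: key}, nil
}

// SendSingleUse is the sending side: generate the recipient's single-use cert,
// encrypt the body for its public key (RSA-OAEP directly here; S/MIME would wrap
// a symmetric session key the same way) and deposit the key pair in escrow.
func SendSingleUse(srv Escrow, recipient string, body []byte) ([]byte, error) {
	su, err := newSingleUseCert(recipient)
	if err != nil {
		return nil, err
	}
	pub := su.Cert.PublicKey.(*rsa.PublicKey)
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, body, nil)
	if err != nil {
		return nil, err
	}
	srv[recipient] = su
	return ct, nil
}

// Receive is the receiving side. The escrow releases the single-use key only to
// a requester authenticated as the recipient address (step 3b.i-ii); without
// that authentication the mail stays unreadable (step 3a).
func Receive(srv Escrow, authenticatedAs, recipient string, ct []byte) ([]byte, error) {
	if authenticatedAs == "" || authenticatedAs != recipient {
		return nil, errors.New("requester is not authenticated as " + recipient)
	}
	su, ok := srv[recipient]
	if !ok {
		return nil, errors.New("no single-use key on file for " + recipient)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, su.Key, ct, nil)
}

func main() {
	srv := Escrow{}
	ct, _ := SendSingleUse(srv, "recipient@example.com", []byte("HELLO OPUS DEI")) // constructed
	_, err := Receive(srv, "", "recipient@example.com", ct) // step 3a: not authenticated
	fmt.Println("unauthenticated fetch refused:", err != nil)
	body, err := Receive(srv, "recipient@example.com", "recipient@example.com", ct)
	fmt.Println(string(body), err)
}
```

The unauthenticated fetch is refused and only the request authenticated as the recipient address gets the body back, which is the difference between step 3a and step 3b in the post.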

Thanks shane,
I appreciate the in depth answers; I just skimmed them. I will have to sit down and read them and absorb the info.

I would like to get myself and my wife on secure email. However, after my last secure email problem, I am a little shy. When a client can not read an email it could cause a delay of 2 days or more in our communications: 1 day for them to tell me they could not read the email and 1 day for me to resend it. Chat programs or the phone do not work either if your clients are 10-12 hours different than you. Our work can be time sensitive and small problems like that can be big problems. However, much of our work can be highly confidential and I am sure the clients would like the confidence of knowing our communication was encrypted and secure. We email back and forth all over the world for business, and if I can get it to work reliably for some time I would consider purchasing business certs for our small company, but I need it to work and can’t afford a lot of problems.

I am a real geek and sooner or later I will give the latest CSE a try again. Am I right in assuming there are no stable versions yet?

Thanks for the good work and keep building great products.

OPUS

As I understand this, the user has to download and use Comodo Secure Email?

I thought this was the difference between CSE and standard PKI secure email.
I thought with CSE, if a user did not have CSE they had the ability to decrypt the message.

In my initial test emails with your previous beta I could send to users without any type of PKI software on their PC and they could read these emails.
From my understanding below, these emails were signed but not encrypted; is this correct?

If they had been encrypted they would have been prompted to download CSE and install it?

If this is the case I will probably still be shy about trying CSE, as I don’t want to require anybody to install any software on their system to do business with us.
Thanks
OPUS

When a secure email is sent, the receiver can simply forward the email to an email address provided in the email and they will receive a link. Once they click on this link, they can read the email.
So they don’t have to install anything if they don’t want to.

Melih

Is it available for any platform besides Windows?

Not yet, I am afraid.
Melih

Hi -

I have a Compaq Laptop running MS Vista and Office 2007. I am using MS Outlook 2007 as well as webmails - gmail and hotmail.

Having gone through a number of email security programs, I finally decided to try signing up for a free Comodo Email Certificate, which refused to be downloaded by IE even after setting it to trusted and installing the ActiveX. Tried downloading with Firefox and lo… it installed! But it was not to be, as even though the message said it was installed, in Outlook it was nowhere to be found!

Finally I installed Comodo Secureemail beta (I did not at first 'cos the site did not say it worked with Vista) and in terms of ease of use I must say that Comodo Rocks…when it works…

The cert finally installed ok. I followed the settings instructions (both for SecureEmail and Outlook) and no matter what settings I tried it was still sending email in clear text.

No email interception by SecureEmail, no dialog boxes, nothing. Finally, the only way I could send signed and encrypted messages was by setting Outlook trust center settings to sign and encrypt emails.

And I can’t get it to work with webmail and single use certificates!

To top it all off, now whenever I startup SecureEmail Configuration, I get a pop up box titled “configure” and the message “The parameter is incorrect.”

I don’t know what’s wrong. Are my settings incorrect? Is it a beta problem? Does it work properly with Vista? Is it an Outlook 2007 problem? How do I get single use certificates to work? Grrrrrr…somebody please help…

Hi nickchan

We’re sorry to hear you have had some problems with CSE.

nickchan: “I have a Compaq Laptop running MS Vista and Office 2007. I am using MS Outlook 2007 as well as webmails - gmail and hotmail.”

Currently, CSE only supports POP/SMTP/IMAP not webmail. In addition we are working on a version that supports SSL connections, which gmail uses, so gmail isn’t supported yet either, although we have an SSL beta in testing that has shown promising results so far.

nickchan: “Having gone through a number of email security programs, I finally decided to try signing up for a free Comodo Email Certificate, which refused to be downloaded by IE even after setting it to trusted and installing the ActiveX.”

This could be IE settings, or security settings in Vista although it’s a little tricky to say without seeing the exact error you were receiving.

nickchan: “Tried downloading with Firefox and lo… it installed! But it was not to be, as even though the message said it was installed, in Outlook it was nowhere to be found!”

Firefox has a separate certificate repository from Windows and Outlook. To use a certificate in Outlook which you installed into Firefox’s certificate repository, you need to export the certificate and most importantly, the private key, from Firefox to a pkcs#12 and install that into the Windows certificate store. At this point CSE will be able to use the certificate, but if you want to use Outlook without CSE, then you have to setup Outlook to use that certificate for your e-mail account via Outlook’s options.

nickchan: “The cert finally installed ok. I followed the settings instructions (both for SecureEmail and Outlook) and no matter what I settings I tried it was still sending email in clear text.”
Were you able to see your certificate installed via Outlook?

nickchan: “No email interception by SecureEmail, no dialog boxes, nothing.”
CSE won’t be able to intercept web mail or gmail unless it’s being used over a non-ssl pop/smtp/imap connection.

nickchan: “Finally, the only way I could send signed and encrypted messages was by setting Outlook trust center settings to sign and encrypt emails.”

This is standard Outlook operation and nothing to do with CSE. To make Outlook encrypt, you have to setup your own certificate and you also have to install a certificate for each contact you wish to encrypt for.

SE is intended to remove the complexities and complications of understanding public key encryption and setting up your e-mail clients. Currently it does this well for the protocols it supports, which again are POP, SMTP and IMAP. CSE has a protocols tab where you can setup what ports to scan for each protocol. If the correct ports are not set, CSE won’t intercept and encrypt your e-mail.

nickchan: “And I can’t get it to work with webmail and single use certificates!”
Could you supply more about your mail settings?

nickchan: “To top it all off, now whenever I startup SecureEmail Configuration, I get a pop up box titled ‘configure’ and the message ‘The parameter is incorrect.’”

Are you running 32 or 64 bit Vista and is it a 32 bit or 64 bit version of Outlook?
We’ll be uploading a new version of CSE very soon that will have SSL support too that you could try if you wish.

“I don’t know what’s wrong. Are my settings incorrect? Is it a beta problem? Does it work properly with Vista? Is it an Outlook 2007 problem? How do I get single use certificates to work? Grrrrrr…somebody please help…”

A lot of the issues may stem from you not using non-SSL POP, SMTP or IMAP for the connection to the mail server. Could you supply a bit more info about your connection and port settings?

Are you running any e-mail monitoring anti-virus programs?

Hi Shane - Thanks for the quick reply. My replies below in red:-

To rub salt into my wounds, I tried introducing my biz partner (in the same co), also running 32bit Vista + Outlook 2007, and his installation worked like a dream! Single use certificates, hassle free setup of certs etc! Grrr! So it looks like Comodo is on the right track, but I just can’t get mine to work…

Hi nickchan

nickchan: Fantastic. I have very high hopes that Comodo will support webmails like Gmail. I know it’s still a beta, and I can wait for version 1.0 which will hopefully support webmail.

The problem here isn’t really Comodo supporting webmail, it’s the webmail provider themselves. If an encrypted e-mail is sent to a web mail account (that doesn’t support S/MIME, which they don’t) the recipient won’t be able to read the mail since the web mail does not have facilities to decrypt it, there’s no support for it with webmail providers so far. If the recipient reads the encrypted mail inside the web browser, then they’ll just see an encrypted mail.

If the web mail can be accessed via POP/SMTP then CSE can do this decryption/encryption during the POP/SMTP communications before it gets to the e-mail client.

GMAIL is an exception to most web mails; it has the ability to allow plug-ins. There is a FireFox S/MIME plug-in for GMAIL currently available that would, when the recipient’s cert is set up in FireFox, allow them to read encrypted mails. But of course they have to view the mail in FireFox, and will have to set up the certificate and plug-in on each PC they want to use to see the S/MIME encrypted mails.

nickchan: I use Outlook to download from / send through 4 different mailboxes/ email addresses. All are using POP connection. Even my gmail is downloaded/ sent by Outlook via POP connection. No joy.
GMAIL isn’t just POP/SMTP it’s POP/SMTP over SSL. As the release post says, SSL isn’t supported yet, so CSE will not work with GMAIL.

nickchan: The ports being used are Incoming: Ports 110 for 2 addresses and 995 for the other 2. Outgoing is 26 and 587 respectively.

Are your other accounts over SSL too? The one on 995 seems to be.

Can you check the protocols tab in CSE to make sure that CSE is actually monitoring the ports you have setup in your e-mail client for POP and SMTP? Remember CSE will not work with SSL turned on.

The reason for this is that CSE monitors the network traffic so that it can support as many e-mail clients as possible, rather than specific plug-ins for each e-mail client, because there aren’t too many e-mail clients that support plug-ins. When SSL is on, the traffic is encrypted from your e-mail client to the server, and CSE just can’t read it at the network level, until the next version that is. I’ll post it up in a day or so.

If you e-mail me directly I will find the source of the problem which is that CSE for some reasons isn’t detecting the ports.