Howto Encrypt Your E-Mail

Encrypting e-mail can be really simple. If you want to communicate securely with your friends, you can set it up in a few minutes. It does not have to be complicated.

There are some good technologies you can use for this task. The most common are PGP and X.509 certificates (used by S/MIME). Both are public-key systems: every participant owns a key pair, one part public and one part secret (kept on your own computer). If you want to send someone an encrypted mail you need the public part of that person. Here comes the problem: you need not just any copy of that public part, but one you are sure really belongs to that person. For that reason PGP has the "Web of Trust" and X.509 has trust centers (certificate authorities): both exist to verify who owns a given public part and so ease key exchange between people who have never met.

BUT if you only want to communicate with a few friends in a secure way, that infrastructure is not necessary at all. Generate your keys, exchange them with your friends, communicate.

Here are the basic steps to achieve this with X.509 certificates.

  1. Download and install OpenSSL for your platform (if it is not already installed on your computer; many Linux systems have it installed by default).
  2. Create your certificate with the following command:
    openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365
    and answer all questions. The first prompt asks for a passphrase that protects the secret key in key.pem; choose a strong one, because anyone who gets key.pem and the passphrase can read your mail. Of the remaining fields the only important one is the E-Mail Address: it has to be the address you will use with this certificate. In all other fields you can write whatever you want.
  3. Congratulations! You now have a so-called self-signed certificate: cert.pem is the public part, key.pem is the secret part.

What next? You have to install this certificate to use it with your mail program. Yes, this also means you need a mail client; web mail will not do, because the secret key has to stay on your own computer. How to install it depends on your mail program and operating system and is another story; most clients import the secret key and the certificate together as one PKCS#12 (.p12) file, which OpenSSL can produce from key.pem and cert.pem. Check the manual of your mail client and follow its steps.

Now you are ready, but communication involves at least two persons. Export the public part of your shiny new certificate and bring it to your friends. The best way is to visit them and hand it over in a private meeting, comparing the certificate's fingerprint while you are there. Why? To be sure they have the right key. We created our own certificate and do not use a trust center as the "trusted" third party that everybody relies on, so the in-person check is what replaces it.

About trust. We do not use a trust center in this setup, so no root certificate proves that our certificate is valid. Sounds insecure? Not really. Why? Because we exchanged our keys ourselves, in person, and that is the most reliable verification there is. All the other "stuff" around a certificate, the root certificates of a trust center (and the web of trust in the case of PGP), has the sole purpose of verifying that a key belongs to the person whose name is stored in the certificate (remember the information from step 2). One practical consequence: your mail client will not trust your friend's self-signed certificate on its own, so after the exchange you have to mark it as trusted explicitly, and you should only do that for a certificate whose fingerprint you checked.

Encrypting your communication is one of the best ways to protect your privacy. It is a tool that improves security, but it is no solution to the problem of illegal communication surveillance. Only the content of your mail is encrypted. The sender and recipient addresses, the subject line and the timestamps are still transmitted in the clear, so it remains possible to monitor which people you write to and when.

Dear Google, Dear USA

I am so angry that I am even writing a blog entry. If you check my blog history you can see that this is really something special.

So far I have used Google Analytics to get some information about my blog: from where, how often, how long, and so on. It is a very good service and the results are really good. Now, after the latest news about PRISM and co., I started to think about the privacy statements of that service again. Even if Google tells me in their terms of service that my visitor data is stored securely and confidentially, I am no longer sure who else stores my data, where, and what happens with it.

Every week another piece of information about secret surveillance programs drops into the public. What exactly these programs do is still unknown. From the official side everything is legal and we should be glad that these systems make our lives more secure. But how? That's secret, too. Of course these systems are controlled, by secret rules of course. The fact that PRISM is a United States system also means that as a non-US citizen you have no right at all to ask which data is stored about you. (You can ask the companies, but in the case of a national security letter you will get no useful answer.)

All secret surveillance programs in general have one big flaw. They are the exact opposite of freedom and democracy. How can people vote for a party to form a government if politicians do things nobody is allowed to know about? How can justice work if it is not possible to control the judges?

What can I do? Unfortunately not much. First, I decided to remove Google Analytics. It is really not much, but at least I can express my anger about it. Sorry Google, but there is not enough trust in your system (and server location) anymore. Now I am using Piwik and count visitors on my own server. This also improves privacy for visitors, because this information cannot be used to track surfing behavior across different websites.