Skip to content or view mobile version

Home | Mobile | Editorial | Mission | Privacy | About | Contact | Help | Security | Support

A network of individuals, independent and alternative media activists and organisations, offering grassroots, non-corporate, non-commercial coverage of important social and political issues.

How to start sending encrypted emails in 10 minutes...

Krop | 12.01.2009 00:13 | Technology | Terror War

So you want to send encrypted emails but don't know how? Strapped for cash? Here is how to do it in 10 minutes using Windows, Firefox, and Outlook and for free - though it will probably apply to most other systems using email through a windows programme (like Thunderbird, Outlook Express, etc). Keep PC Plod and the Job Centre away from your private emails!

How to VERY QUICKLY, start sending and receiving encrypted emails.

I discovered how to do this just now... it is not a guide to online security, or authoritative in ANY WAY. But it took my all evening for me to work out how to do this, so in order to save people time, and to get people sending emails that nobody can get their prying eyes into, read on....

The instructions below describe how to send your first encrypted email using a Windows PC, browsing with Firefox, and collecting and sending emails with Outlook 2007. But I reckon it shouldn’t be too different doing this in Thunderbird or under Internet Explorer.

If you use webmail – e.g. Googlemail, Yahoo, Riseup, etc., then you should first set up a mail client (such as Thunderbird or Outlook Express) to handle all of your emails first and then try and get the emails encypted. It is well worth doing this if you get the chance just for usability’s sake.

1) Get a “Digital Signature” for yourself. This isn’t a signature like you have in your emails at work with a phone number and other personal information. It’s a piece of information that identifies you digitally. I tried a few software programmes for free to create a signature, but none of them would work with Outlook 2007. Forget telling me that Outlook is corporate crap by the way...it’s quite good, and besides, it’s a free copy (courtesy of the Pirate Bay). To get a digital signature that worked in Outlook, I got one from  http://www.comodo.com/products/certificate_services/email_certificate.html. I do not know much about this company, but it’s probably as secure as any other. Fill in your details, and you will get your Signature. Follow the instructions on the screen, and do some background reading if you want to – Wikipedia is a good place to start (Google threw up a lot of very old websites and old software which was pretty irrelevant).
2) I got my certificate and thought...where the heck has it been saved to? Luckily I found it... it had been added to Firefox itself! To find your signature (if using Firefox 3), go to Tools > Options > View Certificates > Your Certificates. Here you will see your signature, from The UserTrust Network. Anyway, click on the name you gave yourself when requesting a Digital Certificate from Comodo, and click on the button “Backup”. Here, enter the password you chose, and save it somewhere easy to find – e.g. your desktop.
3) Now, load up Outlook 2007, and go to Tools > Trust Centre > Email Security. From here, import your Digital ID that you saved. You will want to automatically sign all of your email, and to encrypt them when you are communicating with anyone who you hold a Digital ID for - click the appropriate options.
4) What I did to check it was all working, was to send myself an email with a few words in the main body of the text (the message itself – not the subject), and sent it to myself, and to another email address where I could look at the email that had been sent. The email I sent myself I could open correctly and read; there was a little icon on the email message which indicated it had a signature and was signed, and was encrypted. The email that I copied (CC’d) to another email address that I have access to, I could open, but could not read – the message contents were just a load of garbage...it had been encrypted!

I do not count myself as an expert in this, and the only reason I have written the above is because I have wanted to get my mail secured for ages, and have never been able to work it out. I looked online, and it seemed like a matter of luck discovering how to go about doing it....especially when I didn’t want to spend a penny doing it... so if even one person manages to get their email signed, and then later, encrypted, then it has been worthwhile.

Krop

Additions

Other places to get your Digital Signatures From

12.01.2009 13:52

Visit here:
 http://kb.mozillazine.org/Getting_an_SMIME_certificate

---

Comodo - as in the guide above, is listed as the easiest place to get a Digital Signature.

Dr Encro

Comments

Hide the following 9 comments

One slight problem

12.01.2009 10:14

One slight problem is that it will register on the internet traffic as "unusual" and it will draw attention towards it... sometimes you are better off using normal e-mail account.

loppy

au contraire

12.01.2009 13:30

Everyone should encrypt their emails really - as a matter of course. Many commercial operations do so already because of obvious reasons. Likewise, in the UK, where there are hundreds of government agencies which are all allowed to snoop on its residents, almost every email of any personal nature should be guarded against prying eyes. The messages do not flag-up as suspicious automatically because unless someone is looking, to all intents and purposes, they look like all other emails.

I can see no argument for not encrypting, unless one supports the right of unhindered access to emails by government and the police.

In particular though, anyone organising a demonstration, or a campaign, should ensure that the people their are communicating with online use encryption.

There is NEVER a reason for not encrpting when you have the opportunity to do so.

Krop

re-read

12.01.2009 13:31

Also, Loppy, I don't think you understand:

you ARE using your normal email account. You are simply scrambling the contents of the messages that you send and receive from it.

It's not a new email account! Or anything even remotely unusual for that matter.

Krop

Actually

12.01.2009 14:18

I have to agree with Krop. You don't have to be up to something illegal to be encrypting. Just like you don't have to be up to anything dodgy to shield your answers in a school exam. It is just plain common sense.

But if you were to be using computers for anything illegal and needing to be told to encrypt, you are probably going to be busted anyway.

The common sense aspect of encrypting any activism related material, is this:

1. Any 3rd rate network admin can tell you that you can you use even the lamest Microsoft network analysis tools to record network data (if you can access that network... legally or illegally) and if you can "sniff packets" and those packets contain unencrypted text you can sit and read those messages straight out the data capture... I used to do it just out of boredom at work.

So, remember unencrypted data is totally visible if anyone can get into your network.

ISPs make all sorts of bold claims about their firewalls and security measures, but people get scanned for Trojans from within their own ISPs all the time, so do not expect ISPs to be AHEAD of the game, but rather always playing catch up.

And hey, they could even use your wireless router if you are not diligent.

2. You may not be doing anything illegal, but someone nearby may be, and may be subject to a RIP warrant and because you may be a few degrees away from that person, you may be being watched too. And, who is to say that the non-violent blockade you have planned for next week doesn't get passed on to your local plod & target location and lo and behold they are there before you are when you turn up.

3. Worse than PC Plod, is the private sector of "surveillance". Your average rent-a-spook has been demonstrated time and time again to have the morals of the slimy shits that hire them. If they can easily gain access to your system, they aren't going to worry about warrants and due process, they will just ram their sniffers up your ports to their heart's content.. assuming they have been unable to hack you directly...

But yes, if you are an activist and people are working with other people, it really should be seen as an obligation to to take data security seriously.

Obviously the biggest/toughest issue is infiltration, but that is no reason to lock the doors and leave the windows open.

MNM

I would recommend PGP instead

12.01.2009 23:37

I would recommend PGP (Pretty Good Privacy) for encrypting emails instead of this method (S/MIME). It's less corporate, more decentralised, and is already used widely by activists, especially in the animal rights movement.

A non-free version is here:  http://www.pgp.com
A free version is here:  http://www.gnupg.org

The second option, GnuPG is very good. It integrates very nicely with the Thunderbird email program using the Enigmail add-on, but you can also use it with other programs such as Outlook or Outlook Express.

I would resist the temptation to download cracked versions of things like PGP or Outlook from places like the PirateBay. They could easily contain trojans or viruses and when security is concerned, this is a massive compromise.

Free software is definitely the way to go for security (that is free as in both speech and beer). Even if the software is paid for, you can't totally trust it unless the "source code" is freely available for inspection.

g33k

PGP

13.01.2009 03:13

Yes G33k, I would agree with you - except I couldn't for the life of me get a signature working with Outlook using the tools you describe. Personally I think that any level of encryption has to be better than none....if people can't use the tools you mention (which are doubtless good ones), then the 'corporate' solution has to be a very good second best.

Krop

g33k

13.01.2009 12:25

Perhaps you can follow Krop's example and provide us with a keystroke tutorial on using the applications you recommend?

MNM

GPG how to ( for the 3rd time this month!)

13.01.2009 19:24

Mail encryption:

Gpg4Win is explained here so even a Microsoft engineer can understand it:
 http://www.theregister.co.uk/2008/11/14/email_encryption_how_to

The article links to this Linux How To for Gnu Privacy Guard:
 http://dewinter.com/gnupg_howto/english/GPGMiniHowto.html

Drive encryption:

TrueCrypt offers plausible deniability, meaning you can nest an encrypted volume. That means if the judge orders you to provide a password to it, or a gangster threatens to cut off your fingers unless you unlock it, your sensitive data is still hidden.
 http://www.truecrypt.org/docs/plausible-deniability.php

xMCSE

GPG = PGP

14.01.2009 23:20

Just to clarify some of the terms used:

PGP = Pretty Good Privacy, which is the name used for both the open specification and the particular corporate software that is an implementation of it. The software is kind of free as in beer if you use a cut-down version, but it isn't really properly open-source. The non-free part has some other tools like encrypted disks that aren't part of the main PGP specification.

GPG = GnuPG = Gnu Privacy Guard, which is a totally free and open-source software implementation of the PGP standard specification.

PGP and GPG are totally compatible with each other, they are just two programs that do that same basic thing - encrypt and sign emails and other files.

There are a lot of tutorials out there on using them, a previous poster has provided some links.

Personally I would recommend using GnuPG with the Thunderbird email program instead of Outlook or Outlook Express.

g33k

Upcoming Coverage
View and post events
Upcoming Events UK
24th October, London: 2015 London Anarchist Bookfair
2nd - 8th November: Wrexham, Wales, UK & Everywhere: Week of Action Against the North Wales Prison & the Prison Industrial Complex. Cymraeg: Wythnos o Weithredu yn Erbyn Carchar Gogledd Cymru

Ongoing UK
Every Tuesday 6pm-8pm, Yorkshire: Demo/vigil at NSA/NRO Menwith Hill US Spy Base More info: CAAB.

Every Tuesday, UK & worldwide: Counter Terror Tuesdays. Call the US Embassy nearest to you to protest Obama's Terror Tuesdays. More info here

Every day, London: Vigil for Julian Assange outside Ecuadorian Embassy

Parliament Sq Protest: see topic page
Ongoing Global
Rossport, Ireland: see topic page
Israel-Palestine: Israel Indymedia | Palestine Indymedia
Oaxaca: Chiapas Indymedia
Regions
All Regions
Birmingham
Cambridge
Liverpool
London
Oxford
Sheffield
South Coast
Wales
World
Other Local IMCs
Bristol/South West
Nottingham
Scotland
Social Media
You can follow @ukindymedia on indy.im and Twitter. We are working on a Twitter policy. We do not use Facebook, and advise you not to either.
Support Us
We need help paying the bills for hosting this site, please consider supporting us financially.
Other Media Projects
Schnews
Dissident Island Radio
Corporate Watch
Media Lens
VisionOnTV
Earth First! Action Update
Earth First! Action Reports
Topics
All Topics
Afghanistan
Analysis
Animal Liberation
Anti-Nuclear
Anti-militarism
Anti-racism
Bio-technology
Climate Chaos
Culture
Ecology
Education
Energy Crisis
Fracking
Free Spaces
Gender
Globalisation
Health
History
Indymedia
Iraq
Migration
Ocean Defence
Other Press
Palestine
Policing
Public sector cuts
Repression
Social Struggles
Technology
Terror War
Workers' Movements
Zapatista
Major Reports
NATO 2014
G8 2013
Workfare
2011 Census Resistance
Occupy Everywhere
August Riots
Dale Farm
J30 Strike
Flotilla to Gaza
Mayday 2010
Tar Sands
G20 London Summit
University Occupations for Gaza
Guantanamo
Indymedia Server Seizure
COP15 Climate Summit 2009
Carmel Agrexco
G8 Japan 2008
SHAC
Stop Sequani
Stop RWB
Climate Camp 2008
Oaxaca Uprising
Rossport Solidarity
Smash EDO
SOCPA
Past Major Reports
Encrypted Page
You are viewing this page using an encrypted connection. If you bookmark this page or send its address in an email you might want to use the un-encrypted address of this page.
If you recieved a warning about an untrusted root certificate please install the CAcert root certificate, for more information see the security page.

Global IMC Network


www.indymedia.org

Projects
print
radio
satellite tv
video

Africa

Europe
antwerpen
armenia
athens
austria
barcelona
belarus
belgium
belgrade
brussels
bulgaria
calabria
croatia
cyprus
emilia-romagna
estrecho / madiaq
galiza
germany
grenoble
hungary
ireland
istanbul
italy
la plana
liege
liguria
lille
linksunten
lombardia
madrid
malta
marseille
nantes
napoli
netherlands
northern england
nottingham imc
paris/île-de-france
patras
piemonte
poland
portugal
roma
romania
russia
sardegna
scotland
sverige
switzerland
torun
toscana
ukraine
united kingdom
valencia

Latin America
argentina
bolivia
chiapas
chile
chile sur
cmi brasil
cmi sucre
colombia
ecuador
mexico
peru
puerto rico
qollasuyu
rosario
santiago
tijuana
uruguay
valparaiso
venezuela

Oceania
aotearoa
brisbane
burma
darwin
jakarta
manila
melbourne
perth
qc
sydney

South Asia
india


United States
arizona
arkansas
asheville
atlanta
Austin
binghamton
boston
buffalo
chicago
cleveland
colorado
columbus
dc
hawaii
houston
hudson mohawk
kansas city
la
madison
maine
miami
michigan
milwaukee
minneapolis/st. paul
new hampshire
new jersey
new mexico
new orleans
north carolina
north texas
nyc
oklahoma
philadelphia
pittsburgh
portland
richmond
rochester
rogue valley
saint louis
san diego
san francisco
san francisco bay area
santa barbara
santa cruz, ca
sarasota
seattle
tampa bay
united states
urbana-champaign
vermont
western mass
worcester

West Asia
Armenia
Beirut
Israel
Palestine

Topics
biotech

Process
fbi/legal updates
mailing lists
process & imc docs
tech