Why Encrypt and Sign Email
Some background information about email and how you can install software to sign and encrypt it [30-45 mins]
E-mail is one of the oldest forms of communication on the Internet. We often use it to communicate very personal or otherwise sensitive information. It is very important to understand why e-mail in its default configuration is not secure. In the following tasks we will describe the different methods necessary to secure your e-mail against known threats.
No sender verification: you cannot trust the 'from' address
Most people do not realize how trivial it is for any person on the Internet to forge an e-mail by simply changing the identity profile of their own e-mail program. This makes it possibly for anyone to send you an e-mail from some known e-mail address, pretending to be someone else. This can be compared with normal mail; you can write anything on the envelope as the return address, and it will still get delivered to the recipient (given that the destination address is correct). We will describe a method for signing e-mail messages, which prevents the possibility of forgery.
E-mail communications can be tapped, just like telephones
An e-mail message travels across many Internet servers before it reaches its final recipient. Every one of these servers can look into the content of messages, including subject, text and attachments. Even if these servers are run by trusted infrastructure providers, they may have been compromised by hackers or by a rogue employee, or a government agency may seize equipment and retrieve your personal communication.
There are two levels of security that protect against such e-mail interception. The first one is making sure the connection to your e-mail server is secured by an encryption mechanism. The second is by encrypting the message itself, to prevent anyone other than the recipient from understanding the content. This challenge covers E-mail encryption using PGP within Thunderbird.
Installing Thunderbird, Enigmail & PGP / GPG
Thunderbird is an email client which has many options and add ons which give you better email security. One of these add ons is a tool called Enigmail. Enigmail needs another bit of software called GPG (which is also known as PGP) to work. What Enigmail does when it is installed is to add a menu item called OpenPGP to your Thunderbird email client when you are checking or sending emails.
Before we can continue we need to make sure you have the right tools for the job. In some operating systems it is quite easy to install these tools so that they work well together. It should only take you 5 minutes if you are using Ubuntu. However in other operating systems getting these three tools to play nicely together can be a bit tricky. You may have to do some troubleshooting. We really wish that this stage was easier. If you run in problems, try to have patience and read the instruction well help you if you get stuck.
Install Thunderbird, PGP and Enigmail and set up an email account.
If you don't already have Thunderbird, PGP and Enigmail tools installed then;
- Read the installation instructions for your operating system in the Thunderbird Workbook here: http://en.flossmanuals.net/thunderbird-workbook/
- Install the latest version of Thunderbird for your operating system.
- Install PGP and the Enigmail plugin for Thunderbird.
- Set up an account with Thunderbird to use an email