Aktivix:Help:Mail:webmail-encryption

From Aktivix
Jump to navigation Jump to search

If we would not accept to receive our bank statements on a postcard and we always seal our love letters, why do keep sending non-encrypted emails?

Probably, because encrypting an email is not as simple as sealing an envelope. While it only takes a simple gesture to close an envelope, email encryption requires, namely: a pair of keys, a passphrase to activate them and a program to handle it all.

One of the most popular ways to use encryption is probably with Thunderbird and its PGP plug-in. Once both are installed, it is all pretty intuitive:

https://security.ngoinabox.org/en/thuderbird_encryption

But what do you do if you don't even have a computer, and/or you have to use computers that are not yours, to connect to the internet?

Web mail encryption is the solution for such situation. If you use web mail all the time, you need to have your mail tools on that interface. But in come the experts. Web mail can be good enough for almost every one, but most people with some knowledge of computer security are horrified at the notion of storing your private encryption key on a server. They would prefer you to have your encryption keys always on a pen drive. Always secure. Would you leave your door keys outside your house once you have locked it? Then why leave your keys on the very server that provides your email service? However the equivalent to the pocket where you usually carry your house keys everywhere would be a device like a pen drive and not every one can afford that.

Luckily some web mail programmers have developed tools for people who can not afford or handle the hardware necessary to keep their keys always with them. They will repeat the mantra that web mail encryption is not the *ideal* situation at all, but if locking your house door will always be better than leaving it open no matter where you leave your keys, sealing your envelopes will always be better for your privacy than sending postcards, regardless of the quality of the glue.

It should be argued that using corporate email providers is even less ideal, but let's not even get there. This post is about closing the envelope. Who you allow to handle it and what kind of glue you are using to close it are two other different subjects. Just to mention that no free corporate email providers facilitate web encryption. It is not in their interest. They do want to read your email; it is part of their business plan.

The following instructions work for the web mail installation I am using, run by Aktivix, as in January 2011.

Once logged in to Horde, on the left-hand-side menu, open Options, then Mail. At the bottom right, above the last item (Mime options) there is the “PGP Options – Control PGP support for Mail”. That's the encryption. Click on PGP encryption and tick on the square where it says: “Enable PGP functionality?” then Save options. A warning about the need for pop-up windows will appear but if your web browser is as decently behaved as Firefox, even if you have a “no pop-up windows” policy in place, it will give you the option to allow them for this site as an exception.

There are three options. The second one is the most important one to tick. You can get away with not ticking the other two but if the body of text/plain messages is not scanned for PGP data, there will be emails sent to you in this way that will simply not be decrypted. So tick at least the option in the middle.

Scroll down to create your pair of keys. You do need to put something in the “name” field. It will be what people will see next to the full name of your public key. You do not need to put anything on the “comment” field. The recommended key length is 2048. The passphrase can contain spaces and should contain lower and capital letters as well as numbers and/or weird characters like *% , etc. In theory you should be able to remember it. However, do not worry if you forget it irremediably and you need to create another key. Every single person I know who uses encryption forgot the passphrase for their first encryption keys. To avoid frustration, you can either just assume that you will forget it and get on with following these steps again when it happens, or write it some where safe that no one ever reads. Just remember not to write “encryption passphrase” next to it.

When you click on “create keypair”, it says it will take some time. You can go and do something else in the meantime, or you can simply stare at your screen, but under no circumstances are you to close that window. If that happens, or if you loose the connection, you may need to start from the beginning or even ask for help. aktivix-discuss at lists.aktivix.org is a good place to start. Do not include your password because it is a public list. Do not send any information you do not want to see online. Again: please do not include your password in your email. None of them.

Once the key pair is created, you can go to the main mail page and you can create a new message. Click on “new mail” and write to people you want to send “letters” to, not “postcards”.

At the bottom of your screen you have the following option: Attach a copy of your PGP public key to your message? You only have to tick that box and the recipient will receive a copy of your public key, which they need in order to send you encrypted emails. In order to open them, you will need their public key and your own private key, which you have now created together with your public key.

In order to add your contacts' public key, you need to have at least one address book selected. To do this, go again to Options in the left-hand-side menu, and choose the fourth option, "Mail". Again towards the bottom of the screen, on the right-hand side, above the PGP options, are the options for Address Books. From the box on the left, click on your Favourite Recipients and then click on the hand pointing to the box on the right. Do the same for the other Address Book and Save your Changes

Again on the left hand side menu, click on "Address Books" and do the same: highlight the books from the left hand side box and, clicking on the hand pointing to the right, move them to the right hand side box. In the box at the bottom, after "Choose the address book to use when adding addresses", make sure it is set to your address book and not "None".

Once you have saved these options, a link will appear at the bottom of emails that are sent to you which contain the sender's public key: “Save the key to your Address book”. A pop-up window will appear very briefly when you click there and the public key will be incorporated. You can now reply to this person with an encrypted email - just scroll down to the bottom of the body of your email and select the option to encrypt it.

When you receive encrypted emails, you will need to enter this passphrase that you will eventually forget because it is your first encryption passphrase - and because you will only need to enter it once per session. So, please make sure you close your email session when you leave the shared computer you are using. Or would you leave your postcards and letters openly lying around?