Here’s how to use SSL/TLS, S/Mime, certificates and public key cryptography in order to make Web services and email communications safer

Despite several technologies related to SSL/TLS protocols being attacked in the last 3 years, a good sysadmin or IT manager in 2016 can’t tolerate its organization still uses systems that transmit information in clear.
The use of Transport Layer Security (and its predecessor SSL) -it should be clear- it not enough to guarantee confidentiality of transmitted data on the Internet, and a quick bibliographic research shows the vast method of attacks to such protocols (like in this case and this other). TLS represents a first, fundamental security level for transmitted data, both for the access of a Web service of your company and the access to email via Webmail or IMAP/POP3/Exchange.
TLS acts as a tunnel and doesn’t modify the ongoing communication between client and server: it only adds a layer, indeed, that ciphers data between the source and the destination by using some key concepts at the basis of public key cryptography. Who has a server role needs a certificate, released by a certification authority or, in the worst case, self-signed: only who has purchased the certificate owns the private key that allows to encrypt the communication.

startssl startcom tool

Self-signed certificates don’t guarantee the authenticity of the connection, but still guarantee encryption. In practice, if you’re browsing on www.example.com and see a self-signed certificate, that means it’s still signed, but you don’t have any certainty that the site that is replying is actually www.example.com. It could be that someone acting between you and that site and pretending to be www.example.com to steal your credentials, for instance. As long as you are in controlled situations, like when visiting the Web interface of your local NAS or some Intranet service, then this kind of error could be acceptable because you probably don’t use a domain name but an IP address. In such cases you are reasonably sure that who replies is actually who says to be (as per the nature itself of the communication).

On the other hand, it’s unacceptable if it’s a Webmail service or other Web service that uses a self-signed certificate. It doesn’t give you any guarantee at all about who’s on the other part of the connection.

Certificates released by certificate authorities are of three types: they can certify only the domain (ie confirming that the remote site actually is www.example.com), or they can certify the person or organization that replies on the other side. For instance a certification authority could certify that the site is owned by John Doe, or that it’s owned by John Doe Inc.
The price for this certificate is higher as the certification authority didn’t simply verified the domain owners, but also ID cards and documentation related to the person or organization. Such certification is fundamental for banks and financial services Web sites, as it also guarantees upon the organization that purchased the certificate.

The value of a certificate is then determined by additional services that it could provide or by the number of supported mobile devices: for instance some free certificates have relevant problems with older cellphones because these devices aren’t updated and recognize only certain certification authorities.
Who provides an email service should keep these considerations in mind and behave accordingly. The first point is to avoid to provide services that don’t have an SSL option, like an email service with only unencrypted IMAP, POP3 or ActiveSync. The best idea is to close all unencrypted ports and use only the ones with TLS, but this can’t be done with all clients: unfortunately some still use older devices that don’t support more recent protocols.
Who provides any other kind of service shouldn’t offer services with self-signed certificates. Certificates should be at least with domain verification. Some certificate provider even offer free certificates of this kind, albeit with several limitations, therefore there are no valid excuses not to use them.

Those who look for a way to improve confidentiality of emails should think about using S/Mime at least for the contacts exchanging classified or strategic information. This technology, based on public and private keys, can be easily implemented on all modern clients (Outlook, Thunderbird and so forth), including some Android and iOS clients. With this technology not only the transmission is encapsulated in a secure channel, but also email messages can be completely ciphered from sender to receiver, and the signing can guarantee the origin and the fact that nobody modified the message during its transit.

If it’s the first time you’re dealing with certificates, you might experience some difficulties. Here’s a brief handy glossary.

  • DER encoding: the extension is DER, CER or CRT and it’s one of the most used formats for the encoding of x.509 v3 certificates.
  • PEM encoding: the extension is PEM and it’s used for x.509 v3 certificates stored in (Base64) ASCII with the typical “--- BEGIN…” string at the beginning of the file.
  • CRT is the typical extension of certificates on Linux/Unix certificates. For instance for the configuration of Apache on Linux, coupled with the encrypted private key (KEY), of course.
  • CER is the Microsoft way of certificates, recognized by Windows and Internet Explorer. Files with this extension are encoded as DER or Base64 and they can be easily imported in Windows, but they include ONLY the certificate, without its key. They might contain a chain of certificates.
  • KEY is the extension usually used for PKCS#8 public and private keys, which can be encoded in DER binary format or ASCII PEM, and can be in clear or encrypted.
  • PKCS: Public Key Cryptography Standards are specifics of RSA labs for a PKI, a Public Key Infrastructure. Formats are identified by a number, for instance PKCS#15.
  • P7B or P7C: Signed Data PKCS#7 structures without data that contain only the certificate (or certificates) and the Certificate Revokation List. They are user to envelope data of a PKI structure.
  • P12: PKCS#12 structure that can contain certificates, public and private keys. Private keys are password-protected.
  • PFX: PKCS#12 format that includes certificate, public and private key. Private keys can be password protected. It can be created from keys and certificates in other formats using OpenSSL or other specific tools. If you are configuring a Windows system, then probably you will create, or download, this format
  • CA stands for Certification Authority.
  • CSR (Certificate Signing Request) is a certificate request to send a CA in order to have a signed certificate. The most used format is the one set by the PKCS#10 standard. The request is compiled using a private key, so that the certificate will be usable only with the private key used to create the CSR. The CSR includes the public key of the private key used to sign it.
  • OpenSSL: an open source library for the management of all the ciphering options of the SSL and TLS protocols, NOT to be confused with OpenSSH. Its most notable vulnerability among the many found is Heartbleed. On Linux you can easily convert all aforementioned certificate/key formats by using the tools included with the library and available on the command line.

About the Author

Filippo Moriggia

After more than 10 years of experience in the technical journalism with PC Professionale (the italian version of PC Magazine) and other newspapers of Mondadori group, Filippo Moriggia founded GURU advisor, the reference website for IT professionals, system integrators, cloud providers and MSPs. He has a Master of Science in Telecommunications Engineering and works as a independent consultant and contractor for different firms. His main focuses are software, virtualization, servers, cloud, networking and security. He's certified VMware VCA for Data Center Virtualization.

banner eng

fb icon evo twitter icon evo

Word of the Day

The term Edge Computing refers, when used in the cloud-based infrastructure sphere, the set of devices and technologies that allows...

>

The acronym SoC (System on Chip) describes particular integrated circuit that contain a whole system inside a single physical chip:...

>

The acronym PtP (Point-to-Point) indicates point-to-point radio links realized with wireless technologies. Differently, PtMP links connects a single source to...

>

Hold Down Timer is a technique used by network routers. When a node receives notification that another router is offline...

>

In the field of Information Technology, the term piggybacking refers to situations where an unauthorized third party gains access to...

>
Read also the others...

Download of the Day

Netcat

Netcat is a command line tool that can be used in both Linux and Windows environments, capable of...

>

Fiddler

Fiddler is a proxy server that can run locally to allow application debugging and control of data in...

>

Adapter Watch

Adapter Watch is a tool that shows a complete and detailed report about network cards. Download it here.

>

DNS DataView

DNS DataView is a graphical-interface software to perform DNS lookup queries from your PC using system-defined DNS, or...

>

SolarWinds Traceroute NG

SolarWinds Traceroute NG is a command line tool to perform advanced traceroute in Windows environment, compared to the...

>
All Download...

Issues Archive

  • GURU advisor: issue 18 - April 2018

    GURU advisor: issue 18 - April 2018

  • GURU advisor: issue 17 - January 2018

    GURU advisor: issue 17 - January 2018

  • GURU advisor: issue 16 - october 2017

    GURU advisor: issue 16 - october 2017

  • GURU advisor: issue 15 - July 2017

    GURU advisor: issue 15 - July 2017

  • GURU advisor: issue 14 - May 2017

    GURU advisor: issue 14 - May 2017

  • GURU advisor: issue 13 - March 2017

    GURU advisor: issue 13 - March 2017

  • GURU advisor: issue 12 -  January 2017

    GURU advisor: issue 12 - January 2017

  • GURU advisor: issue 11 -  October 2016

    GURU advisor: issue 11 - October 2016

  • 1
  • 2
  • 3
  • BYOD: your devices for your firm

    The quick evolution of informatics and technologies, together with the crisis that mined financial mines, has brought to a tendency inversion: users that prefer to work with their own devices as they’re often more advanced and modern than those the companies would provide. Read More
  • A switch for datacenters: Quanta LB4M

    You don’t always have to invest thousands of euros to build an enterprise-level networking: here’s our test of the Quanta LB4M switch Read More
  • Mobile World Congress in Barcelona

    GURU advisor will be at the Mobile World Congress in Barcelona from February 22nd to 25th 2016!

    MWC is one of the biggest conventions about the worldwide mobile market, we'll be present for the whole event and we'll keep you posted with news and previews from the congress.

    Read More
  • 1