Be Authentic!

If your folks were like mine, they hammered that adage at you continually on interacting with others – be yourself.  In the realm of e-commerce and electronic contact, nothing could be closer to the truth.  Being yourself and claiming you are you isn’t always easy.  Especially in the wonderful and relatively deregulated landscape that is the internet and its many protocols.  One place in particular where authenticity can be complicated is around email.

I got thinking about this recently when I received an email from a friend of mine claiming she was at a consulate in London.  I found this a little peculiar, considering we had met the night prior and she certainly didn’t mention any kind of trip.  The email was asking for financial assistance, claiming she had been accosted and robbed, and the U.S. embassy wasn’t getting her anywhere.  Curious, I responded to the email saying I’d be happy to help.  However, I requested she authenticate herself by telling me where we had dinner the night before.  I never got a reply – I think that answers the authenticity question right there.

This kind of social engineering is not new, nor is it limited to electronic mail.  I’ve heard of people getting envelopes from friends, with the proper sender address label affixed, surrounding charitable causes.  Inside you find a letter addressed from the “friend” asking for help with a noble cause like fighting cancer or multiple sclerosis.  The letter innocuously asks for donations not to the author of the letter itself, but instead directed to the agency combating the disease.  What happens next, well that’s up to the recipient.  But these kinds of insidious efforts are here, and they aren’t going away.

There are solutions to both of these problems.  In the physical arena, you can send certified letters through the post office, which assures both the identity of the sender and the proper receipt of the parcel.  On the electronic side, you’ve got certification authorities and signing.

If you sign your emails with an X.509 certificate, kudos – you can stop reading.  If you don’t, let me tell you why you should.  An email certificate, like an SSL certificate issued to a domain, is a way of signing every communication you send with a fingerprint.  It makes your letter bona fide.  The King’s ring imprinted in wax on that message.  When your friends and family get correspondence from you, they know it’s you.  That certificate lives on your trust ring, on your computer, installed and associated with your user profile.  Presuming your antivirus software is good and you don’t have malware tapping into your email client, you’re running a pretty tight email ship with a certificate.

  • You’re sending a certified letter to your recipients, so spam filters are less likely to flag you.
  • Your recipients will take a little more notice, because you’ll be in the minority of signers out there and visually in their mail client the message will distinguish itself.
  • If you get OTHERS on board with signing, they can publish their identity.  Then you can encrypt messages that can only be decrypted by the intended recipient.

There are both free and fee email certificates out there.  If you want a free one, you can get it from Comodo’s web site.  You can purchase one for about $20 from Verisign.  In either case the certificate is valid for one calendar year.  There are many others out there; just make sure you get one that is S/MIME compliant and supports the email client you traditionally use.
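Here is roughly what a recipient's mail client checks on a signed message, sketched with the openssl command line as an added example that is not part of the original post. The self-signed certificates stand in for CA-issued ones (an assumption), and all names, addresses and message text are constructed.

```sh
# Added example: S/MIME sign and verify with the openssl CLI.
# Names, addresses and message text are constructed; the self-signed
# certificates stand in for ones issued by a real CA (assumption).

make_identity() {  # $1 = file prefix; every identity claims to be Alice
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Alice Example/emailAddress=alice@example.com" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

sign_as() {  # $1 = identity, $2 = body file, $3 = signed output
  openssl smime -sign -text -in "$2" -signer "$WORK/$1.crt" \
    -inkey "$WORK/$1.key" -out "$3" 2>/dev/null
}

verify_from_alice() {  # $1 = message; only Alice's real cert is trusted
  openssl smime -verify -in "$1" -CAfile "$WORK/alice.crt" \
    -out /dev/null 2>/dev/null
}

smime_demo() {
  WORK=$(mktemp -d) || return 1
  make_identity alice && make_identity mallory || return 1
  printf 'I am fine and not stranded in London.\n' > "$WORK/plain.eml"
  sign_as alice "$WORK/plain.eml" "$WORK/genuine.eml" || return 1
  sign_as mallory "$WORK/plain.eml" "$WORK/impostor.eml" || return 1
  # Same signature, edited body: the signed digest no longer matches.
  sed 's/fine and not stranded/stranded/' "$WORK/genuine.eml" \
    > "$WORK/tampered.eml"
  for m in genuine tampered impostor plain; do
    if verify_from_alice "$WORK/$m.eml"; then
      echo "$m: ACCEPT"
    else
      echo "$m: REJECT"
    fi
  done
  rm -rf "$WORK"
}

smime_demo
```

Only the unmodified message signed with the trusted certificate verifies; the edited copy, the look-alike certificate carrying the same name, and the unsigned text are all rejected.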

No security measure is 100% perfect, so by no means are you immune from people impersonating you.  Having a certificate will, however, get you closer to authenticity with little to no expense.  And then if you do happen to end up in London and claim to be out of money and in dire straits, you just might get that money order that helps you get home.

Cheers,

Mark

©1996-2011 INetU Inc, All Rights Reserved.