S/MIME: What is it, why should I care, and how does it relate to SparkPost?


Dec 19, 2018

Published by Bird

Category: Email



S/MIME is a long-established method of sending encrypted, signed email, based on public Internet standards. We regularly come across requirements for S/MIME, particularly from regulated industries such as banking, health, and finance. S/MIME is often required, for example, when businesses communicate with government agencies.

Another secure mail standard, PGP (amusingly named “Pretty Good Privacy”), is used more for secure person-to-person communications. It’s less popular now because the consumer versions of popular web-based email clients such as Gmail and Outlook/Hotmail aren’t able to display encrypted mail. That’s one reason much person-to-person communication that requires privacy has moved to platforms such as WhatsApp (and many others) that offer native, end-to-end encryption.

Both PGP and S/MIME require a mail client that can use keys and certificates. Many desktop and mobile clients, including Apple Mail, Microsoft Outlook, and Mozilla Thunderbird, fit the bill, as do business versions of some web clients such as Microsoft Office 365. Setting up the keys takes work, but many organizations still consider it worthwhile, despite recent vulnerability disclosures that required workarounds to block the loading of remote content.

S/MIME has been around since 1995 and has gone through several revisions; the current version is covered by RFC 5751. It requires an exchange of public keys, a non-trivial task that often needs the support of an IT team or similar resource. This is where commercial solutions from companies such as SparkPost partners Virtru and Echoworx come in, making security easier for person-to-person business mailing (see our guide on how to use SparkPost with Echoworx for more information).

So let’s dig into good old S/MIME a little deeper and see what we can do with it.

Why should I care?

The short version:

  • Encryption gives you message privacy.

  • Signing gives you (sender) authentication, non-repudiation of origin, and message integrity checks.

  • S/MIME works differently from DKIM and DMARC and can coexist with both.

Privacy
If your messages contain nothing personal, private, or legally important, then you probably won’t need to think about S/MIME. Modern email delivery systems such as SparkPost already use “opportunistic TLS” to secure the message transport from the sending server to the recipient server.

The “opportunistic” part does mean, however, that if the sending server can’t negotiate a secure connection, we’ll send the mail in plain text. This isn’t suitable if you want to force the message to be secure all the way. You can take a peek at which mailbox providers claim TLS support and which actually deliver it. Assuming the recipient’s server does support TLS, your message is secured like this:

TLS secures the conversation between mail servers (hence the name Transport Layer Security). MIME (including S/MIME) deals with the message content and how it is handled, and can be thought of as part of the “Presentation Layer”.

S/MIME secures the message content all the way (“end to end”) from the message origin to the recipient’s mail client, encapsulating the message body.

S/MIME encrypts the message body with the recipient’s public key. The message content can’t be decrypted without the recipient’s private key: not by a “man in the middle” such as your ISP, SparkPost, or the recipient’s mail server.

The private key is never disclosed; only the recipient holds it. The encrypted message travels across the Internet to the recipient’s mail server. When it lands in the recipient’s inbox, it is (usually automatically) decrypted with their private key and can be read.

Some S/MIME issues to be aware of:

S/MIME encryption has the side effect of preventing server-based scanning of incoming messages for malware, because the message payload is in encrypted form and so cannot be inspected.


Note that the message headers (From:, To:, Subject:, etc.) are not encrypted, so the subject-line content needs to be written with that in mind.

 

Signing - authentication
S/MIME also gives the recipient the ability to check that the message sender’s identity is who they claim to be.

The sender’s email has a certificate attached, which, rather like the certificate on a secure website, can be traced back to an issuing authority. There’s a full description of the signing process here.

We’ll take the approach of signing the mail first, then encrypting it, so the process looks like this.


Non-repudiation
Another useful benefit of signing to the recipient is non-repudiation of origin. Consider a situation where an email message is used to approve a contract. The recipient gets the contract in a message from the sender. If the sender later tries to say, “Nope, I never sent that message to you”, then the received message shows that the sender’s certificate was in fact used.

Message integrity
The signing process creates a fingerprint of the plain source message (known as a message digest), encrypts the digest using the sender’s private key, and includes it in the delivered message. The recipient’s mail client can tell if the message body is tampered with.

Perhaps you might say, “I thought DKIM gives me message integrity checks!” Well yes, DKIM provides message body and message header integrity checks, i.e. anti-tampering guarantees. However, a DKIM failure (or absence) will not usually cause the incoming message to be marked as completely invalid, unless a DMARC policy of `p=reject` is in play (more on DMARC here). DKIM is one factor of many used by the ISP for reliable assignment of reputation to a domain and is, of course, an essential part of your messaging stack.

Your email client will clearly show if an S/MIME message fails its signature check:
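The sign-then-encrypt flow and the signature check described above, as an added openssl walkthrough (not code from the article or from SparkPost). It assumes the openssl command-line tool is installed; the alice/bob identities, the example.com addresses and the contract text are constructed for the demo.

```shell
#!/bin/sh
# Added demo (not code from the article): sign-then-encrypt an S/MIME message with openssl,
# then decrypt and verify it as the recipient. The identities are throwaway self-signed
# certificates generated here for the demo, standing in for CA-issued ones.
set -e
WORK=$(mktemp -d)

# Self-signed certificate plus private key for one demo user (constructed identity)
make_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1/emailAddress=$1@example.com" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Sender side: sign with the sender's private key, then encrypt to the recipient's certificate.
# The whole signed message (its own From/To/Subject included) becomes the encrypted payload.
sign_then_encrypt() {   # sender recipient plaintext_file output_file
  openssl smime -sign -in "$3" -signer "$WORK/$1.crt" -inkey "$WORK/$1.key" \
    -from "$1@example.com" -to "$2@example.com" -subject "Contract approval" |
  openssl smime -encrypt -aes256 -from "$1@example.com" -to "$2@example.com" \
    -subject "Contract approval" -out "$4" "$WORK/$2.crt"
}

# Recipient side: decrypt with own private key, then check the signature against a trusted
# certificate. Fails (non-zero) if the digest does not match or the signer is not trusted.
decrypt_then_verify() { # recipient trusted_signer input_file output_file
  openssl smime -decrypt -in "$3" -recip "$WORK/$1.crt" -inkey "$WORK/$1.key" |
  openssl smime -verify -CAfile "$WORK/$2.crt" -out "$4" 2>/dev/null
}

# Succeeds only if a one-character change to the signed content makes verification fail
tamper_is_detected() {  # recipient trusted_signer encrypted_file
  openssl smime -decrypt -in "$3" -recip "$WORK/$1.crt" -inkey "$WORK/$1.key" -out "$WORK/inner.eml"
  sed 's/#42/#43/' "$WORK/inner.eml" > "$WORK/tampered.eml"
  ! openssl smime -verify -in "$WORK/tampered.eml" -CAfile "$WORK/$2.crt" -out /dev/null 2>/dev/null
}

make_identity alice
make_identity bob
printf 'Content-Type: text/plain\r\n\r\nPlease approve contract #42.\r\n' > "$WORK/body.txt"  # constructed body
sign_then_encrypt alice bob "$WORK/body.txt" "$WORK/encrypted.eml"

# Envelope headers stay readable on the wire; the body (and inner signed message) do not
grep '^Subject:' "$WORK/encrypted.eml"
grep -c 'approve contract' "$WORK/encrypted.eml" || true    # prints 0: body is hidden

decrypt_then_verify bob alice "$WORK/encrypted.eml" "$WORK/recovered.txt"
cat "$WORK/recovered.txt"                                   # original body, signature verified
tamper_is_detected bob alice "$WORK/encrypted.eml" && echo "tampered copy rejected"
```

The Subject: line is visible in encrypted.eml while the contract text is not, which is the header caveat from the Privacy section made concrete.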


Summary: end-to-end (S/MIME) vs server-to-server (DKIM, DMARC, TLS)
S/MIME is a presentation-layer capability that can work between two email end-users (with valid certificates/keys) without any action by the email admin. S/MIME provides encryption and signing and is personal to each user.

S/MIME is tied to the full sending address (local part and domain part), so, for example, alice@bigcorp.com and bob@bigcorp.com would need to have different certificates. In contrast, DKIM validates that the email is coming from the signing domain. DKIM is a whole subject in itself; this article is a good place to start.

DKIM and DMARC setup is done by your email admin (working on the mail servers and DNS records). Once set up, they apply to the domain, not to individual users.

How does this relate to SparkPost?

Mail systems for person-to-person messaging, such as Microsoft Exchange Server, have long supported S/MIME.

If you use SparkPost to send to specific recipients whose mail clients can read S/MIME, then it makes sense to sign your messages. S/MIME signing adds a further assurance that the message really came from you (or your system) and hasn’t been tampered with, which may be very valuable in some use cases. All you need is your own key and some free software, which we’ll show in part 2 of this article.

Using S/MIME encryption is a separate choice to make. You’ll need a public key for each of your recipients. Getting one can be as easy as asking them to send you (or your application) a signed email. We’ll explore practical tools for sending S/MIME signed and encrypted mail through SparkPost in the next post.

Which clients support S/MIME?

Consumer Gmail
The ordinary Gmail web client displays incoming mail signatures (see below), but it’s not set up to hold your private key to read encrypted messages. Even if that were possible via third-party plugins, uploading your private key is not a great idea from a security standpoint.

I couldn’t get Yahoo! Mail to interpret the signature in a message at all.

Consumer Microsoft Outlook/Hotmail accounts warn you that an S/MIME signature is present, but don’t give you full access to view or check the certificate.


Hosted business email
For organizations with hosted mail, Microsoft Office 365 and G Suite Enterprise have S/MIME support.

Outlook mail client
Client-based Microsoft Outlook (e.g. 2010 for Windows) works:

Clicking on those icons gives more information:

On Outlook 2010 / Windows, the certificate store is accessed via File / Options / Trust Center / Trust Center Settings / Email Security / Import / Export.

Thunderbird - cross-platform and free
If you’re looking for a free client, Mozilla Thunderbird fits the bill. It’s available on PC, Mac, and Linux, and supports S/MIME across all of these. Here’s how a message looks on Mac. The “sealed envelope” icon indicates the message is signed, and the padlock indicates it was encrypted.

Clicking the envelope/padlock shows information about the message:

Thunderbird has its own key store, accessed in similar ways on each platform:
Mac: Preferences / Advanced / Certificates / Manage Certificates
PC: menu (“hamburger” top right), Advanced / Certificates / Manage Certificates
Linux: menu (“hamburger” top right), Preferences / Advanced / Manage Certificates

Mac Mail
Mac Mail also supports S/MIME. It relies on your Mac keychain to hold your keys.

iOS Mail
Firstly, import your email account’s certificate like this, then you can view S/MIME signed and encrypted emails. They don’t really look any different on the viewing screen.

Android
Some devices and apps support S/MIME; there’s a lot of variety out there. Samsung has a guide.

Finally...

That’s our quick overview of the practical uses of S/MIME. If you want to get your own mail certificates, there’s a list of providers here. I found Comodo works well (free for non-commercial use – open this in Firefox, not Chrome).

In part 2, we’ll look at how to apply S/MIME signing and encryption to the messages you send through SparkPost.

Further reading
Microsoft has a good introductory article on S/MIME here.

For more info on the EFAIL vulnerability and how it’s been addressed, this is the definitive site. Other easy-to-follow explanations are here and here.
