By creating one-time session certificates, the firm's SecureEmail solution allows users to send encrypted emails to recipients who don't have public-key certificates.
I shudder when I think about some of the stuff we send over the Internet either in emails or as attachments.
Last season, my bookkeeper sent my tax return back for review as an email attachment and put my name and social security number in the subject line. I know; you think I'm making this stuff up. Believe me, I'm not. Was I freaked out? Yes. Did I sign up for an identity theft service whose initials are LifeLock? Yes. Did it protect me? No. Well, it helped, but I still had someone try to open eight credit card accounts in my name in a single day (keyword here is "try"). There's more drama to the story that I will spare our gentle readers, but the point is that sending information by email is tantamount to writing it on a postcard in pencil and dropping it into a mailbox.
Isn't that a great line? I wish I could take credit for it, but it comes from Melih Abdulhayoglu, chief security architect and CEO of Comodo Group, a leading Internet security company. "If it's urgent enough to send in a business email, it's usually something you don't want others to see," says Abdulhayoglu. "Most emails are not secure messages," he notes. "To a moderately skilled person, inside the organization or out, they are as easy to read or even to change as a postcard written in pencil." I don't know about you, but I'm pretty careful what I write on postcards, though I can't imagine someone erasing my words and changing them before putting the card back in the mail. Imagine one that states: "Hi, Sweetie. Having fun at the conference. Working hard. Went sightseeing for 10 minutes last night in the dark. Let's both get away next year and come together. This place has some great sights--see front of card." Would someone really change that to "Having a great time. Glad you're not here!" Well, apparently it's possible.
The fact is, most of us don't encrypt our email, though we have the uneasy feeling that we should. If an organization, say in the healthcare field, is in the habit of doing so, oftentimes they use an email gateway that encrypts messages as they leave the corporate perimeter. This creates vulnerabilities internally because any internal mail is unprotected and subject to not only tampering by employees and contractors, but also packet sniffing.
To address this problem, security companies recommend that every email message be encrypted and signed using a digital certificate. In the past, however, setting up such a system has been difficult. The user has to identify a certification authority--and there are some oddball ones out there--sign up for the certificate, learn about creating a certificate request and importing it into Windows or another operating system, and then figure out how to configure the mail client to use the certificate.
Comodo, which secures online transactions and communications for more than 200,000 business customers and has more than 10 million installations of desktop security products, has come up with a product it believes will greatly simplify the process of securing email. SecureEmail, as it is appropriately called, comes in two editions: Pro, for corporate use, and Home for home and personal use. Like many Comodo products, the Home version is free. The Pro version can be configured to encrypt and decrypt messages using certificates from any vendor, while the Home version can only encrypt and decrypt using a Comodo email certificate.
What SecureEmail offers is a relatively simple way for even non-technical users to have private and secure messaging. It accomplishes this by offering automatic encryption and signing of outgoing emails. The solution operates at the network layer to provide encryption and signing capabilities even if your mail client doesn't feature encryption. SecureEmail works with most Windows mail clients including Outlook 2000 and above, Outlook Express 5.5 and above, Thunderbird 1.5 and above, Windows Mail, Incredimail, Windows Live Mail, and Eudora.
Comodo SecureEmail is a PKI-based solution designed to automatically encrypt and sign all outgoing messages. To make the process easy, the application has a built-in wizard that allows users to download and set up a Comodo email certificate, and it is designed to handle challenging or hard-to-remember processes, such as the exchange of public keys. Most email encryption solutions today allow you to encrypt a message only after you have the recipient's public-key certificate installed on your system. In order to do this, the sender and recipient have to acquire each other's certificates. How do you do this without exchanging signed emails?
SecureEmail takes the approach that it's preferable to generate a single-use session certificate even if the recipient's email certificate isn't present on the system. After having received the encrypted message, the recipient can either install her own free copy of SecureEmail to unencrypt the message or use Comodo's online WebReader service by forwarding the email to email@example.com and following the instructions.
The solution has some incompatibilities, and Comodo says it may not work well with several utilities and anti-virus programs, including Panda Antivirus, Avira AntiVir Premium, CA Internet Security Suite, PC Tools Antivirus, Kaspersky Internet Security 2009, and ArcaVir 2008.
For those interested in getting a free Comodo certificate, however, you can sign up on the Comodo Web site .