Why My Emails Are Digitally Signed

(and why yours should be too)

If you get email from me, you might notice the little ribbon that appears next to my name, or sometimes a checkmark or a padlock, depending on what program you use for a mail reader. If your mail reader doesn't support S/MIME or PGP, you might see my digital signature as an attachment to the email instead. You can still validate that signature manually, but you should probably get a more modern mail reader that supports S/MIME natively. Most do by now.

What does that little icon mean? It means that the message has been digitally signed and can only have been sent by me. Most people don't realize how easy it is to forge emails to look like they came from someone else. It is trivial to send an email that looks like it came from god@heaven.org, just by changing the FROM: header in the message. It is equally trivial to send an email that looks like it came from you or me. The only way you can be sure an email came from Jeff Loughlin is by checking for that digital signature. Anyone can send an email with my name and email address in the FROM: header, but no one can send an email with my digital signature on it, unless they have my private key. And my private key is very closely guarded. Knowing that, you can be assured that any email with my digital signature on it most definitely came from me. And knowing that all of my emails are digitally signed, you can also be assured that any email WITHOUT my digital signature on it most definitely DID NOT come from me.

Why does this matter?

For one thing, it matters because spammers and malware writers have gotten smarter over the years. There is malware out there that replicates itself by digging through your address book and sending emails that appear to come from you, or from others you know and trust. It could be malware on my computer, or it could be on your computer, or on a computer belonging to someone we both know. If you get email from someone you know and trust that says something like "Dude, check out these pics from my vacation", you are much more likely to open the attachment than you would be if it came from someone you don't know, right? That's why it's important for you to be able to know whether it really came from me or not. If you get an email that says it's from Jeff Loughlin, and it doesn't contain my digital signature, DON'T OPEN ANY ATTACHMENTS OR CLICK ANY LINKS IN IT. I didn't send it.

There are other reasons someone might try to impersonate me. I participate in many open source software projects, some of which are used in secure environments. When I submit a code patch to a project's maintainer, they need to know that the patch really came from me, someone they know and trust, and not from some random person who might be trying to sneak a backdoor into a widely used piece of secure software. The maintainers of those projects know to look for my digital signature, and if it's missing or invalid, they know the patch didn't come from me. There have been several instances where this has happened.

There are other good reasons for signing your emails. I don't think I have any enemies, but you never know. Someone could pretend to be me and send emails to people I know, saying anything they want. I don't want that to happen, so I sign my emails with my digital signature. If it came from me, it will have my signature on it. If it doesn't have my signature on it, it didn't come from me. It's that simple.

How does it work?

Digital signatures come in different flavors. The most widely supported is S/MIME, which stands for Secure/Multipurpose Internet Mail Extensions. The other widely used standard is PGP, which stands for "Pretty Good Privacy". The S/MIME standard is more widely supported, but PGP is considered more secure. Both systems rely on a technology known as Public Key Cryptography, the details of which are (way) beyond the scope of this document. The short version is that a pair of really big, mathematically related numbers is generated, one of which is kept secret, and the other is shared publicly. An email is "signed" using the private key, and the signature can then be verified using the public key. Since the two numbers are mathematically related, and there is a one-to-one correspondence between them, the signature can be validated by decrypting it with my public key. If the result matches the message, then it can only have been signed by my private key, which (hopefully) nobody has access to but me. If it doesn't match, the validation fails and the mail program can issue a warning to the user that the email may have been forged.
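To make the sign-then-verify step concrete, here is a toy illustration added to this page (it is not from the original article, nor from any S/MIME or PGP implementation): textbook RSA with small fixed primes, where signing raises the message digest to the private exponent and verifying "decrypts" with the public exponent and compares. The primes, message text and function names are constructed for the example; real certificates use 2048-bit or larger keys and PKCS#1 padding.

```python
"""Toy RSA sign/verify illustrating the flow behind S/MIME and PGP signatures.

The key pair below is tiny and fixed so the demo runs instantly. It is for
illustration only and must never be used to protect real mail.
"""
import hashlib

# Toy key pair (constructed for this example): two known Mersenne primes and
# the customary public exponent. Real keys are generated randomly and are far larger.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q                             # public modulus
E = 65537                             # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent: the secret the sender guards

PUBLIC_KEY = (N, E)    # what gets published in a certificate or on a keyserver
PRIVATE_KEY = (N, D)   # what stays on the sender's machine


def _digest(message: bytes) -> int:
    """Hash the message, then truncate so the value is below N (toy stand-in for padding)."""
    return int.from_bytes(hashlib.sha256(message).digest()[:16], "big")


def sign(message: bytes, private_key=PRIVATE_KEY) -> int:
    """Sign: raise the digest to the private exponent. Only the key holder can do this."""
    n, d = private_key
    return pow(_digest(message), d, n)


def verify(message: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Verify: 'decrypt' the signature with the public exponent and compare to the digest."""
    n, e = public_key
    return pow(signature, e, n) == _digest(message)


def demo() -> tuple[bool, bool, bool]:
    """Return (genuine verifies, tampered message fails, other key's signature fails)."""
    msg = b"From: Jeff\r\n\r\nDude, check out these pics from my vacation"
    sig = sign(msg)
    genuine = verify(msg, sig)
    # The body was altered after signing: the digest no longer matches.
    tampered = verify(msg.replace(b"vacation", b"taxes"), sig)
    # Someone without D signs with their own (also constructed) key pair instead.
    p2, q2 = 2**107 - 1, 2**127 - 1
    other_private = (p2 * q2, pow(E, -1, (p2 - 1) * (q2 - 1)))
    other = verify(msg, sign(msg, other_private))
    return genuine, tampered, other
```

A mail reader that checks the certificate's identity against the FROM: header and flags a failed `verify` is doing exactly what the warning described above requires.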

I've greatly oversimplified the process, and I encourage you to check out the Wikipedia links above as a starting point for all the messy details. Public key cryptography is a fascinating subject, and I highly recommend learning about it if you are at all technically inclined. But even if you're not technically inclined, setting up your email to use a digital signature is really easy. Go to startssl.com to get started. They'll give you an S/MIME certificate for free. Install it into your favorite email program, and you're ready to go. That's all there is to it.
