
Gmail S/MIME

I do love it when wading through the Twitter chaff actually does yield something productive.  Thankfully, my saved search in TweetDeck led me to the Security Musings blog run by Gemini Security Solutions.

Besides feeling a bit of kinship to a blog that seems to really get PKI and security, they had an interesting post a couple of days ago about S/MIME support in Gmail. It is a Firefox plug-in called Gmail S/MIME. From reading the blog entry and the plug-in home page, it sounds like it essentially wraps your message in an attachment (which is basically what an S/MIME message is anyhow) and uploads to Gmail.

I gave it a test run by sending a message from Gmail to Outlook 2007 (only after an hour and a half of trying to fix Outlook…thx Gist plugin).  I get an underlying security message error in Outlook…odd.  That is usually related to trust or odd formatting of a message.  If I had some more time, I’d dig into the attachment.  Still a cool idea, and it has lots of promise.  One of the challenges of webmail (and mail on mobile devices) is signing and encrypting email.
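For the "dig into the attachment" step, here is an added example (not code from this post or from the plug-in) that checks whether a raw message has the MIME layout of a signed S/MIME message: a `multipart/signed` wrapper whose second part is the `smime.p7s` signature attachment, or a single `pkcs7-mime` blob. The function name `smime_layout` and the sample message are constructed for illustration, and the check covers structure only, not the signature or certificate trust.

```python
from email import message_from_string, policy

# Constructed sample (not from the post): a clear-signed S/MIME message.
# The smime.p7s body is a placeholder, not a real CMS signature.
SAMPLE = """\
From: alice@example.com
To: bob@example.com
Subject: test
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
 micalg=sha-256; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Hello Bob
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"

UExBQ0VIT0xERVI=
--b1--
"""

SIG_TYPES = {"application/pkcs7-signature", "application/x-pkcs7-signature"}
P7M_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}

def smime_layout(raw):
    """Classify the MIME layout and list structural problems (no crypto checks)."""
    msg = message_from_string(raw, policy=policy.default)
    ctype = msg.get_content_type()
    if ctype in P7M_TYPES:  # single smime.p7m blob: opaque-signed or enveloped
        return "pkcs7-mime/" + str(msg.get_param("smime-type")), []
    if ctype != "multipart/signed":
        return "not-smime", ["top-level type is " + ctype]
    problems = []
    if str(msg.get_param("protocol")).lower() not in SIG_TYPES:
        problems.append("protocol parameter is not a pkcs7-signature type")
    if not msg.get_param("micalg"):
        problems.append("micalg parameter missing")
    parts = list(msg.iter_parts())
    if len(parts) != 2:
        problems.append("expected 2 parts, found %d" % len(parts))
    elif parts[1].get_content_type() not in SIG_TYPES:
        problems.append("second part is " + parts[1].get_content_type())
    elif not parts[1].get_payload(decode=True):
        problems.append("signature part is empty")
    return "clear-signed", problems

if __name__ == "__main__":
    print(smime_layout(SAMPLE))
    print(smime_layout(SAMPLE.replace("multipart/signed", "multipart/mixed")))
```

A message that passes this layout check can still fail in the mail client on trust or on the signature itself; those need the certificate chain and the CMS blob examined separately.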

But it is 4/16 after all…time to watch the boys finish OGBC!

  1. tim
    April 16, 2009 at 11:15 PM | #1

    I’d like to talk to a programmer, or maybe just do a little googling, to find out why it’s difficult to add signatures and encryption to webmail apps. Doesn’t seem like it should be that hard. And if it’s in fact not difficult to do, why the delay in adoption? This was a killer on my last PKI project…end users all used webmail (Hotmail, Yahoo, etc.) and couldn’t digitally sign messages such as revocation and renewal requests, which resulted in a ton of help desk support being required.

    • April 17, 2009 at 9:45 AM | #2

      Kevin, thanks for the link and glad you enjoy the blog.

      Tim, the biggest problem with encryption/signatures in webmail apps is the fact that the webmail provider generally can’t/shouldn’t be trusted with your private key, or even the secured message. At a minimum, you need some interaction between a private key held on the client side (or through secure network storage) and the email message.

      It really shouldn’t be hard, and I would be more than happy to help any of the big webmail providers integrate it. The webmail provider would need to understand and process the S/MIME, and just call back to the holder of the private key when the signature or decryption is necessary.

      Microsoft’s Outlook Web Access has supported it since Exchange 2007. However, that’s not a general-purpose webmail provider, but is a web-based email application.
