14 Feb 2017

What Is S/MIME and How Does It Work?

No, it’s not a type of street performer. S/MIME, or Secure/Multipurpose Internet Mail Extensions, is a technology that allows you to encrypt your emails. S/MIME is based on asymmetric cryptography to protect your emails from unwanted access. It also allows you to digitally sign your emails to verify you as the legitimate sender of the message, making it an effective weapon against many phishing attacks out there. That’s basically the gist of what S/MIME is all about. Do you have any questions?

Our Email Server Is Already Encrypted. Isn't That Enough?

Sure, securing your email servers with Digital Certificates is a wise move. It prevents outsiders from getting in between your mail client and your mail server and intercepting sensitive data on that hop. However, it only goes so far: the Digital Certificate that protects the connection to the server does not protect the messages themselves. Your emails are protected on the way to and from the encrypted server, but hackers can still get into your email system and open your messages there, or read them while they pass through other servers along the route. So your emails are well protected in transit to your server, but the same emails at rest, or in transit elsewhere, are still up for grabs.

This was evident in a recent attack that stole almost 20,000 emails from the Democratic National Committee right in the middle of the 2016 US elections. The hacker forced his way into the DNC’s unencrypted inbox. The emails, which revealed the DNC’s supposed bias against Sen. Bernie Sanders, were published by WikiLeaks, and some experts say this hack started Hillary’s downfall towards losing the elections. Encrypting the individual emails themselves, using S/MIME for example, would have kept their contents inaccessible even after the inbox was breached.

Well, You Can't Argue with That. But How Will It Encrypt My Email?

S/MIME is based on asymmetric cryptography, which uses a pair of mathematically related keys – a public key and a private key. It is computationally infeasible to derive the private key from the public key. Emails are encrypted with the recipient’s public key, and can only be decrypted with the corresponding private key, which should be in the recipient’s sole possession. Unless that private key is compromised, you can be confident that only your intended recipient will be able to read the sensitive data in your emails.

If you’re still unconvinced about encrypting emails, consider this. Edward Snowden, the whistleblower who exposed secret NSA operations, believes in encrypting emails. Over the years, several big names have also realized the importance of encrypting emails. Google already encrypts the messages sent to Gmail, while Facebook and AOL have followed suit in encrypting their emails. Even Microsoft, a company that hosts a stable of mail services, has already secured accounts with email encryption. Your company can join in as well with S/MIME. Aside from encryption, you’ll also have the ability to sign your emails.

Did You Say "Sign My Emails"? That Seems Impossible, Doesn't It?

You heard that right. S/MIME allows you to sign your emails to prove your identity as a legitimate business. You won’t need a pen to do this, though. Every time you create and sign an email, your private key applies your unique Digital Signature to the message. When your recipient opens the email, your public key is used to verify that signature. This assures your recipient that the email really came from you, and that it was not altered on the way. Signing emails authenticates your identity in an age where phishing attacks have become so clever that spoofed emails are increasingly difficult to tell apart from genuine ones.

Not only is signing your emails helpful for your outside transactions with clients, it’s also highly recommended to have the emails between your employees signed. This isn’t a sign of distrust among your co-workers; it is a means to protect them from aggressive phishing techniques that go as far as impersonating your colleagues’ email addresses. Imagine receiving an email from a low-level co-worker blackmailing you into releasing confidential information. Naturally, you’d be pretty shocked, but once you check the email again and see that it wasn’t signed by your actual co-worker, you would be instantly relieved and shrug it off as a hacker’s pathetic attempt to get inside your account.
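The two mechanics described on this page, encrypting with the recipient’s public key (under "How Will It Encrypt My Email?") and signing with the sender’s private key and verifying with the public key (this section), walked through with the OpenSSL command line. This is an added example, not code from the original post; the identities alice and bob, the self-signed certificates standing in for CA-issued S/MIME certificates, and the message text are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post: the S/MIME operations the
# article describes, driven through the OpenSSL CLI. alice (sender), bob
# (recipient) and the message text are constructed for this demo.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Assumption: self-signed certificates stand in for CA-issued S/MIME
# certificates; that is enough to show which key is used at each step.
make_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1/emailAddress=$1@example.com" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}
make_identity alice
make_identity bob
printf 'Subject: Q1 numbers\n\nThe confidential figures are attached.\n' > msg.txt

# Encrypt: needs only bob's certificate (his public key). The S/MIME body
# that comes out must not contain the plaintext.
encrypt_for_bob() {
  openssl smime -encrypt -binary -aes256 -in msg.txt -out msg.enc bob.crt \
    && ! grep -q 'confidential' msg.enc
}

# Decrypt: needs bob's private key, which never leaves his mailbox.
decrypt_as_bob() {
  openssl smime -decrypt -in msg.enc -inkey bob.key -out msg.dec \
    && grep -q 'confidential figures' msg.dec
}

# Sign: alice's private key produces the signature; her cert travels with it.
sign_as_alice() {
  openssl smime -sign -in msg.txt -out msg.signed -signer alice.crt -inkey alice.key
}

# Verify: the recipient checks the signature against alice's public key.
verify_signature() {
  openssl smime -verify -in msg.signed -CAfile alice.crt -out /dev/null 2>/dev/null
}

# An edited message (one word changed after signing) must fail that same check.
tampered_fails() {
  sed 's/confidential/public/' msg.signed > msg.tampered \
    && ! openssl smime -verify -in msg.tampered -CAfile alice.crt -out /dev/null 2>/dev/null
}
encrypt_for_bob && decrypt_as_bob && sign_as_alice && verify_signature && tampered_fails \
  && echo "encrypt/decrypt round trip and signature checks passed"
```

Note that alice's key is never used for decryption and bob's key is never used for signing; which key sits on which side is the whole point of the scheme.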

Sounds Great! So Do You Think Our Company Needs S/MIME?

Considering how the benefits of S/MIME can help your company in the long run, we highly recommend it for your business. If you want to establish integrity, uphold privacy, preserve sensitive data and mitigate phishing and other email attacks, you should definitely consider having S/MIME around. If you have doubts about its complexity, fear not. Over the years, S/MIME has become easier to implement; Windows phones, for example, already support it right out of the box. The technology to keep your emails safe is readily available. The choice is yours.

