
20 March 2017
What is S/MIME and how does it work?
Strange as it may sound, S/MIME is not a new kind of street performance but an acronym for "Secure/Multipurpose Internet Mail Extensions", a technology that lets you encrypt your e-mails. S/MIME is based on the principles of asymmetric cryptography, and its purpose is to protect your e-mails from unwanted access. It also lets you digitally sign your e-mails to authenticate yourself as the legitimate sender of your messages, which makes it an effective weapon against the many phishing attacks that take place on the Internet every day. Those are, in essence, the fundamentals of S/MIME technology.
We have already encrypted our e-mail server. Isn't that enough?
Needless to say, encrypting your e-mail servers with digital certificates is a very sound measure, since it prevents would-be intruders from slipping in between your e-mail and your mail servers and intercepting confidential data. However, its reach is limited: the digital certificates that encrypt the server do not necessarily protect the e-mails themselves that are sent and received through it. Although your e-mails are essentially protected while in transit to and from the encrypted server, hackers can still gain access to your e-mail system and open your messages from there, or reach them as they pass through other servers. So while your e-mails are properly protected while travelling to and from your server, they remain exposed when they are stored or in transit through other servers.
This became especially evident in a recent attack in which nearly 20,000 e-mails were stolen from the Democratic National Committee (DNC) in the middle of the 2016 US election campaign. To reach the e-mails, the hacker broke in through the DNC's unencrypted inbox. The stolen e-mails, which revealed the DNC's alleged bias concerning Senator Bernie Sanders, were published on WikiLeaks, and some experts claim that the hack they came from marked the beginning of Hillary Clinton's defeat in the presidential election. Encrypting every one of the DNC's e-mails using, for example, S/MIME would have kept their contents out of reach.
Clear so far. But how will S/MIME encrypt my e-mails?
S/MIME is based on the principles of asymmetric cryptography, which works with a pair of mathematically related keys, one public and one private. It is computationally infeasible to derive the private key from the public key: e-mails are encrypted with the recipient's public key and can then only be decrypted with the corresponding private key, which only that recipient is supposed to hold. So, unless the private key falls into the wrong hands, you can be certain that only the recipient you sent the message to will be able to access the confidential data transmitted.
If you are still not fully convinced of the benefits of encrypting your e-mails, consider that Edward Snowden, the whistleblower who exposed the secret operations of the US National Security Agency (NSA), relies on e-mail encryption as a security measure. Over the years, several top-tier companies have also recognised the importance of encrypting e-mail. Google, for example, already encrypts messages sent to Gmail, and both Facebook and AOL have followed suit with similar measures. Even Microsoft, which hosts a large number of e-mail services, has already protected its accounts with e-mail encryption systems. Now your company can join this security practice by adopting S/MIME, which, in addition to encrypting your e-mails, will let you sign them.
Did I read "sign your e-mails"? But that's impossible, isn't it?
You read correctly. S/MIME lets you sign your e-mails to attest to your company's legitimate identity. And best of all, you won't need a pen to do it! Each time you compose and sign an e-mail, your private key applies your unique electronic signature to the message. Then, when your recipient opens your e-mail, your public key is used to verify the signature, assuring them that the message really did come from you. Signing e-mails lets you authenticate your identity at a time when phishing attacks have become sophisticated and fraudulent messages are ever harder to spot.
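As an added example (not part of the original post), the two mechanisms described above, encrypting to the recipient's public key and signing with the sender's private key, carried out end to end with the openssl command-line tool. The identities "alice" and "bob", their self-signed certificates (standing in for CA-issued S/MIME certificates) and the sample message are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the GlobalSign post: sign-then-encrypt and decrypt-then-verify
# with the openssl CLI. Assumes openssl (1.1.1 or 3.x) is on PATH. "alice", "bob" and the
# message are constructed for the demo; self-signed certs stand in for CA-issued ones.
set -eu

WORK=$(mktemp -d)                     # scratch dir for keys, certificates and messages
trap 'rm -rf "$WORK"' EXIT

make_identity() {                     # $1 = name, $2 = e-mail address
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
    -subj "/CN=$1/emailAddress=$2" 2>/dev/null
}

# Sender side: sign with the sender's PRIVATE key, then encrypt to the recipient's
# certificate (the recipient's PUBLIC key). Only the matching private key can open it.
smime_send() {                        # $1 = sender, $2 = recipient, $3 = text in, $4 = out
  openssl smime -sign -text -in "$3" -signer "$WORK/$1.crt" -inkey "$WORK/$1.key" \
    -out "$WORK/$1-signed.eml"
  openssl smime -encrypt -aes256 -in "$WORK/$1-signed.eml" -out "$4" "$WORK/$2.crt"
}

# Recipient side: decrypt with own PRIVATE key, then verify the signature against the
# sender's certificate. Prints the recovered text; fails if either step fails.
smime_receive() {                     # $1 = recipient, $2 = sender, $3 = encrypted message
  openssl smime -decrypt -in "$3" -recip "$WORK/$1.crt" -inkey "$WORK/$1.key" \
    -out "$WORK/$1-inner.eml"
  openssl smime -verify -text -in "$WORK/$1-inner.eml" -CAfile "$WORK/$2.crt" \
    -out "$WORK/$1-plain.txt" 2>/dev/null
  tr -d '\r' < "$WORK/$1-plain.txt"   # S/MIME canonicalises lines to CRLF; undo that
}

make_identity alice alice@example.com
make_identity bob   bob@example.com
printf 'Payment approved: wire 100 EUR to supplier account 42.\n' > "$WORK/msg.txt"

# Confidentiality + authenticity: the message on the wire is an opaque PKCS#7 envelope,
# and Bob recovers exactly what Alice wrote. Prints "ok" on success.
demo_roundtrip() {
  smime_send alice bob "$WORK/msg.txt" "$WORK/to_bob.eml"
  grep -q 'pkcs7-mime' "$WORK/to_bob.eml" || return 1          # enveloped-data on the wire
  grep -q 'supplier account' "$WORK/to_bob.eml" && return 1    # plaintext must not leak
  [ "$(smime_receive bob alice "$WORK/to_bob.eml")" = "$(cat "$WORK/msg.txt")" ] && echo ok
}

# Integrity: changing one figure in a clear-signed message breaks signature verification,
# which is how a recipient spots a tampered or spoofed mail. Prints "detected".
demo_tamper_detected() {
  openssl smime -sign -text -in "$WORK/msg.txt" -signer "$WORK/alice.crt" \
    -inkey "$WORK/alice.key" -out "$WORK/signed.eml"
  sed 's/100 EUR/999 EUR/' "$WORK/signed.eml" > "$WORK/tampered.eml"
  if openssl smime -verify -in "$WORK/tampered.eml" -CAfile "$WORK/alice.crt" \
       -out /dev/null 2>/dev/null; then
    echo "not detected"; return 1
  fi
  echo detected
}

demo_roundtrip
demo_tamper_detected
```

In a real deployment the signer and recipient certificates come from a CA and `-CAfile` points at that CA's chain rather than at the peer's own self-signed certificate.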
Moreover, signing your e-mails is useful not only for your external dealings with customers but is also a highly recommended practice for e-mails sent between your employees. Applying this measure should not be seen as a sign of distrust towards your colleagues, but simply as a way of protecting them from the aggressive phishing techniques that today go as far as impersonating co-workers in e-mails. Imagine receiving an e-mail from a junior co-worker trying to blackmail you into handing over confidential information. Naturally, the message would leave you in shock, but once you checked it again and saw that it had not in fact been signed by your colleague, you would feel immediate relief knowing it was just a pathetic attempt by a hacker to get into your account.
Sounds good! So would our company need S/MIME?
Given the long-term benefits S/MIME brings to your company, we strongly recommend adopting it. If your goal is to ensure integrity, guarantee confidentiality, protect your confidential data and mitigate phishing attacks and other forms of e-mail intrusion, you should without doubt consider deploying this technology. Nor should you fear that it will be complex. Over the years, deploying S/MIME has become progressively simpler, and Windows phones are a good example of a device that already has this technology built in. S/MIME is already available to keep your e-mails secure. Now the decision is entirely yours.
Do you have any other questions about S/MIME? Send them to us through the comment box below. You can also click here for more information on the basics of S/MIME.