
E-mail Virus Protection Handbook, Part 3


to choosing a reliable e-mail service provider from the hundreds (actually, thousands!) of choices on the Internet, you can also choose from a variety of e-mail clients. Some are good, some are bad, some have a limited feature set with a small price tag, some are feature-rich and costly.

Two of the most popular and reliable e-mail clients are Microsoft’s Outlook Express and Qualcomm’s Eudora. In addition to being solid mail clients with a long list of desirable e-mail features, these clients are available in similar offerings for both PC and Macintosh computers. Outlook Express is a free e-mail client that comes bundled with Microsoft’s Internet Explorer, although it can be installed as a separate tool. Eudora comes in both free and pay versions, with the pay version adding some advanced features not available in the free version (the average e-mail user does not even necessarily need those features).

One other added benefit to using these two programs for e-mail is that both programs have Pretty Good Privacy (PGP) plug-ins available that integrate PGP security functions directly into the application interface. By integrating PGP functions into the application, users of these clients can more easily and reliably take advantage of the extra security that PGP provides. Fortunately, both programs offer mail security options with their basic configurations. This chapter will examine these two products on both platforms, showing how to configure the applications to help keep your mail system clean and secure. At the end of the chapter, we will demonstrate how to incorporate PGP with these applications and provide a list of frequently asked questions related to the material presented in the chapter.

Outlook Express for Windows

Outlook Express is a scaled-down version of Microsoft’s Outlook e-mail program, which is an update to their Exchange mail system. Outlook Express is designed solely for Simple Mail Transfer Protocol (SMTP)-based mail systems and cannot interact with an Exchange mail server unless Post Office Protocol (POP) or Internet Message Access Protocol (IMAP) services are enabled on that server. Information about securing e-mail services using an Exchange mail system was covered in Chapter 2.

Outlook Express also relies heavily on other applications for some of its configuration settings. As described in the next few sections, you will see that Internet Explorer plays a large role in determining how Outlook Express will handle some content that it receives via e-mail.

Security Settings

The security settings for Outlook Express can be found by selecting Options under the Tools menu in the application and clicking on the Security tab of the Options dialog (see Figure 3.1). This tab is divided into two sections: Security Zones and Secure Mail. The Security Zones section is based on Internet Explorer security zone settings and will be described in the next section of the chapter. The Secure Mail section deals with digital IDs and is described next.

A digital ID, or security certificate, is a special file that uniquely and securely identifies an individual. When a security certificate is incorporated into Outlook Express, the person using the certificate can sign outgoing messages with the signature from the certificate. This allows the recipient of the signed message to verify that the message did come from the sender and that the message was not altered after it was sent. When two individuals have digital IDs incorporated into their Outlook Express mail clients, one person can encrypt an outgoing message to the other person so that only the recipient can decrypt the message and view the contents.

Figure 3.1 Security settings in the Outlook Express Options dialog

Because the digital ID security supported in Outlook Express will fully interact only with Windows-based Outlook Express and Outlook e-mail clients, a complete discussion on this topic will not be included in this chapter (details on securing Outlook 2000 with digital IDs can be found in Chapter 2). If you want to support secure e-mail with a wider range of potential recipients, you will need to use a broader-based security package such as PGP, which is described later in this chapter. If you plan to implement e-mail security using other security tools, you may skip to the next section of this chapter.

Secure Mail

There are two areas in Outlook Express dealing with secure mail settings using digital IDs. The first is in the Security tab of the Outlook Express Options dialog, shown in Figure 3.1. In the Secure Mail section of this dialog, there are three buttons dealing with digital IDs. The Tell me more… button in the Secure Mail section of the Security Options dialog will open the Outlook Express help system to the digital ID topics, allowing you to read more about digital IDs and how to use them in Outlook Express. The Get Digital ID… button opens your Web browser to Microsoft’s Web site where you can sign up for a trial security certificate or purchase a full certificate. The Digital IDs… button will open the Certificate Manager, where you can manage the digital certificates you have received from other individuals or companies.

The Encrypt Contents and Attachments for All Outgoing Messages checkbox will encrypt all outgoing content by default when a recipient’s e-mail address matches a certificate stored in the Certificate Manager. If a matching certificate is not on file for a destination address, the message and any attachments will be sent in clear text. Likewise, the Digitally Sign All Outgoing Messages checkbox will sign every outgoing message with the sender’s digital signature by default. This signature can be interpreted and authenticated by mail systems supporting the digital ID, and other mail systems will simply display the text representation of the digital signature. Unlike encrypting a message, applying a digital signature to a message does not require a matching security certificate for the recipient.

Clicking on the Advanced… button in the Security dialog will open the Advanced Security Settings dialog, shown in Figure 3.2. These options are self-descriptive and can be left in their default state unless a specific situation requires a setting to be modified.

The other location for setting secure mail options is in the Account Profile dialog box, shown in Figure 3.3. These settings are in the Security tab of the Account Properties dialog box, which can be opened by selecting the Accounts item from the Tools menu. Clicking the Select… button in the Signing Certificate section allows you to locate the security certificate to be used for outgoing messages for that account. Specifying the digital certificate and encryption algorithm in the Encrypting preferences section will transmit this information to others when digitally signing outgoing e-mail. With this information, others will be able to correctly encrypt messages destined for this account.

Figure 3.2 Advanced Security Settings dialog box

Figure 3.3 Security settings for the mail account

Security Zones

As mentioned earlier, Outlook Express does not manage its own settings for security zones. Instead, it imports this information from the Internet Options for the system, which are usually configured through Internet Explorer. In Internet Explorer, the Internet Options dialog can be opened under the Tools menu. Opening the Internet Options Control Panel will also open this interface.

Though it may not make much sense to handle e-mail security issues through the Web browser’s security settings, there is a good reason for it. Much of the e-mail that is transmitted today includes HTML formatting for font styles, text colors, and including images in the message body rather than as attachments. Outlook Express, along with other mail clients, can receive HTML files as e-mail messages and display them correctly within the mail browser. This means that much of the media content that goes into Web page presentation can now be sent in e-mail, including scripts, applets, and Java and ActiveX content. Therefore, the same security that you want to apply to your Web browser should also apply to your e-mail client.

Figure 3.1 shows that Internet Explorer offers only two settings for security zones from Internet Options. The choice of which zone’s settings to use will depend on how the zone is configured on the computer. The Internet zone is intended to be fairly unrestricted, so that most Web content can be viewed with the browser. The Restricted sites zone is intended to identify sites with known bad or suspicious content and limit what the browser will do with content received from that site.

Figure 3.4 shows the Internet Options dialog with the Internet zone selected. Internet Options has four pre-defined security settings for the zones: High, Medium, Medium-Low, and Low. One of these four default settings can be selected for each zone, or a custom security set can be assigned. The High security setting is the most restrictive, limiting the automatic activation of most media content. The Low setting is the least restrictive, allowing content to be activated with very few prompts or warnings.

The Internet zone is for all Web sites that haven’t been explicitly assigned to another zone. The only other zone used by Outlook Express is the Restricted sites zone, whose settings are shown in Figure 3.5. As with the Internet zone, one of the four default security settings can be applied to this zone, or custom settings can be created. Most Outlook Express users will choose to use the Internet zone for the e-mail security settings. However, as more and more interactive content finds its way into e-mail messages, system administrators and others who are using Outlook Express as the e-mail client may choose to implement more secure settings on incoming mail messages.

Figure 3.4 Internet Security Options settings for the Internet zone

Figure 3.5 Internet Security Options for the Restricted sites zone

Although interactive content within e-mail messages is becoming more prevalent, the main security concern of system administrators and end-users alike is e-mail attachments. Many people don’t think twice about double-clicking an attachment in a mail message, especially if the message is from someone they know. It is this blind trust that has increased the spread of traditional and macro viruses over the last few years. In fact, many new viruses specifically prey on this blind trust and are written to interact with the mail system as soon as they are activated.

For Managers

Using Technology to Solve Management Problems

Although great advances have been made in developing technology solutions to prevent the spread of e-mail viruses, technology solutions will always be one step behind the virus writers. Just as soon as a bulletproof solution is developed and implemented on a system, someone will take it as a challenge to find a way around the solution. More often than not, a way will be found around the fix, and the cycle will start all over again.

One of the best ways to prevent the spread of e-mail viruses within your company is to mandate that employees not open e-mail attachments received from outside the company. Even the most up-to-date virus scanner sitting on a mail server is going to miss the latest version of an e-mail virus that is making its way around the world. But if an employee receives the virus in e-mail and does not open the attachment, the spread of the virus is stopped there. In order for this approach to be successful, employees must be made aware of why they cannot open attachments.

Another essential policy is that all outgoing attachments must be scanned and verified virus-free before being sent. While you don’t want employees spreading viruses within the office, you also don’t want your company to be the source of an infection in another company.

Having protection technology in place to defend against virus attacks is insufficient on its own. People must understand how to use the technology, why they should use the technology, and what will happen if they fail to use it. Implementing a technology solution without user education makes a company almost as vulnerable as not taking any precautions in the first place.

Most mail clients have responded to this issue by making it more difficult to blindly open mail attachments. For example, Outlook Express has added several warning messages that are activated when attachments are opened. All these warnings do is add a few extra mouse clicks to the process of opening an attachment, but in some cases the display of the warnings has been enough to make people think twice about opening an attachment.

When a user receives a message with an attachment and tries to open it, Outlook Express will present the user with the warning message shown in Figure 3.6. The warning message is clear: opening the attachment could unleash a virus on the computer. The attachment should be saved to disk and scanned for viruses before being opened. Unfortunately many people will ignore this message and go ahead and choose to open the attachment, allowing any potentially harmful code to be executed on their system.

If the attachment is an executable file, not a document, and the user chooses to open the file without saving it first, Outlook Express will present a second warning message, shown in Figure 3.7. The contents of the dialog box will change depending on the source of the file. Figure 3.8 shows the Security Warning dialog box when Outlook Express has recognized that a vendor has signed the attachment. The vendor information is displayed in the message, along with the expected contents of the application. When a signed file is damaged or altered before it is received, attempting to open the file will generate the Security Warning message shown in Figure 3.9. This warning indicates that something is wrong with the attachment, and that the file should be deleted without being opened.

Figure 3.6 Open Attachment Warning message

Some anti-virus software programs, such as Norton AntiVirus, now offer direct security integration with Outlook Express. When installed and configured correctly, the anti-virus software sits between Outlook Express and the e-mail server and scans file attachments as they are downloaded from the mail server. The anti-virus software can then alert you if there are problems detected with a file attachment before you try to open the file from within Outlook Express. Of course this added protection is only as good as the updates. Adding automatic scanning of file attachments does little good if the virus scanner definitions are months out of date.

Figure 3.7 Attachment Security Warning dialog box for unsigned executable files

Figure 3.8 Attachment Security Warning dialog box for signed executable files

Outlook Express for Macintosh

Outlook Express 5 for Macintosh is the latest release in the series of Macintosh-based POP and IMAP mail clients from Microsoft. Outlook Express has become increasingly popular in the Macintosh community over the last few years because of its rich feature set and ease of use.

Anyone who has used Outlook Express on both platforms will tell you that the two programs are very different. The differences are more than just user interface design and program operation. There are key differences in the way the two programs approach e-mail security. For starters, Outlook Express for Macintosh does not make use of Security Zones like its Windows counterpart. Outlook Express for Macintosh also does not support digital IDs. This does not mean that Outlook Express is an insecure mail client, but users of the mail program must perform more security steps for themselves, rather than relying on tools within the program.

The remainder of this section will focus on message filtering tools, which can be used to help avoid unwanted or potentially dangerous messages, and handling file attachments. Information on sending and receiving secure e-mail with Outlook Express for Macintosh will be covered in the PGP section at the end of this chapter.

Junk Mail Filter

Outlook Express for Macintosh includes a junk mail filter, which helps you identify incoming junk mail messages. When enabled, the filter watches messages for signs of spam, such as potentially forged or obviously invalid sender e-mail addresses. When the filter identifies a message as potential junk, Outlook Express can take several actions on the message, including marking the message to indicate it as junk mail and running a pre-defined AppleScript on the message. The actions taken by the junk mail filter are specified in the Junk Mail Filter Settings window.

Figure 3.9 Security Warning message indicating a problem with the authenticity of the file

To enable the junk mail filter and configure its responses, open the Filter window by selecting the Junk Mail Filter… item from the Tools menu (see Figure 3.10). To enable the filter and accept the default settings, select the Enable Junk Mail Filter checkbox and click OK. The default settings will look for potential junk mail in your incoming mail and set the display color of the message in the browser window to a dark gray (instead of the default message display color).

If the default settings don’t identify and mark all the junk messages you are receiving, or if you want to change the way the junk messages are handled, you can customize the behavior of the filter in its settings window. The Sensitivity slider will adjust the way Outlook Express determines a message’s junk status. If a large number of regular messages that come to your inbox are getting incorrectly marked as junk, you can adjust the slider towards the Low end. If the filter is missing some junk messages and not marking them for you, you can adjust the slider toward the High end.

Figure 3.10 Junk Mail Filter Settings window in Outlook Express for Macintosh

If you want to specifically exclude certain e-mail addresses from the filter, you can enter the domain portion of the e-mail address into the Do Not Apply To Messages From These Domains text box. Unfortunately, this box will filter only on an entire domain. So if you configure the junk mail filter so that your friend’s e-mail coming in from his or her hotmail.com account doesn’t get filtered, any spam sent from a hotmail.com address will also be ignored by the filter. You can get around this by setting up specific mail filtering rules described later.

Finally, you can specify the actions taken on junk messages in the Perform Additional Actions on Junk Mail Section of the Settings window. By default, the only action taken on junk messages is to change the display color of the message in the mail browser window. Additionally, the filter can mark a junk message as read, so it will not display as a new message in the mail browser. A third option is to run an AppleScript on the message. Outlook Express does not provide many AppleScript actions to be used with junk mail filtering. However, custom AppleScripts can be written to perform a number of actions on a filtered message.

When the mail filter marks a received message as junk, the Mail Browser window will appear similar to Figure 3.11. The message display is marked in the alternate color (gray by default) in the mail listing, and a yellow bar, indicating that the message may be junk mail, appears above the message in the Preview window. If the filter catches a valid message and marks it as junk by mistake, you can click This Is Not Junk Mail in the yellow bar, and Outlook Express will remove the junk mail status from the message.

Figure 3.11 A Junk Mail Message in the Mail Browser display

Message Rules

Though the Junk Mail filter only flags incoming messages as junk, that flag can be used as a criterion for performing additional actions on the message or messages with message rules. The message rules that can be created in Outlook Express for Macintosh are powerful and can accomplish many tasks automatically.

To set up a mail rule that will act on messages identified as junk by the Junk Mail filter, open the rules editor by selecting the Rules item from the Tools menu. Then click the New button in the upper-left corner to begin editing the rule. The rule configuration shown in Figure 3.12 will take all messages from the inbox identified as Junk and move them into a folder named Junk.

After setting up this rule and applying it to the junk messages in the inbox, the messages are moved into the Junk folder, as shown in Figure 3.13. As several of the messages that were moved to the folder are still unread, the folder name appears in bold to indicate that it holds unread messages, and the number next to the folder name indicates the number of unread messages in the folder. The Junk Mail filter settings can be changed so that messages marked as junk are also marked as read, so that no unread messages will be displayed in the folder listing.

While testing the rule to make sure it works as expected, you will probably want to avoid deleting messages automatically. Instead, set up the rule to move the filtered messages to a folder and ensure that all the messages moved to that folder belong there. After you have verified that the rule and filter are working properly, you can modify the outcome of the rule to the desired result. For example, I set the rule to delete the message

Figure 3.12 Outlook Express Macintosh mail rule to move junk mail messages

Outlook Express for Macintosh handles file attachments differently than its Windows counterpart. Because digital ID security works only for Windows files, there is no support for the security certificates in the Macintosh client. Of course, only certain types of file attachments can be opened on a Macintosh. The file types of greatest concern to Macintosh users are Microsoft Office documents, as they can contain potentially harmful macro viruses. Fortunately for the Macintosh community, most macro virus code is harmless to the Macintosh operating system, but the Macs are not completely immune. In fact, the first few macro viruses affected Macs as well as PCs. So there are a few steps that can be taken to help protect your computer from these dangerous files.

As with PC virus files, the virus code in the file is inactive until the file is opened. Unlike the PC client, Outlook Express for Macintosh does not present any warnings before opening attachments. Users can double-click on the file attachment, and the file will be opened immediately. As with PCs, files of unknown origin should be scanned with a virus scanner prior to being opened. We can make use of mail rules to automate that process.

Figure 3.13 Outlook Express Macintosh mailbox display after filtering junk mail into a mail folder

Many anti-virus software programs support a drop box concept. A drop box is a folder that is watched by the anti-virus software, and any file that is placed in the folder is immediately scanned for viruses. In many cases, this drop box concept is used in conjunction with Web browsers to scan all files downloaded by the browser. This same approach can be used for e-mail.

Case Study: Automated Virus Scanning of

1. Open the Rules dialog by selecting the Rules item from the Tools menu.

2. Click the New button to create a new rule.

3. Type the name for the rule in the Rule name: field.

4. Select Attachment from the pop-up menu in the If box.

5. Select Exists from the second pop-up menu in the If box.

6. Select Save Attachments from the pop-up menu in the Then box.

7. Click the Destination… button and choose the folder where the attachment will be saved.

8. Make sure the Enabled checkbox is selected.

9. Verify that the settings for the rule match Figure 3.14 and click OK.

Now, when the rule processes incoming messages, attachments will be saved into the Drop Folder and the anti-virus software will scan the saved file for malicious content.
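The rule built in the steps above (if an attachment exists, save it to the watched folder), written outside the mail client as an added example; it is not code from the book or from Outlook Express. The function names, the constructed sample message and the temporary drop folder are assumptions, and the script goes one step beyond the rule by reducing each sender-supplied file name to a safe base name and never overwriting a file already waiting to be scanned.

```python
import os
import re
import tempfile
from email import message_from_bytes, policy
from email.message import EmailMessage


def build_sample_message() -> bytes:
    """Constructed sample: a text body plus two attachments (not real mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Quarterly report"
    msg.set_content("Report attached.")
    msg.add_attachment(b"constructed document bytes", maintype="application",
                       subtype="msword", filename="report.doc")
    # Same base name, but with a path that tries to leave the drop folder.
    msg.add_attachment(b"second constructed file", maintype="application",
                       subtype="octet-stream",
                       filename="../../System/report.doc")
    return msg.as_bytes()


def safe_name(raw, index):
    """Reduce a sender-supplied file name to a harmless base name."""
    base = re.split(r"[\\/]", raw or "")[-1]          # drop any directory part
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")
    return base or f"attachment-{index}.bin"


def save_attachments(raw_message: bytes, drop_folder: str) -> list:
    """If an attachment exists, save it to drop_folder; return the paths."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_BINARY", 0)
    saved = []
    for index, part in enumerate(msg.iter_attachments(), start=1):
        name = safe_name(part.get_filename(), index)
        stem, ext = os.path.splitext(name)
        target, n = os.path.join(drop_folder, name), 0
        while os.path.exists(target):                 # keep both files
            n += 1
            target = os.path.join(drop_folder, f"{stem}-{n}{ext}")
        # O_EXCL refuses to overwrite a file created in the meantime.
        fd = os.open(target, flags, 0o600)
        with os.fdopen(fd, "wb") as handle:
            handle.write(part.get_payload(decode=True) or b"")
        saved.append(target)
    return saved


if __name__ == "__main__":
    # Temporary folder standing in for the anti-virus drop folder.
    with tempfile.TemporaryDirectory() as drop_folder:
        for path in save_attachments(build_sample_message(), drop_folder):
            print("saved for scanning:", os.path.basename(path))
```
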


Eudora for Windows and Macintosh

Qualcomm’s Eudora e-mail client is also available in both Windows and Macintosh versions. Unlike Outlook Express, the programs share many similarities between the two platforms. Issues for both programs will be presented in this section, and cases where the programs differ will be pointed out.

Security

Eudora for Windows does not make use of the same security concepts as Outlook Express for Windows. In fact, there is only one application setting related to security, and that is the Allow executables in HTML content setting, pictured in Figure 3.15. This setting, which is accessed in the Viewing Mail category of the Options… item found under the Tools menu, determines how Eudora will handle executable content received in mail messages containing HTML. By default, this option is turned off, meaning that any Java, JavaScript, ActiveX, or other in-line executable content embedded within an HTML message will be ignored. This security option is not present in Eudora for Macintosh program settings.
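The in-line executable content this setting ignores, and that the Security Zones discussion earlier lists as reaching the mail client through HTML (scripts, applets, Java and ActiveX), can be spotted in a message before it is displayed. The following is an added example, not code from the book, Eudora or Outlook Express; the tag list, the function names and the constructed sample message are assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Elements that load or run code rather than format text (assumed list).
ACTIVE_TAGS = {"script", "applet", "object", "embed", "iframe"}
URL_ATTRS = {"href", "src", "action"}

# Constructed sample body; every payload is an inert placeholder.
SAMPLE_HTML = """<html><body>
<p style="color:blue">Hello</p>
<SCRIPT>/* inert placeholder */</SCRIPT>
<img src="cid:logo" onload="/* inert */">
<a href="java&#9;script:void(0)">link</a>
<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>
</body></html>
"""


class ActiveContentFinder(HTMLParser):
    """Collects (kind, location) pairs for executable content in HTML."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases tag and attribute names for us.
        if tag in ACTIVE_TAGS:
            self.findings.append(("tag", tag))
        for name, value in attrs:
            # Remove whitespace so "java<TAB>script:" is still recognised.
            compact = "".join((value or "").split()).lower()
            if name.startswith("on"):                 # onload, onclick, ...
                self.findings.append(("event-handler", f"{tag}@{name}"))
            elif name in URL_ATTRS and compact.startswith("javascript:"):
                self.findings.append(("script-url", f"{tag}@{name}"))


def scan_html(html: str) -> list:
    """Return the executable-content findings for one HTML document."""
    finder = ActiveContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


def scan_message(raw_message: bytes) -> list:
    """Scan every text/html part of a MIME message."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            findings.extend(scan_html(part.get_content()))
    return findings


def build_sample_message() -> bytes:
    """Constructed multipart/alternative message carrying SAMPLE_HTML."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Newsletter"
    msg.set_content("Plain-text alternative.")
    msg.add_alternative(SAMPLE_HTML, subtype="html")
    return msg.as_bytes()


if __name__ == "__main__":
    for kind, where in scan_message(build_sample_message()):
        print(f"{kind:14} {where}")
```
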

Figure 3.14 Mail Rule to save attachments to a watched folder

This warning is presented every time an attachment is opened within Eudora. While the content of the warning is the best description I’ve seen of why an attachment should not be opened, it has the same drawbacks as the warning messages in Outlook Express. After a few times reading the warning, users begin to process the warning message as just another mouse or key click before opening the file. And, of course, users can save the attachment to a folder on their hard disk to open it, or just browse to the Eudora attachment folder and open the file from there.

As described in the Attachments discussion in the Outlook Express for Windows section, some anti-virus software packages now support direct integration with Eudora for Windows. In the case of Norton AntiVirus, the virus scanner sits between Eudora for Windows and the mail server, scanning file attachments as they are downloaded from the mail server. If a problem is found with an attachment, the scanner alerts the user to the problem and allows the user to choose the action taken. Again, the level of protection is limited to how up-to-date the software is.

Figure 3.15 Eudora for Windows security settings for executable HTML content

Figure 3.16 Eudora for Windows warning on opening attached files

Attachments in Eudora for Macintosh are handled a little differently. Unlike the Windows e-mail client, Eudora for Macintosh provides no warning message when opening attachments. However, the program can be configured so that all received e-mail attachments are stored in a folder that is monitored by anti-virus software. This is similar to the attachment monitoring that was described in the Case Study for Outlook Express for Macintosh section, except that no message filtering is necessary. The folder where e-mail attachments are stored by default is specified in the Attachments section of the program options (see Figure 3.17). By default, incoming attachments are stored in the Eudora Preferences folder in the System folder, but an alternate folder can be specified in the settings. If the system anti-virus software is configured to watch the attachments folder, then every incoming attachment will be scanned by the anti-virus software as soon as it arrives. If the anti-virus software finds any problems with the attachment, the recipient will be notified of the problem (or whatever default action is configured in the anti-virus software). This will not prevent the recipient from opening the attachment after it is received, but it can at least notify the recipient that there is a potential problem and that caution should be used.

Filtering

Eudora has a powerful message-filtering feature. It allows for multiple filtering rules to be defined, and these rules can be configured to filter on incoming messages, outgoing messages, manual filtering, or a combination of all three.

Figure 3.17 Eudora for Macintosh Attachment options specifying the location of the attachments folder

Setting up a message filter is as simple as selecting the Make Filter… item under the Special menu with a message selected. The filter template is opened and pre-completed with key information from the selected message (see Figure 3.18). The filter can then be triggered on information in the From:, To:, or Subject: fields of the message. If there is a match, the message can be transferred to a new or existing mailbox (including the Trash mailbox).

If the basic fields in the Make Filter template are not sufficient to filter messages to the detail desired, clicking the Add Details button will open the Full Filter Editor, shown in Figure 3.19. This editor template can configure complex filtering rules with multiple triggering mechanisms and multiple resultant actions. Table 3.1 lists some of the common Header and Action items that can be used in creating mail filters.

Figure 3.18 Eudora Make Filter template

Figure 3.19 Eudora Filter Editor window

Redirect To
Reply with
Copy To
Transfer To
Move Attachments (Macintosh only)
Skip Rest

Enabling PGP for both Outlook Express and Eudora

The most recent PGP software integrates directly into the Outlook Express and Eudora PC e-mail clients as well as Eudora for Macintosh. Even though integrated support for PGP is not available for Outlook Express for Macintosh, many of the features of PGP can still be used through the integration of the PGP tools in MacOS.

When PGP has been installed on a system with support for the e-mail clients, several new buttons are available within the toolbars for different mail functions. In the main toolbar for each Windows application, there is a button to open the PGPkeys applet (see Figures 3.20 and 3.21). This button gives the user easy access to manage the keys in the PGP user’s keyring.

Table 3.1 Common Message Filter Header and Action Items Used by Eudora for Windows and Macintosh

E-mail messages can be secured by PGP in one of two ways. Messages can be signed by PGP, which means that the contents of the message are sent in clear text, but the message is signed by the sender’s PGP key. The PGP signature is based on the contents of the message as well as the sender’s key, so that when the message is received and the recipient verifies the message, the verification will fail if the contents of the message were altered during transmission. The sender and receiver know that the contents of the message are intact when the signature is verified by the recipient, even though the contents of the message were readable by anyone during transmission. When signing a message the sender does not need a PGP key for the recipient, but the recipient must have the sender’s PGP key to verify the message.

Messages can also be encrypted by PGP, so that the contents of the message are not readable by anyone but the recipient, and then only after the recipient has decrypted the message. In order to send an encrypted message, the sender and recipient must have each other’s PGP keys. The sender uses the recipient’s PGP key to encrypt the contents of the message, and the recipient must have the sender’s key to correctly decrypt the message. Although encrypted messages can also be PGP signed, the extra step of signing is not necessary. The decryption of the message will fail if the contents of the message were altered during transmission.

Sending and Receiving PGP-Secured Messages

The remainder of this chapter will cover the process of sending and receiving signed and encrypted messages using PGP. Since each application handles the process differently, we will look at each application separately, discussing commonalities between the applications as they occur.

Figure 3.20 PGP buttons in Eudora: PGPkeys is on the left, and PGP decrypt/verify is on the right

Figure 3.21 PGPkeys button in the Outlook Express toolbar


The following discussion about securing e-mail messages with PGP deals with plain-text message content issues. A different set of rules applies when dealing with file attachments. Using PGP to sign or encrypt mail messages that contain attachments will often generate mail messages that have the attachment encoded within the body of the message in such a form that the recipient’s mail client cannot detach the file. Please see the section at the end of the chapter, File Attachments and PGP, for information on handling signed and encrypted files via e-mail.

WARNING

Remember: Using PGP to sign or encrypt a mail message with a file attachment can render the attachment useless to the recipient.

Eudora for Windows

Support for sending and receiving PGP-secured messages in Eudora for Windows is enabled by the application toolbars in the appropriate windows. Figure 3.20 illustrates the PGPkeys button in the main toolbar for the application. There are also new buttons for PGP in the New Message window and the Read Message window. The options for incorporating PGP settings into Eudora are handled through the Message Plug-ins Settings… item under the application’s Special menu. All active plug-ins for Eudora are listed in the window and can be modified from there.

Sending PGP-Secured Messages

When creating a new message in Eudora, you will see two additional buttons in the New Message window, shown in Figure 3.22. These buttons, when activated, will encrypt or sign the message as Eudora prepares it for delivery. Located immediately to the left of the Send button in the toolbar, the left of the two buttons is the Encrypt button, and the right button is the Sign button. In Figure 3.22, the Encrypt button is off, and the sign button is on.

In addition to the two buttons in the New Message window, PGP functions can be activated manually from the Eudora menu. Once the outgoing message has been edited, the contents of the message can be signed or encrypted by selecting the PGP Encrypt or PGP Sign items from the Message Plug-ins item of the Edit menu. Figure 3.23 shows an outgoing Eudora message that has been manually signed with the menu option. Figure 3.24 shows an outgoing Eudora message that has been manually encrypted.


Figure 3.22 Eudora for Windows New Message window with PGP buttons enabled

Figure 3.23 Eudora outgoing message that has been manually signed by PGP

Figure 3.24 Eudora outgoing message that has been manually encrypted by PGP


When manually signing or encrypting message contents, it is important not to modify the contents of the message window after PGP has performed its actions. The encryption and signature are based on the contents of the window before PGP modified the message. If the contents are changed after PGP has done its work, the recipient of the message will not be able to verify or decrypt the message.
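The note above says a manually signed message must not be edited once PGP has done its work. As an added example (not from the handbook or the PGP plug-ins), the code below assumes the standard OpenPGP cleartext-signature layout and extracts the exact text a signature covers, so a copy kept at signing time can be compared with the copy about to be sent; the function names and the sample message are hypothetical.

```python
import hashlib

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"

def signed_text(armored: str) -> bytes:
    """Return the canonical bytes a cleartext signature covers."""
    lines = armored.replace("\r\n", "\n").split("\n")
    if BEGIN_MSG not in lines or BEGIN_SIG not in lines:
        raise ValueError("not a cleartext-signed message")
    start = lines.index(BEGIN_MSG) + 1
    # Skip armor headers such as "Hash: SHA1" up to the blank separator line.
    while start < len(lines) and lines[start].strip():
        start += 1
    end = lines.index(BEGIN_SIG, start)
    body = []
    for line in lines[start + 1:end]:
        if line.startswith("- "):        # undo dash-escaping
            line = line[2:]
        body.append(line.rstrip(" \t"))  # trailing blanks are not signed
    # Canonical line endings are CRLF; the last line ending is not signed.
    return "\r\n".join(body).encode("utf-8")

def fingerprint(armored: str) -> str:
    """SHA-256 of the signed text, used only to compare two copies.
    It is not the signature hash, which also covers signature metadata."""
    return hashlib.sha256(signed_text(armored)).hexdigest()

def edited_after_signing(as_signed: str, as_sent: str) -> bool:
    """True when the text covered by the signature differs between copies."""
    return fingerprint(as_signed) != fingerprint(as_sent)

# Constructed sample; the signature block is a placeholder, not real output.
SIGNED = "\n".join([
    BEGIN_MSG, "Hash: SHA1", "",
    "The meeting is at 10:00 in room 4.",
    "- -- Pat",
    BEGIN_SIG, "", "(placeholder)", "-----END PGP SIGNATURE-----",
])
# Transport noise only: CRLF line endings and trailing spaces.
REFLOWED = SIGNED.replace("room 4.", "room 4.   ").replace("\n", "\r\n")
# A one-character edit made after signing.
EDITED = SIGNED.replace("10:00", "11:00")

if __name__ == "__main__":
    print(edited_after_signing(SIGNED, REFLOWED))
    print(edited_after_signing(SIGNED, EDITED))
```

Line-ending conversion and trailing blanks leave the signed text unchanged, while any edit to the visible words changes it, which is the case the note describes.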

When using the PGP Encrypt or PGP Sign buttons in the new message window, PGP does not sign or encrypt the message until the message is being packaged for delivery. The user will only briefly see the message contents modified right before the message window is closed when the message is sent.

When the outgoing message is signed or encrypted, PGP will prompt the user to enter the passphrase for the signing key. Subsequent signed/encrypted messages may or may not need to have the signing key passphrase entered, depending on the settings of PGP. By default, PGP caches the signing key passphrase in the system for two minutes. Any messages signed or encrypted within two minutes of the initial passphrase entry will not be prompted again for the passphrase.

Encrypting messages requires that the sender have a PGP key for the recipient in order for the message to be encrypted. If PGP cannot identify the PGP key for the recipient based on the destination e-mail address specified in the message editor, it will prompt the user to select the PGP key for the recipient. If the wrong recipient PGP key is selected, the recipient will not be able to decrypt the message received.

Receiving PGP-Secured Messages

Admittedly, PGP-signed and encrypted messages aren’t very pretty when they arrive in your mailbox. But what the messages lack in aesthetics is redeemed in security. When receiving a signed or encrypted message in Eudora, there are two ways to verify or decrypt the message. First, users can click the PGP Decrypt/Verify button in the main Eudora toolbar once the message has been opened (see Figure 3.20 for the location of this button). Alternately, users can select the PGP Decrypt & Verify item from the Message Plug-ins item under the Edit menu.


The PGP Decrypt & Verify button and menu item are active only when the signed or encrypted message has been opened in its own window. The functions will not work when the message is being viewed in the Preview window.

When a PGP-signed message is opened and the PGP decrypt and verify function has been activated, PGP will check the signature on the message against the message contents and display the results of the verification in the Message window. This verification is shown in Figure 3.25. If the signature matches the sender and the message contents, PGP will indicate the signature status as good, identify the signer, and display what time the message was signed and verified. If the signature does not match the sender or the message contents, the PGP signature status will display bad instead of good.

When the message contains encrypted contents, selecting the PGP Decrypt and Verify function will access the user’s PGP key to attempt to decrypt the message. PGP will prompt the user for the passphrase to the PGP key to verify that the intended recipient is attempting to decrypt the message. If an incorrect passphrase is entered for the key, PGP will not decrypt the message.

When an encrypted message is decrypted, the contents of the encrypted message will be displayed in the message window with no additional verification information that the decryption completed successfully. If PGP is unable to decrypt the message, it will generate an error. If that occurs, the message can be deleted, and the sender of the message should be notified that an error occurred when trying to decrypt the message.

Figure 3.25 PGP Verified message display in Eudora for Windows

Outlook Express for Windows

PGP integration into Outlook Express for Windows is not as seamless as Eudora for Windows. In some places, there are a few extra steps involved in sending or receiving PGP-secured messages.

Sending PGP-Secured Messages

As with Eudora for Windows, there are two additional buttons available in the New Message window toolbar when PGP is enabled in Outlook Express for Windows. These buttons are shown in Figure 3.26. Like Eudora, when the Encrypt (PGP) or Sign (PGP) buttons are selected in the New Message window, the outgoing message will be signed or encrypted upon transmission to the mail server. By default, these buttons are displayed on the expanded toolbar shown in Figure 3.26, but the toolbar can be customized so the buttons are always visible on the toolbar.

There are no menu options in Outlook Express for Windows to manually sign or encrypt message contents with PGP. The appropriate buttons must be selected in the New Message window toolbar for PGP to sign or encrypt the outgoing message. When the message is sent, the user will briefly see the contents of the outgoing message modified by PGP right before the message is delivered to the mail server.

Figure 3.26 PGP buttons in the Outlook Express New Message window toolbar

Date posted: 14/08/2014, 04:21
