gyptazy

DevOps

Developer

IT Consultant

Blog Post

S/MIME email encryption in 2023

S/MIME (Secure/Multipurpose Internet Mail Extensions) is a technology that provides end-to-end email encryption, allowing you to send and receive encrypted messages in a secure and private manner. In this blog post, we will discuss what S/MIME is, how it works, and why it is important for protecting sensitive information when sending emails.

What is S/MIME?

S/MIME is a widely-used standard for email encryption that enables secure communication over the Internet. It uses public key cryptography to encrypt and digitally sign email messages, ensuring that only the intended recipient can read the content of the message and that the message has not been altered in transit.

How does S/MIME work?

S/MIME uses a combination of public key cryptography and digital certificates to encrypt and sign email messages. Each user has a pair of keys – a public key and a private key. The public key is used to encrypt a message for that user, while the matching private key is used to decrypt it. The sender encrypts the message with the recipient’s public key and signs it with their own private key. The recipient then uses their own private key to decrypt the message and the sender’s public key (taken from the sender’s certificate) to verify the signature.

Why is S/MIME important?

S/MIME is important because it provides end-to-end encryption, which means that the message is encrypted from the moment it leaves the sender’s computer until it reaches the recipient’s computer. This protects sensitive information from being intercepted or read by unauthorized parties during transit. Additionally, S/MIME provides digital signatures, which ensure that the message has not been altered in transit and that it really comes from the sender who claims to have sent it.

Alternatives – GPG

S/MIME (Secure/Multipurpose Internet Mail Extensions) and GPG (GNU Privacy Guard) are two popular technologies used for email encryption. While both provide encryption and digital signatures, there are some key differences between them.

  • Purpose: S/MIME was designed specifically for email encryption and is used to secure email communication over the Internet. GPG, on the other hand, is a general-purpose encryption tool that can be used for a variety of purposes, including email encryption.
  • Key Management: S/MIME uses public key cryptography and requires users to obtain a digital certificate from a trusted certificate authority. This certificate contains the user’s public key and is used to encrypt email messages. GPG uses public key cryptography as well, but the key management is decentralized and users can generate their own keys without the need for a certificate authority.
  • Compatibility: S/MIME is widely supported by popular email clients, such as Microsoft Outlook, Apple Mail, and Mozilla Thunderbird. However, it is not as widely supported as GPG, which has a large community of users and developers and is compatible with a variety of operating systems and email clients.
  • Encryption Algorithms: S/MIME supports a limited number of encryption algorithms, including RSA and AES. GPG supports a wider range of encryption algorithms, including RSA, DSA, and ElGamal, as well as symmetric algorithms such as AES and Twofish.

S/MIME and GPG are both effective technologies for email encryption, but they are designed for different purposes and have different key management and compatibility characteristics. S/MIME is a good choice for organizations that need a secure and widely-supported email encryption solution, while GPG is a good choice for individuals and organizations that require a more flexible and decentralized encryption tool.

S/MIME in the Wild

S/MIME is widely used in certain industries and organizations where confidential business data, financial information and personal information are processed. In the past, many consumer email clients did not natively support S/MIME, so individuals were less likely to use it for personal email communication, including with free mail providers. Luckily, most newer clients support it (especially Microsoft Outlook, Microsoft Mail, Apple Mail and Thunderbird). However, you may sometimes see S/MIME signed (!) emails from your bank, insurance company etc. Some of them also offer a portal where you may provide your public key for further encrypted communication.

Free S/MIME certificates

As already written, S/MIME relies on a public key infrastructure where certificates must be signed by a known, trusted and publicly available CA (Certificate Authority) to work best. Yes, there are corner cases, but you may not want to use them. As a result, you should have a look at these free or cheap S/MIME certificates that are still available in 2023:

Provider   Lifetime        Price                     Description
Actalis    1y              free                      No renewal
WiseID     90d             free                      No renewal
WiseID     1y              9,99$/y (Adv. account)
Sectigo    1y (2y, 3y)     15$/y (24$, 33$)

You can see, there aren’t many left anymore in 2023. Additionally, a big issue is that the private keys are often generated on third-party systems (the provider’s, not your own), which should be avoided: the key should be generated locally and only the certificate request sent to the CA.
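The flow described under “How does S/MIME work?”, with the private keys generated locally as recommended above, as an added example that is not part of the original post. It assumes OpenSSL (1.1.1 or newer) is installed; the names, addresses and the self-signed stand-in for a real CA are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): the S/MIME flow from
# "How does S/MIME work?" with OpenSSL's CMS tooling. Alice signs with her
# private key and encrypts to Bob's certificate; Bob decrypts with his
# private key and verifies against Alice's certificate. Names, addresses
# and the self-signing stand-in for a real CA are assumptions.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate the private key locally and a CSR to hand to a CA, so the key
# never leaves this machine. Here the CSR is self-signed in place of the CA.
smime_enroll() {  # $1 = name, $2 = email address
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "/CN=$1/emailAddress=$2" 2>/dev/null
    printf 'subjectAltName=email:%s\nextendedKeyUsage=emailProtection\n' "$2" \
        > "$WORK/$1.ext"
    openssl x509 -req -days 365 -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
        -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# Sender: sign with own key, then encrypt the signed blob to the recipient's
# certificate. PEM output instead of MIME wrapping keeps the bytes exact.
smime_send() {  # $1 = sender, $2 = recipient, $3 = plaintext, $4 = output
    openssl cms -sign -binary -nodetach -outform PEM -in "$3" \
        -signer "$WORK/$1.crt" -inkey "$WORK/$1.key" -out "$WORK/signed.pem"
    openssl cms -encrypt -binary -aes256 -outform PEM -in "$WORK/signed.pem" \
        -out "$4" "$WORK/$2.crt"
}

# Recipient: decrypt with own key, then verify the signature. The sender's
# self-signed cert is pinned via -CAfile; with a CA-issued cert the CA root
# goes there instead. Exits non-zero if the signature does not check out.
smime_receive() {  # $1 = recipient, $2 = sender, $3 = encrypted, $4 = output
    openssl cms -decrypt -inform PEM -in "$3" -inkey "$WORK/$1.key" \
        -recip "$WORK/$1.crt" -out "$WORK/decrypted.pem"
    openssl cms -verify -inform PEM -in "$WORK/decrypted.pem" \
        -CAfile "$WORK/$2.crt" -out "$4"
}

smime_enroll alice alice@example.org
smime_enroll bob bob@example.org
printf 'Quarterly figures attached.\n' > "$WORK/msg.txt"  # constructed message
smime_send alice bob "$WORK/msg.txt" "$WORK/mail.pem"
smime_receive bob alice "$WORK/mail.pem" "$WORK/out.txt"
cmp "$WORK/msg.txt" "$WORK/out.txt" && echo "signed+encrypted round trip OK"
```

Verifying against the wrong trust anchor (for instance Bob’s certificate instead of Alice’s) makes the last step fail, which is exactly the check a mail client performs before showing a signature as valid.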

Conclusion

S/MIME is a crucial technology for anyone who needs to send sensitive information via email. It provides end-to-end encryption and digital signatures, ensuring that your messages remain confidential and that the integrity of the message is maintained. If you’re looking for a secure and private way to send and receive email, consider using S/MIME or GPG (there will be another blog post about GPG in detail soon).

Unfortunately, S/MIME falls short for individuals: obtaining publicly trusted certificates can be expensive, and short-lived certificates are hard to handle. Within managed company systems this can be solved by running your own CA (Certificate Authority) that is trusted on all systems, but that may still lead to further issues with external communication. As a result, I’d recommend that individuals use GPG if possible.
