Mozilla 1.3b is out today. I really have high hopes for this project – not so much for the browser part, but for the email client. With this release, Mozilla now supports junk mail filtering. Also, Mozilla has supported S/MIME for several releases now. What I really wish is that there were a Chimera-like project for the email/newsgroups portion of Mozilla, with a Cocoa front-end and a Unix backend, and that both Chimera and this wishful email client would share centralized key management to allow seamless participation in standards-based public key infrastructures. Anyway… this release of Mozilla looks promising – performance seems better, bugs keep getting fixed, and overall – though it still has a ways to go – I think it’s going in the right direction.
While PGP seems to be a common and useful method of authentication and encryption of email communications on Mac OS X, there is a dearth of options when it comes to S/MIME.
S/MIME is a protocol that provides for encryption and authentication of email messages using X.509-based keys and certificates. Using certificates based on X.509 means that your identity can be verified against a public certificate authority in the same way that an SSL-secured website is authenticated. When you receive a signed message in an S/MIME-capable email client, your client verifies the identity of the sender and integrity of the message against the certificate authority (CA) that issued the certificate used to sign the message. Trust is inherited from these certificate authorities, and you can (or at least should be able to) examine, verify, and edit that trust within your email client, web browser, or I think optimally at the OS level from a central application.
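The sign-and-verify flow described above can be reproduced with OpenSSL's `smime` subcommand. This is an added example, not part of the original post; the CA names, the address alice@example.test and the file names are all constructed, and it assumes `openssl` is installed.

```bash
# Added example: S/MIME signing and CA-based verification with OpenSSL.
# Every name here (Demo Mail CA, Other CA, alice@example.test) is constructed.

check() {  # check LABEL MESSAGE CAFILE -> prints "LABEL: accepted|rejected"
  if openssl smime -verify -in "$2" -CAfile "$3" -out /dev/null 2>/dev/null
  then echo "$1: accepted"; else echo "$1: rejected"; fi
}

new_ca() {  # new_ca NAME PREFIX -> self-signed root in PREFIX.key / PREFIX.pem
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$2.key" -out "$2.pem" 2>/dev/null
}

smime_demo() {
  local dir rc
  dir=$(mktemp -d) || return 1
  (
    cd "$dir" || exit 1
    # The CA that issues the sender's certificate, and an unrelated CA.
    new_ca "Demo Mail CA" ca || exit 1
    new_ca "Other CA" other || exit 1
    # Sender key pair and request; the first CA issues the certificate.
    openssl req -newkey rsa:2048 -nodes -keyout alice.key -out alice.csr \
      -subj "/CN=Alice/emailAddress=alice@example.test" 2>/dev/null || exit 1
    openssl x509 -req -in alice.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
      -days 1 -out alice.pem 2>/dev/null || exit 1
    # Sender signs; the output is a clear-signed multipart/signed message.
    printf 'Meet at noon.\n' > msg.txt
    openssl smime -sign -in msg.txt -signer alice.pem -inkey alice.key \
      -out signed.eml 2>/dev/null || exit 1
    # A copy altered in transit: the body changes, the signature does not.
    sed 's/Meet at noon/Meet at midnight/' signed.eml > tampered.eml
    check "signed, issuing CA trusted" signed.eml ca.pem
    check "tampered, issuing CA trusted" tampered.eml ca.pem
    check "signed, issuing CA not trusted" signed.eml other.pem
  )
  rc=$?
  rm -rf "$dir"
  return $rc
}

smime_demo
```

Only the first case is accepted: the altered body no longer matches the signed digest, and a valid signature is still rejected when the recipient does not trust the CA that issued the signer's certificate.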
The only email client on Mac OS X that seems to support S/MIME natively is Mozilla. I’ve tested it using Mozilla 1.2 and 1.3a and it works well. On Mac OS X, S/MIME is missing from all the other major clients: Microsoft Entourage, Apple Mail, Lotus Notes, and Qualcomm Eudora. (There is an S/MIME plugin from Entrust for Eudora on pre-Mac OS X versions.) There is a command-line program called ‘smime’, but who is going to use that? I truly wish this worked in Entourage.
Why do Mac OS X users need S/MIME? Because we need to be able to encrypt for the same reasons that you don’t write all of your correspondence on the back of post cards. Because we can begin to make use of trusted, authenticated, and privately encrypted communications. Because it can be seamlessly integrated with email clients, making it easy, automatic, even behind-the-scenes. Because this functionality is available to all major Windows email clients: Outlook, Outlook Express, Eudora, Netscape, Mozilla, and Lotus Notes all either support it natively or through plugins. Because PGP is great, but not perfect, and it’s nice to have options. Because a key used to sign a message can be verified against a trusted certificate authority. Because we have the right to know beyond a reasonable doubt that the sender is who they say they are, and what they said is authentic. Because we have the right to private, encrypted, person-to-person communications, free from the prying eyes of thieves, perverts, libelous paparazzi, and corrupt governments.
When I discuss this with people, I often hear the same response: “I have nothing to hide.” These are the same people that will send their passwords and credit card info through email. It is trivial for someone with malicious intent to write a script that filters out and downloads credit card patterns or messages that contain the text “User ID” or “Password”. Ugh… Do you think it’s OK for someone to intercept your personal mail, steam open the envelope, and read the contents without your knowledge? Of course not! Email should have the same level of privacy, and this can be ensured through person-to-person encryption schemes such as PGP or S/MIME. The primary factors limiting widespread adoption of this technology are a general lack of understanding and a misplaced sense that somehow one’s email communications are private. Did I mention that it’s just a script?
You can purchase certificates for use in your email from various issuing Certificate Authorities, and some, such as Thawte, are free. It doesn’t take that much work to set up, and once it’s installed and you understand the security features of your email client it’s quite easy to use. If anyone enrolls in the Thawte personal certificate program and wants to get their certificate signed, I’m happy to do it for you free of charge. There are plenty of other notaries out there who can do this worldwide, and most also do not charge a fee. Contact me if you are in or plan on being in the San Francisco Bay Area and would like to have this done.
The only way Mac OS X users will get this functionality in our favorite email clients is if we request the feature. But then, to get people to request it, people have to understand why they need this. Hopefully this rant helps get the message out there a little.
So, Iraq is alleged to have nuclear, biological, and chemical weapons, but no such weapons have been found by the U.N. weapons inspectors currently working in Iraq. Bush wants to invade Iraq ASAP, and to hell with world opinion, our allies, and the U.N. North Korea has kicked out all of the nuclear weapons inspectors from their country and is actively moving fuel rods out of storage and to a reactor, and is threatening to build nuclear weapons for use against South Korea, the U.S., and Japan. Bush is downplaying North Korea’s standoff and says he is seeking a diplomatic solution. This is second page news compared to the Iraq situation. So the thing I don’t understand is: Has this screwed-up set of priorities arisen out of pure greed, or pure stupidity? Perhaps both? Yes, Saddam Hussein is an asshole. But he is not stupid enough to launch an attack against the United States. He knows that any American response to an attack would be overwhelming. There is weak justification for war here, where containment would do just fine. However, North Korea is being run by a bona-fide psycho, Kim Jong Il, and I wouldn’t put it past him to launch missile attacks on South Korea, Japan, and any U.S. territories within reach. Kim Jong Il lives in a fantasy world. I think that our national efforts should be on disarming this freak instead.
If you are fed up with security problems with Microsoft, you should seriously consider using a Mac. As a former webmaster for Xcert, RSA Security, and Certicom, I find the overall security experience on Mac OS X to be far superior to my experience on Windows. Mac OS X security is built on OpenBSD, which is one of the most secure operating systems out there; and having that as the foundation goes a long way towards ensuring that I am running a secure computing environment. But don’t take my word for it…
In the meantime, Schneier said he was thinking of switching from Windows to the Macintosh platform because of all the security issues. “My wife has a Mac and she doesn’t worry about viruses, trojans, leaks…, ” he said.
A Consumer Reports survey last year found that virus infection rates on Macs are half what they are on Windows, noted Smith. “Is that because Macs are safer? I think the answer is yeah.”
I have trouble believing that Macs were half the infection rate of Windows. I think it is more like one tenth. I haven’t seen a Mac virus since working at the NEC computer lab back in 1995.
Also, Kevin Mitnick recently mentioned on his return to the Internet that he was interested in getting a Mac. I believe he was given a PowerBook by Steve Wozniak soon thereafter. For those of you who don’t know Kevin, he did some excessively hard time for breaking into some corporate networks, and he now works as an information technology security consultant.
I just get sick of hearing day after day in the news about how much Microsoft Windows is a complete failure when it comes to security, and yet somehow they are still 90% of the operating system market. Outlook viruses… SQL worms… network security holes… There is a better way. You have choices.
I was deeply saddened this morning to learn about the Space Shuttle Columbia loss and the loss of its seven crew members. I have always been fascinated by space exploration since I was a kid. I can remember watching the first shuttle liftoff. I can remember watching the Challenger disaster, like it was yesterday. I used to watch for shuttle and satellite orbits with my telescope and sky binoculars in the evenings, in-between spotting planets and Messier Objects, and even began my college career intending to major in astronomy before switching to music. To this day I frequent the NASA website and several other websites based on astronomy and physics. So what happened this morning to Columbia was for me very troubling. I do hope that NASA looks forward from this tragedy to the next milestones, the next advances, and the next generation of space exploration. We have a lot to be proud of so far, and there is a big universe out there waiting to be discovered.