Setting up your Digital Signatures
shadmego
10-19-2006, 09:53 PM
I am huge into email security. Being an Information Security student, looking for professional work, it is my job to think security. Something that everyone can do that is relatively simple is to create a digital signature for their email address and use it to sign/share/encrypt emails from prying eyes and man-in-the-middle attacks.
Most larger companies require it of their employees and even set up their signature and manage it on their own servers.
Something I love about Hostmonster is the ability to create, and manage digital keys for all your site's email addresses. You can do this in Thunderbird as well (for free). Outlook and OE only use PGP, which is a paid service. I think they have a free trial, but it only lasts 30 days.
Hostmonster, Thunderbird, and other entities that allow for digital signatures use what is called OpenPGP and a component set called GnuPG.
If you go to your CPanel XP main page and click the main email link on top, at the bottom of the list of options for email is the OpenPGP link. Click that and follow the directions and links to create your very own signature, compliments of Hostmonster.
Once created, you can download your keys and install them in Thunderbird, or attach them to your email account through the web interface. You have to use Horde to do this as SquirrelMail does not support digital signatures (at least not with Hostmonster).
Something you will want to note is that to use your digital signatures through the web interface, you have to have a secure connection (SSL). After you log into your "domain.com/webmail" interface, click the "Click for secure site" link at the bottom of the table. You are ready to proceed to Horde and digital signature bliss.
Click on the Options link in Horde (Left side menu) and follow the Mail link. The last option in the page that displays is PGP Options. Once there, it is a matter of following the onscreen instructions and voila!! You are ready to rock-n-roll!
Send an email to all your friends and associates with your public key attached. Tell them to create their own and then you can start encrypting emails, resting comfortably at night knowing your email is safe.
I'm willing to answer any questions you might have in this process. Respond here, or send me a Private Message.
~Kindest Regards
Shadmego
hoster
12-03-2006, 11:54 PM
Is OpenPGP needed if you're only viewing your email through the web interface such as https://www.mysite.com/webmail/?
Is this already secure enough with the SSL in place?
enoobz
12-04-2006, 08:21 AM
Hello shadmego,
How to download the keys that I have created in HM Cp and install them in my Thunderbird?
Thanks.
shadmego
12-05-2006, 08:02 PM
> Hello shadmego,
> How to download the keys that I have created in HM Cp and install them in my Thunderbird?
> Thanks.
I used Mozilla and opened two "tabbed" windows. Once I created the keys through the CPanel interface, I just did a "copy-paste" into Horde. If you have them downloaded to your computer, you can still install them into Horde by the same method.
regards
shadmego
12-05-2006, 10:46 PM
> Is OpenPGP needed if you're only viewing your email through the web interface such as https://www.mysite.com/webmail/?
> Is this already secure enough with the SSL in place?
OpenPGP is software that creates digital signatures (or keys) for use with your email. SSL is used in conjunction with digital certificates.
The difference between the two is:
SSL (digital certificates) are used to secure websites (pages). Most often for keeping purchase or other personal information away from prying eyes by encrypting the communication from the client browser (you) to the server (the website). A digital certificate has a website name (www.domain.com (http://www.domain.com)) attached to it.
Digital signatures are more private in nature as they are used to help authenticate and encrypt email communication. Most often, digital certificates have an email address (username@domain.com) attached to it. It helps with non-repudiation (a way of determining the authenticity of an email - it came from whom it says it came from and says what that person wrote).
I hope that helps clear things up a bit. Ask away if you have any other questions!
regards,
Shadmego
whiteradish
09-07-2008, 05:29 AM
Hostmonster Does not provide this service anymore ... :-( .
shadmego
09-07-2008, 06:56 AM
> Hostmonster Does not provide this service anymore ... :-( .
This statement simply is not true. I wrote this thread way back in 2006 and back then, Hostmonster was using a different CPanel version.
To update this tutorial for the current CPanel version and theme (CPanel 11 I believe), you will find the scripts to create your own digital signatures in the Security Tab. In there is a link called GnuPG. This link is where you will fill in the required information to create your own digital signature.
~regards
whiteradish
09-07-2008, 07:52 AM
True,
My mistake, I did contact the support via live chat and asked them about it.
They told me they did remove the feature :-)
Glad to hear that the guy in front of me was wrong.... and somehow it is a clue about the reliability of this so-called live support now.
marc [4:07:37 AM]: Hello,
I can not find the OpenPGP link on the cpanel anymore. Did you remove this feature? Same for horde
Dawson [4:08:01 AM]: Yes, we have removed it.
[4:08:04 AM]: What's your domain?
marc [4:08:31 AM]: ************
Dawson [4:11:17 AM]: How can I help you?
marc [4:12:15 AM]: :-) just answered your question about the domain, is it possible to install a key? i see that the link in horde has been removed as well
Dawson [4:14:56 AM]: A key for what?
marc [4:15:04 AM]: OpenPGP
[4:15:56 AM]: Simply need my emails to be digital signed
[4:18:43 AM]: are you there
[4:18:46 AM]: ?
Dawson [4:19:31 AM]: We don't provide that service, I'm sorry.
[4:19:41 AM]: We don't have keys for OpenPGP.
marc [4:20:26 AM]: So, there is no way to get a secured email?
Dawson [4:21:03 AM]: You can send and receive emails securely, through SSL.
[4:21:15 AM]: But that's a different thing...
marc [4:21:25 AM]: yes, that's the point
[4:22:12 AM]: doesn't protect against identity thieves, spoofing... and that's currently my problem.
[4:22:29 AM]: so, no options at all?
Dawson [4:22:37 AM]: Not from us.
marc [4:23:00 AM]: thank you.
felipe1982
04-09-2009, 11:24 PM
> Digital signatures are more private in nature as they are used to help authenticate and encrypt email communication.
Digital signatures are NOT used to encrypt anything.
Nice post. I came here looking for "why does hostmonster (cpanel) have a means to create GnuPG key pairs?" Now I know why, so you don't have to find, download, install GnuPG (PGP) software just to have your own key pair. Good work HM ;-)
shadmego
04-09-2009, 11:35 PM
> Digital signatures are NOT used to encrypt anything.
Can I inquire as to what you mean by this statement?
In fact, digital signatures can be used to encrypt email.
To be more precise, the two parts of a digital signature (the public and private keys) are used for encryption and/or authentication.
For instance, if Bob uses Alice's public key, he can encrypt an email to her that only she can open (using her private key). Likewise, Alice can use her own private key to authenticate an email to Bob, who in turn uses Alice's public key to verify the message hash created when Alice signed her email.
In the case of authentication, if the email changed in any way before getting to Bob, he will know because the "digital signature" will be invalid. In the case of encryption, if anyone else (say Mel) gets a hold of Bob's encrypted email to Alice, they will not know what is inside the email unless they have Alice's private key.
~regards
I think (and I could be wrong) that digital signatures are slightly different to what you're describing.
I believe digital signatures are used to verify the content of what has been sent not necessarily encrypt it. Encryption keys allow encryption.
Probably just a terminology thing (these things tend to get misused in various places!)
(As I say, could be wrong though!)
shadmego
04-12-2009, 08:13 PM
Yes, r2b2, you are slightly mistaken. Digital signatures are a type of asymmetric cryptography in which two keys (a public and private) are created. These public and private keys are probably what you are referring to as encryption keys, though they can be used in various ways:
1. Typically, digital signatures are used in cases of non-repudiation. This basically means that someone can be certain that an email, or message signed with someone's private key and verified with that same person's public key actually came from them.
Example: If I give you my public key and I sign an email to you with my private key, you can be certain, if no errors occur when you open my message, that the email actually came from me. I also cannot claim I did not send an email that is signed with my key while also claiming my private key has not been stolen.
This use of digital signatures can be used to legally bind someone to an electronic contract because it is the equivalent of a hand-written signature.
2. Not very commonly, digital signatures can be used to encrypt emails. This is done by using someone's public key to encrypt an email to them.
Example: You have my public key again, but this time, you want to send me a message of vital secrecy. Only I should be able to read this message. In this case, you would use my public key to encrypt the message and I would use my private key to decrypt. Only I with my private key would be able to read the message. If someone was sniffing the traffic between you and me and happened to capture the email packets being sent, they would not be able to read the contents of the email unless they also had my private key.
This method of using digital signatures is not very common because there is not a lot of legal footing behind this use of digital signatures.
An interesting thing you can do to get around this is to use my public key to encrypt the message and then sign the encrypted message with your private key. Thus when I receive the message, I can verify you sent it by checking your "signature" against your public key, which I have, and then I can decrypt the message with my private key.
Here is an interesting article from Wikipedia about digital signatures (http://en.wikipedia.org/wiki/Digital_signature). I've spent the last few years studying different aspects of cryptography and information security in general. I'm confident I'm not steering you wrong here, but I am also willing to listen to anyone that thinks I'm wrong.
From reading your comments and the article, I think we're both on the same page - I think it's just the way that I described my thoughts was horribly inaccurate! :D
Thanks for the info - even if we weren't quite on the same page before, I am now!
shadmego
04-13-2009, 04:37 PM
I think when you were talking about encryption keys, you had in mind the public/private key pair I mentioned in my response. I think the confusion, and rightly so, came from not realizing that those keys are what make up a digital signature.
I'm happy to help whenever possible.
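The sign-versus-encrypt distinction debated in this thread, as an added GnuPG example that is not part of any post: Alice's key pair lives in one throwaway keyring, and Bob's keyring holds only her exported public key. The address, messages, paths and function names are constructed, and GnuPG 2.2 or later is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GnuPG 2.2 or later.
# The identity, messages and throwaway keyrings below are constructed.
WORK=$(mktemp -d); A="$WORK/alice"; B="$WORK/bob"
mkdir -m 700 "$A" "$B"

# Run gpg non-interactively against one keyring ($1). "--trust-model always"
# stands in for the out-of-band fingerprint check a real key exchange needs.
g() {
  home=$1; shift
  gpg --homedir "$home" --batch --quiet --yes --trust-model always \
      --pinentry-mode loopback --passphrase '' "$@" 2>/dev/null
}

# Alice creates a key pair and hands Bob only the PUBLIC half.
setup() {
  g "$A" --quick-generate-key 'Alice <alice@example.test>' default default never &&
  g "$A" --armor --export alice@example.test > "$WORK/alice.pub.asc" &&
  g "$B" --import "$WORK/alice.pub.asc"
}

# Signing uses Alice's PRIVATE key; the message stays readable by anyone.
alice_signs() {
  printf 'Invoice 17 is approved.\n' > "$WORK/msg.txt"
  g "$A" --armor --detach-sign --output "$WORK/msg.txt.asc" "$WORK/msg.txt"
}
# Verifying needs only Alice's PUBLIC key; exit status 0 means "unaltered".
bob_verifies() { g "$B" --verify "$WORK/msg.txt.asc" "$1"; }

# Encrypting uses the recipient's PUBLIC key; Bob needs no key of his own.
bob_encrypts() {
  printf 'The vault code is 4-8-15.\n' |
    g "$B" --armor --encrypt --recipient alice@example.test --output "$WORK/secret.asc"
}
# Decrypting needs the matching PRIVATE key, held only in Alice's keyring.
decrypt_as() { g "$1" --decrypt "$WORK/secret.asc"; }

cleanup() {
  gpgconf --homedir "$A" --kill gpg-agent 2>/dev/null || true
  gpgconf --homedir "$B" --kill gpg-agent 2>/dev/null || true
  rm -rf "$WORK"
}
```

Run `setup`, `alice_signs`, `bob_verifies "$WORK/msg.txt"`, `bob_encrypts`, `decrypt_as "$A"` and `cleanup` in that order; `decrypt_as "$B"` fails because Bob's keyring has no private key for the recipient.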