Safe E-Mailing for Dummies

Citibank is worried about you.

PayPal is peeved and is about to pull the plug on your account unless you take action right now. EBay is perturbed about your latest auction purchase, Visa is fretting that someone may be up to no good with your credit card, and some bank named SunTrust needs your mother's maiden name immediately if not sooner.

Plus, at least a dozen of your friends and colleagues have apparently sent e-mails promising you love, lust, a cool game or access to vital information if you'll just click on the attached file. Yes, it's just another happy day in your spam- and scam-packed inbox.

Happily, help is available. Ciphire Mail, a new and soon-to-be-open-source application, aims to put an end to these sorts of annoyances with strong and user-friendly e-mail authentication and encryption.

E-mail authentication -- confirmation that the stated sender actually sent the message in question -- could make many e-mail hassles fade away, since most scams and computer viruses rely on bogus sender information to lull recipients into a false sense of security. Encryption is also a good idea, given the increasing prevalence of snoopy software.

The Ciphire Mail application, free for individual users, nonprofit organizations and the press, works in conjunction with all standard e-mail programs. It operates almost invisibly in the background, encrypting and decrypting e-mail missives and digitally signing each message to confirm its source.

Ciphire Labs didn't develop new encryption algorithms or authentication methods for Ciphire Mail. The idea was just to make the best existing technology "way easier to use," said Laird Brown, chief strategist for the Zurich, Switzerland-based company.

In close to a month of testing, Ciphire Mail performed almost perfectly on computers running Windows XP and Mac OS X version 10.3, with Outlook 2003, Eudora and the Thunderbird mail clients on the Windows box, and Eudora and Thunderbird on the Mac.

Setup was a snap: Just download and install the client, choose which e-mail addresses you want to associate with Ciphire, enter a password, and the application sets itself up.

Working with the program is just as simple. When two people using the Ciphire client exchange e-mails, the client intercepts e-mail right after the Send button is pressed, and before it leaves the computer. The recipient's security certificate is retrieved at the Ciphire Certificate Directory, security checks are performed, and then the message and any attachments are encrypted with the recipient's key.

Incoming e-mail is also intercepted before it appears in a user's inbox, the message is decrypted (if necessary) and the sender is authenticated using the corresponding certificate from the Ciphire Certificate Directory.

What Ciphire Mail is doing in the background is automatically managing each user's set of public and private cryptographic keys. The public key is sent to Ciphire's servers and the private one is stored on the user's machine. This allows two users to communicate using encryption without having to exchange public keys, as they must do using other e-mail encryption programs. No delays in sending or receiving e-mail were noticeable during testing.

"The difference between Ciphire Mail and other technologies in our zone is the difference between using and learning how to use," Brown said. "And none of this has been done at the expense of security. If anything, we're more secure than the others."