Anyone could be:
- An administrator of the sender’s or the recipient’s email server
- A hacker who breaks into an email server
- Someone in a coffee shop eavesdropping on network traffic
- A government that doesn’t guarantee privacy of its citizens’ communications
- The United States government
The United States government?
Yes. Congress passed the 1986 Electronic Communications Privacy Act well before email communications were prevalent. The act treats any electronic communications stored on servers older than 180 days as “discarded” and therefore not private. Although the U.S. Constitution’s Fourth Amendment offers citizens protection from “unreasonable searches and seizures”, the ECPA has been upheld in recent court decisions simply because Congress hasn’t updated it to account for today’s electronic communications.
This post isn’t about government conspiracy theories, but I provide the ECPA example so readers understand that privacy isn’t guaranteed even by the U.S. government with regard to email. Certificates provide a means to protect email privacy and safeguard against fraudulent messages.
To make reading more digestible, I’ve broken this post into multiple pages that explain how certificates work, mixed with how to use them.
- Page 2 – How do certificates help me?
- Page 3 – Request and install a certificate
- Page 4 – Web of trust
- Page 4 – Add a certificate to an email account
- Page 5 – Certificate of authenticity
- Page 5 – Signing an outgoing message
- Page 5 – Verifying authenticity
- Page 6 – For your eyes only
- Page 6 – Enabling encryption
- Page 6 – Distributing the public key
- Page 6 – Sending an encrypted message
- Page 7 – Revoking a certificate
- Page 8 – Recap