Free Personal E-mail Certificates from Thawte to end soon
Not too long ago, I recommended getting a free personal e-mail certificate from Thawte for e-mail security. It has now come to my attention that Thawte will stop offering Personal Email Certificates on November 16, 2009. This is now posted on the Thawte web-site. According to their web-site, Thawte is offering a free one-year VeriSign Email Certificate for each active Thawte Personal Email Certificate you own as of 24 September 2009. If I remember correctly, those normally go for about $20 US.
Internet Security Sense for Mere Mortals
I was just interviewed by Lisa Diaz of iDiaz Marketing. The subject of the interview was: “Internet Security Sense for Mere Mortals”. The whole interview was conducted on-line using the “Tweeterview” service which uses the Twitter micro-blogging service. You can follow Lisa on Twitter at: @lisadiaz and you can follow me on Twitter @diazconsulting.
This was an interesting experience as each question and answer was limited to 140 characters. Here is a link to the actual transcript at tweeterview.
Here is a transcript of the interview.
LD: Hello, I’ll be interviewing Hector Diaz of Diaz Consulting.
LD: Hector will be telling us about how trust for e-commerce is established through passwords, digital certificates and encryption.
LD: He will also tell you how you can get a digital certificate to secure your e-mail.
LD: Hi Hector, can you tell us about your background?
- I am an IT executive w/extensive experience running multiple data centers in international environments. That includes internet security.
LD: Where have you worked in the past?
- 21 years at Hewlett-Packard/Agilent Technologies and most recently at CaridianBCT, a medical technology company.
LD: OK, so why is security important?
- Trust is a necessary pillar for commerce and in particular electronic commerce. You have to trust the identity of the parties involved.
LD: Interesting. Any other thoughts on trust?
- Yes, you must trust the transaction to be private, that is safe from prying eyes.
LD: Like credit card information?
- Right, credit cards, bank account numbers, SSN numbers and other such data must be kept private and secure.
LD: How do you go about establishing trust? Can anyone do this or is it just for the big companies?
- Basically by setting up the ability to conduct e-commerce that allows for authentication, privacy, and non-repudiation.
- This applies to big companies, small companies, and you as an individual. I’ll explain shortly.
LD: Good! First, how do you define those terms you just used?
- AUTHENTICATION is all about proving you are who you say you are. This applies to both vendors and customers.
- PRIVACY has to do with keeping sensitive information (like credit card numbers) safe from prying eyes.
- NON-REPUDIATION keeps buyers/sellers from lying about legitimately placed orders/shipments. An electronic fraud-prevention paper trail.
LD: About non-repudiation. Do you mean proving you really meant to purchase or transact?
- Repudiate is to deny. A vendor should be protected from someone ordering goods and then refusing to pay claiming they did not place the or..
LD: OK, that helps. Thanks! So, how do you establish your identity on the web?
- Web-sites use digital certificates to establish their on-line identities. They verify identities of individuals upon account creation.
- Vendors buy digital certificates from companies like VeriSign. They provide a branding logo for your site.
- Individuals “prove” their identity when they supply a password. They too can get for-pay digital certificates from VeriSign.
- Free digital certificates are also available from companies like Thawte. They require showing an ID to a notary.
LD: I send emails and make purchases all the time. Why would you want to go through the trouble of doing that as a consumer or vendor?
- W/ a digital certificate you can “sign” your e-mail to prove it actually came from you and was not forged (authentication, non repudia..
- W/ a digital certificate you can encrypt your e-mail to keep it from prying eyes (privacy).
- Modern e-mail clients like Outlook and Mac Mail allow you to use these certificates to secure your e-mail.
LD: So, if I want to send an email to someone with a password, I should consider this authentication system. Right?
- Yes. I would use e-mail encryption to send someone a password in an e-mail.
LD: And if I’m not encrypting my e-mail, does that mean anyone can read it if they know how to hack my email?
- In a nutshell, Yes. No hacking required. System administrators at any site your mail goes through can read your e-mail.
- You should NEVER assume e-mail is private unless it is encrypted.
LD: So, to send encrypted emails, get that taken care of at a site called Thawte?
- At Thawte you can get a digital certificate that will allow you to sign all your e-mails and encrypt e-mails to users who also have certs.
LD: Cool. What is the link to Thawte?
- http://www.thawte.com/
LD: Thanks. One more question about purchases. Does that mean I need a digital certificate to buy with confidence or do e-banking?
- No, those transactions are encrypted “on the fly”. Look for a small padlock or other indicator on your browser.
LD: Thanks. So, the security takeaways here are: “thawte” for emails, “security lock” or “https” for purchases and “Verisign” for vendors. Is ..
LD: ..that accurate?
- Yes. A small clarification, I’d say encryption for e-mail. In order to encrypt, you need a digital certificate. Thawte is a source for that.
LD: Thanks for clarifying. And thank you for taking the time for this Tweeterview.
LD: This digest will be posted on the iDiaz Blog at http://www.idiaz.org/Blog/?p=96 and at the Diaz Consulting Blog at http://hdiaz.org/Blog.
LD: Thank you everyone! This concludes the Tweeterview.






