What is S/MIME and should you use it for email on Windows Phone?

No matter how technically savvy you consider yourself to be, there's always a good chance you will come across something that you just don't know anything about. For instance, a few of us at Windows Central were chatting online, and someone asked what S/MIME is and whether they should enable it in the email settings on their Windows phone.

Having worked in IT for a number of years, I had heard the term S/MIME before. However, I didn't know nearly enough about it to answer the questions. Immediately, we all agreed that it was a good idea for a post. What you now have before you is an attempt to explain what S/MIME is and help guide you in deciding if it is something you should use on your Windows phone.

You may or may not have the option to use S/MIME with your email. If you have a Hotmail or Outlook account on your phone, the option will appear in the Settings section of your email account.

Google and Yahoo accounts do not have these options on Windows Phone. If you are using a business email address through your employer, your IT administrator will tell you whether or not you need to use it.

What is it?

S/MIME stands for Secure/Multipurpose Internet Mail Extensions. Put simply, it is a universal standard for securely signing and encrypting email. It is essentially used to prove that an email came from the person it says it is from.

It works using a unique certificate, a fingerprint of sorts, issued by a third party. That certificate gets recorded in a database, be it a private company's server or a public registry on the internet. When an email is sent using S/MIME, it gets stamped with that digital signature. When the recipient receives the message, the signature gets checked against the sender information to validate that it indeed came from the person it claims to be from.

That same certificate can be used to encrypt email to keep a third party from viewing it. Much like PGP, the email gets encrypted using a "public key" that comes from the recipient's digital certificate. Once sent, the recipient uses their matching "private key," the other half of that pair and protected by a password on their device, to decrypt the message and make it readable.

While identity validation is always part of a message sent using S/MIME, message encryption is optional.

Is it safe?

Since it was developed to be a universal standard of encryption, S/MIME has been put through its paces to ensure that it is an effective method of securing data. However, that same universality makes it a target as well. Finding a way to crack S/MIME would mean gaining access to an untold wealth of information.

However, there is good news. Firstly, in my (albeit limited) research, I could not find any record of S/MIME being breached. Private/public key-based encryption is difficult to crack by its very nature. That doesn't mean that the NSA hasn't secretly found a way to do it though.

Secondly, the forces behind S/MIME have improved it over time. It is currently in its third iteration, which has added measures of protection. There is no sign of that stopping anytime soon.

What's the downside?

Using S/MIME will indeed affect your current email routine, mostly in the form of some occasional added legwork. First and foremost, because it requires validation from a third party, you must obtain a certificate through a Certification Authority. There are many out there that provide certificates free of charge. The certificate expires, usually every year, so you also need to make sure you renew it.

If you are only using the digital signing feature of S/MIME, there isn't much downside. A recipient who has S/MIME set up will get verification that you are the legitimate sender of the email. If they or their email provider do not use S/MIME, they will likely see an attachment on your message named smime.p7s. This lack of support will not cause any issues, other than possible confusion on the part of the recipient.

This scenario is especially common with people who use web-based email services, like Gmail and Yahoo, and read their mail in a web browser. If the account is accessed through an email application, like Microsoft Outlook, the S/MIME signature typically gets decoded correctly.

And if it doesn't, it's not a big deal, because the email was sent in plain text. The recipient just can't be sure that you are the actual sender.

As far as encryption goes, there are a few more hoops. Encrypting an email requires that the person on the other end also uses it. Therefore, if you want them to be able to decrypt your message that uses your private key, they must have your public key. Otherwise, they just get a garbled mess of an email.

Encrypting a message also adds data to that message, increasing the overall size of it. S/MIME encryption typically triples the size of your message. Given that most emails are pretty small, it shouldn't affect you too much. However, it should be taken into consideration when using S/MIME a lot, as it can pile up on a device with limited storage.
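The behaviour described in the last few paragraphs can be checked end to end with the `openssl smime` command: the `smime.p7s` part a non-S/MIME recipient sees, the signed body that is still plain text, the fact that only the recipient's own private key opens an encrypted message, and the size growth. The script below is an added example, not code from the original article or from Microsoft. It assumes an `openssl` binary (1.1.1 or newer) on the PATH; Alice, Bob and `example.invalid` are made-up names, and self-signed certificates stand in for the ones a Certification Authority would issue.

```sh
#!/bin/sh
# Added example (not from the article): S/MIME signing, verification, encryption
# and decryption with the openssl CLI.
# Assumptions: `openssl` 1.1.1+ on PATH; Alice/Bob/example.invalid are made-up;
# self-signed certificates stand in for CA-issued ones.

WORK=$(mktemp -d)
cd "$WORK" || exit 1

# Constructed sample message the sender wants to mail.
printf 'Hi Bob,\nThe contract review moved to Friday. Attachment to follow.\n-- Alice\n' > msg.txt

# Create a key pair and a self-signed certificate for one mailbox.
# $1 = short name used for file names, $2 = email address placed in the certificate.
make_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$1/emailAddress=$2" \
    -addext "extendedKeyUsage=emailProtection" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Sign: the SENDER's private key produces a detached signature; the sender's
# certificate (carrying the public key) travels inside the smime.p7s part.
# $1 = sender name, $2 = plaintext file, $3 = output message file
sign_message() {
  openssl smime -sign -in "$2" -signer "$1.crt" -inkey "$1.key" -out "$3"
}

# Verify: succeeds only if the signature matches the body AND the signer's
# certificate chains to one we trust (here, the self-signed certificate itself).
# $1 = signed message file, $2 = name whose certificate is the trust anchor
verify_message() {
  openssl smime -verify -in "$1" -CAfile "$2.crt" -out /dev/null 2>/dev/null
}

# Encrypt: only the RECIPIENT's certificate is needed; no sender key is involved.
# $1 = recipient name, $2 = plaintext file, $3 = output message file
encrypt_message() {
  openssl smime -encrypt -aes256 -in "$2" -out "$3" "$1.crt"
}

# Decrypt: only the RECIPIENT's private key can open the message.
# $1 = name of whoever tries to read it, $2 = encrypted message, $3 = output file
decrypt_message() {
  openssl smime -decrypt -in "$2" -recip "$1.crt" -inkey "$1.key" -out "$3" 2>/dev/null
}

# Byte count of a file, without the padding some wc builds print.
size_of() { wc -c < "$1" | tr -d ' '; }

# --- Demo run --------------------------------------------------------------
make_identity alice alice@example.invalid
make_identity bob   bob@example.invalid

sign_message alice msg.txt signed.eml
grep -q 'smime.p7s' signed.eml && echo "signed message carries the smime.p7s part"
grep -q 'Friday' signed.eml && echo "signed body is still readable plain text"
verify_message signed.eml alice && echo "Bob, trusting Alice's certificate, verifies OK"
sed 's/Friday/Monday/' signed.eml > tampered.eml
verify_message tampered.eml alice || echo "one changed word: verification fails"

encrypt_message bob msg.txt enc.eml
grep -q 'Friday' enc.eml || echo "encrypted body is unreadable in transit"
decrypt_message bob enc.eml dec.txt && echo "Bob decrypts with his own private key"
decrypt_message alice enc.eml stolen.txt || echo "Alice cannot decrypt her own message to Bob"
echo "plaintext $(size_of msg.txt) bytes, encrypted $(size_of enc.eml) bytes"
```

Open `signed.eml` in a text editor to see what a recipient without S/MIME support gets: the message text in the first MIME part and a base64 `smime.p7s` attachment in the second. Comparing the two byte counts at the end shows the overhead the encrypted envelope adds to a short message.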

Also keep in mind that encrypting email not only keeps out the bad guys, but the good guys too. Attachments in encrypted emails cannot be scanned by anti-malware services, leaving you unprotected until opening them.

Sounds like a good idea. Should I use it?

For the overwhelming majority of ordinary users, there is no need to sign or encrypt everyday email. Any email provider worth its salt uses SSL encryption to transmit data, so you are reasonably protected.

Even if we are sending sensitive information, like tax documents or health records, we may find it easier to password protect the documents or combine them into a password protected ZIP file. This situation is also one of the last places on Earth that fax machines are still useful.

That being said, we are living in a world where more and more data breaches occur every day. If you feel so inclined, S/MIME can help protect your information and maintain your privacy.

S/MIME on Windows Phone

So why the heck is it even an option?

In a word, business. Microsoft is in the business of business and knows that if Windows Phone is going to have any chance in the smartphone wars it is going to have to accommodate enterprise users and technology.

S/MIME is a common component of corporate email, so Windows Phone needs to take that into consideration.

In Summary

S/MIME has been a universal standard for securing email for a very long time, and rightfully so. But most of its usage has been in the business world, not the public realm. Implementing it for your personal email is not overly complicated, but it does present its challenges.

In the end, it's up to you to decide how useful it would be to you.

Have any of you implemented S/MIME in your personal routine? What is your experience?

References: Wikipedia, Microsoft, Mozilla, JustinRummel.com

Seth Brodeur
  • Anonymous!
  • Anonymous aka Old guys in their mom's basement. Sweet!
  • What a ignorant thing to say. You must not know what it stands for..
  • Anonymous never do anything
    They only attack people or groups they don't like on twitter and "hack" those accounts
  • *an
  • Wrong! Facebook users are the basement dwellers, not anonymous, anonymous works on Encyclopedia Dramatica doing it for teh LULZ... Edit: OK, After researching even more I stand wrong, Anonymous, Jewtube, Google+, Facebook and Tweeter users ARE the basement dwellers...
  • Careful whom you mock, my friend.
  • Normally, you encrypt the mail with the recipient's public key and he can decrypt it with his private key. Otherwise anybody knowing the public key could decrypt the mail.
  • Normally, you encrypt the mail with the recipient's public key and he can decrypt it with his private key.
    Yeah, that's how it works at least in the enterprise/domain. I send an email from Outlook, it goes out to the GAL and downloads the recipient's public key. The recipient then decrypts it with their own private key. Not sure how it works outside the enterprise/domain.
  • Thanks for clarifying, I was reading that in the article and wondering, "So... If the key is public, couldn't just anyone decrypt it at the leisure?"
  • That description is incomplete. The mail is encrypted using the sender's private and the recipient's public key.
    The mail is decrypted using the sender's public and the recipient's private key. That's called asymmetric encryption and it is virtually impossible to break. Those who have managed to compromise the encryption have done it through back doors (or by "stealing" the sender's private key) and not by actually breaking the encryption. You can exchange public keys by sending a digitally signed email to your counterpart.
  • It can be broken using the man in the middle attack. 
  • Wincentral@outlook.com is your email address?
  • What would give you that assumption?
  • The picture.
  • Ummm, no. You can name your email accounts. Derp.
  • I really need to look at this website more.
  • Nah he's just renamed that Inbox
  • You can name your account to make it easier to sort out which accounts are which. IE say you have 3 @outlook accounts. they all wouldn't be called outlook. Odds are that's his windcentral business email.
  • They are named after the username
  • You can rename those. Not everybody lives in a default world.
  • Thanks for this very insightful article, Seth! I'd noticed the option but didn't bother to look up what it was for. Now I know.
  • Ahem, Seth wrote it. But he says 'thanks' anyways ;)
  • Oh, I'm so sorry, thanks Seth!
    I must have mixed up the names because you told me earlier that Mark was going to review the Wolfram Alpha apps. :)
  • Great info. I saw that setting two days ago and wondered if its purposes. Thanks.
  • My company requires it and I have been using it since I got my Neo a year ago..
  • Great article! Thank you for doing it!
  • poor NSA, they are always the villains! mentioned in the negative sentences like "That doesn't mean that the NSA hasn't secretly found a way to do it though" I feel bad for them, they only want to protect you. Ungrateful humans... always ungrateful!! Anyway, good article, not like I really cared to try to find out what this feature was about. but it's good for people who need it. I rarely send emails from my phone anyway, usually it's to send work stuff that is easier to do with a computer since I usually have to upload and send stuff through OneDrive.
  • +925
  • even if bad or not its true, that sort of thing is part of their job and whatever exploits or tools they're sitting on, we wouldn't really know.
  • Emi I don't blame you for your ignorance, you probably think Snowden is a bad guy... But check this out seriously, it's a TED talk so hopefully you understand its validity. http://www.ted.com/talks/mikko_hypponen_how_the_nsa_betrayed_the_world_s... (now noticing I can't copy paste from the app, google search NSA TED talk and you will find it if you're not afraid to have your opinion changed)
  • never go full retard.
  • I don't want them to protect me and grab all my personal stuff, there is no need for this but they do it anyway. No offense at ppl who rly protect the ppl (police and so on) but the special agencies are not here to protect the people, they never were and they never will be... that's why they act against the people's will
  • And that's why the OP said you are ungrateful. You always attack what you don't understand... it is human nature, so you are in good company.
  • Great helpful information thanks!
  • Me likes it!! Thanks for the S/MIME 101 tutorial and info!
  • This was like a light to a moth for any nerd in the vicinity :)
  • Your thumbnails are always the best.
  • Thanks for the article, really useful information! I think I'll give this a trial.
  • Didn't MS offer self signing?
  • Mr. Mime
  • I know that..
  • I do not have a use for it at this point but thank you very much for writing this article and explaining its use
  • I've tried to enable this option on my live account (hotmail), but no S/MIME settings? I just have signature (added at the end of each message), autoresponses, etc. Do I have something else to activate on outlook.com? thanks
  • I don't think you need to enable it outlook.com, you enable it on your mobile device.
  • My live.fr (ex hotmail) address is my primary account (Microsoft account). When I go in settings, I only see autoresponses, etc., signature, dark/light theme, but not these settings at all.   I run 8.1.0/Cyan, does this come with GDR1?
  • I have a Verizon 928 still with Cyan but running the latest developer preview build.. whatever that is.  It's there for that.
  • OK thank you. And it's your primary/MS account too, I presume? Anyway, it was more to test it out of curiosity rather than an urgent need.
  • Try scrolling down to the bottom? :P
  • yeah thank you for taking me for a noob lol. Of course I tried that, have you a more clever advice though? ^_^
  • Lol, I didn't take you for a newb. Was simply checking if you tried the obvious :P (old habits die hard unfortunately). You could try making an alias for your primary acct, then making that your primary, wait for the switch and check again. (I doubt this would work though). Have you tried making an outlook.com acct and checked the settings for that?
    If you don't have the s/mime settings then most likely you will need to reflash with the recovery tool, as I doubt you could force the setting without having any sort of root access (for instance I didn't have the "show pictures automatically" option in IE, which was added a while back, until I reflashed Cyan).
  • Seems cryptier.
  • I saw what you did there.
  • Guess he didn't encrypt it. :)
  • LOL
  • The speed at which I read this was...fast.
  • SSL now? I'm not in IT, but isn't SSL encryption what the Heartbleed bug gets past?
  • Only if the server, mail or otherwise, is misconfigured or unpatched.
  • GREAT Article! thank you so much, I am about to get my bachelor's in CIS and I have covered MIME but very quickly, thank you for writing a post and then applying it. CONSIDER; maybe you can write more informational posts such as this one. Find other small tidbits of technology being used on the operating system and explain it and apply it, it would be super awesome and great diversity for Windows Central :) hint hint: stuff like advanced proxy settings under Wifi Sense or maybe explaining settings under internet sharing and the difference between Bluetooth sharing and wifi sharing.
  • S/MIME encryption functionality is rubbish on Windows Phone. It doesn't even seem to do it on the phone, instead it just activates the option on Outlook.com or Exchange for you. They should have made it so you can use it on any email address, just like you can in the Outlook desktop client.
  • For it to work as you describe you still need the recipient's public key. If they don't have one then no encryption. See my post below for a bit more detail on this. As an FYI I have set this up a "few" times including a whole PKI or two or three or four in my time.
  • Only if you want to encrypt mail. S/MIME is also used for verifying the sender (which is how I use it with my IMAP accounts in Outlook desktop).
  • You still need their public key to do verification
  • Which is why the public key is attached to every outgoing email.
  • This article is a bit light on some of the technical details. First, in order for you to exchange encrypted emails you both need a certificate. This certificate, for the purposes described here, creates two things: a private key and a public key. If I have the cert and want to send an encrypted message I need to already have your public key stored with your contact. I create the message and use my private and your public key to encrypt it. You then use my public key and your private key to decrypt it. As stated by someone above, if you are using MS Exchange and Active Directory, me acquiring your public key is automated as it is stored in the GAL (Global Address List). For Joe user, not so easy. These requirements make this generally unusable for most as not many of us have a user certificate that is issued by a cert authority that is publicly trusted like Entrust or Verisign. While "self signed" certs are usable one would still have to "trust" that cert authority. Others have talked about SSL. SSL only encrypts data while it is in "motion". When that data is at rest in most cases it is not encrypted but stored in plain text. The advantage of S/MIME is that the message is encrypted at "rest" and can only be read if the user specifically sent it to you using the methods I have described above with the "public/private" key pair. Personally, I find the oversimplification of this post to almost be a disservice as I imagine it has created a bunch of angst for folks now trying to use it. A much better post would have been to show how to get a cert and to show how you can help your friends get certs. Certs from a proper "root" authority, as it makes things much more user friendly. My two cents......
  • I agree. For most users, encrypting email would be superfluous. How many of us are really worried that an email sent to our mothers was intercepted by a nefarious group? Tax stuff gets delivered to my accountant on an encrypted thumb drive. Sure there should be an expectation of privacy, but after recent events, if you expect total privacy in email, you're dreaming. Even with S/MIME it's still possible to see who the email is being sent to since that by definition can't be encrypted.
  • Yeah I agree. However, I don't think Seth necessarily said anything incorrect. It is just hard to explain public/private encryption and signing in an article like this. And as you said the lack of a GAL is a big issue. Perhaps a link to an external source could have been given. Other than that Seth did a great job, personally I never thought about the anti-virus problem.
  • As you sound like you know what you're talking about, I'd like to know if, for the private/public key pair, I can use my GnuPG generated keys? My friends usually use GPG to encrypt and/or sign emails; it would be nice if we could use it also on WP.
  • No, S/MIME relies on a certificate that is authorized by a certificate authority. GPG only relies on the chain of trust of those that use your GPG key. The two are completely incompatible.
  • It might work. As long as you have exchanged public keys and they are of the correct format you may be able to get this working. Only way to know for sure is to try.
  • BaritoneGuy, I appreciate the criticism and agree that it is a little light on the tech details. This article was not meant to be super in-depth on S/MIME. As I said in the intro, I am far from an expert on it. I researched it for the specific purpose of writing this article. My aim was to give readers enough information to explain the settings on their phones and give them an idea of whether or not it is something they would use. I assure you that it would be more of a disservice if I tried to walk them through the entire process. :)
  • My experience is
    1. Gmail, webmail users who do not know about S/MIME will always ask what that "attachment" is and be scared it is a virus.
    2. Outlook Web Access requires the recipient to install a component to open encrypted email.
    3. When you open an old encrypted/signed email after the certificate expires, Outlook shows a warning red line..., which also scares people. In short, I tried to use it in an office environment and was told NOT to because it is troubling the recipients, which include my boss.
  • Firstly?? Really?? I mean is this a word (firstly) ?
  • Yes it is very much a word. Usually it's used when you're making points.
  • It is indeed.
  • Not sure if want...
  • I leave you IT guys with your things.. I'm a medico
  • Thank you for the information!!
  • I just enabled it yesterday after seeing it under sync settings and I see an article immediately after that. Was this a new feature enabled by MS?
  • Nope, not a new feature, just an eerie coincidence.
  • The only annoying thing is, that S/MIME support is only available for Exchange accounts and that you cannot manually assign public keys to your contacts.
    Oh yes ... Outlook 2013 sucks hard when it comes to S/MIME support for only some of your accounts. The settings are extremely well hidden and very confusing.
  • Tried .cer n .pfx never worked
  • Fax machines are not secure at all.
  • I've had S/MIME enabled as far as I remember(even though I didn't know what it meant).
  • Good article. I don't use my email to send sensitive data so now I know I don't need to use this :-)
  • That same certificate can be used to encrypt email to avoid a third-party from viewing it. Much like encryption programs like PGP, the email gets encrypted using a "private key" derived from the user's digital certificate and a password. Once sent, the recipient uses the sender's "public key," derived the same way, to decrypt the message to make it readable.
    You actually have this backwards. You encrypt with the public key, and decrypt with the private key. That's how PKI works, whether you use PGP or S/MIME. The only difference between the two is that S/MIME uses certificates from certificate authorities, while with PGP/GPG you make your own and they are validated by the people you send the messages to, not validated by a CA. So when you send e-mail to someone using S/MIME, you don't encrypt it with your private key, and they decrypt it with your public key; you encrypt it with THEIR public key, and they decrypt it with THEIR private key. Think about it, if all it took was your public key to decrypt a message, how is S/MIME secure? Your public key can be accessible by anyone, so if it's used for decryption, it's pointless. The way you enable encrypted e-mail with S/MIME is by sending the person you want to communicate with an e-mail that's signed with your S/MIME certificate. If they're using an e-mail client (say, like Outlook for example), that public cert that you used to sign your e-mail with will be automatically added to their certificate repository. Then they send you a signed e-mail (doesn't matter what's in it, as long as it's signed) and your e-mail client automatically adds that public certificate to your e-mail client's certificate store. After that, whenever you want to send that person an e-mail, you encrypt it with their public certificate, and they decrypt it with their own private certificate. The reverse is true if they want to send you an encrypted e-mail; they encrypt with your public cert, and you decrypt with your private cert. If PKI worked the way you described, it wouldn't be functional at all.
  • Thanks for the info. I will adjust the article. Like I said, I was learning as I went along, so there may be mistakes for sure.
  • Glad you updated! Encryption is hard to understand, even I only have a very basic understanding of it.
  • When you send an encrypted message it takes a combination of your private key AND their public key. Both are required. For decryption the reverse happens.
  • Unless you'd like to post a link to back your argument up - no, it doesn't. That's not how PKI works. It encrypts with the public, and decrypts with the private. It does not use a combination of both. Now, it's true that most e-mail clients won't activate S/MIME unless you have your cert, but that has nothing to do with the actual encryption process.
  • Fax needs to die. Password protected files are just as secure, and obviously the very paranoid past what HIPAA regulations recommend can use S/MIME if they want things more secure. I worked in a HIPAA compliant MSP and EHR Support/Vendor Co. and we would not accept faxes, we asked our customers to use secure email or electronic fax (which is essentially f*cking email!).
  • Everybody here is talking about how this system can't be used in any practical way to encrypt mail outside of the corporate network system, ok ... But nobody in all these comments even bothered to see that SIGNING actually IS useful so that the recipient of my e-mail can verify that it was indeed I who sent him an e-mail! The setup for this in the Outlook desktop software is easy: You import your email certificate, enable it on send and voila, the recipient's Outlook shows a new icon next to the mail he received from you which says that the sender is authentic, but... This signing system on Windows Phone, although present as an option if you use outlook.com, just does not work. I have tried it, and it never signs my outgoing e-mails. Did anyone manage to get it working? P.S. You can get yourselves free e-mail certificates from Comodo or StartSSL. It costs zero money for individuals.
  • Answering my own question; it appears that they can be installed using IE by browsing to them and downloading, or via email as mentioned here: http://download.microsoft.com/download/D/B/2/DB2D539D-7F4D-46BC-944B-A69EDA43D975/Windows208%20Certificates.pdf I'll give this a go now.
  • Did you manage to do anything? I have had no problems installing the certificate, but signing does not work. Neither in auto nor manual signing mode.
  • Nope, not working at all. Cert is installed fine but it's not being used when I have it manually selected. I've verified that it does work when sending mail from Outlook 2013 on the desktop through my hotmail account. No idea how to get it working on WP. :-(