
[Security] Analysis of the S/MIME ecosystem

Formal Metadata

Title
[Security] Analysis of the S/MIME ecosystem
Subtitle
How ACME for S/MIME improves Privacy and Efficiency of encrypted emails
Alternative Title
Analysis and Improvement of the S/MIME Certificate Ecosystem: How ACME for S/MIME improves Privacy and Efficiency of encrypted emails
Title of Series
Number of Parts
798
Author
Contributors
License
CC Attribution 2.0 Belgium:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
Language

Content Metadata

Subject Area
Genre
Abstract
We present an evaluation of all existing vendors of S/MIME certificates. We analysed the vendors' offerings for their usability and privacy by measuring the time from zero to certificate as well as their privacy policies. We find that none of the ten vendors provides a satisfactory offering. We finally sketch a way forward through ACME for S/MIME and present a prototypical implementation for Thunderbird. We bought certificates from all ten vendors of S/MIME certificates with their CA in Mozilla's Trust Store. For each vendor, we recorded the procurement process and analysed the time and clicks needed, the number of requests and their sizes, and the number of privacy-invading third-party requests. Further, we checked the privacy policies and adjacent documentation to count the number of words and analyse the readability of the necessary documents. Our results suggest that the market does not provide a satisfactory solution. The vendors either control your secret key, invade your privacy with well-known third-party trackers, or require a PhD to read their privacy policies. Some vendors did not even manage to create a valid certificate. The best way forward is to establish ACME for S/MIME, which allows for a (n)one-click solution. We have created a prototype to show that this is technically feasible.