Recommendation for a new feature

Hello,

I am a software developer with an IT security background.

I love what your organization does, i.e. protecting users against IT vulnerabilities and giving free SSL to website owners.

Since you are a well-known Certificate Authority, I recommend that you also provide free S/MIME certificates to users. Many businesses, especially start-ups, cannot afford the best cybersecurity experts or equipment, resulting in a higher risk of breaches and vulnerabilities.

With the rising number of viruses using email to infect users and entities, the need for S/MIME and the protection it offers has become crucial; hence my recommendation.

I am happy to discuss further if needed.

Best regards,

4 Likes

I totally agree with you; and would be willing to devote real time and resources into such an effort.
To me, this just seems like a continued missed huge opportunity by those that could champion it for much needed encryption, authentication, and repudiation - where it now hurts the most (emails).

In fact, I was up late last night/this morning researching and testing how to use Microsoft PKI for S/MIME. So far it hasn't been very fruitful :(
The cheapest S/MIME certs I found online are $55 for 3 years per user.
So a small (50-user) email business would cost $2750 [$76/month (36 months prepaid)], and that would not even include automated renewals.

4 Likes

Look at the date and time:


3 Likes

These outrageous prices make me sick!
Someone really needs to take this seriously:


Those prices are PER USER!

2 Likes

For what it's worth, I actually know of one CA providing free S/MIME certificates:

https://extrassl.actalis.it/portal/uapub/freemail?lang=en

There's a catch though: AFAIK, you cannot send your own CSR. They generate the cert + key and send it to you. That's extremely far from best practice... (Note that they're still bound by their own CPS, which clearly states that key material is not retained by the CA.)

The certificates are valid for 1 year, are issued to anyone who can demonstrate control over an email address, and currently chain up to Actalis Authentication Root CA, which I believe to be in trust stores - Mozilla/NSS seems to trust them.

I haven't yet tried what happens after the 1 year expiry, but given that this looks like it has been around for a while I presume I can simply generate new certs after that.

Still, this is far from ideal and I would definitely like to see activity in this area from more CAs - especially Let's Encrypt's involvement would be interesting, but it's a long road.

4 Likes

This has been suggested before, you know:

And, I suspect, many other times

4 Likes

Well it is true.
They do offer FREE S/MIME certs for one year [we'll see how the renewal goes].



But, as mentioned, they create the entire cert for you.
And then send you a PFX file and the password to it via email.
So... anyone with that password and that file can get the same private key you hold.
[plenty of people that work for or with their company may have enough access for this]
OR... anyone with a copy of that file can likely break the password and also get the same private key.
As both the lock and the key were sent via email, it leaves very little for the security conscious to feel good about.

I applaud them for their intentions and for doing what no one else wants to do these days (for FREE).
But I must criticize them for their lack of a truly secure implementation.

5 Likes
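The two posts above turn on the same point: when the CA generates the key pair and mails a PFX plus its password, the private key has already been exposed in transit. The alternative they contrast it with is to generate the key locally and hand the CA only a CSR. The script below, an added example that is not from this thread or from Actalis, does exactly that with OpenSSL; it assumes `openssl` is installed, and the address `alice@example.com` and output paths are placeholders.

```shell
#!/bin/sh
# Added example: generate an S/MIME private key and CSR locally so that only the
# public half (the CSR) is ever sent to the CA. Assumes OpenSSL is installed.
set -eu

# make_smime_csr EMAIL OUTDIR
# Writes OUTDIR/smime.key (private key, never leaves this machine) and
# OUTDIR/smime.csr (the request to submit to the CA). Prints the CSR path.
make_smime_csr() {
    email="$1"
    outdir="$2"
    mkdir -p "$outdir"
    umask 077   # key file is created owner-readable only
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
        -out "$outdir/smime.key" 2>/dev/null
    # Mail clients match a certificate to the sender via the rfc822Name SAN,
    # so the address goes in subjectAltName and not only in the subject.
    cat > "$outdir/smime.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $email
emailAddress = $email
[ext]
subjectAltName = email:$email
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
EOF
    openssl req -new -key "$outdir/smime.key" -config "$outdir/smime.cnf" \
        -out "$outdir/smime.csr"
    echo "$outdir/smime.csr"
}

# csr_email_ok CSR EMAIL
# Returns 0 if the CSR's self-signature verifies (proof of possession of the
# local key) and it carries EMAIL as an rfc822Name SAN; otherwise returns 1.
csr_email_ok() {
    csr="$1"
    email="$2"
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$csr" -noout -text | grep -q "email:$email"
}
```

The CA signs the CSR and returns a certificate; the `smime.key` file stays where it was generated, so nothing equivalent to the mailed PFX ever exists.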

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.