There are quite a few freely (or cheaply) available tools that help you communicate and collaborate securely. Here are some:
Comodo offers free S/MIME email certificates.
MailDroid Pro is an excellent IMAP personal mail client for Android with S/MIME support. It also supports OAuth and Multi-Factor Authentication for Gmail, Outlook.com (formerly Hotmail/Live.com) and Yahoo.
Nine is an excellent Exchange Web Services/Exchange ActiveSync client for Android with S/MIME support.
Mozilla Thunderbird is a free cross-platform desktop email client with S/MIME support. It also supports OAuth and Multi-Factor Authentication for Gmail.
Secure Web Hosting
Let’s Encrypt is a free, automated web site SSL certificate authority.
Certify is a Let’s Encrypt GUI client for Windows and IIS. And SSL For Free is a very user-friendly web front end for requesting and managing Let’s Encrypt certificates.
Here’s a useful guide for setting up Let’s Encrypt for Apache on Ubuntu. (PDF)
GlobalSign offers a very comprehensive SSL server test.
Google hosts a Certificate Transparency project query tool so you can see certificates issued for any given hostname.
Secure Software Development
- K Software is a re-seller of discounted Comodo code-signing certificates. They also offer a Windows GUI tool called kSign that simplifies signing and timestamping files using either SHA256 or SHA256 and SHA1 for legacy OS support.
- Here’s a useful guide for setting up a code-signing certificate in Visual Studio. (PDF) – If you’re using Windows 10 Pro Anniversary Update and have BASH for Windows installed you can use its built-in openssl command instead of the Cygwin one mentioned in the guide. Using kSign does not require the steps in this guide. You can compile your apps as normal in Visual Studio and then sign them afterwards in kSign with the unmodified certificate file you received in the certificate delivery process.
- DigiCert also provides a convenient Windows GUI code signing tool.
In order to ensure that your signed apps remain valid after the signing certificate expires, you need to timestamp them. The kSign tool does this automatically but you can also do it yourself with the signtool.exe command line utility from the Windows SDKs. You’ll need to provide a timestamp server address to the command. Here is a list of a few RFC 3161 compliant timestamp servers run by major Certificate Authorities.
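As an added example (not from the original post or from kSign), here is how the signtool.exe approach described above looks when you dual-sign for legacy OS support and timestamp each signature, then verify the result. It assumes signtool.exe from the Windows SDK is on PATH; the certificate path, target file and timestamp server URL are placeholders you replace with your own values (the page links to a list of RFC 3161 servers but does not name one).

```powershell
# Added example, not from the original post. Dual-sign an executable with
# SHA-1 (legacy OS) and SHA-256 (current Windows), RFC 3161-timestamp both
# signatures so they stay valid after the certificate expires, then verify.
$CertPfx     = 'C:\certs\codesign.pfx'            # hypothetical path to your code-signing PFX
$Target      = 'C:\build\Setup.exe'               # hypothetical file to sign
$TsaUrl      = 'http://timestamp.example.invalid' # placeholder: use an RFC 3161 server from your CA's list
$PfxPassword = Read-Host 'PFX password'           # prompt rather than hard-coding the password

# 1. Primary SHA-1 signature with an RFC 3161 SHA-1 timestamp.
#    Only needed if you must support older Windows versions that cannot validate SHA-256.
& signtool.exe sign /f $CertPfx /p $PfxPassword /fd sha1 /tr $TsaUrl /td sha1 $Target
if ($LASTEXITCODE -ne 0) { throw "SHA-1 signing failed" }

# 2. Append (/as) a SHA-256 signature with its own SHA-256 timestamp.
#    Without /as, signtool would replace the SHA-1 signature instead of adding a second one.
& signtool.exe sign /f $CertPfx /p $PfxPassword /as /fd sha256 /tr $TsaUrl /td sha256 $Target
if ($LASTEXITCODE -ne 0) { throw "SHA-256 signing failed" }

# 3. Verify every signature (/all) under the default Authenticode policy (/pa).
#    Verbose output (/v) shows the signer chain and the timestamp for each signature,
#    which is what you should check before shipping.
& signtool.exe verify /pa /all /v $Target
if ($LASTEXITCODE -ne 0) { throw "Signature verification failed" }
```

Skip step 1 entirely if you do not need legacy OS support; a single SHA-256 signature with a SHA-256 timestamp is sufficient for current Windows versions.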
Tharr Be Monsters (a cautionary tale)
In my hunt for ever cheaper web hosting SSL certificates I stumbled upon a CA called StartCom who issues free 3-year SSL certificates under the StartSSL brand. I requested one and tried it out, but Chrome and Firefox kept throwing up errors about the test site. After a bit of searching I discovered I was not alone in my issues with the cert and the reason was that Google, Mozilla and Apple have all blocked or distrusted StartCom (and its new Chinese owners WoSign) in their respective browsers. StartCom is aware of this of course, but had no problem purporting to issue me a valid certificate. The moral here is test, test and test before using a new security product in a production environment. Keep your wits about you, and if it sounds too good to be true (free certs with 3-year validity), it probably is. Happy hunting.
Once you’ve signed your apps you should submit the executables and installer packages to popular anti-virus companies for whitelisting so as to prevent false positive malware detections.
Kaspersky – The requirements for their whitelisting program appear more strict than others, but if you fit the bill, have at it.
McAfee – Their requirements are also stricter than AVG and Avast so, as above, your mileage may vary.
Symantec has discontinued their whitelist program but they offer a link to dispute a false positive.
You should also submit your app to VirusTotal for it to be automatically fingerprinted and scanned by over 60 anti-virus scanners. This won’t whitelist your app, but it will establish credibility if someone later submits your app to be scanned. It will also let you know if any scanners find a false positive so you can have it rectified.
Useful OpenSSL Commands
To convert from PFX to SPC/PVK Pair
# 1. Extract the private key from the PFX (unencrypted, so protect key.pem)
openssl pkcs12 -in cert.pfx -nocerts -nodes -out key.pem
# 2. Convert the PEM key to PVK format (-pvk-strong encrypts it with a passphrase)
openssl rsa -in key.pem -outform pvk -pvk-strong -out key.pvk
# 3. Extract the certificate chain from the PFX, without the key
openssl pkcs12 -in cert.pfx -nokeys -out temp.pem
# 4. Wrap the certificates in a DER-encoded PKCS#7 bundle, which is the SPC format
openssl crl2pkcs7 -nocrl -certfile temp.pem -outform DER -out cert.spc