Due to "defect" in the design of the email system, the email sender’s name and email address can be forged or can be written arbitrarily, which leads to the flooding of a large number of spoofing emails, and makes all types of fraud and phishing emails be disguised as real-identity emails. These emails have made users impossible to defend them effectively and many users have been impacted negatively in various ways. Different types of the “Email Gate” incidents happen frequently, resulting in the loss of property, reputation and even endangering the society security. Email fraud has become one of the major public security issues of the global Internet, but there has been no good solution for this.
As shown in the figure below, this left screenshot is a fake HSBC Bank email, the sender email address is a correct HSBC Bank domain. The right screenshot is a fake Bank of America email, and the sender email address is also a correct domain. Therefore, normally most of users cannot recognize that this is a spoofing email. The URL of the bank website displayed in the email is correct as well, but once the user clicks the link in that email, the user will be redirected to the website of the counterfeit bank. Of course, the website of the counterfeit bank looks same to the website of the real bank, and another way to recognize the website of the counterfeit bank is to check the URL of the website and to find whether the website deployed an SSL certificate. However, some counterfeit websites have SSL certificates as well, and some browsers display the counterfeit websites are secure, which is very dangerous.
The problem of fraudulent emails had harmed many email users worldwide, and it is continuing every day. This Internet security hazard must be resolved as soon as possible! In fact, this problem can be completely solved by digital signature technology. It is to use S/MIME standard to digitally sign each email with an email certificate, so that each email is accompanied by a digital ID, which not only guarantees the content of the email will not be tampered with illegally, and it can ensure that the email address of the sender cannot be forged, and can clearly display the authentic identity information of the email sender, so that the user can identify whether it is a fake identity email at a glance, thereby completely solving counterfeiting email fraud problem.
But why has such a good technology not been widely used to solve the problem of email fraud? Because the threshold for using S/MIME technology is too high, not only the user's email client software is required to support S/MIME standards, but also the user is required to apply for a S/MIME email certificate from a CA, and the user is required to install the email certificate to all devices, and the email certificate can be configured correctly, and know how to send digitally signed email. That is to say, to realize the use of email digital signature technology to solve the problem of email fraud is definitely a time-consuming, laborious and costly hard work that ordinary users cannot complete.
MeSign R&D team start to research on how to make S/MIME signature and encryption easy to be used as early as 2015. In order to ensure that users can send signature emails just like sending cleartext emails, but also to facilitate users to use any device to send signature emails anytime, anywhere, without having to spend time and effort to apply for email certificates or import already-applied email certificates. The problem of automatic certificate application and automatic configuration must be solved.
MeSign’s solution is to split the one S/MIME email certificate into two certificates (one signing certificate and one encrypting certificate). The encrypting certificate private key is generated, securely encrypted, and hosted in MeSign Cryptography Infrastructure (MCI). After the user has been validated the email account, the encrypting certificate key can be auto-retrieved from the cloud MCI and used for decrypting the emails automatically, so that the user does not need to applying for the certificate and importing the certificate manually, which perfectly realize the email encryption and decryption automatically. The signing certificate has the user's identity information, so the user's signing behavior has legal effect. Therefore, the signing certificate key is generated on user’s local device and securely stores the key on the local device only. This is why the serial numbers of the user’s signing certificates from the different devices are different.
MeSign Technology splits a traditional email certificate into two certificates and adopts different key management methods according to the two different key usage of signature and encryption, which perfectly solves the ease of use of the S/MIME email encryption. At the same time, it inherits the characteristics of non-counterfeiting, non-forgery and non-repudiation of S/MIME email signatures, which makes S/MIME email signature technology truly seamless and can be used without any cryptography knowledge. Users do not need to care about how to apply for an email certificate and how to use the certificate, just write the email as usual and click send that it will be automatically sent as a signature email, automatically bind a digital identity to each email, and effectively solve the problem of email fraud.
MeSign Technology has finally overcome all the difficulties of email signature and email encryption taking for more than 4 years. We have built a secure and reliable cryptography infrastructure, and we share these facilities with all MeSign users worldwide, so that everyone can implement S/MIME email signature and encryption, meet all compliance requirements and solve the problem of email fraud without investing on these expensive facilities.
As shown on the below figure, MeSign Cryptographic Infrastructure consists of seven service systems: MeSign Certificate Authority (MCA), MeSign vCryptographic Key Management System (MKM), MeSign Public Key Exchange System (PKE), MeSign Certificate Revocation Status System (MCR), MeSign Identity Validation System (MVS), MeSign Timestamp Service System (MTS), MeSign Digital Signature Service System (DSS). These service systems in cloud work together with MeSign APP (email client APP) to constitute the "Cloud" and the "Client" collaboration system to provide the secure and reliable email encryption and digital signature service automatically for worldwide users. In other words, MeSign APP is not a traditional independent email client software, it is a user-oriented service agent which not only let users handle their own data locally to protect privacy, but also let users utilize the powerful cloud service for automatic email encryption and digital signature.
In other words, the reason why MeSign APP can fully automate email digital signature and encryption is that MeSign completely solve the cumbersome certificate application and usage issues. It makes users can obtain signing certificate for sending signature emails anytime, anywhere on any device. MeSign Technology completely make the S/MIME email digital signature and encryption simple and easy, so that users can use MeSign APP to send encrypting emails and signing emails easily. MeSign APP has already been implemented successfully in 171 countries and regions around the world. MeSign Technology makes every email has a digital trusted identity, to avoid email fraud completely. At the same time, displaying the authentic identity validated information of the email sender is very important for the business email communications without face-to-face communications, which can effectively enhance the online trust and promote more business cooperation.
The implementation principle of the email signature technology is shown in the figure below. The sender signs the email with the private key of the signing certificate (can encrypt this email at the same time). After receiving the signed email, the receiver will use the sender’s public key of the signing certificate to verify whether the signature is valid. If the signature is valid, which can effectively prove that the user's email is not a spoofing email address, and the identity information displayed on the signature is trusted.
MeSign APP not only realizes to digitally sign each email automatically, but also realize to timestamp each outgoing email to provide trusted time proofs for the email sending event automatically. This timestamp information can be used as law evidence that the sending time of the email cannot be tampered with and non-repudiation. Just as postal mail must be postmarked, sending e-mails should also be timestamped. MeSign provides free and reliable timestamping services for MeSign APP users worldwide.
As shown in the figure below, if the HSBC Bank use their own signing certificate to sign an email to all bank users, users can easily know that the email is indeed sent by HSBC Bank (Because the MeSign APP will show the identity is trusted). It is impossible for the counterfeit bank email to get a signing certificate bound to the HSBC Bank's domain email address, so the counterfeit bank email can only be sent without digital signatures. The bank only needs to tell their users that any email without a digital signature of the bank is a spoofing email, and the user will not be deceived. Therefore, the MeSign APP makes users identify the fraud emails easily and effectively!
MeSign Technology provides basic email encryption and digital signature service for free in Free Edition. MeSign APP auto-configure an email signing certificate for free that only validate the email address control, to provide users with a basic level of email signature service to ensure that users' email content will not be tampered with illegally and to ensure that the user's email address is not spoofed, but the authentic identity of the owner of this email address has not been validated, MeSign APP display V1 signing certificate signed email as “V1 Email Validated, Identity Not validated”, see below screenshot figure 1.
If the user wants to display the full name or organization name on the sent email after the recipients open the email to enhance online trust, the user could buy the Pro Edition service and finish the identity validation as required.
After the individual user passes the identity validation, the MeSign APP will display the V2 icon, the sender's full name and "Identity Validated and Trusted", as shown in the figure 2 below. After the organization user passes the identity validation, the MeSign APP will display the V3 icon, the sender’s organization name and "Identity Validated and Trusted", as shown in the figure 3 below, but it does not display the sender’s name since MeSign only validate the identity of the organization. After the organization passes the validation, if the organization employee has finished the organization employee validation, the MeSign APP will display the V4 icon, the organization employee full name, the organization name, the job title of the employee and the "Identity Validated and Trusted", as shown in the figure 4 below.
In other words, if user purchases the Pro Edition service, not only can the user be automatically configured the identity certificate of the corresponding validation level for free, but also the user can also automatically sign and timestamp every email with the signing certificate. Therefore, with this service the email receiver can recognize the sender's trusted identity at a glance to avoid being deceived. It is very important for business email communications without face-to-face communications before, which can effectively enhance the online trust and get more business cooperation. If all email users can correctly identify the true identity of the email sender using MeSign APP, then it is impossible for the user to be fooled after receiving the email fraud, because fake email cannot be signed by the authentic identity’s signing certificate.
MeSign Pro Edition service provides the following 10 services and functions:
MeSign Business Pro Edition service is charged according to the number of email address. The package price includes 10 employees automatically configure the Organization Employee Certificate containing the employee name, title, organization name, province/state, city, and country, and automatically configure the publicly trusted Vp Email Certificate, you can buy more according to the number of employees when purchasing the service. These certificates are assigned by the organization account administrator manually or automatically. At the same time, it automatically configures Organization Email Certificates for other employees for free, without limiting the number of email address and the number of employees. Welcome to purchase the Business Pro Edition service.