Co-Mail
By Keith Pasley
FOR
Low upfront costs. Simple user interface hides the cryptographic
complexities from users. iKey support makes this service a good choice for
a mobile workforce environment.
AGAINST
Minor form field text translation glitches at the Co-Mail site; no paper
documentation was provided for this evaluation (not that it was really
needed). Needs to add antivirus and more robust enterprise management
capabilities.
VERDICT
Very scalable, great for both low tech and high tech environments,
especially in relation to increasingly security regulated industries.
One of the challenges to the increased
use of encrypted email is the sheer complexity of it all. Designing and
managing a secure email infrastructure includes anti-virus,
anti-spam/content management, secure web mail, DNS protection, and related
policy. However, a potentially high value opportunity that is often missed
by enterprises is the use of encrypted email.
Increased security regulations by governments, a litigious society, high
costs of recovery from cyber attacks, and competitive pressures are some
contributors to recent interest in encrypted email.
The Co-Mail secure mail service, offered by Dublin-based NR-Lab,
provides a web based secure email service that anyone can use. Co-Mail
implements the concept of a virtual server. The virtual server concept
allows for logical partitioning of a physical disk. The logical partitions
are assigned to different users, a sort of apartment house analogy.
The web based user and administrator interface proved to be user
friendly, highly intuitive, and well documented. Security professionals
will be especially interested in the security components employed by the
service.
The Co-Mail service is designed to provide communities of users from
small to larger enterprises the ability to communicate securely via
encrypted email with strong user authentication while maintaining data
integrity. A company email administrator, known as a virtual
administrator, signs up for the service by pointing a browser to the
Co-Mail registration web page. After completing registration and entering
an activation code, a company is ready to begin creating user mailboxes.
Initial email policy configuration is web based and intuitive. Service
statistics can be viewed from the web-based administrative interface, by
both service and by user. Logo / branding is applied by an upload
feature of the administrative interface. Help information is provided in
surprisingly thorough detail. A handy feature for users is the option to
drop a shortcut to the user desktop for easy access.
User registration was a snap to perform, with the administrator or end
user accomplishing mailbox setup in minutes. In both cases the same three
steps are followed: create a new user name, generate the secret keys (via
random mouse movements), and create the user pass-phrase. Managing a
Co-Mail environment was made easy with such simple and efficient steps.
Another handy component of the Co-Mail service is the optional mail
transfer agent, Co-Mail Express. This agent resides on the end-user's PC
to process mail before it is sent to or received from the desktop. It
automatically configures the member's favourite mail client to work with
the company mail system via POP/SMTP, and shows statistics of the user's
communications. Co-Mail Express can also protect, via encryption, any
files on the user's desktop or removable disks.
Co-Mail Express can be configured to download and install in one step.
The application then installs on the user's computer without any
significant user intervention or need for special knowledge; we felt this
was quite effortless. There are two methods for distributing the agent:
the administrator sends the executable as an attachment through the
corporate Co-Mail environment using the included address book, or sends
the file to any discrete email address. Co-Mail provides
customizable user instruction text. This is another helpful element that
makes setup easier while lowering the amount of administrative
busy work.
As for user experience, the uncluttered user interface was easy to
learn and, in terms of capabilities, packs a decidedly strong punch.
Co-Mail provides the user with directly accessible encrypted file storage,
the ability to verify signatures of both the sender and the message, and
the option to save attachments in encrypted form right after downloading,
to automatically open the file after saving, or a combination of both.
The user's private key is used to encrypt or decrypt a file on the
user's computer. However, the private key cryptographic functions reside
on the Co-Mail servers. A benefit of this is, potentially, increased
security through the separation of key and target file. An attacker would
have to subvert the Co-Mail servers that store the users' private keys.
However, a drawback is the potential for wide scale access to secret keys
if the Co-Mail servers that store the private keys are subverted. Private
keys, though, are always transmitted and stored encrypted. Thanks to
airtight security of the Co-Mail application environment, there is a very
low probability of attacker success in this regard.
Additional features include user controlled anti-spam capability, a user
mailbox address book export function, an option to specify a preferred
language (great for businesses with international-based users), and the
usual mailbox user-based administrative housekeeping items. Users are
also assigned on-line file storage space via Co-Mail's secure storage
platform, S-Disk.
Overall, Co-Mail answers the challenge of getting more users
comfortable with using encrypted email as a service. In today's
competitive market, with companies looking for better and more efficient
productivity, the Co-Mail secure email service provides an outsourced model
that takes the cost, and the fear, out of secure email systems. It does this
by providing low upfront costs, fast and simple implementation, no
appreciable user technical expertise needed, flexible branding options and
reliable service. Would you believe that the backend cryptologic framework
is based on server implementations of OpenPGP and SSL?