Menü

Encryption

We try to digitally sign our emails to prove that they really come from us. If you send us an e-mail, you can encrypt it so that nobody can read it in transit.

Digital signatures

If you receive an email from us that is digitally signed, you can be sure that the email has not been changed by anyone in transit and that it was actually sent by us (presumably from our ticket system). We normally use S/MIME signatures.

S/MIME

How exactly you recognise an S/MIME signature unfortunately differs depending on the mail client. Thunderbird displays the label “S/MIME” flush right next to the subject, with a stylised seal next to it. If you click on it, a pop-up appears with the text “This message includes a valid digital signature. This message has not been altered since it was sent.”. The email address must be “fs-coli@cl.uni-heidelberg.de”.

Screenshot of an email from fs-coli@cl.uni-heidelberg.de in the Thunderbird mail client. Flush right next to the subject is “S/MIME”, followed by a stylized seal.
An S/MIME signed mail from the Fachschaft in the mail client Thunderbird.
Screenshot of the same email from fs-coli@cl.uni-heidelberg.de in the Thunderbird mail program. Below S/MIME is a dialog with the following content: Message Security - S/MIME. Message is Signed. This message includes a valid digital signature. This message has not been altered since it was sent. Signed by: (empty) Email address: fs-coli@cl.uni-heidelberg.de Certificate issued by: GEANT Personal CA 4 Button: View Signature Certificate Message Is Not Encrypted. [...]
The pop-up with information about the S/MIME signature in the mail client Thunderbird.

Click on “View Signature Certificate” to get more details about the certificate used to generate the digital signature. For example, you can see the issuer (GÉANT, the European research network) and the automatically calculated fingerprints. You can use a fingerprint to check that the certificate used is really that of the student council: You will need a copy of the certificate that you know for sure belongs to us. Its fingerprints must match those in the email.

You can find our S/MIME certificate in the following GitLab repository: https://gitlab.cl.uni-heidelberg.de/fachschaft/keys

Alternatively, you can also ask someone from the Fachschaft in person to give you fingerprints. Depending on where your anchor of trust lies 🙂

OpenPGP

We not only have an S/MIME certificate, but also an OpenPGP certificate that we can use to sign emails. The idea behind this is the same (i.e. a digital OpenPGP signature confirms to you that the email really comes from us). However, OpenPGP is a different standard, and the issuing process is also different: in order to get an S/MIME certificate, one of us had physically go to the Universitätsrechenzentrum (University Computing Centre) to present a passport. We could just generate the OpenPGP certificate ourselves.

You can find our OpenPGP certificate on the the keys.openpgp.org keyserver or in the repository https://gitlab.cl.uni-heidelberg.de/fachschaft/keys.

Aren’t OpenPGP certificates totally unsafe if anybody can generate them at will?

No. As long as you have checked (e.g. using the fingerprint) that a particular certificate really belongs to the person specified, an OpenPGP signature is just as secure as an S/MIME signature.

S/MIME certificates have a hierarchical structure: Our certificate was authenticated by GÉANT. The GÉANT certificate was authenticated by “The USERTRUST Network” from Jersey City, USA. As long as you (or your operating system) trust one authority in the hierarchy (e.g. USERTRUST), you can also trust all certificates below it. The principle is known as “Public Key Infrastructure”.

With OpenPGP, there is no such certificate hierarchy, so you cannot trust just a handful of selected authorities, but must check each certificate individually. Exception: You know someone you fully trust and who confirms that they have checked a certain certificate. This is similar to S/MIME, except that the fully trusted person does not have to be generally known and trusted. It is enough that you personally trust the person. Someone else, on the other hand, will potentially trust completely different people. The principle is known as the “Web of Trust”.

Both the Public Key Infrastructure and the Web of Trust have advantages and disadvantages. If you want to read more about this:

  • Public Key Infrastructure
  • Web of Trust (German)
  • Fraudulently issued certificates from DigiNotar: Historical incident (2011) in which a certification authority from a public key infrastructure (from which you could have obtained S/MIME certificates) was hacked and issued certificates to fraudsters, which were then automatically trusted by operating systems.
  • Problem with signature spam in the Web of Trust (German): Fraudsters upload hundreds of thousands of nonsense certificates, all of which supposedly authenticate that a particular certificate really belongs to a person. The mass of signatures paralyses OpenPGP clients (and: the hundreds of thousands of certificates may make the key appear trustworthy at first glance, but this is a dangerous misconception).
How can I verify an OpenPGP signature?

You must download the OpenPGP certificate of the Fachschaft to your computer so that Thunderbird can check the signature. As long as this is not the case, Thunderbird will display a message similar to this: “This message contains a digital signature, but there is no guarantee that it is correct.”.

As soon as you have downloaded the certificate (e.g. from the repository or from a key server) and imported it into Thunderbird, Thunderbird will display a message similar to this: “This message contains a valid digital signature with a key that you have already accepted.”.

Screenshot of an email from fs-coli@cl.uni-heidelberg.de in the Thunderbird mail program. Below OpenPGP is a dialog with the following content (translated from German): "This message was signed with a key that you do not have. Button: Search. Non-secure digital signature. This message contains a digital signature, but there is no guarantee that it is correct. To verify the digital signature, you must obtain a copy of the sender's public key. Key ID of the digital signature: [...] Message is not encrypted [...]"
An OpenPGP signed mail from the Fachschaft in the mail client thunderbird, where the certificate has not been imported yet (German).
Screenshot of the same email from fs-coli@cl.uni-heidelberg.de in the Thunderbird mail program. Below OpenPGP is a dialog with the following content (translated from German): "Good digital signature This message contains a valid digital signature with a key that you have already accepted. However, you have not yet verified that the key really belongs to the sender. Key ID of the digital signature: [...] Message is not encrypted [...]"
An OpenPGP signed mail from the Fachschaft in the mail client thunderbird, where the certificate has been imported (German).

Encryption

When you send us an email, you can encrypt it. In this case, the email leaves your computer already encrypted and is only decrypted again in our ticket system. At least in Thunderbird, you need a certificate to be able to use encryption, so that you can sign your mails and we can encrypt mails to you. Theoretically, this is not necessary, but the software requires it. As you can easily generate OpenPGP certificates yourself, we would recommend encryption with OpenPGP.

Please note: We cannot guarantee that we will reply to you in encrypted form (as our ticket system does not enforce this). For confidential matters, it probably makes sense to let us know first that you want to send us an encrypted message, and we will then consider a channel on which encryption can be maintained for the entire conversation.

OpenPGP

We assume that you have already created an OpenPGP certificate. If not, you can do this in the Thunderbird account settings under end-to-end encryption using the “Add key” button.

You then need to import the OpenPGP certificate of the Fachschaft. You can find it either via the keys.openpgp.org keyserver or in the repository https://gitlab.cl.uni-heidelberg.de/fachschaft/keys. Once you have done this, you can send an email to fs-coli@cl.uni-heidelberg.de as normal. Before sending a mail, you can tick the “Encrypt” checkbox in the “Security” menu, and your mail will be encrypted.

S/MIME

It works very similarly to OpenPGP, except that you need an S/MIME certificate and have to import the S/MIME certificate of Fachschaft. Before sending, you can enable encryption in the “Security” menu.

This page (or parts of it) were translated automatically using DeepL.