Thursday, March 16, 2017

S/MIME interoperability videos index

Fossa Team has finished a filming season and is glad to supply our users with a full list of how-to videos demonstrating how to install Fossa certificates and start S/MIME mailing for the following platforms:



We try to follow the same scenario in all videos to simplify understanding:
  • User delivers the PKCS#12 archive (with his private key and certificate, protected by a passphrase) by sending it as an attachment to himself.
  • User installs the PKCS#12 archive into the email client that will exchange S/MIME messages with Gmail.
  • User installs the Fossa Root F1 and Sub F2 certificates, sets Fossa Root F1 as a trusted certificate and ensures that certificate chain validation works correctly.
  • User sends a signed and encrypted S/MIME message between Gmail and the selected email client, demonstrating signature validity and decrypted content (with attachments).
Please let us know if you missed something while configuring S/MIME exchange for the mail clients mentioned above.

Monday, February 20, 2017

Fossa Guard permissions explained.

The permissions Fossa Guard requests often raise questions about why they are needed. Let us explain them in detail.

0. Know your email address
Well, it sounds logical.

1. Compose and send new mail.
Looks reasonable, since we want to compose and send signed / encrypted S/MIME messages.

2. View, manage and permanently delete your mail in Gmail. 
View also looks normal, since we are going to view S/MIME messages. Manage and delete sounds rather intriguing, but it lets us create and keep a single copy of an encrypted S/MIME message in your Sent box when you send it to several recipients. It is your personal copy that you can view, while each of your recipients gets a copy encrypted specifically for him.

3. Create, update and delete labels. 
For your convenience, we create an S/MIME label (if it does not exist) and mark S/MIME messages with it.

4. View your settings (e.g. filters and labels). 
Helps us check whether you already have an S/MIME label.

5. Read and change all your data on the websites you visit. 
This is the #1 reason for questions to us. Fossa Guard requires this permission because it has to download the Certificate Revocation List (CRL) from the URLs discovered in your certificates. The Fossa CRL is accessible at https://fossa.me/crl/f2.crl, by the way. Validating a certificate against the current CRL is a mandatory check according to the specification, and it was introduced in V0.2.1.

One can also read it as a permission to read browser history, but that is not actually the case. There is an interesting and sometimes funny discussion about the right wording for the last permission.


Please do not hesitate to contact us if you need further explanations.

Always yours,
Fossa Team

Thursday, February 2, 2017

Fossa Guard V0.3.1 Interoperability Mission

The new V0.3.1 (aka beta 3) of the free S/MIME solution for Gmail has been released with an Interoperability mission on board. The supported and tested scenarios are listed below:



Sent TO Gmail + FossaGuard from

Mozilla Thunderbird Outlook (desktop) iOS Mail Android CipherMail
multipart/signed OK OK OK OK
signed-data OK
enveloped-data OK OK OK OK
enveloped-data (multipart/signed) OK OK OK OK
enveloped-data (signed-data) OK

Sent FROM Gmail + FossaGuard to

| Format | Mozilla Thunderbird | Outlook (desktop) | iOS Mail | Android CipherMail |
|---|---|---|---|---|
| signed-data | OK | OK | OK | OK |
| enveloped-data | OK | OK | OK | OK |
| enveloped-data (signed-data) | OK | OK | OK | OK |

Documentation and video updates are coming soon ...

With love from Fossa Team 
on Groundhog day, 2017


Friday, January 13, 2017

Fossa Guard V0.2.7 CRL support restrictions

The new V0.2.7 has been released to skip an inaccessible Certificate Revocation List (CRL) during the certificate validation procedure.
Full-featured CRL management has been requested so that the User can tune certificate validation preferences.

Friday, December 30, 2016

Fossa Guard V0.2.6 Preview pane support

The new V0.2.6 has been released to address the following points:

  • Google preview pane support,
  • X.509 v1 certificate support based on VeriSign example.

Happy New Year!
Stay tuned for new Fossa Guard features like iOS Mail and Outlook interoperability.





Monday, December 5, 2016

Fossa Guard V0.2.3 Attachments 1 Mb. Thumbprint vs Fingerprint

The new V0.2.3 has been released to address the following points:

  • Bigger attachments support. The file size limit has been increased to 1 Mb, with a 4 Mb limit in total for all attachments.
  • The passphrase dialog became friendlier, allowing 3 attempts before closing the email.
  • The term fingerprint replaced thumbprint, which (as we discovered on the wiki) is Microsoft specific.
  • Minor typos and bugs have been fixed, such as the accurate display of personal certificate status.



Wednesday, November 23, 2016

Fossa Guard V0.2.2. Call for OCSP support

Fossa Team has updated Fossa Guard to V0.2.2 following reports from our users that the extension hangs while working with certificates issued by cacert.org.

A small investigation was done with the Certificate Revocation Lists (CRLs) available at https://isc.sans.edu/crls.html, and it was discovered that CAcert's CRL is the biggest one, around 8Mb.

It contains certificates revoked since 2002, which looks reasonable only if there are certificates issued for 14+ years that have a high probability of being revoked.

Unfortunately, it is not practical to handle such big CRLs in the browser, so we limited the size of a supported CRL to 512Kb to avoid time-consuming download and decoding.

So it looks like there is a strong request to implement Online Certificate Status Protocol (OCSP) support in new versions of Fossa Guard, making it possible to check whether a single certificate has been revoked or not.
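
The CRL handling described in the V0.2.2 and V0.2.7 posts (a 512Kb size cap, and skipping a CRL that cannot be fetched) is shown below as an added example; it is not Fossa Guard's own code. The function names, the response shape and the sample responses are assumptions, and the CRL decoder is passed in as a callback.

```javascript
// Added example, not Fossa Guard code. All names here are hypothetical.
const MAX_CRL_BYTES = 512 * 1024; // the 512Kb cap described in the post

// Collects response chunks but refuses to grow past the cap, so an oversized
// CRL is abandoned mid-download instead of being buffered and decoded.
function createCappedSink(limit = MAX_CRL_BYTES) {
  let chunks = [];
  let total = 0;
  return {
    push(chunk) {
      total += chunk.byteLength;
      if (total > limit) { chunks = []; return false; }
      chunks.push(chunk);
      return true;
    },
    bytes() {
      const out = new Uint8Array(chunks.reduce((n, c) => n + c.byteLength, 0));
      let offset = 0;
      for (const c of chunks) { out.set(c, offset); offset += c.byteLength; }
      return out;
    },
  };
}

// response: { ok, contentLength, body }, where body is an iterable of
// Uint8Array chunks (a real client would feed these from its HTTP reader).
function intakeCrl(response, limit = MAX_CRL_BYTES) {
  if (!response || !response.ok) return { status: 'skipped-inaccessible' };
  // Content-Length is only a hint: use it to reject early, then count anyway.
  if (Number(response.contentLength) > limit) return { status: 'skipped-too-large' };
  const sink = createCappedSink(limit);
  for (const chunk of response.body) {
    if (!sink.push(chunk)) return { status: 'skipped-too-large' };
  }
  return { status: 'downloaded', der: sink.bytes() };
}

// What the UI may claim: a skipped CRL means "not checked", never "not revoked".
function revocationLabel(result, isRevoked) {
  if (result.status !== 'downloaded') return 'revocation-not-checked';
  return isRevoked(result.der) ? 'revoked' : 'not-revoked';
}

// Constructed sample responses (no network access).
function* filler(count, size) { for (let i = 0; i < count; i++) yield new Uint8Array(size); }
const samples = {
  small: { ok: true, contentLength: 3000, body: filler(3, 1000) },
  understated: { ok: true, contentLength: 100, body: filler(9, 64 * 1024) },
  unreachable: { ok: false },
};
```

The "understated" sample declares 100 bytes but streams 576 KiB, which is why the sink counts bytes even after the Content-Length check passes.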