Brussels / 3 & 4 February 2024


[Security] Analysis of the S/MIME ecosystem

We present an evaluation of all existing vendors of S/MIME certificates. We analysed the vendors' offerings for their usability and privacy by measuring the time from zero to certificate as well as by assessing their privacy policies. We find that none of the ten vendors provides a satisfactory offering. We finally sketch a way forward through ACME for S/MIME and present a prototypical implementation for Thunderbird.

We bought certificates from all ten vendors of S/MIME certificates whose CA is in Mozilla's Trust Store. For each vendor, we recorded the procurement process and analysed the time and clicks needed, the number of requests and their sizes, and the number of privacy-invading third-party requests. Further, we examined the privacy policies and adjacent documentation to count the number of words and analyse the readability of the documents a customer has to read.

Our results suggest that the market does not provide a satisfactory solution. The vendors either control your secret key, invade your privacy with well-known third-party trackers, or require a PhD to read their privacy policies. Some vendors did not even manage to create a valid certificate.

The best way forward is to establish ACME for S/MIME which allows for a (n)one-click solution. We have created a prototype to show that this is technically feasible.
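The email-reply-00 challenge that ACME for S/MIME (RFC 8823) uses, as an added illustration of the automated flow the paragraph above proposes; this is not the Thunderbird prototype's code. The challenge mail, the account key and the tokens are constructed, and the token concatenation rule and the header checks follow my reading of the RFC rather than anything stated on this page.

```python
import base64
import hashlib
import json
from email.message import EmailMessage
from email.parser import Parser

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()  # unpadded base64url, as in ACME

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the account key: required public members only, sorted, compact JSON."""
    members = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())

def token_part1_from_subject(subject: str) -> str:
    _, found, rest = subject.partition("ACME:")  # challenge subject is "ACME: <token-part1>"
    if not found:
        raise ValueError("subject is not an ACME challenge")
    return rest.strip()

def challenge_mail_ok(msg, expected_from: str) -> bool:
    """Before answering: sender must equal the challenge object's 'from' (fetched over ACME) and
    the mail must carry Auto-Submitted: auto-generated; type=acme, so a hand-written lure is ignored."""
    return msg["From"] == expected_from and "type=acme" in (msg["Auto-Submitted"] or "")

def key_authorization(token_part1: str, token_part2: str, account_jwk: dict) -> str:
    # Assumption: the ACME token is the plain string concatenation of the two base64url token parts.
    return f"{token_part1}{token_part2}.{jwk_thumbprint(account_jwk)}"

def build_reply(challenge_msg, token_part2: str, account_jwk: dict, expected_from: str) -> EmailMessage:
    """Only a SHA-256 digest of the key authorization goes into the reply body, so token-part2
    (obtained over HTTPS) and the account key thumbprint never travel through email."""
    if not challenge_mail_ok(challenge_msg, expected_from):
        raise ValueError("refusing to answer: not a genuine ACME challenge mail")
    part1 = token_part1_from_subject(challenge_msg["Subject"])
    digest = b64url(hashlib.sha256(key_authorization(part1, token_part2, account_jwk).encode()).digest())
    reply = EmailMessage()
    reply["From"], reply["To"] = challenge_msg["To"], challenge_msg["From"]
    reply["Subject"], reply["In-Reply-To"] = f"Re: ACME: {part1}", challenge_msg["Message-ID"]
    reply.set_content(f"-----BEGIN ACME RESPONSE-----\n{digest}\n-----END ACME RESPONSE-----\n")
    return reply

CHALLENGE_MAIL = Parser().parsestr(  # constructed sample: a challenge mail as a CA would send it
    "From: acme-challenge@ca.example\nTo: alice@example.org\nMessage-ID: <chal-1@ca.example>\n"
    "Subject: ACME: LoqXcYV8q5ONbJQxbmR7SCTNQ3Fqh2pFN7qNHNq\nAuto-Submitted: auto-generated; type=acme\n\n"
    "Reply with your ACME-capable mail client to prove control of this address.\n")
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
               "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}  # sample public point only
TOKEN_PART2 = "DGyRejmCefe7v4NfDGDKfA"  # would come from the challenge object; constructed here
```

A mail client that implements this needs no user interaction beyond its usual sending step, which is the "one-click" property the abstract refers to.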


Tobias Mueller