Email Comments, Questions and Miscellaneous: Share your opinion of the email service you're using. Post general email questions and discussions that don't fit elsewhere.
30 Nov 2008, 07:03 AM | #16
Essential Contributor
Join Date: Oct 2008
Posts: 275
30 Nov 2008, 07:17 AM | #17
Cornerstone of the Community
Join Date: Jun 2003
Posts: 551
Quote:
If I'm sending my credit card number out over what I thought was a secure connection and it's not secure, then I'm very disturbed that this information can be intercepted and easily read. I thought this was the whole idea behind httpS - secure transmission. Sorry if this is off-topic, but it is important to clarify.
30 Nov 2008, 07:18 AM | #18
Member
Join Date: Dec 2006
Location: Finland
Posts: 93
If you do not always need to use email, you may also want to look at OTR, http://www.cypherpunks.ca/otr/ for encrypted instant messaging. It is very easy to use and very well done. You can actually trust your data on this one, which is not true for all "encryption" software and stuff out there. Pairing it with Pidgin is an easy and reliable approach for secure IM.

If you're going to exchange files, be sure to use something stronger than plain .zip encryption, which can be broken quite easily. RAR offers AES-128, which is more than anyone needs. Your data is then as secure as your password is. Read more about choosing secure passwords here: http://www.ephesus.com/Encryption/Passphrase.html It discusses PGP / GPG, but applies equally to any application using passphrases. Read this too: http://www.schneier.com/blog/archive...ng_secure.html

Of the compression software out there, 7-Zip is also an option: http://www.7-zip.org/ It employs AES-256 and is open source, which RAR is not; however, there is no reason to expect any weaknesses in the RAR encryption routines, even though no one can study their implementation as such. RAR is not expensive. 7-Zip is free, though, and compresses better. RAR may be more familiar to some users.

For reliable encryption, I'd still go for PGP / GnuPG. You do not necessarily need to use keypairs, if that approach confuses you -- PGP and GPG can encrypt by password as well (i.e. symmetrically), and PGP/GPG is the most trusted of the options you have. Encryption is very easy to do badly or plain wrong. Hence, use only well-known software. I'd prefer going for real email encryption with either a specialised service or with PGP / GPG. GPG is an open source alternative to PGP, used mainly on Linux and other UNIXes, though some kind of Windows port exists too.

WinZip supports AES encryption now, too, but in the past there were some concerns over the cryptographic soundness of their approach. I do not quite trust it, especially as better software exists (WinRAR and 7-Zip, if you are on Windows). For *NIX, GPG + Tar + GZip or Bzip2 is the way to go. That's what I use. I also opt for asymmetrical encryption for my backups etc., as it is much easier than using symmetric encryption.

Whatever symmetric encryption you choose to use, remember that your data will only be as safe as your passwords are strong. People generally use very weak passwords, foolishly thinking AES or similar is going to protect them despite this. Also, whether the symmetric encryption algorithm in use is AES-128 or AES-256 is irrelevant -- in case you encrypt symmetrically, you probably won't be providing enough key entropy to fully use even a 128-bit keyspace, so anything higher is just going after a "megahertz myth."
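As an added example (not from the post above or from any of the tools it names) of its last point, the code below estimates how much entropy a passphrase actually supplies and compares that with the AES-128 and AES-256 key sizes; it assumes a per-character uniform model (an optimistic upper bound), a constructed fixed salt, and PBKDF2 as a stand-in for whatever key derivation an archiver uses.

```python
import hashlib
import math
import string

# Constructed salt for the demonstration; a real tool picks a random one per file.
DEMO_SALT = b"constructed-demo-salt"


def charset_size(passphrase: str) -> int:
    """Estimate the alphabet each character was drawn from (an upper bound)."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation, " "]
    return sum(len(cls) for cls in classes if any(ch in cls for ch in passphrase))


def char_entropy_bits(passphrase: str) -> float:
    """Entropy if every character were chosen uniformly: an optimistic bound."""
    size = charset_size(passphrase)
    return len(passphrase) * math.log2(size) if size else 0.0


def wordlist_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of a passphrase made of words picked at random from a list."""
    return word_count * math.log2(wordlist_size)


def effective_bits(entropy_bits: float, key_bits: int) -> int:
    """What the cipher really delivers: the smaller of key size and entropy."""
    return min(key_bits, int(entropy_bits))


def derive_key(passphrase: str, key_bits: int, salt: bytes = DEMO_SALT) -> bytes:
    """Stretch the passphrase to the cipher's key length. Stretching slows
    down guessing but cannot add entropy the passphrase never had."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, 200_000, key_bits // 8)


if __name__ == "__main__":
    for pw in ["password", "Tr0ub4dor&3"]:
        bits = char_entropy_bits(pw)
        print(f"{pw!r}: ~{bits:.1f} bits; AES-128 yields {effective_bits(bits, 128)}, "
              f"AES-256 yields {effective_bits(bits, 256)}")
    # Four words from a 7776-word list: per-character counting would overstate this.
    print(f"4 random list words: ~{wordlist_entropy_bits(4, 7776):.1f} bits")
    print(len(derive_key('password', 256)), "byte key, still only ~37 bits of entropy")
```

Both key sizes give the same effective strength for an 8-character word, which is the post's point: the key derived from a passphrase is as long as the cipher wants, but its unpredictability is bounded by the passphrase.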
30 Nov 2008, 07:29 AM | #19
Ultimate Contributor
Join Date: Dec 2001
Location: Canada.
Posts: 10,355
Secure POP and IMAP download are secure only between the server and your local machine (as is the case with secure SMTP as well).
Everything is unencrypted while in transit (or when on the server at either end). Conventional email is not a secure protocol..... unless you encrypt (and decrypt) the message at both ends.
30 Nov 2008, 07:33 AM | #20
Member
Join Date: Dec 2006
Location: Finland
Posts: 93
Quote:
Of course, you still want to use https etc. But the vendor holding your card data is your weakest link, really.
30 Nov 2008, 09:33 AM | #21
= Permanently banned =
Join Date: Sep 2005
Location: 1 Microsoft Way
Posts: 2,119
Quote:
Not that it can't happen, but sometimes I think we get caught up in posts and start promoting situations that may be true, but not in reality. I do get a kick out of these "security" discussions though.... cool.... lol
Quote:
Yup....
30 Nov 2008, 12:18 PM | #22
Junior Member
Join Date: Apr 2007
Location: Boston, USA
Posts: 19
Representative of:
LuxSci.com
This is true, but I have seen many cases of people's email and other login credentials stolen when they used insecure email (pop/imap/smtp) or web (http) connections in an Internet hotspot. These folks learned the hard lesson too late that they need to be vigilant and use SSL/TLS for everything they can.
It is certainly true that SSL/TLS only encrypts the communications between servers and does not encrypt ANYTHING once it is on a server. In fact, use of SSL implies that the data is decrypted by the target server so that the processes there can read and manipulate it. In the context of email, this means that SSL and TLS can be used to negate the possibility of eavesdropping; however, you still have to inherently trust the people running the servers through which your email travels. The only way to eliminate that need for trust is to use PGP or S/MIME message encryption starting in your client (or at an encryption gateway that you trust) and ending with the recipient.

I wrote an article a while ago that goes into detail on many of the inherent insecurities in email (from smtp to pop and imap) and some of the possible things that can be done to mitigate them (like ssl, pgp, s/mime) and why. See http://luxsci.com/extranet/articles/email-security.html
30 Nov 2008, 02:15 PM | #23
Cornerstone of the Community
Join Date: Jun 2003
Posts: 551
I found your article very helpful, Ekangas1. Informative and easy to understand. Thank you.
1 Dec 2008, 01:23 AM | #24
= Permanently banned =
Join Date: Sep 2005
Location: 1 Microsoft Way
Posts: 2,119
Quote:
Good post...
1 Dec 2008, 02:11 AM | #25
Essential Contributor
Join Date: Oct 2008
Location: Europe
Posts: 474
I don't know enough to really be of help in an accurate way, but the owner of Woomail.com did create that service because he and his customers had that need too: to know that only they can read what they write to each other. Everything stays within that server. It never leaves it, unless you decide to contact somebody outside of it.
The con is that all of you have to use it, but one can set it up in very secure ways, so do at least give it a look. Maybe other such services are even better, but it was good enough for him and his partners, and they have the same need as the OP.
1 Dec 2008, 02:58 AM | #26
Cornerstone of the Community
Join Date: Jun 2003
Posts: 551
Botolo is concerned about the administrator of the office email server reading his mail.
From what we have learned here, he should be secure from the admin's scrutiny if he uses any secure ssl connection other than the company's email server. For instance, if he uses gmail's ssl servers he should be OK from local eyes. In an office situation I would be more concerned about remote desktop access. The admin could be watching his desktop at any time and thus he would have no privacy in any situation. Non-work-related projects via the company system may get him into a lot of trouble. I, personally, would never do anything over the company's system I did not want them to know.
1 Dec 2008, 04:54 AM | #27
Member
Join Date: Dec 2006
Location: Finland
Posts: 93
Quote:
That's like a red flag. I'd not do it.
1 Dec 2008, 05:21 AM | #28
= Permanently banned =
Join Date: Sep 2005
Location: 1 Microsoft Way
Posts: 2,119
Quote:
My guess is "we" are taking this entire "security" thing to another level... lol Some good posts in this thread though... some downright wrong. lol
1 Dec 2008, 05:28 AM | #29
Member
Join Date: Oct 2006
Posts: 73
If you don't want administration to read e-mails, then you should really go back to the Pony Express, or passing notes to one another...
Honestly, if you begin to use a company connection or VPN, then your stuff will be scrutinized no matter what....
1 Dec 2008, 06:49 AM | #30
Member
Join Date: Dec 2006
Location: Finland
Posts: 93
Quote:
I'd not go down that path without first consulting the system admins and getting their OK for such practices.