Archived from groups: alt.internet.wireless
"Jeff Liebermann" <jeffl@comix.santa-cruz.ca.us> wrote in message
news:r4n1i05mhi92ce1vcmh6qr0afsh3utlspt@4ax.com...
> On Mon, 16 Aug 2004 15:50:52 GMT, "William Warren"
> <william_warren_nonoise@comcast.net> wrote:
>
> >If your friend has any secrets to keep and wants to send them via email,
> >tell him to go to http://www.thawte.com/email/index.html and get a (free)
> >email certificate so his friends can encrypt email they send him. His
> >friends, of course, will need to do the same, and then he can send them
> >encrypted replies.
>
> One small problem... no self respecting hacker is interested in the
> contents of your email one message at a time. It's the login and
> password that is important and encrypting the payload does nothing for
> protecting the login and password. [snip]
>
> Never mind the payload, protect the passwords.
>
[snip]
> >Once that system is in place, the end points will be the only insecure
> >nodes: everything between them will be secure. Securing the originating and
> >terminating computers is left as an exercise for the reader.
>
> Umm... Sniffing the ethernet connection, or even the tapping the DSL
> line is possible, but not very sporting.
But easy for someone who really wants what you've got: including phishers.
As I said, the endpoints remain insecure, and protecting them (and the
passwords) is a different topic. Although I concede that "everything between
them" only applies to the encrypted email, I was trying to make the point
that it's futile to secure only one link in a long chain. We have to think
end-to-end, and that includes end-to-end protection for sessions with your
IMAP/POP server.
I realize that POP ID's and passwords can be used to gain other passwords,
but don't forget that most services now require a challenge-response
transaction for "Lost Password" requests, where they ask (for example) the
name of your favorite pet. In any case, since my ISP doesn't support SSL for
POP sessions, I use a "sub" account for day-to-day email, which is set up so
that it can't change its own password, and I _never_ allow email from places
like Ebay or Billpay anywhere near it. If I want to check email on my other
account names, I use SquirrelMail (http://www.squirrelmail.org/) and SSL
connections to my home server, which is as secure as the various bills and
documents in my file cabinet.
> Having your own SSL certificate is kinda nice, but for my business
> communications and HIPAA, I use various PGP mutations.
>
> http://web.mit.edu/network/pgp.html
>
> http://www.pgp.net
>
> http://www.gnupg.org
> http://www.pgp.com/products/
I like gpg for the Unix world: Mutt and Exim support it natively, but SSL is
built into OE, Netscape Messenger, Mozilla, etc., so I prefer it for my
Wintel clients who need Plug 'N Pray operation and "one click" simplicity.
> Actually, I've been getting lazy lately and using ROT-13 and UUCP over
> TCP to my own servers, which most sniffing hackers don't have a clue
> how it works. Security by obscurity is not at all secure, but I
> figure it's better than nothing.
It's better than tying a garlic clove around your neck, since we can prove
it's ineffective ;-J.
The point is that anyone wanting security, for passwords _or_ email or
anything else, has to think end-to-end.
HTH. YMMV.
William
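Jeff's point above, that encrypting the payload does nothing for the login and password, is easy to see in a POP3 exchange. The Python checker below is an added example, not part of this thread: it scans a constructed client/server transcript and reports which credentials crossed the wire before any STLS upgrade (RFC 2595) and whether the fetched body was PGP-encrypted.

```python
"""Added example: audit a POP3 transcript for cleartext credentials.

Lines are prefixed "C:" (client) or "S:" (server). Only STLS is understood
as a TLS upgrade; everything after a successful STLS is treated as opaque.
"""
import re

# Constructed sample: plaintext login, then a PGP-encrypted message body.
SAMPLE_SESSION = """\
S: +OK POP3 server ready
C: USER alice
S: +OK
C: PASS hunter2
S: +OK logged in
C: RETR 1
S: +OK 123 octets
S: -----BEGIN PGP MESSAGE-----
S: hQEMA0xFAKEFAKEFAKE...
S: -----END PGP MESSAGE-----
S: .
C: QUIT
"""

def audit_pop3_session(transcript: str) -> dict:
    """Return which secrets were visible on the wire and whether TLS was used."""
    tls_active = False        # True once the server accepted STLS
    stls_pending = False      # client sent STLS, awaiting +OK
    cleartext_creds = []
    body_encrypted = False
    for raw in transcript.splitlines():
        if raw[:2] not in ("C:", "S:"):
            continue
        side, line = raw[0], raw[3:]
        if tls_active:
            continue          # inside TLS: a sniffer sees only ciphertext
        if side == "C" and line.upper().startswith("STLS"):
            stls_pending = True
            continue
        if side == "S" and stls_pending:
            tls_active = line.startswith("+OK")
            stls_pending = False
            continue
        if side == "C":
            m = re.match(r"(USER|PASS)\s+(\S+)", line, re.I)
            if m:                 # credentials sent in the clear
                cleartext_creds.append((m.group(1).upper(), m.group(2)))
        elif line.startswith("-----BEGIN PGP MESSAGE-----"):
            body_encrypted = True  # payload protected, login was not
    return {"cleartext_credentials": cleartext_creds,
            "body_encrypted": body_encrypted, "tls_used": tls_active}
```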