Security Basics mailing list archives
Re: PGP email encryption
From: Alvin Oga <alvin.sec () Virtual Linux-Consulting com>
Date: Fri, 16 Sep 2005 19:02:46 -0700 (PDT)
hi ya meni

> The reason I asked this question in the first place was because the answers I got (and keep getting) from the technical team and sales team at PGP were inconclusive, and certainly WAY off what you are saying.

way off ???
- is it because i'm off and insane etc...
- or that i say there is a dozen solutions to the same problem in addition to the one the sales droids are pushing
- there could be "terminology" differences too ( sales droid english vs whacky semi-techi details ), eg "catch emails" is sales droidish ..

> There IS a web client to PGP

good ... i'll have to go find it one day

> , and one way to use "email encryption" in PGP (according to the tech team at PGP) is to have the PGP server catch the message after it passed through, say, my exchange server, and instead of sending that message, send another message (notification message) to the receiving end - with a link.

that is the bogus part, in my view, pgp cannot catch the message per se ...

the email sending program ( mta ) can pipe its ascii email message thru pgp before it does whatever it's supposed to do with the outgoing email message
- save locally on itself and send out a url reference to come in via web_mail to fetch their encrypted email etc
  ( this is sorta okay, since the encrypted message is supposedly stored encrypted in your secure outgoing server and not sniffable from the outside )

> The link will lead the user to read the message off the "web messenger" on the PGP server through HTTPS.

https is bad ... it uses ssl which is relatively easily breakable and crackable compared to cracking/deciphering pgp messages

good idea and bad idea here is based on how important is the message, that if some competitor was able to decrypt your message, what would be the consequence
- the trick/problem is how many different ways can they break in and see your encrypted messages

> The access is done using a user entered pass phrase (which according to what you said - is very bad.)

the recipient entering login and passwd is good if it's done via ssh

and web-login with https is extremely bad idea

> So again - that's the answer I got from the tech team to PGP - are THEY wrong? Cause I am going out of my mind trying to understand how this works.

they are wrong in the sense that they assume https ( ssl ) is secure

i doubt that pgp can "catch" the outgoing emails

there are mail servers that have pgp built into it that does send out pgp encrypted email ... but pgp itself does NOT catch the outgoing emails
- the way to send outgoing emails in an encrypted form is to take the incoming email and pipe it thru pgp and send that encrypted output to the destination ( the recipient or other servers )

i think it's just a difference in terminology ...

> There are, of course, 2 other ways of using "email encryption" in PGP. One is to use what they call the "Satellite" and the other is to send the email as an encrypted attachment that requires a pass phrase to open.

a pass phrase ( the private key ) should always be used to open the encrypted message that you receive, that supposedly only you know the "pass phrase"

there are dozens of ways to read or send an encrypted message with pgp
- 90% are open source ..
- a couple of commercial vendors that are selling $25K - $100K encryption servers
- the entertaining part of encrypted email servers:
- why do you care about antispam and antivirus ??
- why would those strangers be sending you an email at your supposedly secret account that you supposedly trust, since you are encrypting all your emails
- both the sender and receiver need to have the proper and equivalent levels of security of the server and their networks
- if your other end is susceptible to virus, there's already a major security problem ... that has nothing to do with encrypted emails which probably will not help hiding the secret messages

c ya
alvin