Security Basics mailing list archives

Re: PGP email encryption


From: Alvin Oga <alvin.sec () Virtual Linux-Consulting com>
Date: Fri, 16 Sep 2005 19:02:46 -0700 (PDT)


hi ya meni

> The reason I asked this question in the first place was because the answers
> I got (and keep getting) from the technical team and sales team at PGP were
> inconclusive, and certainly WAY off what you are saying.

way off ???
        - is it because i'm off and insane etc...

        - or that i say there is a dozen solutions to the same problem
        in addition to the one the sales droids are pushing

        - there could be a "terminology" differences too 
        ( sales droid english vs whacky semi-techi details )
                eg "catch emails" is sales droidish .. 

> There IS a web client to PGP

good ... i'll have to go find it one day

> , and one way to use "email encryption" in PGP
> (according to the tech team at PGP) is to have the PGP server catch the
> message after it passed through, say, my exchange server, and instead of
> sending that message, send another message (notification message) to the
> receiving end - with a link.

that is the bogus part, in my view, pgp cannot catch the message per se ...
        
the email sending program ( mta ) can pipe its ascii email message thru
pgp  before it does whatever it's supposed to do with the outgoing email message
        - save locally on itself and send out a url reference to come
        in via web_mail to fetch their encrypted email etc
        ( this is sorta okay, since the  encrypted message is supposedly
        ( stored encrypted in your secure outgoing server and not sniffable
        ( from the outside 

> The link will lead the user to read the message
> off the "web messenger" on the PGP server through HTTPS.

https is bad ... it uses ssl which is relatively easily breakable and crackable
compared to cracking/deciphering pgp messages

good idea and bad idea here is based on how important is the message,
that if some competitor was able to decrypt your message, what would
be the consequence

        - the trick/problem is how many different ways can they break in 
        and see your encrypted messages

> The access is done
> using a user entered pass phrase (which according to what you said - is very
> bad.)

the recipient entering login and passwd is good if it's done via ssh
and web-login with https is extremely bad idea

> So again - that's the answer I got from the tech team to PGP - are THEY
> wrong? Cause I am going out of my mind trying to understand how this works.

they are wrong in the sense that they assume https ( ssl ) is secure

i doubt that pgp  can "catch" the outgoing emails 

there are mail servers that have pgp built into it that does send out
pgp encrypted email ... but pgp itself does NOT catch the outgoing emails
        - the way to send outgoing emails in an encrypted form is
        to take the incoming email and pipe it thru pgp and send that
        encrypted output to the destination ( the recipient or other servers )

i think it's just a difference in terminology ...
 
> There are, of course, 2 other ways of using "email encryption" in PGP. One
> is to use what they call the "Satellite" and the other is to send the email
> as an encrypted attachment that requires a pass phrase to open.

a pass phrase ( the private key ) should always be used to open the encrypted message
that you receive, that supposedly only you know the "pass phrase"

there are dozens of ways to read or send an encrypted message with pgp
        - 90% are open source ..
        - a couple of commercial vendors that are selling $25K - $100K encryption servers

- the entertaining part of encrypted email servers:

        - why do you care about antispam and antivirus ??

        - why would those strangers be sending you an email at your supposedly
          secret account that you supposedly trust, since you are encrypting 
          all your emails

        - both the sender and receiver needs to have the proper and equivalent
          levels of security of the server and their networks

        - if your other end is susceptible to virus, there's already a major
          security problem ... that has nothing to do with encrypted emails
          which probably will not help hiding the secret messages

c ya
alvin
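
As an added illustration (not part of the original post, and not code from PGP or any vendor), the "MTA pipes the message through pgp" flow described in the message above could look like this as an outgoing-mail filter. It assumes GnuPG's `gpg` binary as the encryptor and RFC 3156 PGP/MIME as the output format; the function names and the sample message are constructed for the example.

```python
import subprocess
from email import message_from_string
from email.message import Message
from email.mime.multipart import MIMEMultipart
from email.utils import getaddresses

# Constructed sample message; the addresses are placeholders.
SAMPLE = ("From: alice@example.org\nTo: Bob <bob@example.net>\nSubject: Q3 numbers\n"
          "Content-Type: text/plain; charset=us-ascii\n\nThe figures are in the draft.\n")

def gpg_encrypt(plaintext, recipients):
    """Encrypt with the local gpg binary; every recipient key must be in the keyring."""
    cmd = ["gpg", "--batch", "--armor", "--encrypt"]
    for rcpt in recipients:
        cmd += ["--recipient", rcpt]
    # check=True: a missing or untrusted key raises, so nothing is sent in cleartext.
    return subprocess.run(cmd, input=plaintext, stdout=subprocess.PIPE, check=True).stdout

def encrypt_outgoing(raw, encrypt=gpg_encrypt):
    """Return the message in `raw` rewritten as RFC 3156 multipart/encrypted."""
    original = message_from_string(raw)
    headers = original.get_all("To", []) + original.get_all("Cc", [])
    recipients = [addr for _, addr in getaddresses(headers) if addr]
    if not recipients:
        raise ValueError("no recipient to encrypt to")
    # What gets encrypted is the original MIME entity: Content-* headers plus body.
    inner = message_from_string(raw)
    for name in set(inner.keys()):
        if not name.lower().startswith("content-"):
            del inner[name]
    armored = encrypt(inner.as_bytes(), recipients).decode("ascii")
    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    for name in ("From", "To", "Cc", "Subject", "Date", "Message-ID"):
        for value in original.get_all(name, []):
            outer[name] = value  # routing headers stay readable, Subject included
    control = Message()
    control["Content-Type"] = "application/pgp-encrypted"
    control.set_payload("Version: 1\n")
    data = Message()
    data["Content-Type"] = "application/octet-stream"
    data.set_payload(armored)
    outer.attach(control)
    outer.attach(data)
    return outer.as_string()
```

Hooked into an MTA's content-filter stage, the returned text replaces the original message; an exception from the encryptor should make the MTA defer or bounce rather than deliver the cleartext.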

