Security Basics mailing list archives
RE: PGP email encryption
From: "Jason Albuquerque" <JAlbuquerque () northkingstown org>
Date: Mon, 26 Sep 2005 13:03:24 -0400
CipherTrust Iron Mail Appliance is an Email Proxy server that runs its own tweaked OPENBSD kernel. It has the email encryption you need plus a whole lot more!!! Check it out......... Jason Albuquerque GIS Manager Department of Information Systems 80 Boston Neck Road Town of North Kingstown, RI 02852 Tel. (401) 268-1516 Fax (401) 295-2594 www.northkingstown.org "There are 10 kinds of people in this world. The ones who understand binary and the ones who don't." -----Original Message----- From: Harrison Holland [mailto:harrisonholland () gmail com] Sent: Thursday, September 22, 2005 6:36 PM To: AragonX Cc: security-basics () securityfocus com Subject: Re: PGP email encryption Have you guys looked at ciphiremail. That's a program that may help. On 9/21/05, AragonX <aragonx () dcsnow com> wrote:
<quote who="Meni Milstein">Thank you for your detailed answer! The reason I asked this question in the first place was because the answers I got (and keep getting) from the technical team and sales team at
PGP
were inconclusive, and certainly WAY off what you are saying. There IS a web client to PGP, and one way to use "email encryption"
in PGP
(according to the tech team at PGP) is to have the PGP server catch
the
message after it passed through, say, my exchange server, and
instead of
sending that message, send another message (notification message) to
the
receiving end - with a link. The link will lead the user to read the message off the "web messenger" on the PGP server through HTTPS. The access
is
done using a user entered pass phrase (which according to what you said -
is
very bad.)I think the problem is PGP has been turned into more than it once was.
It
once was a simple public/private key encryption program. Now it's a company with a wide range of products. Personally, I would avoid PGP as a whole. The US government has been pressing hard to get a back door into their keys. I'm not sure if
they
have one yet or not. I'm not sure we would know if they did. Personally, I would suggest a solution based on gpg instead. http://www.gnupg.org/ The way I see it, there is an easy way, and a hard way. 1) Easy way - setup a web mail server using gpg encrypted messages. Disadvantages 1 - You are relying on ssl encryption to protect the data once the
client
logs on. You could setup a secure VPN to mitigate this threat. 2 - The security of your server is greatly diminished by allowing
these
external users access. Advantages 1 - Easy to setup. 2 - Emails remain local and completely under your control. 3 - Depending on the countries you do business with, they may not be allowed to use gpg. 2) Hard way - Send messages to your clients using gpg. Disadvantages 1 - You must work with your client's IT staff to get this setup
correctly.
2 - Messages are out of your control once they leave your server. Advantages 1 - You don't have to maintain the users on your server. 2 - Overall security of this setup is better. This is just the way I see it. I could be way off base on some things
but
I do feel you should avoid pgp and use gpg instead.
-- Harrison Holland
Current thread:
- PGP email encryption Meni Milstein (Sep 15)
- Re: PGP email encryption Alvin Oga (Sep 15)
- RE: PGP email encryption Meni Milstein (Sep 15)
- Re: PGP email encryption Alvin Oga (Sep 19)
- RE: PGP email encryption AragonX (Sep 22)
- Re: PGP email encryption Harrison Holland (Sep 26)
- Re: PGP email encryption Mark Ryan del Moral Talabis (Sep 26)
- RE: PGP email encryption Meni Milstein (Sep 15)
- Re: PGP email encryption Alvin Oga (Sep 15)
- <Possible follow-ups>
- RE: PGP email encryption Jason Albuquerque (Sep 26)