Educause Security Discussion mailing list archives
Re: File Hosting/Sharing Services [dropbox, mobile me, etc.]
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Fri, 14 Jan 2011 10:30:34 -0500
On Fri, 14 Jan 2011 07:23:36 CST, "Pratt, Benjamin E." said:
> Sending password over e-mail, unless that e-mail is encrypted with something like GPG or PGP, is an incredibly scary thought.
All depends on the value of the password and what your threat model is. Assume we're talking about a one-off password that decrypts exactly one encrypted file. The total risk isn't all *that* high. Remember, although it's *possible* to intercept an e-mail, it's *likely* to happen in only a few major cases:

0) We can operate under the assumption that the e-mail isn't being specifically targeted, as this would mean that somebody *already* monitors your business process in enough detail to know that you are about to hit 'send' on that e-mail. At that point, do you want to trust the phone? (Serious question, that one is). So, we conclude that the danger is "intercepted accidentally or in bulk and used opportunistically".

0A) The possibility of the e-mail getting stolen as it sits in the mail spool of the e-mail provider is vanishingly small. If the other end runs their own mail server and it gets hacked, they have bigger problems. If they're using a reputable outside provider and it gets hacked, we *all* have bigger problems.

1) Somebody is *already* monitoring all your packets and happens to hoover up the e-mail as well. Unless you forgot to secure your wireless connection, this is really not that common these days as most Ethernet is cat-5 rather than thinwire and passive sniffing is harder than it used to be. Thus, if your traffic is being monitored to that level already, you have bigger problems.

2) One of the endpoints is already compromised. If the bad guy is able to intercept the mail with the password as it is processed on the PC, they're *also* able to intercept the password when it's used to decrypt the data (and the now-decrypted data as well). Again, you have bigger problems...

3) The password ends up saved on the same PC as the data, and the PC is stolen. Now, it's a safe bet that the user at the other end will end up saving the now-decrypted data, and you're going to wish you had full-disk encryption in place. But again, if you weren't doing that and the PC was stolen, you have bigger problems...

Yes, it is indeed a mildly scary thought, but if you find it "incredibly" scary, I wonder what words you use to describe the truly bad news stuff, like "140 million compromised PCs". Now *that* is a scary thought - that no matter what care you take to get the data safely to the other end, there's like a 1 in 5 or 1 in 10 chance that it will be processed on a computer under somebody else's control. Now, given that - how hard do you *really* need to try to get the password there safely? :)