Penetration Testing mailing list archives

Re: sniffing plaintext protocols


From: Tonnerre Lombard <tonnerre.lombard () sygroup ch>
Date: Fri, 11 Aug 2006 07:34:00 +0200

Salut,

While this discussion doesn't quite seem to match the list subject, I
have something to say here.

On Thu, 2006-08-10 at 10:27 -0700, Gary E. Miller wrote:
> > How about pop3 and smtp? There is no secure alternative besides using pgp,
> > isn't it?
>
> Most modern pop3 and imap clients and servers support TLS.  That potentially
> gives you a certificate protected channel between the client and server.
>
> A nice setup is dovecot server and thunderbird client using all TLS.

This doesn't protect your mail at all if one of the mail servers
underway demands to receive the mail unencrypted, which a lot of mail
servers still do these days. Even worse, this gives anyone with the
desire to crack your local TLS certificate for pop3s/imaps a huge
opportunity for a known plaintext attack.

The only real way to secure the contents (not the sender and
recipient!) of your mail is to use PGP encryption on it. If you want to
hide the metadata (who sent mail to whom and about what) as well, you'll
have to go for mixes, but they're pretty uneasy to get right...

                                Tonnerre
-- 
SyGroup GmbH
Tonnerre Lombard

Loesungen mit System
Tel:+41 61 333 80 33    Roeschenzerstrasse 9
Fax:+41 61 383 14 67    4153 Reinach BL
Web:www.sygroup.ch      tonnerre.lombard () sygroup ch
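
The point made above, that TLS to your own POP3/IMAP server says nothing about the SMTP hops in between, can be checked on delivered mail by reading its `Received:` trace headers. The following is an added example, not part of the original post; the sample message and hostnames are constructed, and the TLS keywords are the ones registered by RFC 3848.

```python
import re
from email import message_from_string

# "with" keywords from RFC 3848 that mean the hop ran over TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

# Constructed sample message (not real traffic): three hops, the middle one plain.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
\tby imap.example.org with ESMTPS id 4B1C2; Fri, 11 Aug 2006 07:34:05 +0200
Received: from relay.example.com (relay.example.com [198.51.100.7])
\tby mx.example.net with ESMTP id 9A3F1; Fri, 11 Aug 2006 07:34:03 +0200
Received: from laptop.example.com (laptop.example.com [203.0.113.5])
\tby relay.example.com with ESMTPSA id 77D20; Fri, 11 Aug 2006 07:34:01 +0200
From: alice@example.com
To: bob@example.org
Subject: constructed sample

body
"""

def strip_comments(value):
    # Drop parenthesised comments, innermost first, so "with cipher ..."
    # inside a comment is not mistaken for the transfer protocol.
    prev = None
    while prev != value:
        prev, value = value, re.sub(r"\([^()]*\)", " ", value)
    return value

def hops(raw_message):
    # Returns (receiving host, protocol keyword, used_tls) per hop.
    # Each relay writes its own header, so only trust lines added by
    # servers you control; upstream lines can be forged.
    msg = message_from_string(raw_message)
    result = []
    # Headers are prepended, so reverse for sender-to-recipient order.
    for header in reversed(msg.get_all("Received", [])):
        clean = strip_comments(header)
        by = re.search(r"\bby\s+(\S+)", clean)
        proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", clean)
        name = proto.group(1).upper() if proto else "UNKNOWN"
        result.append((by.group(1) if by else "?", name, name in TLS_PROTOCOLS))
    return result

def plaintext_hops(raw_message):
    return [host for host, _, tls in hops(raw_message) if not tls]

if __name__ == "__main__":
    for host, proto, tls in hops(SAMPLE):
        print(f"{host:20} {proto:8} {'TLS' if tls else 'PLAINTEXT'}")
```

A hop reported as plaintext means the message body crossed that link readable to anyone on the path, regardless of how the final mailbox was accessed.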
