Penetration Testing mailing list archives
Re: sniffing plaintext protocols
From: Tonnerre Lombard <tonnerre.lombard () sygroup ch>
Date: Fri, 11 Aug 2006 07:34:00 +0200
Salut,

While this discussion doesn't quite seem to match the list subject, I have something to say here.

On Thu, 2006-08-10 at 10:27 -0700, Gary E. Miller wrote:
> > How about pop3 and smtp? There is no secure alternative beside using pgp, isn't it?
>
> Most modern pop3 and imap clients and servers support TLS. That potentially gives you a certificate protected channel between the client and server. A nice setup is dovecot server and thunderbird client using all TLS.

This doesn't protect your mail at all if one of the mail servers underway demands to receive the mail unencrypted, which a lot of mail servers still do these days. Even worse, this gives anyone with the desire to crack your local TLS certificate for pop3s/imaps a huge opportunity for a known plaintext attack.

The only real way to secure the contents (not the sender and recipient!) of your mail is to use PGP encryption on it. If you want to hide the metadata (who sent mail to who and about what) as well, you'll have to go for mixes, but they're pretty uneasy to get right...

Tonnerre
--
SyGroup GmbH
Tonnerre Lombard
Loesungen mit System
Roeschenzerstrasse 9
4153 Reinach BL
Tel:+41 61 333 80 33
Fax:+41 61 383 14 67
Web:www.sygroup.ch
tonnerre.lombard () sygroup ch
Attachment:
signature.asc
Description: This is a digitally signed message part
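The message above notes that client-to-server TLS says nothing about the server-to-server hops a mail takes. As an added example (not part of the original thread), the sketch below reads a received message's `Received` headers and reports which hops recorded a TLS-protected transfer; the function names are hypothetical, the sample message is constructed, and the headers are only as trustworthy as the servers that wrote them.

```python
import email
import re

# "with" keywords that mark a TLS-protected hop (RFC 3848 registry).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
COMMENT_RE = re.compile(r"\([^()]*\)")

def strip_comments(value):
    # Drop (possibly nested) comments such as "(using TLSv1.2 with cipher ...)",
    # which would otherwise be mistaken for the "with <protocol>" clause.
    previous = None
    while previous != value:
        previous, value = value, COMMENT_RE.sub(" ", value)
    return value

def clause(name, text):
    match = re.search(r"\b%s\s+(\S+)" % name, text, re.IGNORECASE)
    return match.group(1) if match else None

def audit_hops(raw_message):
    """Return one dict per Received header, oldest hop first."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = strip_comments(" ".join(value.split())).split(";")[0]
        proto = (clause("with", text) or "UNKNOWN").upper()
        hops.append({"from": clause("from", text), "by": clause("by", text),
                     "protocol": proto, "tls": proto in TLS_PROTOCOLS})
    return hops

def plaintext_hops(raw_message):
    return [h for h in audit_hops(raw_message) if not h["tls"]]

# Constructed sample; hostnames and addresses are placeholders.
SAMPLE = """\
Received: from relay.example (relay.example [192.0.2.20])
\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
\tby mx.recipient.example (Postfix) with ESMTPS id 3C; Fri, 11 Aug 2006 07:34:05 +0200
Received: from mail.sender.example (mail.sender.example [192.0.2.10])
\tby relay.example with ESMTP id 2B; Fri, 11 Aug 2006 07:34:03 +0200
Received: from laptop (unknown [198.51.100.7])
\tby mail.sender.example with ESMTPSA id 1A; Fri, 11 Aug 2006 07:34:01 +0200
Subject: constructed sample

body
"""

for hop in audit_hops(SAMPLE):
    print(hop["by"], hop["protocol"], "TLS" if hop["tls"] else "PLAINTEXT")
```

In the sample, the submission and final delivery hops are encrypted while the relay in the middle accepted the message over plain ESMTP, which is the gap that only end-to-end encryption of the content closes.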