[Users] PGP in claws

Adam Burns adamb at free2air.net
Fri Apr 3 09:57:09 CEST 2015


On Friday 03 April 2015 08:27:23 Johan Vromans wrote:
> On Thu, 02 Apr 2015 21:08:06 -0400
> 
> Mike Miskulin <mike.miskulin at leadingordersolutions.com> wrote:
> > a) A local computer really should not be considered "much more secure"
> > than the message transiting the internet as more and more email goes by
> > TLS server to server connection.

SSL/TLS is used more and more for mail transfer, arguably less securely than 
HTTPS with modern browsers (see Cert Patrol Mozilla plugin). It seems a large 
proportion of MTAs use self-signed X.509 certificates and because of that 
most connecting MTAs do not check certificate chains (or even attempt 
certificate stapling), making MITM compromises relatively easy.


> That is correct. The most common approach these days is
> 
>   [ME] <--{--> [ISP] <--> [OTHER ISP] <--}--> [OTHER]
> 
> The { } denote the internet. Even though all/most hops between the ISPs are
> eliminated, there's still a lot going on that is beyond my (and the OTHERs)
> control.

I think it is still often complex. Definitions of Internet aside (ME/ISP, 
NAT/no NAT etc), with large email providers, each [ISP] is likely a complex 
network of clustered hosts in the back end for in & outbound traffic. 
Outsourced mail service providers (Messaging Direct, etc) offer scrubbing and 
cleansing services that complicate paths even further.


> > b) There is a significant additional benefit to keeping messages
> > encrypted even on an encrypted hard drive - they are not vulnerable to
> > malware.
> 
> Yes. That's a trade-off you have to make depending on the situation.

Agreed. Trade-offs do have to be made, hopefully with reasonable constructions 
of risk scenarios. I would note that, for the more paranoid, PGP has no PFS so 
exposing clear text is probably a "bad idea", even on your own 'totally 
secure' client. 

Regards,

Adam.

-- 
Adam Burns

XMPP: adam.burns at jit.si
51D2 CACB 3604 00E3 05D7  9AE0 E4C7 6DBF E283 909C
GPG  Server: keys.gnupg.net
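The "MTAs accept any certificate" point above, shown as a Postfix main.cf excerpt. This is an added example, not part of the original message or of the Claws project; the paths, domains and policy-table name are hypothetical, and it assumes a Postfix version with DANE support and a DNSSEC-validating local resolver.

```ini
# /etc/postfix/main.cf (excerpt) -- hypothetical host, added example

# Weak, and still the common posture: opportunistic TLS. Postfix uses
# STARTTLS when the peer offers it, but accepts any certificate, self-signed
# included, and checks neither the chain nor the name. An active attacker on
# the path can strip STARTTLS or present their own certificate unnoticed.
smtp_tls_security_level = may
smtp_tls_loglevel = 1

# Stronger default: DANE. Where the receiving domain publishes TLSA records
# under DNSSEC, the certificate (self-signed or not) must match them and
# TLS becomes mandatory; where no TLSA records exist, "dane" silently falls
# back to opportunistic "may", so audit the logs for that case.
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# Per-destination overrides: require a CA-validated chain and a matching
# name for some peers, and refuse to fall back from DANE for others.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# /etc/postfix/tls_policy (hypothetical destinations; run postmap on it):
#   example.com   secure match=example.com:.example.com
#   example.net   dane-only
```

The "secure" level with a match list is the one that actually answers the complaint in the thread: the sending MTA verifies the chain against smtp_tls_CAfile and requires the peer name to match, so a self-signed or substituted certificate fails the delivery instead of being accepted. It only works for peers whose certificates chain to a CA you trust, which is why it belongs in the per-destination policy table rather than as the global default, and "dane-only" is the equivalent for domains that publish TLSA records. Postfix ships posttls-finger for checking what a remote MX would actually negotiate at a given level before enforcing it.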
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.claws-mail.org/pipermail/users/attachments/20150403/309a7c8c/attachment.sig>