Security Basics mailing list archives
RE: PGP email encryption
From: Meni Milstein <meni () msec co il>
Date: Thu, 15 Sep 2005 23:32:34 +0200
Thank you for your detailed answer! The reason I asked this question in the first place was because the answers I got (and keep getting) from the technical team and sales team at PGP were inconclusive, and certainly WAY off what you are saying.

There IS a web client to PGP, and one way to use "email encryption" in PGP (according to the tech team at PGP) is to have the PGP server catch the message after it has passed through, say, my Exchange server, and instead of sending that message, send another message (a notification message) to the receiving end, with a link. The link will lead the user to read the message off the "web messenger" on the PGP server through HTTPS. The access is done using a user-entered pass phrase (which, according to what you said, is very bad). So again, that's the answer I got from the tech team at PGP. Are THEY wrong? Because I am going out of my mind trying to understand how this works.

There are, of course, 2 other ways of using "email encryption" in PGP. One is to use what they call the "Satellite" and the other is to send the email as an encrypted attachment that requires a pass phrase to open.

Sincerely yours,
Meni Milstein
www.msec.co.il
meni () msec co il
P.O. Box 1124 Ramat Hasharon, Israel 47100

-----Original Message-----
From: Alvin Oga [mailto:alvin.sec () Virtual Linux-Sec net]
Sent: Thursday, September 15, 2005 9:52 PM
To: Meni Milstein
Cc: security-basics () securityfocus com; Alvin Oga
Subject: Re: PGP email encryption

hi ya meni

On Thu, Sep 15, 2005 at 07:13:00AM +0200, Meni Milstein wrote:
> This client is basically dealing with world-wide customers and is looking
> for the easiest way to send encrypted emails over the internet.

# pgp 2.x filter mode: -f filter, -e encrypt, -a ascii armor, -t text
cat message | pgp -feat user@recipient.com | mutt -s "encrypted email" user@recipient.com

> Looking at a project like PGP, where you install the PGP Universal on a
> dedicated server, I really can't find much of a difference between having a
> secured email server with web access. and here's why.

secured email server is NOT the same as a pgp server

pgp servers:
    http://encrypted-email.net/Servers/

commercial encrypted email servers run say $25K - $100K range
so your messages better be worth that expense ... or you can build
almost the same identical system with open source

for web access, i presume you mean mail over the web, like hotmail/yahoo
    http://www.Linux-Sec.net/Mail/WebMail/
    - there's a couple of encrypted webmail apps
> PGP works (basically) as a mail relay.

pgp works as a sender ( mta ) and/or as a recipient ( mua )
    http://encrypted-email.net/PGP/
    http://encrypted-email.net/Servers/
    http://encrypted-email.net/Clients/

> You send an email to someone and that someone receives a notification
> that a secure email message has been sent to him.

if that email did NOT go to the recipient directly, it means a 3rd party
can attempt to decrypt the message

if the encrypted email is sitting in the recipient's mail servers, they'd
presumably have those servers physically and electronically secured to
minimize crackers
> He then follows a link to read the message

bad idea ... for "security"

> through some kind of web access client that is actually located on MY PGP
> dedicated server. So the message contents don't really leave my
> organization.

in that case, you're looking for them to come to your mail servers to get
their email .. which means they have an account on your machine ( bad idea )

> If I were to create a simple mail server,

good idea..

> say on a linux box, with SSL capabilities, I would then theoretically have
> the same secure environment would I not?

secure as good or bad as your level of "security expertise"
> After all, the encrypting possibilities provided by PGP are more or less
> standard, aren't they?

the encryption is standardized.. the key people use is easily crackable
if "people" decide what it is vs basically not-crackable when using truly
random keys

and we'll ignore all the 2- and 3-letter agencies determined to read your
encrypted emails

> Also - what if I were to implement POP3 capabilities to that linux mail
> server? Wouldn't using SSL POP3 and SSL SMTP access give me more or less
> the same protection?

no ... that is just users logging in to get their email via secure pop

the encrypted email is NOT the same protection as secure pop
    - ssl is semi broken
    - pgp encryption is mostly non-breakable
> As far as I can see, aside from the fact that PGP sends a notification to

the pgp does NOT send notification .. you are configuring your servers to
do odd things

> receiving user about the new message, PGP gives me no added value (for
> protection).

pgp gives tons of added value to hide the content of the messages

you can easily break the user's login and passwd but it is still unlikely
that you can decrypt the emails that were encrypted with truly random keys
and random pass phrases

> Am I wrong?

yes and no .. depending on which part and methodology

c ya
alvin
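As an added illustration of the distinction Alvin draws between SSL POP3/SMTP and PGP (this is not code from the thread or from PGP), the model below tracks who can read the message at each point: on the wire, in the mailbox on the server, and at the recipient. The XOR one-time pad is an assumed stand-in for the real TLS and OpenPGP ciphers; the point is who holds the keys, not the cipher.

```python
"""Hop-by-hop transport encryption versus end-to-end content encryption.

Constructed model, not real TLS or OpenPGP: the XOR one-time pad stands in
for both ciphers so the example runs offline with the standard library.
"""
import secrets


def xor(data: bytes, key: bytes) -> bytes:
    # One-time-pad XOR: genuine encryption while the key is random and used
    # once, but here only a stand-in for the ciphers TLS or PGP would use.
    assert len(key) >= len(data)
    return bytes(a ^ b for a, b in zip(data, key))


def transport_only(message: bytes) -> dict:
    """SSL SMTP in, SSL POP3 out: each hop is encrypted on the wire, but the
    mail server terminates the session and stores the message in the clear."""
    smtp_session_key = secrets.token_bytes(len(message))
    on_wire_in = xor(message, smtp_session_key)            # eavesdropper sees this
    stored_on_server = xor(on_wire_in, smtp_session_key)   # server decrypts: plaintext
    pop_session_key = secrets.token_bytes(len(message))
    on_wire_out = xor(stored_on_server, pop_session_key)
    at_recipient = xor(on_wire_out, pop_session_key)
    return {"wire": on_wire_in, "server": stored_on_server, "recipient": at_recipient}


def end_to_end(message: bytes) -> dict:
    """PGP: the sender encrypts to the recipient's key before the message
    reaches any server; only the recipient can undo it."""
    recipient_key = secrets.token_bytes(len(message))  # stand-in for recipient's private key
    ciphertext = xor(message, recipient_key)
    stored_on_server = ciphertext                      # server only ever holds ciphertext
    at_recipient = xor(stored_on_server, recipient_key)
    return {"wire": ciphertext, "server": stored_on_server, "recipient": at_recipient}


def server_can_read(views: dict, message: bytes) -> bool:
    """Alvin's objection in one check: can whoever controls the mailbox, or
    whoever breaks the user's login and password, read the content?"""
    return views["server"] == message
```

The same check applies to the "web messenger" setup described above: a message held in the clear on the PGP server behind an HTTPS login is in the `transport_only` position, readable by whoever controls that server or that login.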