Security Basics mailing list archives
Re: PGP email encryption
From: Mark Ryan del Moral Talabis <talabis () gmail com>
Date: Fri, 23 Sep 2005 08:10:01 +0800
Yeah, I think you should try out gpg. We've been using it here (using the 'hard way'). We provided each machine with GPG, Thunderbird and the Enigmail plugin. On 9/21/05, AragonX <aragonx () dcsnow com> wrote:
<quote who="Meni Milstein">Thank you for your detailed answer! The reason I asked this question in the first place was because the answers I got (and keep getting) from the technical team and sales team at PGP were inconclusive, and certainly WAY off what you are saying. There IS a web client to PGP, and one way to use "email encryption" in PGP (according to the tech team at PGP) is to have the PGP server catch the message after it passed through, say, my exchange server, and instead of sending that message, send another message (notification message) to the receiving end - with a link. The link will lead the user to read the message off the "web messenger" on the PGP server through HTTPS. The access is done using a user entered pass phrase (which according to what you said - is very bad.)I think the problem is PGP has been turned into more than it once was. It once was a simple public/private key encryption program. Now it's a company with a wide range of products. Personally, I would avoid PGP as a whole. The US government has been pressing hard to get a back door into their keys. I'm not sure if they have one yet or not. I'm not sure we would know if they did. Personally, I would suggest a solution based on gpg instead. http://www.gnupg.org/ The way I see it, there is an easy way, and a hard way. 1) Easy way - setup a web mail server using gpg encrypted messages. Disadvantages 1 - You are relying on ssl encryption to protect the data once the client logs on. You could setup a secure VPN to mitigate this threat. 2 - The security of your server is greatly diminished by allowing these external users access. Advantages 1 - Easy to setup. 2 - Emails remain local and completely under your control. 3 - Depending on the countries you do business with, they may not be allowed to use gpg. 2) Hard way - Send messages to your clients using gpg. Disadvantages 1 - You must work with your client's IT staff to get this setup correctly. 2 - Messages are out of your control once they leave your server. Advantages 1 - You don't have to maintain the users on your server. 2 - Overall security of this setup is better. This is just the way I see it. I could be way off base on some things but I do feel you should avoid pgp and use gpg instead.
Current thread:
- PGP email encryption Meni Milstein (Sep 15)
- Re: PGP email encryption Alvin Oga (Sep 15)
- RE: PGP email encryption Meni Milstein (Sep 15)
- Re: PGP email encryption Alvin Oga (Sep 19)
- RE: PGP email encryption AragonX (Sep 22)
- Re: PGP email encryption Harrison Holland (Sep 26)
- Re: PGP email encryption Mark Ryan del Moral Talabis (Sep 26)
- RE: PGP email encryption Meni Milstein (Sep 15)
- Re: PGP email encryption Alvin Oga (Sep 15)
- <Possible follow-ups>
- RE: PGP email encryption Jason Albuquerque (Sep 26)