Dailydave mailing list archives
Exchange's privacy issues
From: Joanna Rutkowska <joanna () invisiblethings org>
Date: Tue, 28 Aug 2007 11:49:00 +0200
Over time, as I get more and more computers, I am really starting to feel the need to migrate my Outlook's local .PST file to some server solution, e.g. MS Exchange Server. I'm least concerned about mail (as I'm using IMAP4 anyway) but mostly about syncing my calendar, contacts, task list and memos.

So, why don't I like Exchange (and other similar solutions)? After all, one can buy Exchange hosting for some $10/month...

Well, I don't like it because the idea of somebody else (i.e. the hosting company) having full access to all my personal data (calendar, etc.) is simply scary. Many people on this list will probably just shrug it off and say that they are using their company's Exchange server, which they trust. But then again, would you place a "New Job Interview" appointment in your calendar if you knew that your corporate admin would be able to see it?

So, the simple question is -- does anybody know an encryption solution that would work on the client-to-client level? I.e. I would like my Outlook program to encrypt all the fields in my calendar, todo list, etc. and send them to the Exchange server as encrypted base64. Simple, symmetric crypto, one shared key, will do. True, the server would still know that I have a meeting on Friday at 11 a.m., but it would not be possible to decipher what kind of meeting it is. Similarly, they would see that I have 15 tasks on my todo list, and maybe they could also see that 3 of them are of an 'Important' priority, but they would not be able to read them.

In other words, I'm looking for something analogous to PGP. With PGP your adversary can still see who you got mail from or to whom you send it, heck, they can even see the subject of the mail (which is BTW really annoying), but they don't see the content.

It would be nice if the solution also worked for BlackBerry devices.

Yes, I know that one solution would be to buy colocation, put my own server there, disable FireWire ports and put some glue into spare PCI slots, so that nobody can get access to the machine's memory, even with physical access... But that solution is too pricey. Not because of the hosting fee, but because of the time needed to administer such a server.

I would greatly appreciate all the feedback.

Cheers,
joanna.
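A sketch of the field-level scheme the message asks for, added here as an example and not taken from the post or from any Outlook or Exchange component: each text field is encrypted on the client with one shared key and stored as base64, while start time and priority would stay in clear. The function names, the item ID format and the choice of AES-GCM are assumptions; binding the item ID and field name as associated data goes one step beyond the post, so that a blob the server moves to another item or field no longer decrypts.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// NewAEAD builds AES-GCM from the shared key (16, 24 or 32 bytes).
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealField returns base64(nonce || ciphertext || tag) for one text field.
// The item ID and field name are passed as associated data, so a server
// that copies the blob into another item or field makes decryption fail.
func SealField(g cipher.AEAD, itemID, field, plain string) (string, error) {
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := g.Seal(nonce, nonce, []byte(plain), []byte(itemID+"\x00"+field))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// OpenField reverses SealField for a blob fetched back from the server.
func OpenField(g cipher.AEAD, itemID, field, blob string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(blob)
	n := g.NonceSize()
	if err != nil || len(raw) < n {
		return "", fmt.Errorf("malformed %s field", field)
	}
	pt, err := g.Open(nil, raw[:n], raw[n:], []byte(itemID+"\x00"+field))
	return string(pt), err
}

func main() {
	g, _ := NewAEAD(make([]byte, 32)) // constructed all-zero demo key, not a real secret
	blob, _ := SealField(g, "item-42", "subject", "New Job Interview")
	fmt.Println("server stores:", blob)
	fmt.Println(OpenField(g, "item-42", "subject", blob))
}
```

The blob length still tracks the length of the plaintext, so the server learns roughly how long each field is in addition to the time and priority.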