Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Hello Folks.
I use Pidgin and Thunderbird for checking emails, My government used some deep packet filtering, Can they sniff my password?
In pidign I enable "Connection security" is it useful?
Do you have any suggestion for improving security?
TOR provides anonymity only to some extent. The TOR web site strongly suggests using end-to-end encryption always.
*There is an actively maintained and developed pre-configured-for-TOR Linux distribution: TAILS.
TAILS in essence is only a collection of tools. And while tools may make things easier (or more difficult, depending on how you look at it) they are limited in scope. While for example a browser may warn you about the servers cert not matching its FQDN it won't prevent you from using password authentication over HTTP and then switch to HTTPS. So the real problem with your question is that you shouldn't be satisfied with any "it's OK" type of answer anymore: you have to do your own research and actively gain knowledge about what SSL actually is used for (what it protects against and what not), be able to spot implementation flaws (for example SSL-ized connection but cookies not forced over HTTPS) and get to know a little about how SSL could be attacked (https://www.ssllabs.com/downloads/SSL_Threat_Model.png and the rest of www.ssllabs.com). Next to that you have to review your personal password hygiene (re-use mostly), device use wrt flaws, software (anything from browsers auto-completion to cross-site scripting attacks), be aware constantly when facing links, login buttons, URL bar changes, etc, etc and keep abreast of any vulnerabilities always. If for example BEAST, CRIME, TIME and Lucky 13 don't ring a bell then you should really step up your research. A good stating point may be http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=openssl.
It is unlikely that anyone can sniff your passwords or decode other data that has been encrypted with current standards. As has been pointed out above, the difficult part is in ensuring that you're actually encrypting your data and talking to who you think you are.
To add a little perspective on the subject, you are the weak link in the system and if you do something to attract sufficient unwanted attention you will be the target and it won't likely result in attempts to sniff your network traffic. Instead you will probably face this: http://xkcd.com/538/
I find the "don't piss your government off" very funny. As posted, it can be reformulated as "If you have nothing to hide, don't worry if we watch you".
VERY BIG BROTHER, MEN!
Sorry, it is just that I have just read some news about portable scanners to spy on people, haha.
Other than that, I think there is not true Internet security and privacy against global attackers. Depending on the country and the cases, the Civil Guard, the Feds or whoever can kick some doors down and confiscate the equipment which handles your data, so you see... I have heard of cases in which that is what actually happened.
I mean, c'mon, asking Google to surrender your info is likely quicker for them than setting a sniffer scenario. Just saying.
"Yes, the government can sniff your passwords." Or, they can probably arrange for the e-mails to be transcribed and retrieved entirely without your knowledge or consent. Because, basically, that's what governments are tasked to do: to act on behalf (more or less) of hundreds of millions of people at a time. (Including you, BTW ...)
The comment, "just don't do anything that a government (or law-enforcement, etc.) would be interested in," is a perfectly-valid and appropriate statement, all things considered.
Your "expectation of privacy" with regards to e-mail in any case should be minimal. If you need to protect the content of your e-mail, you need to use PEM technologies. (And even then, you're not protecting against the guv'mint.)
I had an, shall we say, "interesting uncle." He was very expressive. One day he bought a police scanner. A few days later, he walked up to one of the local policemen (who he knew well, in his small town), and, very gravely, shook his hand. And said to him: "Thank you. I had no idea."
Last edited by sundialsvcs; 03-25-2013 at 09:25 PM.
I use Evolution for check my email and in the "Use secure connection" I choose SSL encryption, Is it a secure way to protect my password from third person?
Yes there is. In Evolution, you will want to select use secure connection, e.g. TLS (which works over port 25 using "plain" passwords).
Also, if you are connecting to your own POP/IMAP server (e.g. Dovecot / Cyrus) you will want to do the following. Create a self signed SSL key and Certificate Authority just like you do for Apache and you can follow the instructions in many of the how-to documents. I prefer the one by Van Emery personally. You can then tell your Pop/Imap server to listen for secure connections using these keys.
Last edited by unSpawn; 04-24-2013 at 12:17 AM.
Reason: //Fix quoting
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680
Rep:
Quote:
Originally Posted by Noway2
Quote:
I use Evolution for check my email and in the "Use secure connection" I choose SSL encryption, Is it a secure way to protect my password from third person?
Yes there is. In Evolution, you will want to select use secure connection, e.g. TLS (which works over port 25 using "plain" passwords).
Of course this only works if your mail provider is in another country and will not take money from your government. I'm assuming that's taken for granted but though it worth pointing out in case it wasn't.
I would suggest not using encryption though and simply never saying anything that you would not say in front of a police officer.
The reason I say this is because using encryption in any country could make the government take notice and, as has been pointed out above, it could fail in a number of ways. This means that if somebody sees your email is encrypted and decides to spend time getting into it if you have said anything even vaguely illegal you will be arrested and detained simply to justify the time and money spent getting into your email.
Here is a simple answer for the OP: use hushmail. I think that this has been suggested before. The servers are in Canada and per the terms of service unless a warrant signed by a Canadian judge with authority in British Columbia is presented, they will not turn over your email. Access to and from the site is encrypted via HTTPS. Mail to and from them may be encrypted if desired and there are multiple ways to do this.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.