LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   where is Opera e-mail hosted? and other questions about e-mail security (http://www.linuxquestions.org/questions/linux-security-4/where-is-opera-e-mail-hosted-and-other-questions-about-e-mail-security-4175480094/)

Brant 10-08-2013 09:24 PM

where is Opera e-mail hosted? and other questions about e-mail security
 
I have wondered if, faced with the NSA, Opera e-mail would be any more opaque than gmail, yahoo, or hotmail.
Any opinions?

I have also wondered if an add-on to a mail program would be possible, such that, once the message was composed, it was then split in two (odd words, even words?) and sent as two messages via two different companies. Obviously your correspondent would have to have the same add-on, or be very patient!

evo2 10-08-2013 10:01 PM

Hi,

Quote:

I have wondered if, faced with the NSA, Opera e-mail would be any more opaque than gmail, yahoo, or hotmail.
Any opinions?
what exactly is "Opera e-mail". I know that they owned fastmail.net for a while, but not any more. Or perhaps it is an MUA (email client)? If so, presumably it is closed source like the browser in which case all bets are off, and they could be doing any number of nasty things with your mail.

Quote:

I have also wondered if an add-on to a mail program would be possible, such that, once the message was composed, it was then split in two (odd words, even words?) and sent as two messages via two different companies. Obviously your correspondent would have to have the same add-on, or be very patient!
I'd suggest using gpg if you want to encrypt emails. However, you have no control over what the recipient does after decryption, so even if things are secure at your end your mail can still be read by a third party if the recipient is sloppy.

Evo2.

sundialsvcs 10-08-2013 11:46 PM

You don't need to "invent" nor to "re-invent" email security. If you want to secure the content of your email, there are already two well-supported standards for doing so:
  1. S/MIME, or PEM = Privacy Enhanced Mail.
  2. GPG/PGP (which may require an add-on to your email client)
In the first case, your message will appear as an empty message with two encrypted attachments. In the second, the body of the message will contain the (base64-encoded) encrypted message content. Either way, the message can be handled using the standard e-mail transport mechanisms.

Beyond this, well, I just think that you need to be realistic about what this technology (or any such technology) can, and cannot, do. "E-mail encryption" is basically "putting your email into an envelope." (Which is, in and of itself, a huge advance over "writing it on a postcard for any ol' Google to see.") Furthermore, it happens to be a very strong, very opaque indeed "envelope" ... unless you are a ghostly government agency with a three-letter acronym name and a #CLASSIFIED# budget.

But once again ... realistic. If you are actually trying to defend your mail against them, well, "your tax dollars at work." :rolleyes:

... but you probably aren't. You just want (or need!) "a really good envelope." (Perhaps you are required to comply with an ever-growing number of data privacy and/or securities-regulation laws! You will be "compliant" today, if you use either of these technologies correctly.)

Both of these technologies will, without further ado, provide you with three extremely important advantages over "ordinary" e-mail:
  1. Message Integrity: The message that you received is "as tendered." It was not altered in-transit.
  2. Provenance: The message probably did come from the party who claims to have sent it (and, thanks to #1, it is the message they sent).
  3. Privacy (optional!): The message can't be trivially read by a third-party.
I say "(optional!)" because, in real life, you might not particularly care about this third point, whereas you might profoundly care about the first two. It frankly astounds me that businesses today send important client emails that do not bear any sort of digital signature. :eek:

You don't have to invent or to re-invent anything to obtain these three important benefits for your mail, on any system, and you can be sure that these technologies are equally and interchangeably supported on many systems. Right now. Today. Unix, Linux, OS/2, Windows, OS/X, proprietary mail-systems ... all of 'em.

Brant 10-09-2013 09:19 PM

All this is very informative—I will be chewing it over for a while!
I shouldn't have wasted time on ideas for add-ons, that was just whimsy.

My understanding is that Fastmail is now a paid service (although early adopters were grandfathered in) and that opera has launched an opera e-mail, essentially similar to those offered by the other big players.

Since it might be the only one not hosted in the United States I am still curious about this. I have no idea how much practical difference it might make. . .but I am assuming that following all the recent publicity for the NSA that injured pride (at the very least) must be driving foreign governments and businesses to make some changes.

sundialsvcs 10-10-2013 09:57 AM

I seriously doubt that any governments were seriously "surprised." What I hope will come of all of this, is a greatly increased awareness of the presence of wasteful spending. Things can be done "in the name of national security" that actually have the opposite effect. Or, they're simply done because they can be done, and because "Uncle Sugar" is paying for it all, and because you'd go to jail for 120 years if you even publicly acknowledged the program's very existence.

"When the cat's away, and very rich, the mice will play, and stuff their mouths with many dollars."

If you haven't read it yet, check out the book, Senseless Secrets. The "Room of Requirement," from the Harry Potter books, is very much like what "#CLASSIFIED#" has actually become. You've got to have someone looking out for the public purse.

dive 10-10-2013 10:40 AM

As far as I'm aware the NSA have already hacked gpg/pgp and I would suspect pem too, or was that just ssl?

Really, if you want to send private messages then you would need to go the route that has been used by spies for centuries and use a code that only the two of you know. Now, this does not mean computer encryption, because we have already seen that the NSA and others can crack that with the right software and enough time. This means meeting up somewhere private face to face and working out what keywords have which meaning etc. or some other method.

Have fun

JWJones 10-10-2013 01:58 PM

Quote:

Originally Posted by sundialsvcs (Post 5043422)
You've got to have someone looking out for the public purse.

Ah crap, I've been RRed! :D

evo2 10-10-2013 08:32 PM

Hi,
Quote:

Originally Posted by dive (Post 5043441)
As far as I'm aware the NSA have already hacked gpg/pgp

Really? Where did you read/hear this?

Thanks,

Evo2.

sundialsvcs 10-10-2013 09:07 PM

Quote:

Originally Posted by JWJones (Post 5043520)
Ah crap, I've been RRed! :D

I couldn't resist . . .

dive 10-10-2013 11:07 PM

Quote:

Originally Posted by evo2 (Post 5043644)
Hi,

Really? Where did you read/hear this?

Thanks,

Evo2.

I was thinking about SSL/TLS. Plenty of news stories about it for thepast few weeks.

jegpad 10-25-2013 03:11 PM

Forum newbie here. I'm on Ubuntu 13.04 using Chrome and Firefox and both Yahoo (for years) and GMail (less than a year). I don't have the heebee geebees about security, but I'd welcome advice on which simple email web-based client you'd suggest I opt for as a move away from the total exposure that Yahoo and Gmail suffer. Many thanks in advance.

Quote:

Originally Posted by sundialsvcs (Post 5042547)
You don't need to "invent" nor to "re-invent" email security. If you want to secure the content of your email, there are already two well-supported standards for doing so:
  1. S/MIME, or PEM = Privacy Enhanced Mail.
  2. GPG/PGP (which may require an add-on to your email client)
In the first case, your message will appear as an empty message with two encrypted attachments. In the second, the body of the message will contain the (base64-encoded) encrypted message content. Either way, the message can be handled using the standard e-mail transport mechanisms.

Beyond this, well, I just think that you need to be realistic about what this technology (or any such technology) can, and cannot, do. "E-mail encryption" is basically "putting your email into an envelope." (Which is, in and of itself, a huge advance over "writing it on a postcard for any ol' Google to see.") Furthermore, it happens to be a very strong, very opaque indeed "envelope" ... unless you are a ghostly government agency with a three-letter acronym name and a #CLASSIFIED# budget.

But once again ... realistic. If you are actually trying to defend your mail against them, well, "your tax dollars at work." :rolleyes:

... but you probably aren't. You just want (or need!) "a really good envelope." (Perhaps you are required to comply with an ever-growing number of data privacy and/or securities-regulation laws! You will be "compliant" today, if you use either of these technologies correctly.)

Both of these technologies will, without further ado, provide you with three extremely important advantages over "ordinary" e-mail:
  1. Message Integrity: The message that you received is "as tendered." It was not altered in-transit.
  2. Provenance: The message probably did come from the party who claims to have sent it (and, thanks to #1, it is the message they sent).
  3. Privacy (optional!): The message can't be trivially read by a third-party.
I say "(optional!)" because, in real life, you might not particularly care about this third point, whereas you might profoundly care about the first two. It frankly astounds me that businesses today send important client emails that do not bear any sort of digital signature. :eek:

You don't have to invent or to re-invent anything to obtain these three important benefits for your mail, on any system, and you can be sure that these technologies are equally and interchangeably supported on many systems. Right now. Today. Unix, Linux, OS/2, Windows, OS/X, proprietary mail-systems ... all of 'em.


sgosnell 10-27-2013 06:16 PM

ISTR that Ubuntu comes with Evolution by default. Evolution will work with enigmail, IIRC, so that would be the easiest and most secure way to go about it. Thunderbird is another popular option. Which to use is largely a matter of subjective taste, so I have no real recommendation between the two. Both work, and there are others. I suspect that evolution is more open than the Mozilla side, but I'm not sure there is an issue with either.

The Achilles heel of public/private key cryptography is that your correspondents have to install private keys, post public keys, and download your public key. Once all this is done everything is pretty transparent, but most people will not go to that much trouble.

jegpad 10-28-2013 02:19 AM

Sgosnell - thank you for your reply. I'm not going to the extent of the labour-intensive cryptography, but I wanted to stop providing complete transparency to Google. I've plumped for an account with GoDaddy and paid for a domain name and email service. I'll run concurrent with my other email addresses and if it proves to be reliable I'll migrate completely and drop the free services.

evo2 10-28-2013 02:29 AM

Hi,

this may be outdated news, but IIRC, godaddy does not have a particularly good track record in terms of respecting users privacy.

Evo2.

BlackRider 10-29-2013 03:14 PM

Email is not very good for security or privacy.

You need to trust both your email provider and the email provider of the receiver.

You need to trusts every ISP involved, which is a hard matter when things go international.

You need to trust the receiver himself. It's a very stupid affirmation, but if you are sharing dirty secrets with someone, that someone is your most immediate worry.

You "may" need to trust certification authorities not to be playing dirty and performing MIT attacks in the name of, let's say, "Barack Osama".

You need to trust the hardware and software providers of all the systems involved not to have placed backdoors, security holes or other similar stuff somewhere.

By the way: when you use a free email service, you are not the client. You are most likely a product been sold to a third party. Food for though. You can try to look for a email provider with acceptable terms of service, but nothing is really guaranteed if you are really paranoid.


If you need security, encrypt a letter and send a snail-mail. Point-to-point encryption is also nice, depending on your circumstances. There are also interesting sites, such as https://lockbin.com/Messaging or https://onetimesecret.com/. The trust you place on them is up to you.


All times are GMT -5. The time now is 10:59 PM.