LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 10-08-2013, 08:24 PM   #1
Brant
LQ Newbie
 
Registered: Oct 2007
Posts: 26

Rep: Reputation: 0
where is Opera e-mail hosted? and other questions about e-mail security


I have wondered if, faced with the NSA, Opera e-mail would be any more opaque than gmail, yahoo, or hotmail.
Any opinions?

I have also wondered if an add-on to a mail program would be possible, such that, once the message was composed, it was then split in two (odd words, even words?) and sent as two messages via two different companies. Obviously your correspondent would have to have the same add-on, or be very patient!
 
Old 10-08-2013, 09:01 PM   #2
evo2
Guru
 
Registered: Jan 2009
Location: Japan
Distribution: Debian, SL
Posts: 5,247

Rep: Reputation: 1129Reputation: 1129Reputation: 1129Reputation: 1129Reputation: 1129Reputation: 1129Reputation: 1129Reputation: 1129Reputation: 1129
Hi,

Quote:
I have wondered if, faced with the NSA, Opera e-mail would be any more opaque than gmail, yahoo, or hotmail.
Any opinions?
what exactly is "Opera e-mail". I know that they owned fastmail.net for a while, but not any more. Or perhaps it is an MUA (email client)? If so, presumably it is closed source like the browser in which case all bets are off, and they could be doing any number of nasty things with your mail.

Quote:
I have also wondered if an add-on to a mail program would be possible, such that, once the message was composed, it was then split in two (odd words, even words?) and sent as two messages via two different companies. Obviously your correspondent would have to have the same add-on, or be very patient!
I'd suggest using gpg if you want to encrypt emails. However, you have no control over what the recipient does after decryption, so even if things are secure at your end your mail can still be read by a third party if the recipient is sloppy.

Evo2.
 
Old 10-08-2013, 10:46 PM   #3
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,366

Rep: Reputation: 1106Reputation: 1106Reputation: 1106Reputation: 1106Reputation: 1106Reputation: 1106Reputation: 1106Reputation: 1106Reputation: 1106
You don't need to "invent" nor to "re-invent" email security. If you want to secure the content of your email, there are already two well-supported standards for doing so:
  1. S/MIME, or PEM = Privacy Enhanced Mail.
  2. GPG/PGP (which may require an add-on to your email client)
In the first case, your message will appear as an empty message with two encrypted attachments. In the second, the body of the message will contain the (base64-encoded) encrypted message content. Either way, the message can be handled using the standard e-mail transport mechanisms.

Beyond this, well, I just think that you need to be realistic about what this technology (or any such technology) can, and cannot, do. "E-mail encryption" is basically "putting your email into an envelope." (Which is, in and of itself, a huge advance over "writing it on a postcard for any ol' Google to see.") Furthermore, it happens to be a very strong, very opaque indeed "envelope" ... unless you are a ghostly government agency with a three-letter acronym name and a #CLASSIFIED# budget.

But once again ... realistic. If you are actually trying to defend your mail against them, well, "your tax dollars at work."

... but you probably aren't. You just want (or need!) "a really good envelope." (Perhaps you are required to comply with an ever-growing number of data privacy and/or securities-regulation laws! You will be "compliant" today, if you use either of these technologies correctly.)

Both of these technologies will, without further ado, provide you with three extremely important advantages over "ordinary" e-mail:
  1. Message Integrity: The message that you received is "as tendered." It was not altered in-transit.
  2. Provenance: The message probably did come from the party who claims to have sent it (and, thanks to #1, it is the message they sent).
  3. Privacy (optional!): The message can't be trivially read by a third-party.
I say "(optional!)" because, in real life, you might not particularly care about this third point, whereas you might profoundly care about the first two. It frankly astounds me that businesses today send important client emails that do not bear any sort of digital signature.

You don't have to invent or to re-invent anything to obtain these three important benefits for your mail, on any system, and you can be sure that these technologies are equally and interchangeably supported on many systems. Right now. Today. Unix, Linux, OS/2, Windows, OS/X, proprietary mail-systems ... all of 'em.

Last edited by sundialsvcs; 10-08-2013 at 10:52 PM.
 
1 members found this post helpful.
Old 10-09-2013, 08:19 PM   #4
Brant
LQ Newbie
 
Registered: Oct 2007
Posts: 26

Original Poster
Rep: Reputation: 0
All this is very informative—I will be chewing it over for a while!
I shouldn't have wasted time on ideas for add-ons, that was just whimsy.

My understanding is that Fastmail is now a paid service (although early adopters were grandfathered in) and that opera has launched an opera e-mail, essentially similar to those offered by the other big players.

Since it might be the only one not hosted in the United States I am still curious about this. I have no idea how much practical difference it might make. . .but I am assuming that following all the recent publicity for the NSA that injured pride (at the very least) must be driving foreign governments and businesses to make some changes.
 
Old 10-10-2013, 08:57 AM   #5
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,366

Rep: Reputation: 1106Reputation: 1106Reputation: 1106Reputation: 1106Reputation: 1106Reputation: 1106Reputation: 1106Reputation: 1106Reputation: 1106
I seriously doubt that any governments were seriously "surprised." What I hope will come of all of this, is a greatly increased awareness of the presence of wasteful spending. Things can be done "in the name of national security" that actually have the opposite effect. Or, they're simply done because they can be done, and because "Uncle Sugar" is paying for it all, and because you'd go to jail for 120 years if you even publicly acknowledged the program's very existence.

"When the cat's away, and very rich, the mice will play, and stuff their mouths with many dollars."

If you haven't read it yet, check out the book, Senseless Secrets. The "Room of Requirement," from the Harry Potter books, is very much like what "#CLASSIFIED#" has actually become. You've got to have someone looking out for the public purse.
 
Old 10-10-2013, 09:40 AM   #6
dive
Senior Member
 
Registered: Aug 2003
Location: UK
Distribution: Slackware
Posts: 3,211

Rep: Reputation: 292Reputation: 292Reputation: 292
As far as I'm aware the NSA have already hacked gpg/pgp and I would suspect pem too, or was that just ssl?

Really, if you want to send private messages then you would need to go the route that has been used by spies for centuries and use a code that only the two of you know. Now, this does not mean computer encryption, because we have already seen that the NSA and others can crack that with the right software and enough time. This means meeting up somewhere private face to face and working out what keywords have which meaning etc. or some other method.

Have fun
 
Old 10-10-2013, 12:58 PM   #7
JWJones
Member
 
Registered: Jun 2009
Location: Cascadia
Distribution: Slackware, LinuxBBQ, OpenBSD, Mac OSX
Posts: 723

Rep: Reputation: 186Reputation: 186
Quote:
Originally Posted by sundialsvcs View Post
You've got to have someone looking out for the public purse.
Ah crap, I've been RRed!
 
Old 10-10-2013, 07:32 PM   #8
evo2
Guru
 
Registered: Jan 2009
Location: Japan
Distribution: Debian, SL
Posts: 5,247

Rep: Reputation: 1129Reputation: 1129Reputation: 1129Reputation: 1129Reputation: 1129Reputation: 1129Reputation: 1129Reputation: 1129Reputation: 1129
Hi,
Quote:
Originally Posted by dive View Post
As far as I'm aware the NSA have already hacked gpg/pgp
Really? Where did you read/hear this?

Thanks,

Evo2.
 
Old 10-10-2013, 08:07 PM   #9
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,366

Rep: Reputation: 1106Reputation: 1106Reputation: 1106Reputation: 1106Reputation: 1106Reputation: 1106Reputation: 1106Reputation: 1106Reputation: 1106
Quote:
Originally Posted by JWJones View Post
Ah crap, I've been RRed!
I couldn't resist . . .
 
Old 10-10-2013, 10:07 PM   #10
dive
Senior Member
 
Registered: Aug 2003
Location: UK
Distribution: Slackware
Posts: 3,211

Rep: Reputation: 292Reputation: 292Reputation: 292
Quote:
Originally Posted by evo2 View Post
Hi,

Really? Where did you read/hear this?

Thanks,

Evo2.
I was thinking about SSL/TLS. Plenty of news stories about it for thepast few weeks.
 
Old 10-25-2013, 02:11 PM   #11
jegpad
LQ Newbie
 
Registered: Oct 2013
Location: London
Posts: 2

Rep: Reputation: Disabled
Forum newbie here. I'm on Ubuntu 13.04 using Chrome and Firefox and both Yahoo (for years) and GMail (less than a year). I don't have the heebee geebees about security, but I'd welcome advice on which simple email web-based client you'd suggest I opt for as a move away from the total exposure that Yahoo and Gmail suffer. Many thanks in advance.

Quote:
Originally Posted by sundialsvcs View Post
You don't need to "invent" nor to "re-invent" email security. If you want to secure the content of your email, there are already two well-supported standards for doing so:
  1. S/MIME, or PEM = Privacy Enhanced Mail.
  2. GPG/PGP (which may require an add-on to your email client)
In the first case, your message will appear as an empty message with two encrypted attachments. In the second, the body of the message will contain the (base64-encoded) encrypted message content. Either way, the message can be handled using the standard e-mail transport mechanisms.

Beyond this, well, I just think that you need to be realistic about what this technology (or any such technology) can, and cannot, do. "E-mail encryption" is basically "putting your email into an envelope." (Which is, in and of itself, a huge advance over "writing it on a postcard for any ol' Google to see.") Furthermore, it happens to be a very strong, very opaque indeed "envelope" ... unless you are a ghostly government agency with a three-letter acronym name and a #CLASSIFIED# budget.

But once again ... realistic. If you are actually trying to defend your mail against them, well, "your tax dollars at work."

... but you probably aren't. You just want (or need!) "a really good envelope." (Perhaps you are required to comply with an ever-growing number of data privacy and/or securities-regulation laws! You will be "compliant" today, if you use either of these technologies correctly.)

Both of these technologies will, without further ado, provide you with three extremely important advantages over "ordinary" e-mail:
  1. Message Integrity: The message that you received is "as tendered." It was not altered in-transit.
  2. Provenance: The message probably did come from the party who claims to have sent it (and, thanks to #1, it is the message they sent).
  3. Privacy (optional!): The message can't be trivially read by a third-party.
I say "(optional!)" because, in real life, you might not particularly care about this third point, whereas you might profoundly care about the first two. It frankly astounds me that businesses today send important client emails that do not bear any sort of digital signature.

You don't have to invent or to re-invent anything to obtain these three important benefits for your mail, on any system, and you can be sure that these technologies are equally and interchangeably supported on many systems. Right now. Today. Unix, Linux, OS/2, Windows, OS/X, proprietary mail-systems ... all of 'em.
 
Old 10-27-2013, 05:16 PM   #12
sgosnell
Member
 
Registered: Jan 2008
Location: Baja Oklahoma
Distribution: Debian
Posts: 358

Rep: Reputation: 61
ISTR that Ubuntu comes with Evolution by default. Evolution will work with enigmail, IIRC, so that would be the easiest and most secure way to go about it. Thunderbird is another popular option. Which to use is largely a matter of subjective taste, so I have no real recommendation between the two. Both work, and there are others. I suspect that evolution is more open than the Mozilla side, but I'm not sure there is an issue with either.

The Achilles heel of public/private key cryptography is that your correspondents have to install private keys, post public keys, and download your public key. Once all this is done everything is pretty transparent, but most people will not go to that much trouble.
 
Old 10-28-2013, 01:19 AM   #13
jegpad
LQ Newbie
 
Registered: Oct 2013
Location: London
Posts: 2

Rep: Reputation: Disabled
Sgosnell - thank you for your reply. I'm not going to the extent of the labour-intensive cryptography, but I wanted to stop providing complete transparency to Google. I've plumped for an account with GoDaddy and paid for a domain name and email service. I'll run concurrent with my other email addresses and if it proves to be reliable I'll migrate completely and drop the free services.
 
Old 10-28-2013, 01:29 AM   #14
evo2
Guru
 
Registered: Jan 2009
Location: Japan
Distribution: Debian, SL
Posts: 5,247

Rep: Reputation: 1129Reputation: 1129Reputation: 1129Reputation: 1129Reputation: 1129Reputation: 1129Reputation: 1129Reputation: 1129Reputation: 1129
Hi,

this may be outdated news, but IIRC, godaddy does not have a particularly good track record in terms of respecting users privacy.

Evo2.
 
Old 10-29-2013, 02:14 PM   #15
BlackRider
Member
 
Registered: Aug 2011
Distribution: Slackware
Posts: 261

Rep: Reputation: 82
Email is not very good for security or privacy.

You need to trust both your email provider and the email provider of the receiver.

You need to trusts every ISP involved, which is a hard matter when things go international.

You need to trust the receiver himself. It's a very stupid affirmation, but if you are sharing dirty secrets with someone, that someone is your most immediate worry.

You "may" need to trust certification authorities not to be playing dirty and performing MIT attacks in the name of, let's say, "Barack Osama".

You need to trust the hardware and software providers of all the systems involved not to have placed backdoors, security holes or other similar stuff somewhere.

By the way: when you use a free email service, you are not the client. You are most likely a product been sold to a third party. Food for though. You can try to look for a email provider with acceptable terms of service, but nothing is really guaranteed if you are really paranoid.


If you need security, encrypt a letter and send a snail-mail. Point-to-point encryption is also nice, depending on your circumstances. There are also interesting sites, such as https://lockbin.com/Messaging or https://onetimesecret.com/. The trust you place on them is up to you.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] Opera 10.0 mail search does not show sent mail (by default) neonsignal Linux - Software 2 11-23-2009 07:03 PM
Best Hosted Mail/ Groupware? Zimbra? Google? OpenXchange? yekibud Linux - Enterprise 2 04-20-2009 11:30 AM
How to set Opera Mail (M2) as Default Mail Program in Fedora 10 eoinjones Linux - Software 1 01-18-2009 11:50 AM
Sendmail - route mail off server for hosted domain SystemOverload Linux - Server 4 07-21-2008 10:32 PM
Sendmail problem (mail hosted elsewhere) 60s TV Batman Linux - Server 3 01-31-2008 06:52 AM


All times are GMT -5. The time now is 04:44 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration