05-11-2010, 04:26 PM
|
#1
|
LQ Veteran
Registered: Nov 2005
Location: London
Distribution: Slackware64-current
Posts: 5,836
|
hushmail - secure email?
I know it's an old article but I just found it and would like to hear your views.
http://www.wired.com/threatlevel/200...crypted-e-mai/
Is it a case of 'much ado about nothing' or are they blatantly lying to their customers?
I understand the difference between installing their Java program on your computer so that your passphrase gets encrypted before travelling to their servers, and using their 'webmail' service with Java disabled, but what about using it with IMAP (Thunderbird + Enigmail) as I'm using it now?
Are we all getting too paranoid about security or is it high time to start your own webserver?
|
|
|
05-14-2010, 08:25 AM
|
#2
|
Member
Registered: Oct 2009
Location: England
Distribution: Kubuntu, Ubuntu, Debian, Proxmox.
Posts: 553
|
If you use PGP or GnuPG properly, your email can only be read by the intended recipient. Make sure you don't save any copies encrypted with your own public key, or the Feds can beat the passphrase out of you to access your private key and decrypt them.
What is reported in the article is the kind of thing that will always happen when people use ill-thought-out encryption systems, and place convenience over security.
|
|
|
05-14-2010, 11:21 AM
|
#4
|
LQ Veteran
Registered: Nov 2005
Location: London
Distribution: Slackware64-current
Posts: 5,836
Original Poster
|
Thanks. That's what I thought about PGP. To the best of my knowledge (and tutorials I followed) I am using PGP in a correct way. Furthermore, I've never used hushmail webmail with Java disabled so I hope I'm safe from the man in black.
They can beat the hell out of me - I'm not going to crack and reveal anything.
The world is not ready yet to see the contents of my emails. They contain the ultimate wisdom, dangerous knowledge and secret locations for Friday drinks.
|
|
|
05-14-2010, 11:42 AM
|
#5
|
Member
Registered: Oct 2009
Location: England
Distribution: Kubuntu, Ubuntu, Debian, Proxmox.
Posts: 553
|
Of course, no matter what you do, an email is a two-way (or more) communication. You can be as secure as you like, but that's to no avail if the email is obtained from another correspondent.
|
|
|
05-14-2010, 12:11 PM
|
#6
|
LQ Veteran
Registered: Nov 2005
Location: London
Distribution: Slackware64-current
Posts: 5,836
Original Poster
|
Quote:
Originally Posted by cantab
You can be as secure as you like, but that's to no avail if the email is obtained from another correspondent.
|
They are all dead. My emails kill within 5 minutes after reading it.
Seriously speaking, it is pointless when the other side doesn't support encryption.
|
|
|
05-14-2010, 12:42 PM
|
#7
|
Member
Registered: Oct 2009
Location: England
Distribution: Kubuntu, Ubuntu, Debian, Proxmox.
Posts: 553
|
What I mean is, even if the other side DOES support encryption, there's nothing you can do to stop them accidentally or deliberately disclosing the email they received from you or sent to you.
The usual usage of GPG to 'sign' emails is a double-edged sword in this case. If you are discussing matters you do not wish to be made public, and you do not trust the recipient (hint: can you ever?), GPG is probably not an appropriate technology. Off-the-Record encryption, for instant messaging, is on the other hand deliberately designed so that a forgery is indistinguishable from a genuine message, meaning that if the recipient discloses the message you can deny having sent it, and the message itself carries no information on authenticity - though of course a court could use other evidence to decide whether a forgery could or couldn't have happened.
|
|
|
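The deniability property described in post #7, as an added example that is not part of the original thread: when messages are authenticated with a MAC under a key both parties hold, the recipient can produce a valid tag for any text, so a disclosed message proves nothing about who wrote it. This is a simplified model and not the real OTR protocol; the function names, the key-derivation label and the sample messages are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def derive_mac_key(shared_secret: bytes) -> bytes:
    # Both parties derive the same MAC key from the key-agreement output.
    return hmac.new(shared_secret, b"mac-key", hashlib.sha256).digest()


def tag(mac_key: bytes, sender: str, text: str) -> bytes:
    # Authenticate the claim "sender said text" under the shared key.
    msg = sender.encode() + b"\x00" + text.encode()
    return hmac.new(mac_key, msg, hashlib.sha256).digest()


def verify(mac_key: bytes, sender: str, text: str, t: bytes) -> bool:
    return hmac.compare_digest(tag(mac_key, sender, text), t)


def run_demo() -> dict:
    # Constructed stand-in for the output of a Diffie-Hellman exchange.
    shared_secret = secrets.token_bytes(32)
    alice_key = derive_mac_key(shared_secret)
    bob_key = derive_mac_key(shared_secret)

    # Alice really sends this message (constructed sample text).
    genuine = ("alice", "Drinks on Friday, usual place.")
    genuine_tag = tag(alice_key, *genuine)

    # Bob writes a message himself and labels it as coming from Alice.
    forged = ("alice", "I never wrote this sentence.")
    forged_tag = tag(bob_key, *forged)

    # OTR also publishes MAC keys once they are no longer in use, so an
    # outsider who saw the revealed key could produce tags as well.
    revealed_key = alice_key
    outsider = ("alice", "Written by an outsider.")
    outsider_tag = tag(revealed_key, *outsider)

    return {
        "bob_accepts_genuine": verify(bob_key, *genuine, genuine_tag),
        "forgery_verifies": verify(bob_key, *forged, forged_tag),
        "bob_can_recreate_genuine_tag": tag(bob_key, *genuine) == genuine_tag,
        "outsider_forgery_verifies": verify(bob_key, *outsider, outsider_tag),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Every check returns True: a genuine tag and a forged one pass the same verification, which is the contrast with a GPG signature that only the holder of the private key can produce.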
05-14-2010, 08:27 PM
|
#8
|
LQ Veteran
Registered: Nov 2005
Location: London
Distribution: Slackware64-current
Posts: 5,836
Original Poster
|
Quote:
What I mean is, even if the other side DOES support encryption, there's nothing you can do to stop them accidentally or deliberately disclosing the email they received from you or sent to you.
|
Yes, I know what you meant in the previous post.
Quote:
Off-the-Record encryption, for instant messaging, is on the other hand deliberately designed so that a forgery is indistinguishable from a genuine message, meaning that if the recipient discloses the message you can deny having sent it, and the message itself carries no information on authenticity - though of course a court could use other evidence to decide whether a forgery could or couldn't have happened.
|
I've never heard of it (not that I'm any expert in this field). I've googled it and it seems really interesting. Thanks for the idea.
|
|
|
All times are GMT -5.