LinuxQuestions.org
Old 09-06-2009, 08:36 PM   #16
Ulysses_
Senior Member
 
Registered: Jul 2009
Posts: 1,303

Original Poster
Rep: Reputation: 57

Another concern is, strong encryption might arouse suspicion. What's your take on that?
 
Old 09-06-2009, 08:38 PM   #17
Ulysses_
Senior Member
 
Registered: Jul 2009
Posts: 1,303

Original Poster
Rep: Reputation: 57
If only we could get everyone to use strong encryption for their emails. Then we'd cover each other.

Maybe someone nice would have to provide a service like lavabit and do it for free. They might pay for the bandwidth by advertising links at the bottom of each email.

The lavabit site says even their staff can't read the emails of their customers! If that's true, no agency can demand to read people's emails.

On the other hand, there's a law in the UK where if you use encryption for anything, the government has the right to demand the password from you. And you go to prison if you get asked and refuse to give the password. Something smarter is needed, perhaps the plausible deniability tactic of truecrypt with its two passwords, or maybe N passwords. Ever heard of that?

Last edited by Ulysses_; 09-06-2009 at 08:41 PM.
 
Old 09-06-2009, 08:55 PM   #18
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by Ulysses_ View Post
Another concern is, strong encryption might arouse suspicion. What's your take on that?
From this (and your previous posts), I get the impression that you consider the standard SSL encryption currently in use worldwide to be weak. Is that really the case? If so, could you please elaborate on why you see it that way? So far you just seem to be making assumptions. Mind you, I'm not referring to implementation flaws which are well-known thanks to the research of people like Moxie Marlinspike, I'm referring to weaknesses in the algorithms themselves.

Last edited by win32sux; 09-06-2009 at 08:59 PM.
 
Old 09-06-2009, 10:35 PM   #19
Crito
Senior Member
 
Registered: Nov 2003
Location: Knoxville, TN
Distribution: Kubuntu 9.04
Posts: 1,168

Rep: Reputation: 53
The problem with public key cryptography is the CAs (certificate authorities) can't be trusted not to give your private key to the government. In such cases encryption can actually be used for non-repudiation in a court of law. So as to prove that you, and only you, could have sent the email. Which would be the exact opposite of plausible deniability.


http://en.wikipedia.org/wiki/Non-repudiation
 
Old 09-06-2009, 11:00 PM   #20
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by Crito View Post
The problem with public key cryptography is the CAs (certificate authorities) can't be trusted not to give your private key to the government.
Uh, the CA never sees your private key (they sign your public key).
 
Old 09-07-2009, 02:10 AM   #21
JulianTosh
Member
 
Registered: Sep 2007
Location: Las Vegas, NV
Distribution: Fedora / CentOS
Posts: 674
Blog Entries: 3

Rep: Reputation: 90
Quote:
Originally Posted by Ulysses_ View Post
Another concern is, strong encryption might arouse suspicion. What's your take on that?
If people encrypted everything, including the unimportant, then nothing would be "suspicious". All your private messages would be hidden in a sea of mundane time-wasting random data for "inquiring minds" to sift through.
 
Old 09-07-2009, 08:33 AM   #22
GrapefruiTgirl
LQ Guru
 
Registered: Dec 2006
Location: underground
Distribution: Slackware64
Posts: 7,594

Rep: Reputation: 555
Quote:
Originally Posted by Ulysses_ View Post
Another concern is, strong encryption might arouse suspicion. What's your take on that?
If you're talking about BEYOND just your LAN, then my take is that, if you're inside the US, and/or are sending emails to/from the US, and you use an encryption that has been deemed "too strong" by some 3-letter agency, then you *may* arouse suspicion.

NOTE: I'm not a lawyer, not an American, nor do I live in the U.S., but (only) to my knowledge, __very__ strong encryption is not allowed in the U.S. for the very reason that those 3-letter agencies can't break it in a timely manner.

In freer parts of the free world, this isn't an issue-- you can encrypt to your heart's content.
 
Old 09-07-2009, 12:09 PM   #23
JulianTosh
Member
 
Registered: Sep 2007
Location: Las Vegas, NV
Distribution: Fedora / CentOS
Posts: 674
Blog Entries: 3

Rep: Reputation: 90
Quote:
Originally Posted by GrapefruiTgirl View Post
but (only)to my knowledge, __very__ strong encryption is not allowed in the U.S. for the very reason that those 3-letter agencies can't break it in a timely manner.
We can use strong crypto within the country as much as we want. I think that strong crypto is still viewed as a munition and technically you're not allowed to export software that uses it outside of the country.

People use strong crypto to send messages out of the country all day long.

<tinfoil hat>The NSA and friends gave up on trying to crack crypto long ago when they realized it's easier to coerce US companies to inject exploitable vulnerabilities into their OS where they can then capture what they need in plaintext.</tinfoil hat>
 
Old 09-07-2009, 02:46 PM   #24
Ulysses_
Senior Member
 
Registered: Jul 2009
Posts: 1,303

Original Poster
Rep: Reputation: 57
Quote:
Originally Posted by win32sux View Post
From this (and your previous posts), I get the impression that you consider the standard SSL encryption currently in use worldwide to be weak. Is that really the case?
No, I do not consider it weak, just want to know what is the state of the art. I reckon some criminals must have managed to break the standard SSL algorithms, either that or found flaws in the commonest implementations of it. Because it is so widely used, and therefore there is so much return on investment in breaking it.
 
Old 09-07-2009, 02:59 PM   #25
JulianTosh
Member
 
Registered: Sep 2007
Location: Las Vegas, NV
Distribution: Fedora / CentOS
Posts: 674
Blog Entries: 3

Rep: Reputation: 90
The crypto in SSL (now TLS) is pretty strong/secure. There have been issues recently with some implementations of ssl libraries that weaken it, but I believe that's been cleared up for now. There have been issues with the logic of processing certificate chains that have created some vulnerabilities. I think those have been cleared up. Crypto is a very complex topic and there are so many things that can go wrong without any sign.

For the average joe that blends in with the rest of society's traffic, it's strong enough and the risks are relatively low.

I'm pretty sure it's been stated earlier in the thread, but there are many points in an email's life that are vulnerable to unauthorized reading. SSL only protects it during transit to your ISP. From there, chances are, it will be relayed through a number of SMTP servers in plaintext where anyone with admin privileges can read it. Once it's stored on the recipient's computer, it can be left in plain text.

PGP offers the most protection in keeping the email private for the duration of its life.
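
The hop-by-hop exposure described in the post above can be checked on a delivered message by reading its `Received` headers. The following is an added example, not part of the original post: it uses the RFC 3848 `with` keywords to mark which hops ran over TLS, and the sample message, hostnames and ids are constructed.

```python
import re
from email import message_from_string

# RFC 3848 "with" keywords whose trailing S means the hop ran over TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

# Pulls "from <sender> ... by <receiver> ... with <protocol>" out of one header.
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.S | re.I)

# Constructed sample message: hostnames, addresses and ids are made up.
SAMPLE = """\
Received: from relay2.example.net (relay2.example.net [203.0.113.7])
    by mx.recipient.example with ESMTP id abc123;
    Mon, 7 Sep 2009 15:00:03 -0700
Received: from smtp.isp.example (smtp.isp.example [198.51.100.9])
    by relay2.example.net with SMTP id def456;
    Mon, 7 Sep 2009 15:00:02 -0700
Received: from laptop.lan ([192.0.2.10])
    by smtp.isp.example with ESMTPSA id ghi789;
    Mon, 7 Sep 2009 15:00:01 -0700
From: alice@isp.example
To: bob@recipient.example
Subject: constructed test message

hello
"""

def audit_hops(raw_message):
    """Return (sender, receiver, protocol, used_tls) per hop, oldest first."""
    msg = message_from_string(raw_message)
    hops = []
    # Each relay prepends its header, so reverse to get chronological order.
    for header in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(header)
        if not m:
            continue  # unparseable header: skip rather than guess
        proto = m.group(3).upper().rstrip(";")
        hops.append((m.group(1), m.group(2), proto, proto in TLS_PROTOCOLS))
    return hops

def plaintext_hops(raw_message):
    """Hops where the message crossed the network without TLS."""
    return [(s, r) for s, r, _, tls in audit_hops(raw_message) if not tls]

if __name__ == "__main__":
    for sender, receiver, proto, tls in audit_hops(SAMPLE):
        print(f"{sender} -> {receiver}: {proto} ({'TLS' if tls else 'plaintext'})")
```

Each `Received` header is written by the relay that handled the hop, so the result is only as trustworthy as those relays, and a TLS-protected hop still leaves the message readable on the server at each end.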
 
Old 09-07-2009, 06:17 PM   #26
Ulysses_
Senior Member
 
Registered: Jul 2009
Posts: 1,303

Original Poster
Rep: Reputation: 57
Maybe there is an email provider that offers a PGP option too, or I install my own email server somewhere and add the best PGP encryption that there is.

Is the best PGP encryption stronger than lavabit's?

PS. I understand what you're saying about PGP, just want to protect the link to the email server only, people would be hard to persuade to use PGP anyway.

Last edited by Ulysses_; 09-07-2009 at 07:11 PM.
 
Old 09-07-2009, 11:36 PM   #27
JulianTosh
Member
 
Registered: Sep 2007
Location: Las Vegas, NV
Distribution: Fedora / CentOS
Posts: 674
Blog Entries: 3

Rep: Reputation: 90
Quote:
Originally Posted by Ulysses_ View Post
Maybe there is an email provider that offers a PGP option too
PGP is a decentralized encryption scheme where each user maintains their own keyrings of people they communicate with. You're the sole owner and holder of your private key that is used to sign and decrypt messages sent to you. It would be ridiculous, for lack of a better word, to allow a third party to have control over your private keys, so no, there shouldn't be an email provider that provides a PGP service - unless it's just there to authenticate you and sign your keys to build the web of trust.
 
Old 09-08-2009, 03:02 PM   #28
Ulysses_
Senior Member
 
Registered: Jul 2009
Posts: 1,303

Original Poster
Rep: Reputation: 57
Quote:
Originally Posted by Admiral Beotch View Post
It would be ridiculous, for lack of a better word, to allow a third party to have control over your private keys, so no, there shouldn't be an email provider that provides a PGP service
Would it be ridiculous if an email provider recommended SSL along the link to its user while there's no encryption at all at the other end where the receiver is not using SSL at all? That's what hotmail and gmail are doing - given that you cannot persuade people to swap encryption keys with you, you do the best you can. So why not encrypt this link with PGP, can't you swap PGP keys with your email provider? Remember, my LAN is more dangerous than the receiver's.
 
Old 09-08-2009, 03:24 PM   #29
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by Ulysses_ View Post
Would it be ridiculous if an email provider recommended SSL along the link to its user while there's no encryption at all at the other end where the receiver is not using SSL at all? That's what hotmail and gmail are doing - given that you cannot persuade people to swap encryption keys with you, you do the best you can. So why not encrypt this link with PGP, can't you swap PGP keys with your email provider? Remember, my LAN is more dangerous than the receiver's.
If you want the message to remain private between sender and recipient, the sender will need to encrypt it using the recipient's public key. There's no getting around that (other than using a PSK), and giving keys to your email service provider isn't going to help in that regard. When you're using an SSL email service provider, your link to them is already encrypted, and I'm not sure what exactly you're hoping to gain by giving them your PGP keys. Could you clarify?

Last edited by win32sux; 09-08-2009 at 03:55 PM.
 
Old 09-08-2009, 07:22 PM   #30
Ulysses_
Senior Member
 
Registered: Jul 2009
Posts: 1,303

Original Poster
Rep: Reputation: 57
Quote:
Originally Posted by win32sux View Post
When you're using an SSL email service provider, your link to them is already encrypted, and I'm not sure what exactly you're hoping to gain by giving them your PGP keys. Could you clarify?
If typical PGP ciphers are of equal strength to typical SSL ciphers, there's no reason to use PGP between yourself and the email server. But I am under the impression that the best cipher for PGP is stronger than the cipher typically used with SSL, eg by hotmail. If that is so, an email provider can communicate with me using PGP, we'd be like two people using PGP. They would send me data encrypted with my key, and I would send them data encrypted with their key. That's against anyone sniffing our link and only that.
 
  


All times are GMT -5. The time now is 08:47 PM.
