Re: [gentoo-user] encrypting emails on more than one email account with same keys

2019-05-24 Thread Mick
On Friday, 24 May 2019 04:58:02 BST Grant Taylor wrote:
> On 5/23/19 9:49 PM, mad.scientist.at.la...@tutanota.com wrote:
> > I suspect most lawyers would agree that email is just a bad idea
> > if confidentiality matters, or the web in general frankly and it's
> > getting worse fast.

Yes, face to face seems to work best, but it is not always convenient/
possible.


> I find that S/MIME works quite well for me.  It's also largely
> transparent once it's configured.

... And with 'eFail' the same could end up happening with the previously 
encrypted text!

https://www.paubox.com/blog/pgp-smime-efail-flaw
https://www.kb.cert.org/vuls/id/122919/
https://bugs.gentoo.org/683034

-- 
Regards,
Mick



Re: [gentoo-user] encrypting emails on more than one email account with same keys

2019-05-23 Thread Grant Taylor

On 5/23/19 9:49 PM, mad.scientist.at.la...@tutanota.com wrote:
> I suspect most lawyers would agree that email is just a bad idea
> if confidentiality matters, or the web in general frankly and it's
> getting worse fast.


I find that S/MIME works quite well for me.  It's also largely 
transparent once it's configured.


I also find that in general email's (and Usenet's) store-and-forward 
networking works quite well, even without being able to establish 
end-to-end connections.




Re: [gentoo-user] encrypting emails on more than one email account with same keys

2019-05-23 Thread mad.scientist.at.large
Sorry, obviously I mis-sent that.

"We the People Dare to Create a More Perfect Union" 



May 23, 2019, 9:49 PM by mad.scientist.at.la...@tutanota.com:

> I use Tutanota.com, they allow multiple open sessions, many people can look 
> at/use the same email address if they all have the email addr. and password.  
> I suspect other encrypted mail providers do the same.  However, if it's 
> actually of value I'd use something more secure.  You can always encrypt 
> documents and send them out over any old email, likely far more securely than 
> plaintext sent encrypted via mail server.  They did have a security flaw in 
> the tutanota software months ago and people got into mail boxes, I've since 
> seen a small amount of spam (I usually get none, aggressive pursuit works!) 
> demonstrating again that humans are usually the weakest part of any security 
> system.  So, how much do you trust people you haven't met?   I suspect most 
> lawyers would agree that email is just a bad idea if confidentiality matters, 
> or the web in general frankly and it's getting worse fast.
>
> "We the People Dare to Create a More Perfect Union" 
>
>
>
> May 23, 2019, 9:39 PM by gtay...@gentoo.tnetconsulting.net:
>
>> On 5/23/19 1:11 PM, Dale wrote:
>>
>>> I have to deal with a State entity for some communications and they do that 
>>> send a link thing to go to a Cisco site to get/send emails. I guess it is 
>>> somewhat better than just plain open email but as you point out, if they 
>>> have the email with the link, they do the same as the intended recipient 
>>> and get the encrypted email too.
>>>
>>
>> Some of these types of sites, most that I've used, configure something out 
>> of band, usually a password, such that you have to have that to get logged 
>> in to see the message(s) in the future.
>>
>> I know that my insurance, my bank, and my CC company do this.  Just having 
>> the link is not sufficient to be able to read the "secure" message.
>>




Re: [gentoo-user] encrypting emails on more than one email account with same keys

2019-05-23 Thread mad.scientist.at.large
I use Tutanota.com, they allow multiple open sessions, many people can look 
at/use the same email address if they all have the email addr. and password.  I 
suspect other encrypted mail providers do the same.  However, if it's actually 
of value I'd use something more secure.  You can always encrypt documents and 
send them out over any old email, likely far more securely than plaintext sent 
encrypted via mail server.  They did have a security flaw in the tutanota 
software months ago and people got into mail boxes, I've since seen a small 
amount of spam (I usually get none, aggressive pursuit works!) demonstrating 
again that humans are usually the weakest part of any security system.  So, how 
much do you trust people you haven't met?   I suspect most lawyers would agree 
that email is just a bad idea if confidentiality matters, or the web in general 
frankly and it's getting worse fast.

"We the People Dare to Create a More Perfect Union" 



May 23, 2019, 9:39 PM by gtay...@gentoo.tnetconsulting.net:

> On 5/23/19 1:11 PM, Dale wrote:
>
>> I have to deal with a State entity for some communications and they do that 
>> send a link thing to go to a Cisco site to get/send emails. I guess it is 
>> somewhat better than just plain open email but as you point out, if they 
>> have the email with the link, they do the same as the intended recipient and 
>> get the encrypted email too.
>>
>
> Some of these types of sites, most that I've used, configure something out of 
> band, usually a password, such that you have to have that to get logged in to 
> see the message(s) in the future.
>
> I know that my insurance, my bank, and my CC company do this.  Just having 
> the link is not sufficient to be able to read the "secure" message.
>




Re: [gentoo-user] encrypting emails on more than one email account with same keys

2019-05-23 Thread Grant Taylor

On 5/23/19 1:11 PM, Dale wrote:
> I have to deal with a State entity for some communications and they
> do that send a link thing to go to a Cisco site to get/send emails.
> I guess it is somewhat better than just plain open email but as you
> point out, if they have the email with the link, they do the same as
> the intended recipient and get the encrypted email too.


Some of these types of sites, most that I've used, configure something 
out of band, usually a password, such that you have to have that to get 
logged in to see the message(s) in the future.


I know that my insurance, my bank, and my CC company do this.  Just 
having the link is not sufficient to be able to read the "secure" message.




Re: [gentoo-user] encrypting emails on more than one email account with same keys

2019-05-23 Thread Grant Taylor

Re-sending because this didn't show up in the mailing list.

On 5/23/19 9:40 AM, Dale wrote:
> Howdy,

Hi,

> I'm trying to get some legal work done.  I'm trying to do this over email
> with a lawyer.  For obvious reasons, I want to do this encrypted but
> suspect they are not set up for this.  They have two email accounts that I
> know of.  Is it possible to have one set of keys and one password to work
> on two different email accounts with two different addresses?  Example,
> one account is g...@hisisp.com and his paralegal helper is a...@hisisp.com.
> They are both on the same server and it is a private server, not yahoo,
> gmail or something.


I don't know of any email based encryption techniques that support this.
S/MIME can encrypt messages to both recipients if you have
certificates for them.  I think PGP can do the same.  But both
techniques use discrete certificates / key pairs per party.


If you trust their server, and your server, you might be able to get by 
without dealing with encryption in the email and instead relying on 
encryption between the servers.  -  There are some more nuances to this, 
but it can be made to work.




--
Grant. . . .
unix || die





Re: [gentoo-user] encrypting emails on more than one email account with same keys

2019-05-23 Thread Dale
Rich Freeman wrote:
> On Thu, May 23, 2019 at 12:49 PM Mick  wrote:
>> On Thursday, 23 May 2019 16:40:23 BST Dale wrote:
>>> Howdy,
>>>
>>> I'm trying to get some legal work done.  I'm trying to do this over
>>> email with a lawyer.  For obvious reasons, I want to do this encrypted
>>> but suspect they are not set up for this.
>> Have you asked them?  If they have some setup they use to ensure client
>> confidentiality and data privacy, you'd be much better off to jump onto their
>> system, rather than trying to negotiate the configuration of PGP and S/MIME
>> with legal staff who may have zero technical capability and poor/uncooperative
>> IT support.
> ++
>
> From what I've seen these sorts of systems are usually just security
> theater, such as emailing you a link to go to an SSL website to view
> the "secure" message, never mind that somebody else could do the same
> thing if they intercepted your email.  But, it probably satisfies some
> box-checker because the actual message is transmitted over SSL.
>
> I think this is probably the best you're going to do if you're not
> communicating with people who get crypto, which is just about
> everybody.
>
> Otherwise the rest of the email already covered some of the details.
> You can just add multiple identities to a single GPG key or x509
> certificate, but if they aren't already using PKI/etc that seems like
> a huge uphill battle.
>
> I think a corporate environment is much more likely to be using
> S/MIME/etc than GPG.  When I've seen these there is usually a central
> CA that has some way to systematically assign certificates to
> employees.  Often this is only done on request.
>
> Law firms are also notoriously bad at IT from what I've seen.  I know
> a lawyer or two and many of these firms just let every partner do
> things their own way, and their individual staff follow the partner's
> lead.  They're as bad as doctors, especially since the whole EMR thing
> hasn't hit lawyers in the same way.
>


Well, I got a reply.  They are not set up for encryption and don't seem
to be interested in it either. There are only two of them, that I know
of.  It's a small town lawyer but I like the guy.  Rare for me to like a
lawyer.  lol  What I was hoping is to have two email addresses, one for
each, but a single password.  I couldn't find anything that showed that
as doable so I thought I'd ask, out of curiosity if nothing else. 

I have to deal with a State entity for some communications and they do
that send a link thing to go to a Cisco site to get/send emails.  I
guess it is somewhat better than just plain open email but as you point
out, if they have the email with the link, they do the same as the
intended recipient and get the encrypted email too.

They are building a new cell phone tower but have not turned it on yet. 
They're working on it tho.  I'm hoping I'm not so close that I can't get a
signal from it, umbrella effect I think it is called.  Anyway, the best
way to get me is email.  Most of the time my cell has no signal.  For
that reason, I wish Lawyers, Doctors and some others would use some sort
of secure messaging system so that I can do things without being snooped
on.  Sadly, other than the State entity mentioned above, no one else
does this.  To be honest, the only reason I set up encryption is that I
have one friend who wants to do it that way and won't send emails unless
they are.  It doesn't matter what is in it either.  Since I have it tho,
I wish more would use it.  There are times when I need to do things or
even send attachments that I wouldn't want everyone seeing.  I'm not
sure why people who deal with sensitive info won't get some secure way
of emailing.  It's weird to me. 

At least I have my answer and learned a few other things as well. 

Thanks to all. 

Dale

:-)  :-) 



Re: [gentoo-user] encrypting emails on more than one email account with same keys

2019-05-23 Thread Rich Freeman
On Thu, May 23, 2019 at 12:49 PM Mick  wrote:
>
> On Thursday, 23 May 2019 16:40:23 BST Dale wrote:
> > Howdy,
> >
> > I'm trying to get some legal work done.  I'm trying to do this over
> > email with a lawyer.  For obvious reasons, I want to do this encrypted
> > but suspect they are not set up for this.
>
> Have you asked them?  If they have some setup they use to ensure client
> confidentiality and data privacy, you'd be much better off to jump onto their
> system, rather than trying to negotiate the configuration of PGP and S/MIME
> with legal staff who may have zero technical capability and poor/uncooperative
> IT support.

++

From what I've seen these sorts of systems are usually just security
theater, such as emailing you a link to go to an SSL website to view
the "secure" message, never mind that somebody else could do the same
thing if they intercepted your email.  But, it probably satisfies some
box-checker because the actual message is transmitted over SSL.

I think this is probably the best you're going to do if you're not
communicating with people who get crypto, which is just about
everybody.

Otherwise the rest of the email already covered some of the details.
You can just add multiple identities to a single GPG key or x509
certificate, but if they aren't already using PKI/etc that seems like
a huge uphill battle.

I think a corporate environment is much more likely to be using
S/MIME/etc than GPG.  When I've seen these there is usually a central
CA that has some way to systematically assign certificates to
employees.  Often this is only done on request.

Law firms are also notoriously bad at IT from what I've seen.  I know
a lawyer or two and many of these firms just let every partner do
things their own way, and their individual staff follow the partner's
lead.  They're as bad as doctors, especially since the whole EMR thing
hasn't hit lawyers in the same way.

-- 
Rich
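
The two options raised in this thread, side by side, as an added example that is not part of any message here: one GPG key pair carrying both identities, versus one key pair per person with the message encrypted to both. It assumes GnuPG 2.2 or later; the example.org addresses and the throwaway, unprotected keys are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Addresses are constructed (example.org);
# keys are throwaway, unprotected, and live in a temporary keyring.
set -eu

new_keyring() {   # fresh GNUPGHOME so the real keyring is never touched
  GNUPGHOME=$(mktemp -d); export GNUPGHOME; chmod 700 "$GNUPGHOME"
}

gen_key() {       # $1 = user ID; default algorithm plus an encryption subkey
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$1" default default never
}

encrypt_and_count() {   # encrypt to both addresses, then print the number of
  msg="$GNUPGHOME/msg.gpg"   # public-key encrypted session key packets
  echo 'draft contract' | gpg --batch --quiet --trust-model always \
      -r lawyer@example.org -r paralegal@example.org -o "$msg" -e
  n=$(gpg --batch --list-packets "$msg" 2>/dev/null | grep -c '^:pubkey enc packet:')
  gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$GNUPGHOME"
  echo "$n"
}

# One key pair carrying both identities: the lawyer and the paralegal would
# have to hold the same private key, and gpg wraps the session key once.
shared_key_case() {
  new_keyring
  gen_key 'Lawyer <lawyer@example.org>'
  gpg --batch --quiet --quick-add-uid lawyer@example.org \
      'Paralegal <paralegal@example.org>'
  encrypt_and_count
}

# One key pair per person: the session key is wrapped once per recipient,
# so either private key opens the same message.
separate_keys_case() {
  new_keyring
  gen_key 'Lawyer <lawyer@example.org>'
  gen_key 'Paralegal <paralegal@example.org>'
  encrypt_and_count
}

if command -v gpg >/dev/null 2>&1; then
  echo "shared key:    $(shared_key_case) session-key packet(s)"
  echo "separate keys: $(separate_keys_case) session-key packet(s)"
else
  echo "gpg (GnuPG 2.2 or later) is required" >&2
fi
```

With a shared key, anyone who obtains that one private key reads mail for both addresses and revoking it affects both people; with separate keys, each key can be revoked or replaced independently.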



Re: [gentoo-user] encrypting emails on more than one email account with same keys

2019-05-23 Thread Mick
On Thursday, 23 May 2019 16:40:23 BST Dale wrote:
> Howdy,
> 
> I'm trying to get some legal work done.  I'm trying to do this over
> email with a lawyer.  For obvious reasons, I want to do this encrypted
> but suspect they are not set up for this.  

Have you asked them?  If they have some setup they use to ensure client 
confidentiality and data privacy, you'd be much better off to jump onto their 
system, rather than trying to negotiate the configuration of PGP and S/MIME 
with legal staff who may have zero technical capability and poor/uncooperative 
IT support.


> They have two email accounts
> that I know of.  Is it possible to have one set of keys and one password
> to work on two different email accounts with two different addresses? 
> Example, one account is g...@hisisp.com and his paralegal helper is
> a...@hisisp.com.  They are both on the same server and it is a private
> server, not yahoo, gmail or something. 
> 
> I tried to google this but didn't see anything that answers this, which
> makes me think this can't be done or isn't a good thing to do.
> 
> Thanks much. 
> 
> Dale
> 
> :-)  :-) 


GnuPG can be configured with various subkeys.  So, one gpg master key can have 
multiple subkeys, each with different email addresses and different or the 
same passwords.  However, why would you need the same key for two different 
email recipients?

You may want to clarify what it is you intend to encrypt?  Email content?  
Documents?  Both?

You could encrypt email messages with gpg or S/MIME which uses TLS 
certificates - neither are easy unless the recipients are technically clued 
up.

You could encrypt word documents with TLS certificates - MSWord and 
LibreOffice can work with those, but the certificate will need to be imported 
and accepted as 'trusted' in the OS certificate manager, unless it has been 
issued by one of the expensive CAs which are included in the MSWindows OS (I 
am assuming they are using MSWindows).  Adobe reader is more difficult with 
TLS certificates.  From what I recall it wants one of its own associated (and 
expensive) CAs to be used, or it will refuse to work.  There are other PDF 
readers, but I don't know how receptive they are to free or self-signed TLS 
certificates.

You could also use a zip application with a pre-shared password - 7zip is 
free, easy to use and will work with strong encryption, assuming the lawyers 
can install it on their systems. 

Rather than trying to navigate the complexity of setting up gpg or S/MIME 
certificates, configuring email clients, individual OS' certificate managers, 
training lawyers to use them and hoping they will not at some point click the 
send button while forgetting to encrypt the message, it may be much simpler to 
use 7zip for documents sent in unencrypted email.

Alternatively, if you/they have access to a file server you could set up a 
secure area for uploading/downloading documents to/from, rather than pinging 
messages over various email servers.  A server at your home address would be 
best, as you could lock it down to only accept connections from specific IP 
addresses and user accounts, which you will set up and control yourself.

-- 
Regards,
Mick
