Re: Necessity of GPG when using SSL
On Fri, Feb 24, 2006 at 06:06:17AM -0500, Henry Hertz Hobbit wrote:
> Benjamin Esham [EMAIL PROTECTED] wrote:
>> On Feb 22, 2006, at 6:22 AM, Janusz A. Urbanowicz wrote:
>>> And there is really no point in encrypting the whole access since the contents, the emails usually travel the rest of the net unencrypted.
>> But wouldn't it be much easier for an attacker to intercept all of your e-mail by listening in on an unencrypted webmail session than by trying to intercept each e-mail individually somewhere else? I think there certainly is a benefit to having SSL-encrypted webmail for exactly that reason: less determined attackers will not have access to the plaintext of the messages. (Although granted, it would be kind of foolish to depend upon SSL webmail if the messages are sent in plain text.)
> Last then first. Generally, it is very difficult to intercept email in transit.

No, it is not. You only need to get an intercept warrant against the uplink provider.

> How do you say this packet from WAN IP address 92.23.4.107 is Bob's and not Bill's when up to 100 people share that WAN IP address?

There are commercial products to do so. It costs money, but most of the telcos have deployed them to comply with law regulations.

> Where your email is most easily compromised is on the mail server. There it sits until you start to pull it down. SSL isn't even a factor. All SSL does is secure the transmission, not the data at the end points.

So?

> In fact, a hacker can pull down your email using SSL to cover their tracks - and that is usually exactly what they do. It is usually pretty easily done too, since ALL of the messages are usually in just one file. They just have to suck down that one file and now they have ALL of your messages. Now, if the email on the server is in plain-text, how secure is that? On the other hand, if it is encrypted with some OpenPGP package like GnuPG with strong encryption, how secure is that? Pretty darn secure.

Against what? Put the recipient in Guantanamo or equivalent and s/he will divulge all his passwords. And it is all legal. We have a war going, after all.

> So, I repeat - SSL is not good enough unless all of your messages don't convey financial information or anything else important.

95% of the web commerce doesn't agree with that statement (the other 5% doesn't use crypto at all).

> If they are important, use GnuPG or other strong end-point encryption and the only thing you have to watch for now are those pesky key loggers. But even then if they get your passphrase, they still need your keyring, but if they have a keylogger working for them, then they probably have all your GnuPG DB files.

Again, you haven't defined the attacker, the threat model, or anything; you just put some out-of-context statements to support your "four legs good, two legs bad" slogan. It is impossible to answer the question asked in the subject of the thread without defining the type of threat and the resources of the attacker you want to protect against. This was not done even in the form "will my email be secure against the big evil government?" or "will my email be secure against my brother's snooping?", so the question of SSL/OpenPGP cannot be answered.

A.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
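The point made in this exchange, that the mailbox on the server is the easy target because every message sits in one file and is plaintext unless the sender used OpenPGP, can be measured rather than argued. What follows is an added example, not code from this thread or from GnuPG: a small Python audit that splits an mbox file into messages and classifies each as PGP/MIME (RFC 3156 multipart/encrypted), inline ASCII-armored, or plaintext, so a mailbox owner can see how much of what rests on the server is actually protected end to end. The sample mailbox, its addresses and subjects are constructed, and the armored bodies are base64 placeholders rather than real ciphertext.

```python
"""Audit an mbox for OpenPGP end-to-end protection versus plaintext at rest.

Added example; not code from the thread or from GnuPG. Everything in
SAMPLE_MBOX (addresses, subjects, armored bodies) is constructed.
"""
import email
import re
from email import policy

PGP_ARMOR_HEADER = "-----BEGIN PGP MESSAGE-----"

# Constructed sample mailbox: a PGP/MIME message (RFC 3156), an inline
# ASCII-armored message, and a plaintext message. The armored bodies are
# base64 placeholders, not real ciphertext.
SAMPLE_MBOX = """\
From alice@example.invalid Mon Feb 20 10:00:00 2006
From: alice@example.invalid
To: bob@example.invalid
Subject: Q1 numbers
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

cGxhY2Vob2xkZXIgY2lwaGVydGV4dA==
-----END PGP MESSAGE-----

--b1--

From carol@example.invalid Mon Feb 20 11:00:00 2006
From: carol@example.invalid
To: bob@example.invalid
Subject: Re: Q1 numbers
Content-Type: text/plain

-----BEGIN PGP MESSAGE-----

cGxhY2Vob2xkZXIgY2lwaGVydGV4dA==
-----END PGP MESSAGE-----

From dave@example.invalid Mon Feb 20 12:00:00 2006
From: dave@example.invalid
To: bob@example.invalid
Subject: wire transfer details
Content-Type: text/plain

Account 12345678, routing 000000000, send the payment today.
"""


def split_mbox(text):
    """Split mbox text into raw messages on the 'From ' separator lines."""
    chunks = re.split(r"^From .*\n", text, flags=re.MULTILINE)
    return [c for c in chunks if c.strip()]


def classify(msg):
    """Return 'pgp-mime', 'pgp-inline' or 'plaintext' for one parsed message."""
    if (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted"):
        return "pgp-mime"
    # Inline OpenPGP: the text body itself is an armored PGP MESSAGE block.
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            if part.get_content().lstrip().startswith(PGP_ARMOR_HEADER):
                return "pgp-inline"
    return "plaintext"


def audit_mbox(text):
    """Count messages per class and list the subjects readable in plaintext."""
    counts = {"pgp-mime": 0, "pgp-inline": 0, "plaintext": 0}
    exposed = []
    for raw in split_mbox(text):
        msg = email.message_from_string(raw, policy=policy.default)
        kind = classify(msg)
        counts[kind] += 1
        if kind == "plaintext":
            exposed.append(str(msg["Subject"]))
    return counts, exposed


if __name__ == "__main__":
    totals, readable = audit_mbox(SAMPLE_MBOX)
    print(totals)
    print("readable at rest:", readable)
```

Only the Content-Type structure and the armor header are inspected; nothing is decrypted, so the script can be run against a real mbox copy without any key material.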
Re: Necessity of GPG when using SSL
On Wed, Feb 22, 2006 at 10:38:19AM -0500, Benjamin Esham wrote:
> On Feb 22, 2006, at 6:22 AM, Janusz A. Urbanowicz wrote:
>> And there is really no point in encrypting the whole access since the contents, the emails usually travel the rest of the net unencrypted.
> But wouldn't it be much easier for an attacker to intercept all of your e-mail by listening in on an unencrypted webmail session than by trying to intercept each e-mail individually somewhere else? I think there certainly is a benefit to having SSL-encrypted webmail for exactly that reason: less determined attackers will not have access to the plaintext of the messages. (Although granted, it would be kind of foolish to depend upon SSL webmail if the messages are sent in plain text.)

Answering this question is impossible without actually describing the attacker's powers (defining a formal threat model). Clarify your question and ask again; now the answer is: Mu.

A.
Re: Necessity of GPG when using SSL
On Tue, Feb 21, 2006 at 07:52:26AM -0500, Henry Hertz Hobbit wrote:
> Johan Wevers wrote:
>> Henry Hertz Hobbit wrote:
>>> Usually, if you are using a web interface to access your email, only the initial authentication is done via SSL. After that, if your URL address shifts to using an http:// rather than the https:// you made your initial connection with, it means that your communication just shifted from SSL (weak encryption) to NO encryption. That is the norm.
>> Strange, I've never seen that happen. All webmail from Dutch providers that I've accessed (my own and some for people with problems where I accessed the mail to dump mails with large attachments that took too long to download) were https all the way.
> Thanks for the information. The reason I said what I said is because Netscape, Yahoo, gmail (the email account the original person was posting from) almost all do a shift from https:// to http:// after the connection is made. The only ones I have seen that continue using the SSL are small ISPs and only one of the local universities here. But then I have only seen three of the universities, and actually even the one that was using SSL all the time shifted after I showed an acquaintance how to make the connection that way and he spread the information to everybody he knew who spread it to Once that was done, even that school shifted to doing it with SSL for connection only. I realize that SSL doesn't have the overhead of more powerful encryption like that provided by OpenPGP, but it is still enough of an overhead that once the load of SSL all the time becomes noticeable to the ISP (or whoever), they feel that the authentication alone should be using SSL and they make the shift to using plain the rest of the time. In other words, consider yourself lucky IF you are getting SSL all the time if you need it all the time.
> On the other hand if you don't need SSL all the time there MAY be the possibility those long download times are partly being caused by the overhead of SSL encryption taking place on the server.
[...]

SSL/TLS is not "much more powerful" encryption, it is a connection level encryption. As for service providers using SSL to protect only the most sensitive data - computationally SSL on multiple connections is "heavy" and supporting it continuously is expensive (specialized "SSL Accelerators" cost tens of thousands of dollars). And there is really no point in encrypting the whole access since the contents, the emails usually travel the rest of the net unencrypted.

Alex
Re: Necessity of GPG when using SSL
On Feb 22, 2006, at 6:22 AM, Janusz A. Urbanowicz wrote:
> And there is really no point in encrypting the whole access since the contents, the emails usually travel the rest of the net unencrypted.

But wouldn't it be much easier for an attacker to intercept all of your e-mail by listening in on an unencrypted webmail session than by trying to intercept each e-mail individually somewhere else? I think there certainly is a benefit to having SSL-encrypted webmail for exactly that reason: less determined attackers will not have access to the plaintext of the messages. (Although granted, it would be kind of foolish to depend upon SSL webmail if the messages are sent in plain text.)

-- 
Benjamin D. Esham
[EMAIL PROTECTED] | http://bdesham.net | AIM: bdesham128
Wikipedia, the Free Encyclopedia • http://en.wikipedia.org
Re: Necessity of GPG when using SSL
Hello,

I switched a few years ago to fastmail.fm for several reasons:
- https + advanced protections when accessing from a public terminal (including URL pseudo-scrambling)
- IMAP with SSL
- Text and only text for the webmail interface (no pop-up ads and no graphics), just plain speed
- WebDAV (I don't use it)
- IMAP access on non-standard ports like 80 and 443 so you can go through some difficult firewalls

I usually don't promote commercial products but as they offer a free plan as well I thought it might help some people.

Dany

PS: before writing this email I quickly started Ethereal and used the webmail in order to check that the connection was SSL protected even after login.

Henry Hertz Hobbit wrote:
> Johan Wevers wrote:
>> Henry Hertz Hobbit wrote:
>>> Usually, if you are using a web interface to access your email, only the initial authentication is done via SSL. After that, if your URL address shifts to using an http:// rather than the https:// you made your initial connection with, it means that your communication just shifted from SSL (weak encryption) to NO encryption. That is the norm.
>> Strange, I've never seen that happen. All webmail from Dutch providers that I've accessed (my own and some for people with problems where I accessed the mail to dump mails with large attachments that took too long to download) were https all the way.
> Thanks for the information. The reason I said what I said is because Netscape, Yahoo, gmail (the email account the original person was posting from) almost all do a shift from https:// to http:// after the connection is made. The only ones I have seen that continue using the SSL are small ISPs and only one of the local universities here.
> But then I have only seen three of the universities, and actually even the one that was using SSL all the time shifted after I showed an acquaintance how to make the connection that way and he spread the information to everybody he knew who spread it to Once that was done, even that school shifted to doing it with SSL for connection only. I realize that SSL doesn't have the overhead of more powerful encryption like that provided by OpenPGP, but it is still enough of an overhead that once the load of SSL all the time becomes noticeable to the ISP (or whoever), they feel that the authentication alone should be using SSL and they make the shift to using plain the rest of the time. In other words, consider yourself lucky IF you are getting SSL all the time if you need it all the time. On the other hand if you don't need SSL all the time there MAY be the possibility those long download times are partly being caused by the overhead of SSL encryption taking place on the server.
> Do you need encryption all the time or not? My advice still remains the same - OpenPGP is still the best choice for the scenario presented, IF I indeed understood all the parameters. It puts the control of when to use it in your hands. It just depends on what is being transported. I could care less whether all that spam is encrypted or not. I also don't want all the redirected email on my comcast account (also spam, but with the worms removed) encrypted during transmission. The faster I get rid of it the better. Not having the transmission of it helps me get rid of it as fast as possible!
> HHH
Re: Necessity of GPG when using SSL
Johan Wevers wrote:
> Henry Hertz Hobbit wrote:
>> Usually, if you are using a web interface to access your email, only the initial authentication is done via SSL. After that, if your URL address shifts to using an http:// rather than the https:// you made your initial connection with, it means that your communication just shifted from SSL (weak encryption) to NO encryption. That is the norm.
> Strange, I've never seen that happen. All webmail from Dutch providers that I've accessed (my own and some for people with problems where I accessed the mail to dump mails with large attachments that took too long to download) were https all the way.

Thanks for the information. The reason I said what I said is because Netscape, Yahoo, gmail (the email account the original person was posting from) almost all do a shift from https:// to http:// after the connection is made. The only ones I have seen that continue using the SSL are small ISPs and only one of the local universities here. But then I have only seen three of the universities, and actually even the one that was using SSL all the time shifted after I showed an acquaintance how to make the connection that way and he spread the information to everybody he knew who spread it to Once that was done, even that school shifted to doing it with SSL for connection only. I realize that SSL doesn't have the overhead of more powerful encryption like that provided by OpenPGP, but it is still enough of an overhead that once the load of SSL all the time becomes noticeable to the ISP (or whoever), they feel that the authentication alone should be using SSL and they make the shift to using plain the rest of the time. In other words, consider yourself lucky IF you are getting SSL all the time if you need it all the time. On the other hand if you don't need SSL all the time there MAY be the possibility those long download times are partly being caused by the overhead of SSL encryption taking place on the server.

Do you need encryption all the time or not? My advice still remains the same - OpenPGP is still the best choice for the scenario presented, IF I indeed understood all the parameters. It puts the control of when to use it in your hands. It just depends on what is being transported. I could care less whether all that spam is encrypted or not. I also don't want all the redirected email on my comcast account (also spam, but with the worms removed) encrypted during transmission. The faster I get rid of it the better. Not having the transmission of it helps me get rid of it as fast as possible!

HHH
Re: Necessity of GPG when using SSL
If you use Firefox, download the CustomizeGoogle extension and you can select "Secure https mode for all gmail traffic" and "Remove ads and related pages".

Chris

On 2/20/06, lusfert [EMAIL PROTECTED] wrote:
> Benjamin Esham wrote on 20.02.2006 7:50:
>> John Clizbe wrote:
>>> Earthlink and Google's GMail use https on their signin page then switch over to http once authenticated
>> I saw a neat trick somewhere online... if you use https://mail.google.com as your login page for Gmail, the entire session is encrypted. I haven't used the normal method since I learned how to do this. I hope someone finds this helpful! :-)
> This is even included in Gmail help and recommended by Google: https://mail.google.com/support/bin/answer.py?answer=8155
> I don't understand why it isn't enabled by default. For example, at https://www.safe-mail.net/ you can use the web interface only via https://
> --
> Regards
> OpenPGP Key ID: 0x9E353B56500B8987
> Encrypted e-mail preferred.
Re: Necessity of GPG when using SSL
Henry Hertz Hobbit wrote:
> Usually, if you are using a web interface to access your email, only the initial authentication is done via SSL. After that, if your URL address shifts to using an http:// rather than the https:// you made your initial connection with, it means that your communication just shifted from SSL (weak encryption) to NO encryption. That is the norm.

Strange, I've never seen that happen. All webmail from Dutch providers that I've accessed (my own and some for people with problems where I accessed the mail to dump mails with large attachments that took too long to download) were https all the way.

-- 
ir. J.C.A. Wevers // Physics and science fiction site:
[EMAIL PROTECTED] // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
Re: Necessity of GPG when using SSL
Johan Wevers wrote:
> Henry Hertz Hobbit wrote:
>> Usually, if you are using a web interface to access your email, only the initial authentication is done via SSL. After that, if your URL address shifts to using an http:// rather than the https:// you made your initial connection with, it means that your communication just shifted from SSL (weak encryption) to NO encryption. That is the norm.
> Strange, I've never seen that happen. All webmail from Dutch providers that I've accessed (my own and some for people with problems where I accessed the mail to dump mails with large attachments that took too long to download) were https all the way.

Of three major US providers I have experience with:

Earthlink and Google's GMail use https on their signin page then switch over to http once authenticated.

Comcast starts with an HTTP page, posts the info to an https URL to set a cookie, then returns to http. Not a very good implementation.

-- 
John P. Clizbe                      Inet: JPClizbe(a)comcast DOT nyet
Golden Bear Networks                PGP/GPG KeyID: 0x608D2A10
"Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, Oh the Places You'll Go
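Both the check Dany describes earlier in the thread (watching with Ethereal whether the session stays on SSL after login) and the sign-in flows John lists here reduce to a few rules over a captured request/response sequence. The following is an added example and not code from this thread: a Python session audit that flags an https-to-http redirect, any plaintext request made after an https exchange, and a session cookie set over https without the Secure attribute that a later plaintext request to the same host would carry in the clear (the Comcast pattern of setting the cookie on https and returning to http). The two captured sessions are constructed to mirror the flows described in the thread; the host mail.example.invalid, the paths and the cookie name SID are placeholders.

```python
"""Audit a captured webmail session for post-login downgrade to plaintext.

Added example; not code from the thread. The two sessions below are
constructed captures: each exchange is (request URL, status, headers),
with headers as (name, value) pairs because Set-Cookie may repeat.
"""
from urllib.parse import urlparse

# Constructed: https sign-in, cookie set without Secure, redirect to http.
SIGNIN_THEN_HTTP = [
    ("https://mail.example.invalid/login", 200, []),
    ("https://mail.example.invalid/login", 302, [
        ("Set-Cookie", "SID=abc123; Path=/; HttpOnly"),
        ("Location", "http://mail.example.invalid/inbox"),
    ]),
    ("http://mail.example.invalid/inbox", 200, []),
]

# Constructed: the same flow done properly, https throughout and Secure set.
ALWAYS_HTTPS = [
    ("https://mail.example.invalid/login", 200, []),
    ("https://mail.example.invalid/login", 302, [
        ("Set-Cookie", "SID=abc123; Path=/; Secure; HttpOnly"),
        ("Location", "https://mail.example.invalid/inbox"),
    ]),
    ("https://mail.example.invalid/inbox", 200, []),
]


def cookie_attrs(set_cookie):
    """Return (cookie name, set of lower-cased attribute names) for a Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return name, attrs


def audit_session(exchanges):
    """Walk the exchanges in order and collect findings as strings."""
    findings = []
    seen_https = False
    cookies = {}  # cookie name -> (host it was set on, has Secure attribute)
    for url, status, headers in exchanges:
        u = urlparse(url)
        if u.scheme == "https":
            seen_https = True
        elif seen_https:
            findings.append(f"downgrade: {url} requested over plaintext after an https exchange")
            # The browser attaches every non-Secure cookie for this host to a
            # plaintext request, so an earlier https-only login buys nothing.
            for name, (host, secure) in cookies.items():
                if host == u.hostname and not secure:
                    findings.append(f"cookie {name} (set over https) exposed on {url}")
        for hname, hval in headers:
            if hname.lower() == "set-cookie":
                name, attrs = cookie_attrs(hval)
                cookies[name] = (u.hostname, "secure" in attrs)
                if u.scheme == "https" and "secure" not in attrs:
                    findings.append(f"cookie {name} set over https without Secure attribute")
            elif hname.lower() == "location" and 300 <= status < 400:
                if u.scheme == "https" and urlparse(hval).scheme == "http":
                    findings.append(f"redirect from {url} to plaintext {hval}")
    return findings


if __name__ == "__main__":
    for label, session in (("signin-then-http", SIGNIN_THEN_HTTP), ("always-https", ALWAYS_HTTPS)):
        print(label)
        for finding in audit_session(session) or ["no findings"]:
            print("  ", finding)
```

The input shape is deliberately plain tuples so a capture exported from a packet or browser tool can be fed in after light conversion; the audit itself never touches the network.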
Re: Necessity of GPG when using SSL
John Clizbe wrote:
> Henry Hertz Hobbit wrote:
>> Usually, if you are using a web interface to access your email, only the initial authentication is done via SSL. After that, if your URL address shifts to using an http:// rather than the https:// you made your initial connection with, it means that your communication just shifted from SSL (weak encryption) to NO encryption. That is the norm.
> Of three major US providers I have experience with:
> Earthlink and Google's GMail use https on their signin page then switch over to http once authenticated

I saw a neat trick somewhere online... if you use https://mail.google.com as your login page for Gmail, the entire session is encrypted. I haven't used the normal method since I learned how to do this. I hope someone finds this helpful! :-)

Cheers,

-- 
Benjamin D. Esham
[EMAIL PROTECTED] | http://bdesham.net | AIM: bdesham128
Wikipedia, the Free Encyclopedia • http://en.wikipedia.org
Re: Necessity of GPG when using SSL
Benjamin Esham wrote on 20.02.2006 7:50:
> John Clizbe wrote:
>> Earthlink and Google's GMail use https on their signin page then switch over to http once authenticated
> I saw a neat trick somewhere online... if you use https://mail.google.com as your login page for Gmail, the entire session is encrypted. I haven't used the normal method since I learned how to do this. I hope someone finds this helpful! :-)

This is even included in Gmail help and recommended by Google: https://mail.google.com/support/bin/answer.py?answer=8155

I don't understand why it isn't enabled by default. For example, at https://www.safe-mail.net/ you can use the web interface only via https://

-- 
Regards
OpenPGP Key ID: 0x9E353B56500B8987
Encrypted e-mail preferred.
Re: Necessity of GPG when using SSL
On Tue, Feb 14, 2006 at 10:34:38PM +0100, Jim Berland wrote:
> Hi everybody,
> I understand the use of GPG end-to-end-encryption and use it with a few of my contacts. What I want to make sure is the following. I am going to move to China for some time. My email ISP is located outside China and I connect to it via SSL. So if I am only concerned about the Chinese (whatever the reason; maybe my doubts are unreasonable?) and not about the complete end-to-end-encryption of GPG, the SSL encryption alone will do the job. Is that correct?

You haven't specified your threat model precisely enough; for the vague one you presented the answer is both yes and no. SSL webmail and GPG protect against different things.

Yes - because SSL webmail access is good enough to prevent the operators of the Great Chinese Firewall from snooping into what you do on your mailbox.

No - because SSL protects only against eavesdropping of mailbox access. It doesn't protect your email in transit from server to server (unless all the servers in the way support SMTP/TLS and you trust the operators of the servers). For example, if you write from your SSL webmail to someone in .cn, the contents of the mail can be observed by the operators of said firewall.

Alex