So you think that viruses are going to know how to find and decrypt
the passwords of all email programs?

Any data that must be decrypted without user intervention can be
accessed in its unencrypted form without user intervention. If user
intervention is required for decryption, well, you pretty much just
have to be there when it happens. These are fundamental rules. A virus
needs no decryption feature per se.

A sniffer can readily isolate plain-text passwords as they go over the
wire. Alternately, yep, specific memory inspection routines could be
built for all email programs that are likely to be found on
compromised machines -- all, what, 3 or 4 of them -- regardless of
what happens on the wire. This part is child's play for a hacker,
relative to the harder part of finding new attack vectors for those
boxes that are lucky enough to get disinfected and patched.

Marc, I have some respect for your optimism, a rare trait in a place
where others have (themselves well-earned) chips on their shoulders
from pushing back a surging, inarguably criminal element from their
networks all day. I also think that the accusations that you're an
agent of some government, enterprise, NGO, etc., are ludicrous based
on the fundamental naïveté of your proposal (like the fact that you
suggested an enhancement which was already BTDT 8 years ago -- not
going to get you a lot of followers on such a technical list). Yet: I
concur that you don't have anywhere near sufficient knowledge of
current, let alone historical, technologies for mail sending and
retrieval to be suggesting... well, to be suggesting any enhancements
or improvements at all.

Look, it's okay to admit that you have to go back to school on those
subjects. From your bio, you have grounding in other technical areas
that many people here do not. I didn't know much about mail until 1999
or so, and that was after supporting mail systems (along with other
systems I actually understood) for, like, 6 years! But I also kept my
mouth shut until 1999. Because of that experience, I find myself
agreeing with the overall reaction of, in essence: Kill me now, if
his proposal is going to be disseminated by any entity who doesn't
have enough techies on staff to shoot it down.

Please, for the good of the world, take a couple of months to study
before your next proposal.

Warmly--
--Sandy