On Mon, Nov 04, 2002 at 12:58:55PM -0500, Trei, Peter wrote:
> Durden's question was whether a snooper on an IPSEC VPN can
> tell (for example) an encrypted email packet from an encrypted
> HTTP request.
>
> The answer is no.
>
> All Eve can tell is the FW1 sent FW2 a packet of a certain size.
>
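The exchange above (and Peter Trei's later remark in this thread that one "might be able to glean some info from packet size, timing, and ordering") can be made concrete. What follows is an added example in Python, my own and not code from the original thread: it models what Eve sees on an IPsec ESP tunnel and shows that the inner packet length and the turn-taking of the session survive encryption. It assumes ESP tunnel mode with AES-CBC (16-byte IV), a 12-byte ICV and a 20-byte outer IPv4 header; the two sessions are constructed, not captured: a chatty SMTP dialog followed by a client-side upload, and one HTTP request followed by a server-side download. Pure-ACK segments and timestamps are left out, timing being a further feature an attacker would use.

```python
"""Traffic analysis of an IPsec ESP tunnel from packet sizes and direction only.

Added example, not taken from the original thread. ESP framing follows RFC 4303
(tunnel mode, AES-CBC with a 16-byte IV, 12-byte ICV); the sessions at the
bottom are constructed, not captured.
"""
from __future__ import annotations

import math

OUTER_IP = 20   # outer IPv4 header added in tunnel mode
SPI_SEQ = 8     # ESP SPI + sequence number (cleartext)
IV = 16         # AES-CBC IV (cleartext)
TRAILER = 2     # pad-length + next-header bytes, inside the encrypted region
ICV = 12        # truncated HMAC-SHA1 integrity check value
BLOCK = 16      # CBC pads the encrypted region to a multiple of the block size


def esp_wire_size(inner_len: int) -> int:
    """Size Eve sees for an inner IP packet of inner_len bytes."""
    encrypted = math.ceil((inner_len + TRAILER) / BLOCK) * BLOCK
    return OUTER_IP + SPI_SEQ + IV + encrypted + ICV


def inner_size_range(wire_len: int) -> tuple[int, int]:
    """Invert esp_wire_size: the inner length lies in one 16-byte bucket."""
    encrypted = wire_len - OUTER_IP - SPI_SEQ - IV - ICV
    return encrypted - TRAILER - (BLOCK - 1), encrypted - TRAILER


# A session is a list of (direction, inner_len); "out" is initiator -> responder.
# Eve only ever sees observe(session).
def observe(session: list[tuple[str, int]]) -> list[tuple[str, int]]:
    return [(direction, esp_wire_size(n)) for direction, n in session]


BULK_WIRE = esp_wire_size(1000)  # anything this big is payload, not protocol chatter


def turns_before_bulk(observed: list[tuple[str, int]]) -> int:
    """Direction changes up to and including the first bulk-sized packet."""
    turns, prev = 0, None
    for direction, size in observed:
        if prev is not None and direction != prev:
            turns += 1
        if size >= BULK_WIRE:
            return turns
        prev = direction
    return turns


def bulk_direction(observed: list[tuple[str, int]]) -> str | None:
    """Which side sends the bulk data, or None if both do (or neither)."""
    sides = {direction for direction, size in observed if size >= BULK_WIRE}
    return sides.pop() if len(sides) == 1 else None


def guess_protocol(observed: list[tuple[str, int]]) -> str:
    """Heuristic: SMTP is a multi-step dialog and then the client uploads;
    HTTP/1.x is one request and then the server downloads."""
    side, turns = bulk_direction(observed), turns_before_bulk(observed)
    if side == "out" and turns >= 4:
        return "smtp-like"
    if side == "in" and turns <= 2:
        return "http-like"
    return "unknown"


# Constructed SMTP submission: banner, EHLO, MAIL, RCPT, DATA, then the message.
SMTP_SESSION = [
    ("in", 84), ("out", 66), ("in", 190), ("out", 76), ("in", 62),
    ("out", 74), ("in", 62), ("out", 46), ("in", 70),
    ("out", 1500), ("out", 1500), ("out", 1500), ("out", 1500),
    ("out", 1500), ("out", 1500), ("out", 640),
    ("in", 70), ("out", 46), ("in", 58),
]
# Constructed HTTP/1.1 fetch: one request, then a ~13 KB response.
HTTP_SESSION = [("out", 420)] + [("in", 1500)] * 8 + [("in", 880)]

if __name__ == "__main__":
    for name, session in (("smtp", SMTP_SESSION), ("http", HTTP_SESSION)):
        seen = observe(session)
        print(name, [s for _, s in seen][:6], "...", guess_protocol(seen))
```

The wire size pins the inner length to one 16-byte bucket, and the turn-taking of the dialog is untouched by encryption. Padding every packet to a fixed size removes the first feature but not the second; only cover traffic sent at a constant rate in both directions hides which side is talking, at the bandwidth cost that implies.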
On Sun, Nov 03, 2002 at 11:23:36AM -0800, Tim May wrote:
> - -- treat text as text, to be sent via whichever mail program one uses,
> or whichever chatroom software (not that encrypted chat rooms are
> likely...but who knows?), or whichever news reader software
http://www.invisible.net is sort o
ar Atlantic Avenue in Brooklyn (heavy Arab community), then all
> sorts
> of spyglasses could pop up.
>
The title of this thread is "What email encryption is actually in use?". I
posted that a lot of intra-company email often goes over encrypted VPNs between
worksites, and that th
since it seems to be the in-thing to do...
"The revolution is right where we want it: out of our control."
(Royal Family and the Poor)
From: "Trei, Peter" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], "'Major Variola (ret)'" <[EMAIL PROTECTED]>
> Major Variola (ret)[SMTP:[EMAIL PROTECTED]]
>
>
> At 10:13 AM 11/4/02 -0500, Tyler Durden wrote:
> >This is an interesting issue...how much information can be gleaned from
>
> >encrypted "payloads"?
>
> Traffic analysis (who, how frequently, temporal patterns)
> Size of payload
>
> Is it pos
At 10:13 AM 11/4/02 -0500, Tyler Durden wrote:
>This is an interesting issue...how much information can be gleaned from
>encrypted "payloads"?
Traffic analysis (who, how frequently, temporal patterns)
Size of payload
Is it possible for a switch or whatever that has
>visibility up to layers 4/5/6
e no
global significance...
From: "Trei, Peter" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], "'Tyler Durden'" <[EMAIL PROTECTED]>
Subject: RE: What email encryption is actually in use?
Date: Mon, 4 Nov 2002 11:00:56 -0500
> --
> From: T
> Tyler Durden[SMTP:[EMAIL PROTECTED]] writes:
>
>
> "Most of the ones I've seen are IPSEC over IPv4. You might be able to glean
> some info from packet size, timing, and ordering, but not much. IPSEC
> takes a plaintext IP packet and treats the whole thing as a data block
> to be encrypted."
>
> S
> --
> From: Tyler Durden[SMTP:[EMAIL PROTECTED]]
> Sent: Monday, November 04, 2002 10:13 AM
> To: [EMAIL PROTECTED]
> Subject: RE: What email encryption is actually in use?
>
> The ever-thought-provoking Peter Trei wrote...
>
> "
at Monday, November 04, 2002 3:13 PM, Tyler Durden
> This is an interesting issue...how much information can be gleaned
> from encrypted "payloads"?
Usually, the VPN is an encrypted tunnel from a specified IP (individual
pc or lan) to another specified IP (the outer marker of the lan, usually
the
Ok, I have a working knowledge of 3.) It may be possible
for hardware that examines large numbers of communiques to pre-determine
that much is of no interest.
From: "Trei, Peter" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], "'Tim May'" <[EMAIL PROTECTED]>
> Tim May[SMTP:[EMAIL PROTECTED]]
>
>
> On Saturday, November 2, 2002, at 08:01 PM, Tyler Durden wrote:
>
> > "Prior to that, the encrypted email I've sent in the past year or so
> > has almost always failed, because of version incompatibilities,"
> >
> > While in Telecom I was auditing optica
at Monday, November 04, 2002 2:28 AM, Tim May <[EMAIL PROTECTED]> was seen
to say:
> Those who need to know, know.
Which of course is a viable model, provided you are only using your key
for private email to "those who need to know"
if you are using it for signatures posted to a mailing list though
On Saturday November 2 2002 11:09, Adam Shostack wrote:
> I'd be interested to hear how often email content is protected by any
> form of crypto, including IPsec, Starttls, ssh delivery, or PGP or
> SMIME. There's probably an interesting paper in going out and
> looking at this.
I use GnuPG to th
-----BEGIN PGP SIGNED MESSAGE-----
If you signed your messages on a regular basis, it would let me know
whether or not you're the same Tim May I've been reading since back
when toad.com was the only server for the list.
If your key was signed by anyone I've dealt with, who I know will
actual
At 12:41 PM 11/02/2002 -0500, Steve Furlong wrote:
The only business environment I've ever worked in which successfully
used encrypted email mandated specific versions of mail client
(Outlook, ecch) and PGP (integrated into Outlook), had a jackbooted
thug to make sure everyone's keyring was up to
On Sun, Nov 03, 2002 at 11:23:36AM -0800, Tim May wrote:
| I think most users, even casual ones, would accept this advice:
|
| "Look, encrypted text is just a rearrangement of text. Compose your
| message in whatever editor or word processor you want, apply the
| encryption directly to that text
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Sunday, November 3, 2002, at 10:29 AM, Steve Furlong wrote:
>
> Agreed. Setup should be pretty simple, but daily use for the unwashed
> masses has to be one-click. And version compatibility problems have
> _got_ to disappear. Actually, PGP's Outl
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Sunday, November 3, 2002, at 09:53 AM, Len Sassaman wrote:
> What's naive is trying to ram such products down the public's
> collective
> throat. Cryptographic solutions are not of "all or nothing" strength. I
> don't know why UI hasn't been the
On Sunday 03 November 2002 12:53, Len Sassaman wrote:
> On Sat, 2 Nov 2002, Tim May wrote:
> > PK crypto has made a lot of things a lot easier, but expecting it
> > all to work with a click of a button is naive. Of course, most of
> > us don't actually have secrets which make protocols and efforts
On Sat, 2 Nov 2002, Tim May wrote:
> PK crypto has made a lot of things a lot easier, but expecting it all
> to work with a click of a button is naive. Of course, most of us don't
> actually have secrets which make protocols and efforts justifiable.
> There's the rub.
I expect it to work with the
FWIW
In the Si biz, it's quite common to encrypt files. I've
seen (albeit lame, and with guessable passwords)
zip encryption and the classic crypt used.
Between engineers, and between lawyers and engineers.
Typically the encrypted info is an attachment to unencrypted
email (often describing its co
On Saturday, November 2, 2002, at 08:01 PM, Tyler Durden wrote:
"Prior to that, the encrypted email I've sent in the past year or so
has almost always failed, because of version incompatibilities,"
While in Telecom I was auditing optical transport gear, and we adopted
the practice of encrypti
ile manager (or
whatever it's called now), so it was easy to do.
From: Steve Furlong <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: What email encryption is actually in use?
Date: Sat, 2 Nov 2002 12:41:55 -0500
On Saturday 02 November 2002 12:09, Adam Shostack wrote:
>
At 09:05 AM 10/01/2002 -0700, Major Variola (ret) wrote:
So yes Alice at ABC.COM sends mail to Bob at XYZ.COM and
the SMTP link is encrypted, so the bored upstream-ISP netops
can't learn anything besides traffic analysis.
But once inside XYZ.COM, many unauthorized folks could
intercept Bob's email
On Saturday 02 November 2002 12:09, Adam Shostack wrote:
> An interesting tidbit in the September Information Security Bulletin
> is the claim from MessageLabs that only .005% of the mail they saw in
> 2002 is encrypted, up from .003% in 2000.
>
> ... Last month, about
> 5% of my email was sent PGP
An interesting tidbit in the September Information Security Bulletin
is the claim from MessageLabs that only .005% of the mail they saw in
2002 is encrypted, up from .003% in 2000. (MessageLabs is an
outsourcing email anti-virus company.)
At this thrilling rate of growth, it will be on the order
at Monday, September 30, 2002 7:52 PM, James A. Donald
<[EMAIL PROTECTED]> was seen to say:
> Is it practical for a particular group, for
> example a corporation or a conspiracy, to whip up its own
> damned root certificate, without buggering around with
> verisign? (Of course fixing Microsoft's
--
James A. Donald:
> > I intended to sign this using Network Associates command
> > line pgp, [6.5.8]only to discover that pgp -sa file
> > produced unintelligible gibberish, that could only be made
> > sense of by pgp, so that no one would be able to read it
> > without first checking my si
Peter wrote [about the benefits of STARTTLS]:
> As opposed to more conventional encryption, where you're
> protecting nothing at any point along the chain, because
> 99.99% of the user base can't/won't use it. In any case most
> email is point-to-point, which means you are protecting the
> enti
at Tuesday, October 01, 2002 3:08 AM, Peter Gutmann
<[EMAIL PROTECTED]> was seen to say:
> For encryption, STARTTLS, which protects more mail than all other
> email encryption technology combined. See
> http://www.cs.auckland.ac.nz/~pgut001/pubs/usenix02_slides.pdf
> (towards the back).
I would di
> There have been episodes of spoofing on this list. If client
> side encryption "just worked", and if what is considerably more
> difficult, checking the signatures "just worked", there would
> be no bother, hence it would be rational to sign
Not "just work" but "opt out" is what you are looking
James A. Donald:
> >> > If we had client side encryption that "just works" we
> >> > would be seeing a few more signed messages on this list,
Major Variola (ret):
> But Ben is not spoofed here! So there is little motivation.
>
> [...]
>
> In the absence of any need, its not rational to bother.
On Fri, Oct 04, 2002 at 01:07:50PM -0700, Major Variola (ret) wrote:
> At 04:45 PM 10/3/02 -0700, James A. Donald wrote:
> >--
> >James A. Donald wrote:
> >> > If we had client side encryption that "just works" we would
> >> > be seeing a few more signed messages on this list,
>
> >Ben Laurie
At 04:45 PM 10/3/02 -0700, James A. Donald wrote:
>--
>James A. Donald wrote:
>> > If we had client side encryption that "just works" we would
>> > be seeing a few more signed messages on this list,
>Ben Laurie wrote:
>> Why would I want to sign a message to this list?
>
>Then all the people
--
James A. Donald wrote:
> > If we had client side encryption that "just works" we would
> > be seeing a few more signed messages on this list, and
> > those that appear, would actually be checked. Send an
> > unnecessarily encrypted message to Tim and he will probably
> > threaten to shoot
James A. Donald wrote:
> --
> Adam Shostack wrote:
>
>>>Whats wrong with PGP sigs is that going on 9 full years
>>>after I generated my first pgp key, my mom still can't use
>>>the stuff.
>>
>
> On 3 Oct 2002 at 17:33, Ben Laurie wrote:
>
>>Mozilla+enigmail+gpg. It just works.
>
>
> If we
On Thu, Oct 03, 2002 at 11:15:02AM -0700, James A. Donald wrote:
>
> On 3 Oct 2002 at 17:33, Ben Laurie wrote:
> > Mozilla+enigmail+gpg. It just works.
>
> If we had client side encryption that "just works" we would be
> seeing a few more signed messages on this list, and those that
> appear, woul
--
Adam Shostack wrote:
> > Whats wrong with PGP sigs is that going on 9 full years
> > after I generated my first pgp key, my mom still can't use
> > the stuff.
On 3 Oct 2002 at 17:33, Ben Laurie wrote:
> Mozilla+enigmail+gpg. It just works.
If we had client side encryption that "just works
Adam Shostack wrote:
> Whats wrong with PGP sigs is that going on 9 full years after I
> generated my first pgp key, my mom still can't use the stuff.
Mozilla+enigmail+gpg. It just works.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to
On Wed, Oct 02, 2002 at 07:45:47PM -0700, James A. Donald wrote:
> --
> On 2 Oct 2002 at 16:19, Adam Shostack wrote:
> > Whats wrong with PGP sigs is that going on 9 full years after
> > I generated my first pgp key, my mom still can't use the
> > stuff.
>
> The fact that your mum cannot use t
"David Howe" <[EMAIL PROTECTED]> writes:
>at Wednesday, October 02, 2002 3:13 AM, Peter Gutmann
><[EMAIL PROTECTED]> was seen to say:
>>As opposed to more conventional encryption, where you're protecting
>>nothing at any point along the chain, because 99.99% of the user base
>>can't/won't use it.
Ben wrote:
> Lucky Green wrote:
> > I also agree that current MTAs' implementations of STARTTLS
> are only a
> > first step. At least in postfix, the only MTA with which I am
> > sufficiently familiar to form an opinion, it appears impossible to
> > require that certs presented by trusted part
On Wed, Oct 02, 2002 at 09:12:47PM +0100, Ben Laurie wrote:
| Adam Shostack wrote:
| >On Wed, Oct 02, 2002 at 04:54:54PM +0100, Ben Laurie wrote:
| >| Lucky Green wrote:
| >| >I also agree that current MTAs' implementations of STARTTLS are only a
| >| >first step. At least in postfix, the only MTA
Adam Shostack wrote:
> On Wed, Oct 02, 2002 at 04:54:54PM +0100, Ben Laurie wrote:
> | Lucky Green wrote:
> | >I also agree that current MTAs' implementations of STARTTLS are only a
> | >first step. At least in postfix, the only MTA with which I am
> | >sufficiently familiar to form an opinion, it
James A. Donald wrote:
>> And PGP tells me "signature not checked, key does not meet
> validity threshold"
What version are you on? CKT never does that - it checks it, and marks the
sig status as good or bad - but obviously marks the key status as invalid
(due to lack of signing) on anyone I don't
On Wed, Oct 02, 2002 at 04:54:54PM +0100, Ben Laurie wrote:
| Lucky Green wrote:
| >I also agree that current MTAs' implementations of STARTTLS are only a
| >first step. At least in postfix, the only MTA with which I am
| >sufficiently familiar to form an opinion, it appears impossible to
| >requi
--On Wednesday, 02 October, 2002 10:54 -0500 Jeremey Barrett
<[EMAIL PROTECTED]> wrote:
> Udhay Shankar N wrote:
>| At 10:04 AM 10/2/02 -0500, Jeremey Barrett wrote:
>|
>|> Amusingly, virtually none of them support STARTTLS on any other protocol.
>|> :) IMAP and POP are almost all supported only
--
> > Once you start using it, it becomes part of the pattern
> > by which other people identify you.
On 2 Oct 2002 at 9:52, David Howe wrote:
> Exactly the intention, yes :) Just for the sake of it (anyone
> who cares will have seen my signature enough times by now) I
> will sign
Lucky Green wrote:
> I also agree that current MTAs' implementations of STARTTLS are only a
> first step. At least in postfix, the only MTA with which I am
> sufficiently familiar to form an opinion, it appears impossible to
> require that certs presented by trusted parties match a particular hash
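The STARTTLS thread above turns on two gaps in opportunistic TLS: Peter Gutmann's point that it protects more mail than anything else is true against a passive eavesdropper, while Lucky Green's complaint that Postfix could not require a particular certificate hash from a trusted peer (later addressed by the `fingerprint` level of `smtp_tls_policy_maps`) is about the active one. An on-path attacker can strip the STARTTLS line from the EHLO reply and watch an opportunistic client fall back to cleartext, and even when TLS is negotiated the client accepts whatever certificate is shown. What follows is an added example in Python, my own and not code from the thread or from any MTA, of a delivery client that closes both gaps for a known peer: it refuses to send unless STARTTLS is offered and the peer's DER certificate has a pinned SHA-256 fingerprint. The EHLO reply is constructed; host, pins and addresses passed to `deliver` are placeholders for a real peer.

```python
"""Fail-closed STARTTLS delivery to a known peer with a pinned certificate.

Added example using only the Python standard library; not code from the
thread or from any MTA. The EHLO reply below is constructed, and host, pins
and addresses given to deliver() must come from the real peer.
"""
from __future__ import annotations

import hashlib
import smtplib
import ssl


class DeliveryRefused(Exception):
    """The session cannot meet policy: leave the message in the queue."""


# --- what an opportunistic client trusts, and what an active attacker changes ---

def offers_starttls(ehlo_reply: bytes) -> bool:
    """True if a raw multi-line EHLO reply advertises the STARTTLS extension."""
    return any(line[:3] == b"250" and line[4:].split()[:1] == [b"STARTTLS"]
               for line in ehlo_reply.splitlines())


def strip_starttls(ehlo_reply: bytes) -> bytes:
    """The downgrade an on-path attacker performs: drop the STARTTLS line and
    repair the '250-' / '250 ' continuation marker so the reply stays valid."""
    keep = [line for line in ehlo_reply.splitlines()
            if not (line[:3] == b"250" and line[4:].split()[:1] == [b"STARTTLS"])]
    keep[-1] = b"250 " + keep[-1][4:]
    return b"\r\n".join(keep) + b"\r\n"


# --- certificate pinning: identity is the fingerprint, not a CA chain ---

def cert_fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 of the DER certificate, what `openssl x509 -sha256 -fingerprint`
    prints but without the colons."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pins: set[str]) -> bool:
    """Accept pins with or without colons, in either case."""
    wanted = {p.lower().replace(":", "") for p in pins}
    return cert_fingerprint(der_cert) in wanted


def pinned_context() -> ssl.SSLContext:
    """Handshake with modern TLS but leave identity to pin_matches(); CA chains
    and hostnames are irrelevant when the exact certificate is pinned."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def deliver(host: str, pins: set[str], sender: str, rcpt: str, msg: bytes,
            port: int = 25) -> None:
    """Send one message or raise DeliveryRefused; never fall back to cleartext."""
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise DeliveryRefused(f"{host} did not offer STARTTLS")
        smtp.starttls(context=pinned_context())
        der = smtp.sock.getpeercert(binary_form=True)
        if der is None or not pin_matches(der, pins):
            raise DeliveryRefused(f"{host} presented an unpinned certificate")
        smtp.ehlo()   # RFC 3207: re-issue EHLO on the now-encrypted channel
        smtp.sendmail(sender, rcpt, msg)


# Constructed EHLO reply, as a server might send it before any tampering.
EHLO_REPLY = (b"250-mail.example.net\r\n250-SIZE 10240000\r\n"
              b"250-8BITMIME\r\n250 STARTTLS\r\n")

if __name__ == "__main__":
    print("server offers STARTTLS:", offers_starttls(EHLO_REPLY))
    print("after on-path strip:   ", offers_starttls(strip_starttls(EHLO_REPLY)))
```

A whole-certificate pin has to be updated whenever the peer renews; pinning the public key instead survives renewals that keep the key. For peers you have not pinned, the right default is the opposite of `pinned_context()`: CA validation with `check_hostname` on, which is what `ssl.create_default_context()` gives you.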
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Udhay Shankar N wrote:
| At 10:04 AM 10/2/02 -0500, Jeremey Barrett wrote:
|
|> Amusingly, virtually none of them support STARTTLS on any other protocol.
|> :) IMAP and POP are almost all supported only on dedicated SSL ports
|> (IMAPS, POP3S). Argh.
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Bill Stewart wrote:
|
| If your organization is an ISP, the risks are letting them
| handle your email at all (especially with currently proposed
| mandatory eavesdropping laws), and STARTTLS provides a
| mechanism for direct delivery that isn't as li
-----BEGIN PGP SIGNED MESSAGE-----
at Tuesday, October 01, 2002 9:04 PM, Petro <[EMAIL PROTECTED]> was
seen
to say:
> Well, it's a start. Every mail server (except mx1 and
> mx2.prserv.net) should use TLS.
It's nice in theory, but in practice look how long it takes the bulk
of the internet
at Wednesday, October 02, 2002 3:13 AM, Peter Gutmann
<[EMAIL PROTECTED]> was seen to say:
> As opposed to more conventional encryption, where you're protecting
> nothing at any point along the chain, because 99.99% of the user base
> can't/won't use it.
That is a different problem. If you assume
At 09:05 AM 10/01/2002 -0700, Major Variola (ret) wrote:
>So yes Alice at ABC.COM sends mail to Bob at XYZ.COM and
>the SMTP link is encrypted, so the bored upstream-ISP netops
>can't learn anything besides traffic analysis.
>But once inside XYZ.COM, many unauthorized folks could
>intercept Bob's
On Tue, Oct 01, 2002 at 01:20:28PM +0100, David Howe wrote:
> at Tuesday, October 01, 2002 3:08 AM, Peter Gutmann
> <[EMAIL PROTECTED]> was seen to say:
> > For encryption, STARTTLS, which protects more mail than all other
> > email encryption technology combined. See
> > http://www.cs.auckland.a
--
James A. Donald:
> > I intended to sign this using Network Associates command
> > line pgp, [6.5.8]only to discover that pgp -sa file
> > produced unintelligible gibberish, that could only be made
> > sense of by pgp, so that no one would be able to read it
> > without first checking my s
The problem Mr. Howe describes is fundamental, folks:
encryption should be end-to-end even when the endpoints
are functionaries in a company. Because not all employees
are equal.
So yes Alice at ABC.COM sends mail to Bob at XYZ.COM and
the SMTP link is encrypted, so the bored upstream-ISP netops
At 11:52 AM 9/30/02 -0700, James A. Donald wrote:
>--
>What email encryption is actually in use?
PGP 5-7 on Win95+, using Eudora 3.05
talks to Mac whatever using 2.6.2
Signing is not generally necessary.
>The chief barrier to use of outlook's email encryption
Out
--
James A. Donald:
> > I intended to sign this using Network Associates command
> > line pgp, [6.5.8]only to discover that pgp -sa file
> > produced unintelligible gibberish, that could only be made
> > sense of by pgp, so that no one would be able to read it
> > without first checking my s
Morlock Elloi wrote...
<<>>
> In other words, those that need crypto are taken care of, and
> in order to gain resources to make sheeple use crypto you
> have to become Them, in which case you don't really want
> sheeple to use crypto in the first place.
Please do not use the derogatory term 's
at Tuesday, October 01, 2002 3:08 AM, Peter Gutmann
<[EMAIL PROTECTED]> was seen to say:
> For encryption, STARTTLS, which protects more mail than all other
> email encryption technology combined. See
> http://www.cs.auckland.ac.nz/~pgut001/pubs/usenix02_slides.pdf
> (towards the back).
I would d
at Monday, September 30, 2002 7:52 PM, James A. Donald
<[EMAIL PROTECTED]> was seen to say:
> Is it practical for a particular group, for
> example a corporation or a conspiracy, to whip up its own
> damned root certificate, without buggering around with
> verisign? (Of course fixing Microsoft's
"James A. Donald" <[EMAIL PROTECTED]> writes:
>To the extent that real people are using digitally signed and or encrypted
>messages for real purposes, what is the dominant technology, or is use so
>sporadic that no network effect is functioning, so nothing can be said to be
>dominant?
For encryp
--
James A. Donald:
> > We have tools to construct any certificates we damn well
> > please,
Joseph Ashwood:
> The same applies everywhere, in fact in your beloved Kong,
> the situation is worse because the identities can't be
> managed.
You are unfamiliar with Kong. The situation is bet
> What email encryption is actually in use?
PGP 2.6.*, 6.* & 7.* work like a charm across macs & windoze & unices provided
that one specs RSA-legacy keys and limits the algo to IDEA. In other words, be 2.6.2
compatible.
If you need encryption, that is. If you don't need encryptio
On Mon, Sep 30, 2002 at 12:53:36PM -0700, Joseph Ashwood wrote:
> - Original Message -
> From: "James A. Donald" <[EMAIL PROTECTED]>
> > The chief barrier to use of outlook's email encryption, aside
> > from the fact that it is broken, is the intolerable cost and
> > inconvenience of certific