On Thu, Jan 06, 2011 at 02:05:29PM -0500, Michael Orlitzky wrote:
> This still doesn't work, because the administrator is the one who tells
> the system to encrypt messages as they arrive. He can peek at the
> messages before they're encrypted with the user's public key.

That's a small window of opportunity, compared to letting anyone who has access or can break into the filesystem/backup-system get access to all messages without any further complications. I.e. currently it takes a "read-any-file" vulnerability (or access) to read all users' messages; with server-side encrypted mailfiles it will require "read-any-file" + strace processes while the user is active. Then you no longer need to worry about anyone getting access to your backups, reading dead/decommissioned drives, sysadmins "accidentally" reading files, etc.

> It's impossible to hide the contents of a plain-text message from the
> person who receives it in plain text (the administrator). PGP/GPG is the
> only option.

Sure, end-to-end encrypted messages are the only way to be completely sure they're not read in transit. But the fact that ~0% of our users send/receive encrypted messages doesn't mean that we should disable SSL for POP/IMAP connections. Sysadmin/network-admins can just read the incoming plain-text message anyway, so why use SSL on the last mile? ;-)

-jf