Benjamin Esham <[EMAIL PROTECTED]> wrote:

> On Feb 22, 2006, at 6:22 AM, Janusz A. Urbanowicz wrote:
>
>> And there is really no point in encrypting the whole access since the
>> contents, the emails usually travel the rest of the net unencrypted.
>
> But wouldn't it be much easier for an attacker to intercept all of
> your e-mail by listening in on an unencrypted webmail session than by
> trying to intercept each e-mail individually somewhere else? I think
> there certainly is a benefit to having SSL-encrypted webmail for
> exactly that reason: less determined attackers will not have access
> to the plaintext of the messages. (Although granted, it would be kind
> of foolish to depend upon SSL webmail if the messages are sent in
> plain text.)
Last then first. Generally, it is very difficult to intercept email in transit. That was not always the case. There was a time when you had hubs and you could listen in to everything on a LAN. Those days are gone with switches (multi-port bridges) making it very difficult to listen in on communications, since the only traffic you see now at the LAN level is the broadcast traffic. There are some switches and routers that have a listening port, and this is what the FBI and others want, but they are the exception, not the rule.

Once packets start hitting the WAN pipes, the torrent of packets you have to sift through becomes almost impossible to manage, even if you know the person's WAN IP address, and it is just that - a person. If you have several hundred people sharing that WAN IP address, then in-transit capturing has to be done at the LAN level. How do you say this packet from WAN IP address 92.23.4.107 is Bob's and not Bill's when up to 100 people share that WAN IP address? You have to go inside the firewall where that IP address is and find out on the LAN. Lo and behold, when you do that, they are using DHCP, so you then have to know their MAC address (which used to be something you couldn't change, but now with MS Windows you can change it). So let's just go to Bob's machine and put something on it instead. And that is usually exactly what is done.

Where your email is most easily compromised is on the mail server. There it sits until you start to pull it down. SSL isn't even a factor. All SSL does is secure the transmission, not the data at the end points. In fact, a hacker can pull down your email using SSL to cover their tracks - and that is usually exactly what they do. It is usually pretty easily done too, since ALL of the messages are usually in just one file. They just have to suck down that one file and now they have ALL of your messages. Now, if the email on the server is in plain text, how secure is that?
On the other hand, if it is encrypted with some OpenPGP package like GnuPG with strong encryption, how secure is that? Pretty darn secure. So the hacker pulls down your file. Whoopity doo. He gets to read all that crappy spam in plain text, but the juicy email messages that contain your financial information are encrypted.

So, I repeat - SSL is not good enough unless none of your messages convey financial information or anything else important. If they are important, use GnuPG or other strong end-point encryption, and the only thing you have to watch for now are those pesky key loggers. But even then, if they get your passphrase, they still need your keyring; but if they have a keylogger working for them, then they probably have all your GnuPG DB files.

HHH

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
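The point above about the spool file is easy to check for yourself: whoever copies the mailbox file off the server gets exactly what is stored in it, and SSL on the download path changes nothing about that. The script below is an added example (not part of this thread and not GnuPG's code) that walks an mbox file and reports which messages are stored as plaintext, as an inline OpenPGP armored block, as PGP/MIME (multipart/encrypted with the application/pgp-encrypted protocol), or as a mix of cleartext plus an armored block. The sample spool and the armored blocks in it are constructed placeholders, not real mail or real OpenPGP packets; only the stdlib is used.

```python
"""Audit an mbox spool: which messages would be readable in the clear by
someone who copies the file off the mail server?  (Added example; the
sample spool below is constructed and its armored blocks are placeholders.)"""
import email
import mailbox
import os
import re
import tempfile

# An OpenPGP ASCII-armored message, as produced by e.g. `gpg --armor --encrypt`.
ARMOR_RE = re.compile(
    r"-----BEGIN PGP MESSAGE-----.*?-----END PGP MESSAGE-----", re.DOTALL
)

# Constructed sample spool: one plaintext message, one inline-PGP message,
# one PGP/MIME message.  The base64 inside the armor is a placeholder.
SAMPLE_MBOX = """From bob@example.invalid Thu Feb 23 10:00:00 2006
From: bob@example.invalid
To: alice@example.invalid
Subject: Lunch

Want to grab lunch tomorrow?

From bank@example.invalid Thu Feb 23 11:00:00 2006
From: bank@example.invalid
To: alice@example.invalid
Subject: Account statement

-----BEGIN PGP MESSAGE-----

hQEMA0NPTlNUUlVDVEVEUExBQ0VIT0xERVI=
-----END PGP MESSAGE-----

From carol@example.invalid Thu Feb 23 12:00:00 2006
From: carol@example.invalid
To: alice@example.invalid
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

hQEMA0NPTlNUUlVDVEVEUExBQ0VIT0xERVI=
-----END PGP MESSAGE-----

--b1--

"""


def text_bodies(msg):
    """Yield the decoded text of every text/* leaf part (inline PGP lives here)."""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True)
            if payload is not None:
                yield payload.decode(part.get_content_charset() or "utf-8", "replace")


def classify(msg):
    """Return how the message is stored: pgp-mime, pgp-inline,
    partially-encrypted (cleartext next to an armored block) or plaintext."""
    if (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted"):
        return "pgp-mime"
    bodies = list(text_bodies(msg))
    if not any(ARMOR_RE.search(b) for b in bodies):
        return "plaintext"
    # Anything left after removing the armored block is readable by the thief.
    leftover = "".join(ARMOR_RE.sub("", b) for b in bodies)
    return "pgp-inline" if not leftover.strip() else "partially-encrypted"


def classify_raw(raw):
    """Classify a single RFC 822 message given as a string."""
    return classify(email.message_from_string(raw))


def audit_mbox(path):
    """Return {subject: classification} for every message in the spool."""
    box = mailbox.mbox(path)
    try:
        return {m["Subject"]: classify(m) for m in box}
    finally:
        box.close()


def exposed_subjects(path):
    """Subjects whose content someone holding the file can read outright."""
    return sorted(s for s, c in audit_mbox(path).items()
                  if c in ("plaintext", "partially-encrypted"))


def write_sample(dirpath=None):
    """Write the constructed spool to disk and return its path."""
    dirpath = dirpath or tempfile.mkdtemp()
    path = os.path.join(dirpath, "inbox.mbox")
    with open(path, "w", newline="\n") as f:
        f.write(SAMPLE_MBOX)
    return path


if __name__ == "__main__":
    spool = write_sample()
    for subject, how in audit_mbox(spool).items():
        print(f"{how:22s} {subject}")
    print("readable without any key:", exposed_subjects(spool))
```

Run it against a real spool by passing the mbox path to `audit_mbox`; the "partially-encrypted" class is worth watching for, since a mailer that quotes the decrypted text above a new armored block leaves the old plaintext in the file.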