> On Apr 14, 2016, at 1:39 PM, Carl Byington <c...@five-ten-sg.com> wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> On Tue, 2016-04-12 at 13:48 -0700, Steve Atkins wrote:
>> It's also possible that Reflexion is just sending terribly structured
>> mail that "looks like" spam - not unusual amongst companies who build
>> their own mail software - but I'd need to see the mail they're sending
>> before judging that.
> 
> I just asked reflexion to send me an encrypted mail to test some of
> this.
> 
> They indeed send an email with an embedded link asking the user to go to
> a web site to retrieve the actual content. But they don't send any
> password in the email. I needed to "register" with them by picking my
> own password, and could then read the mail. So anyone that can intercept
> that first message owns that mail address as far as reflexion is
> concerned. Also anyone that can guess what password the user picked.

Yup. The security against the most likely attacks on that first mail is
comparable to just sending the mail in plain text, but with the added
twist that an attacker can make it unreadable to the intended recipient.

> 
> This particular message expires in two weeks, so presumably anyone that
> grabs an entire mailbox won't be able to see very old messages, even if
> they know the key.

It also means that it's a bad idea to use for anything you might want
to prove in the future. It's not that having a copy of text in a mailbox
is particularly strong evidence, but it's vastly stronger than not having
a copy at all.

There are several other problems with the mail flow from Reflexion too, but
nothing terribly exciting.

> 
> It was dkim signed, but dkim=fail reason="key not found in DNS". It was
> signed with s=default d=securemail.reflexion.net, so that should be
> 
> dig default._domainkey.securemail.reflexion.net txt +short
> 
> if I have done that correctly.

You have. For the more web-inclined:

http://tools.wordtothewise.com/dkim/check/securemail.reflexion.net/default

Cheers,
  Steve
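As an added example (not part of this thread or of any participant's message), here is a small Python script that does by hand what the dig command above does: it builds the selector._domainkey.domain name from a DKIM-Signature header's s= and d= tags and classifies the TXT strings a verifier would find at that name, covering the "key not found in DNS" case from the thread as well as a revoked key (empty p=) and a malformed key. The sample header, TXT strings and the base64 p= value are constructed placeholders, not a real key.

```python
"""Added example (not from the mailop thread): derive the DKIM key-record
name from a DKIM-Signature header and classify the TXT record found there,
using the tag=value syntax of RFC 6376. The sample header and records below
are constructed for illustration; the base64 p= value is not a real key."""
import base64
import re


def parse_tags(value):
    """Parse a tag=value list such as "v=DKIM1; k=rsa; p=..." into a dict.
    All whitespace inside a value is dropped, which also undoes header
    folding and the line breaks that long p= values are often split on."""
    tags = {}
    for item in value.split(";"):
        name, sep, val = item.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def key_record_name(dkim_signature_header):
    """Name a verifier queries for the public key: <s>._domainkey.<d>.
    The leading "DKIM-Signature:" header name is optional."""
    header = re.sub(r"^DKIM-Signature:\s*", "", dkim_signature_header, flags=re.I)
    tags = parse_tags(header)
    if "s" not in tags or "d" not in tags:
        raise ValueError("DKIM-Signature lacks the s= (selector) or d= (domain) tag")
    return f"{tags['s']}._domainkey.{tags['d']}"


def classify_key_record(txt_strings):
    """txt_strings: the TXT strings returned for the key-record name (an
    empty list stands for NXDOMAIN / no TXT record). Returns the verdict a
    verifier reaches, a reason, and the decoded key length when present."""
    if not txt_strings:
        return ("permfail", "key not found in DNS", 0)
    # A multi-string TXT record is the concatenation of its strings.
    record = parse_tags("".join(txt_strings))
    if "p" not in record:
        return ("permfail", "no p= tag, not a DKIM key record", 0)
    if record.get("v", "DKIM1") != "DKIM1":
        return ("permfail", "unsupported record version", 0)
    if record["p"] == "":
        # An empty p= is the documented way to revoke a selector.
        return ("permfail", "key revoked (empty p=)", 0)
    try:
        # validate=True makes non-alphabet characters an error (binascii.Error
        # is a subclass of ValueError).
        key_bytes = base64.b64decode(record["p"], validate=True)
    except ValueError:
        return ("permfail", "p= is not valid base64", 0)
    return ("ok", f"{record.get('k', 'rsa')} key present", len(key_bytes))


# Constructed sample using the selector/domain pair discussed in the thread;
# the bh= and b= values are placeholders, not real hashes or signatures.
SAMPLE_SIGNATURE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n"
    "\td=securemail.reflexion.net; s=default; h=from:to:subject;\r\n"
    "\tbh=ZmFrZWJvZHloYXNo; b=ZmFrZXNpZw=="
)
# Constructed TXT strings; "QUJDREVGR0g=" decodes to 8 bytes and is not a key.
SAMPLE_RECORD_PRESENT = ["v=DKIM1; k=rsa; ", "p=QUJDREVGR0g="]
SAMPLE_RECORD_REVOKED = ["v=DKIM1; k=rsa; p="]

if __name__ == "__main__":
    name = key_record_name(SAMPLE_SIGNATURE)
    print("dig", name, "txt +short")
    for label, txt in [("missing", []), ("present", SAMPLE_RECORD_PRESENT),
                       ("revoked", SAMPLE_RECORD_REVOKED)]:
        print(label, classify_key_record(txt))
```

The script deliberately does no DNS lookup itself, so it runs offline; feed `classify_key_record` the strings returned by the dig command (or a resolver library) and it tells you whether a verifier would report the signature as passing, as "key not found", or as revoked. Note that an empty answer and an empty p= are different failures: the first usually means the selector was never published (or was removed), the second is an intentional revocation.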


_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
