
Re: [LUG] Email encryption, was Re: www.dcglug.org.uk

 

On Sun, 28 Apr 2013 12:52:09 +0100
Martijn Grooten <sweetwatergeek@xxxxxxxxx> wrote:

Hello Martijn,

>I've actually seen more people say "I've seen banks do [something bad
>email related]" than I've actually seen banks do something bad. But if
>they did send passwords in plain text, it would possibly be bad.

It only takes one bank to do what I said, for the word to get round.
Most people don't see the problem.  With plain text, it's a good deal
easier for anyone who intercepts the mail to gain access to your
account.

>Possibly, because encryption wouldn't prevent anyone with access to
>your PC* (or wherever your private key is stored) from decrypting the

Most people keep a separate smart card with their private keyring on
it, and only plug it in when required.

>email. It would prevent your ISP from decrypting it, which is a good

The private key alone is (almost) useless.  The passphrase is also
required to actually decrypt any message.  Obviously, the stronger the
passphrase the lower the chance of anyone guessing it.

An example:  My wife couldn't remember the password to an email account
that she hadn't used in a few years.  She asked me to help her retrieve
the emails from that account.  I guessed the password on the first try.
Knowledge of her and the way she thinks was a big help of course.

>* if everyone would use email encryption, it wouldn't take long for
>trojans to start harvesting private keys.

I'm sure you're right.  In a similar vein, if many more people used
encryption, the public key servers would be far more likely to be
harvested for email addresses.

>What is a much bigger problem is authentication. If I send an email
>that only you can decrypt, how do I know that the 'you' is the 'you'
>the email is intended for? And if I send such an email signed in a way
>that only I could have signed, how do you know that the 'I' is the 'I'
>you think it is?

That's what public key signing and the web of trust is for.  Of course,
if I leave my passphrase lying around, or allow any Tom, Dick or Harry
access to my computer account, then there's still no guarantee that the
"me" you send an encrypted message to is the "me" that opens it.

-- 
 Regards  _
         / )           "The blindingly obvious is
        / _)rad        never immediately apparent"
This is the fifty first state of the USA
Heartland - The The

Attachment: signature.asc
Description: PGP signature
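The point made above, that a private key file is "(almost) useless" without its passphrase but that a guessable passphrase undoes that, as an added example that is not part of the message or the list archive. It is a stand-in for what OpenPGP does to a secret key (an iterated, salted string-to-key function plus a symmetric cipher): here the key bytes are wrapped with PBKDF2 and an HMAC-SHA256 counter-mode keystream from the Python standard library, so it runs offline. The key material, the wordlist and the passphrases are all constructed for the illustration; the function names are assumptions, not any real tool's API.

```python
"""A stolen private-key file only yields the key if the passphrase is
known or guessed.  Illustrative stand-in for OpenPGP's passphrase
protection; not OpenPGP's real key format.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

ITERATIONS = 100_000  # work factor paid by every passphrase guess


def derive_keys(passphrase: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the passphrase into an encryption key and a MAC key."""
    k = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                            ITERATIONS, dklen=64)
    return k[:32], k[32:]


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream using HMAC-SHA256 as the PRF."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def protect_key(secret_key: bytes, passphrase: str) -> Dict[str, bytes]:
    """Encrypt raw key material under a passphrase; the result is the
    "key file" an attacker might steal from a PC or key ring."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ks = keystream(enc_key, nonce, len(secret_key))
    ct = bytes(a ^ b for a, b in zip(secret_key, ks))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def unlock_key(blob: Dict[str, bytes], passphrase: str) -> Optional[bytes]:
    """Return the key material, or None if the passphrase is wrong."""
    enc_key, mac_key = derive_keys(passphrase, blob["salt"])
    expected = hmac.new(mac_key, blob["salt"] + blob["nonce"] + blob["ct"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None  # wrong passphrase: the file gives nothing usable
    ks = keystream(enc_key, blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], ks))


def guess_passphrase(blob: Dict[str, bytes],
                     candidates: List[str]) -> Optional[str]:
    """All an attacker holding only the key file can do: try guesses.
    Returns the passphrase that unlocks the file, or None."""
    for guess in candidates:
        if unlock_key(blob, guess) is not None:
            return guess
    return None


if __name__ == "__main__":
    secret = os.urandom(32)  # constructed stand-in for real key material
    wordlist = ["password", "letmein", "summer2013", "qwerty123"]  # constructed

    weak = protect_key(secret, "summer2013")
    strong = protect_key(secret, "correct horse battery staple")
    print("stolen file, no passphrase:", unlock_key(weak, "") is None)
    print("weak passphrase recovered :", guess_passphrase(weak, wordlist))
    print("strong passphrase         :", guess_passphrase(strong, wordlist))
```

Two things to take from running it: every guess costs a full key derivation, which is what the iteration count is for, and the attack never needs the owner's machine, only the file, which is why keeping the key on a smart card that is only plugged in when needed, as the message suggests, limits the damage when the PC itself is compromised.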

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq