[ Date Index ] [ Thread Index ] [ <= Previous by date / thread ] [ Next by date / thread => ]
On 01/05/2021 20:19, Simon Waters wrote: > On Saturday, 1 May 2021 12:09:56 BST maceion@xxxxxxxxx wrote: >> >> To read an attachment in a saved draft in the drafts folder, there are >> two options: >> "open" and "download". >> >> 1) "Open" This appears to open the relevant programme on the local >> connected computer to see and then act on the opened attachment. >> E.g. a draft saved attachment ".odt" file is opened in local >> Libreoffice Writer or local word processor programme. >> >> Is this a direct opening from the saved visible draft on email server to >> the local computer? Can you confirm? >> It does not appear to pass over the internet. > > My copy of RoundCube doesn't ungrey "Open" for any formats I tried (may depend > on configuration), but since you could be accessing the draft from a different > computer or mail client, it is clearly passed between mail server, and web > server, and then web server to browser. > > Obviously opening files straight from a mail server into an application is > pretty suspect if security is as big a concern as you suggest. > >> 2) "Download", >> 2.1 Here it is not obvious if the download is a local thing, that is >> from draft screen open on local computer to local computer download file >> storage OR > > Download is from the "Drafts" folder on the mail server, it is loaded to the > web server (using the settings configured for RoundCube mail access) and then > delivered to the browser by the web server. > >> 2.2 if like a sent email, it is passed by the programme to local >> machine over an exposed internet system of connections from 'compose >> page' with the saved draft to local machine. >> >> This could expose sensitive subjects to the internet traffic watchers. > > We don't know how your RoundCube web server talks to your email server. Or > which "Internet traffic watrchers" are a concern to you. > > But in general you should assume email can be intercepted and read unless you > know steps have been taken to prevent this. > > Save Draft on RoundCube, saves to a folder on the IMAP server via the web > server. It is likely there is also a temporary copy on the web server briefly, > but I haven't dug into how RoundCube does this. > >> In a received email both body text and any attachments would have passed >> over the internet to the local machine. >> >> This is what my contact does not want. >> They do not want 'draft saved attachments' to transit internet as does a >> normal email in delivery. >> >> 3. Any thoughts? > > As above, the attachment is loaded from client computer's browser to the web > server, then stored in the mail server's drafts folder. > > I don't know if this transitions the Internet without knowing where the > RoundCube server and Email server are that you are using. If they are both on > your network, then no, if they aren't, well magic doesn't happen it has to get > to the email server somehow. > > In most cases these days, mail clients require encryption for mail submission, > and so nearly all mail servers allow encrypted submission and retrieval of > email (and drafts). > > But without knowing how your copy of RoundCube is configured I'd be guessing > about if this is encrypted or not. between webserver and email server. > > Without knowing the threats of concern we can't say if it is secure enough or > not. > > If you are paranoid enough about file names and such like to not to want them > to transition the Internet unencrypted, I'd suggest you don't want to use > email (at least without encrypting it first). > > There are open source end to end encrypted comms tools, like Signal, which > don't introduce the vagaries of email. > > If email is a given, use GNUPG, and ensure the drafts are correctly addressed > and encrypted before they are saved on the server. But I expect great care > would need to be exercised to ensure things are done correctly. > > I use to make a living ensuring people had better tools than email for > collaboration on sensitive documents, if email is a given, perhaps security > isn't as important to them as they claim? > > If perhaps you are looking to communicate by saving drafts in a shared email > folder, well it is interesting approach ;) > > > > Thanks. Your guess is right. 1. email Server in London UK. Emails use London domain name. 2. Roundcube 'supposedly' encrypted to open program in browsers. i.e text in email is entered in plain text but stored encrypted on server. 3. The same log on and email address used from two computers. 3.1 one in UK 3.2 one in foreign country (FC) where 5% of population engaged in watching all the others full time. a) No permitted VPN outside foreign enclosed institutions, (e.g. international school in FC) b) No Google stuff whatsoever, no ProtonMail or similar available. No BBC or DW.de o rmany other sites available. c) Any and all normal emails automatically stored for police analysis (digital signatures cause problems with clear text emails). Encrypted text causes heavy mob at door! Reaction time shows emails are scanned in real time, as well as (like UK) stored for later use by authorities. They sometimes just do not get delivereed from some senders to others. If a draft is 'sent' it is likewise reviewed and stored exiting FC Incoming email to FC likewise actioned. 4. With a UK email address and Roundcube opened in (FC) the situation described in "If perhaps you are looking to communicate by saving drafts in a shared email > folder, well it is interesting approach ;)" has been used. Draft only exists for a few minutes . Input by one party and copied by receiving party , then draft cancelled and wiped. "innocent email text" may be sent after first draft is cancelled. Texts transfered in this way has been used. (timing is everything) 5 Question was about attachments. If used in same way. 6. Encrypted end to to end such as with Etherpad Lite not suitable due to reluctance of FC user. (e.g. crypt.fr not suitable) . 6.1 Encrypted email could cause problems so not used. (Mailvelope with Roundcube or GPG on other mail) 6.2 FC user has had 'acquaintances' ' disapear' [kindest interpretation] due to being found using 'non-permitted encryption'. Hence reluctance to use actual encrypted text in message or email encrypted end to end with GPG or other system. 7.0 Mass use of 'permitted encryption' takes place in every walk of life many encrypted chat programs, but only on government approved encrypted messaging programs. Socially all such chat is very 'innocent' by population 'self censorship'. Some take chances on local social media, but language is much 'patois' and indirect references used. 8. Question was movement of attachments to and from open browser Roundcube composition page for emails. Sorry I did not clarify fully. -- Regards Eion MacDonald -- The Mailing List for the Devon & Cornwall LUG https://mailman.dcglug.org.uk/listinfo/list FAQ: http://www.dcglug.org.uk/listfaq