[NBLUG/talk] [SM-PLUGINS] G/PGP Encryption Plugin for Squirrelmail- v 1.0.1 released

ME dugan at passwall.com
Wed Mar 5 21:49:00 PST 2003


augie said:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> ME wrote:
> | Some of you use SquirrelMail, and have wanted a gpg plugin for it. It
> | looks like work has started on one.
> | Use of just a "verify key" by using a public key from a server may be
> | tolerable when it comes to security, but use of encryption with such a
> | plugin should be treated much like ssh - only encrypt on a machine, from
> | which you are using the web browser, that you trust *to* a machine that
> | you trust.
>
> i had a discussion about such a plugin with Kevan from sonic, and we
> came to the same conclusion. to do any kind of encrypting or decrypting
> you'd have to store your private key on a public server, and regardless
> of the trustworthiness of that server, that still just sounds crazy.

And this does not even begin to discuss issues like:
SSL: what kind of cipher is used, how many bits in the key, is the cipher
for the SSL+keysize a "cheaper" problem to hack than the one of a
passphrase for unlocking the private key.

Depending upon implementation: if the client stores the private key and
encrypts from that (seems unlikely, but might be possible) then two copies
of the key exist - doubled exposure. If the server stores the private
key, then the client sends a plain-text copy (or if over SSL with
encryption of SSL) over the wire, with a plain-text version of an e-mail
message and an encrypted copy of the same message, with a sufficient
quantity of these, what can that help you find? (Yes, there are
assumptions here and this depends upon other things.)
And then again, if server based, what happens if there is no SSL on the
server? (oops.)

However, it is still a feature that some may be willing to use. At the
minimum, having verification of sigs for messages will be a nice addition.
:-)

(Nope, I am not using this yet.)

-ME



-- 
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS/CM$/IT$/LS$/S/O$ !d--(++) !s !a+++(-----) C++$(++++) U++++$(+$) P+$>+++
L+++$(++) E W+++$(+) N+ o K w+$>++>+++ O-@ M+$ V-$>- !PS !PE Y+ PGP++
t at -(++) 5+@ X@ R- tv- b++ DI+++ D+ G--@ e+>++>++++ h(++)>+ r*>? z?
------END GEEK CODE BLOCK------
decode: http://www.ebb.org/ungeek/ about: http://www.geekcode.com/geek.html
