Slashdot Mirror


Yahoo! Offers Encrypted Mail

Luke B writes "According to news.com Yahoo! will be offering users encrypted e-mail. This comes through the support of Zixit (www.zixit.com). Head to C|Net for the full scoop." Interesting.


  1. Questions to ask. by www.sorehands.com · Score: 3
    1. Is the data secure on the server?

    2. Who has the keys?

    3. Is it compatible with anything else?

    4. How effective is the encryption?

    The issue of in-transit security is a small one. What if someone hacks into their server to get the mail? To keep your boss (ISP) from reading the email is already there -- SSL. If you are concerned about packet sniffing, large quantities and packet splitting will help hide it (a little bit). What about keystroke monitoring?

    If the keys are not secure, the data is not secure. Now, what if the keys are subpoenaed from the provider?

    What about compatibility with POP3 clients and operating systems?

  2. Danger of Using Mail Providers by pbryan · Score: 4

    I'm not sure what kind of cryptographic technology is being employed natively, but they appear to support S/MIME, PGP and their own (proprietary?) cryptographic protocols.

    The danger of using mail service providers like Yahoo! is that you must trust that your mail is being stored securely, and that their staff is honest and trustworthy. I'm afraid that's just too much for me.

    Now, third-party service providers are going to be trusted with secure communication? I'm going to entrust my S/MIME or PGP private key to some company - a company that can be easily arm-twisted by government or corporate interests?

    It seems to me putting all of the eggs (in this case, messages and private keys) in one basket is far from prudent. Depending on how popular this service becomes, it has the potential to be the target of numerous cracker attacks.

    Also, there's not much point in using encryption any stronger than what your browser is using to communicate with the service provider. Because, after all, the chain is only as strong as its weakest link. So, if you're using 40-bit RSA, why have stronger encryption used in encrypting the message for delivery?

    While this service may be useful to help those who want to keep local packet sniffers at bay, I wouldn't seriously trust my private keys to anyone but myself, using software that has undergone countless peer reviews and gives me the option to compile it - not depend on someone's binary distribution.

    I'm not paranoid, everyone is just out to get me! :)

    The one thing they might have going for them is ease of use. Today, the most significant obstacle to the wide use of cryptographic technology seems to be its difficulty of use. If they solved this problem, they might incur some mindshare...

    --

    My car gets 40 rods to the hogshead, and that's the way I likes it!