Secure Webmail Providers?

Rainier Wolfecastle asks: "I am looking for information on any webmail providers that support PGP/GnuPG encryption. Up until now I have been using Lok Technology's excellent service, but it appears that they have gone out of business, since their site has been unreachable for over two weeks now. I am aware of Hushmail, but that doesn't work well under Linux. I am considering using Name.Space's LokMail service (based on Lok Technology's..er...technology) but I was wondering if anyone out there has any other suggestions. Free email is coming to an end, and if I'm going to pay for it (which I don't mind at all) then I want a decent product."

Problems with Encrypted Webmail

[pete-classic]

Encrypted webmail is a tricky issue. In the final analysis you basically have to use a passphrase that is so good that you don't mind having your (encrypted) private key publicly available.

Consider that the webserver admin(s) will have access to the encrypted private key. Also consider that the webserver (process) has read access to the key. The upshot is that if anyone gets root access to the box, gets a shell under the webserver's UID, or convinces the webserver to serve up a file that it is supposed to have read access to, the only thing between your private key and an attacker is your passphrase.

I find all this unsettling to the point of believing that it can't be safely done.

If anyone knows any better, please fill me in.

-Peter

Re:Problems with Encrypted Webmail

[pete-classic]

Are you serious?

I can barely remember my phone number. It is only 10 digits, and the first three are a gimme. I'm supposed to remember "iDclyWnIxwaJcSOWNLcj" or some junk?

And this has no real impact on the trust issue. What prevents the webserver admin from having the webmail software log all incoming passphrases?

I harp on this becasue if I can trust my mail admin (and you trust yours) half the battle is already won.

-Peter