Ask Slashdot: Cryptography in Mail software?
Bartmoss asks:
"Obviously, nobody will use encryption if two problems
occur: (a) your friends won't be able to read your mail
because they don't have crypto, and (b) your software
doesn't have crypto. I'm wondering - are there good HOWTO's
and info sites on how to plug encryption into leading mail
software for UNIX, Mac and Windows? What Windows-Software
supports PGP, and which can have PGP support added? Does
anybody have information on clients people could use for
crypted mails?"
A buddy of mine, Glenn Trigg, maintains Privtool, which is a GUI mailreader with integrated PGP support. The Motif version has been around for some years and the GTK version is just becoming usable. See http://www.netspace.com.au/~ggt/privtool.html .
encryption is most definitely not illegal (in the US). besides, do you really want the government reading every piece of mail you send to anyone? don't you believe in privacy man?? governments have too much power as it is. everyone should use crypto all the time. if encryption ever is outlawed in the US, do you really think it's going to stop people from using it? it won't stop me. i have to believe in a law to respect it. that's what government is supposed to be about. by the people and for the people. when was the last time you mailed your senator about some issue you cared about you brainwashed piece of government propaganda? terrorists? i'm sorry, but the threat of terrorists being able to communicate without government interference is NOT enough to justify some faceless government automaton reading my private mail. if you want to live in a dictatorship, that's fine. i don't have a problem with you wanting to be controlled like a rat in a cage. just don't make me live there.
Leaving an encryption API in a product is the same as including the actual crypto software with the product thus making it fall under export controls. I remember this was an issue preparing the Mozilla source for publication. Of course it's a stupid regulation and compression/translation APIs serve exactly the same function. Go figure...
If a Web-based encrypted mail system will suffice, as opposed to a mail client program, then you might want to look at this :-
http://www.hushmail.com/
.. Debian GNU/{Linux/Hurd}
Pine is hardly secure itself. http://hhp.hemp.net/stuff.shtml has an exploit that causes pine to download code from a remote webserver and execute it (just like the IIS bug). Encrypting your mail is the least of your worries in this case! Go through the bugtraq archives and you will find several more exploits for previous versions.
I hate to break the news but the MIB's have better things to do than going through your private e-mail. The only practical use is nosy sysadmins and anyone with an ethernet sniffer from reading your mail. It's even going to stop accidental "discoveries" but your high-grade encryption offers little resistance to a court-ordered search warrant. And what's that? Your system is running off a magnetic media device? I hope you remembered to thoroughly overwrite the original file (writing a single pass of 0's won't even pass low-grade military standards for data destruction) but your nice editor may have decided to write a temp file or maybe the kernel decided to swap that page to disk for a while...
The real threat are those club cards at the grocery stores! God forbid "they" track what I buy and give me a discount for it. The really horrible part is when I get coupons in the mail to get the same things even cheaper! When will it stop?
Why not allow some plug-in to be distributed separately?
Anyone know where we can actually get source for this, that isn't in the US or under some exports law?
That's exactly the reason why we all should use encryption for _all_ of our messages.
Public key systems like PGP have a big problem with key spoofing. Someone who is widely known has their keyID and fingerprint all over the place but a regular user wouldn't. If someone wanted to send an encrypted mail to this user, how could they tell the key was real and not forged by someone else.
Along the same line, your keyID and fingerprint together are only 160 bits (if my math is right at this time of night). I don't know that much about PGP algorithms but I would be willing to bet there are two or more unique 1024-bit keys which have the same ID and fingerprint. Now for someone to forge your key exactly, they only have to worry about 160 bits, which is somewhat of a task, but nowhere near 1024 bits as claimed by PGP. (Ok, so I did neglect the part about one-way algorithms but you get the point...)
Links always get /.ed. Bandwidth is free, even at 56k.
Now I've got what I was looking for.
Eudora Mail for Mac platform has had pgp plug-ins for quite some time.
That's the true litmus test when comparing mail clients.
All servers do, use stunnel to wrap the server when starting it from inetd:
simap stream tcp nowait root /usr/sbin/stunnel /usr/sbin/imapd
take a look at IMP:
http://www.horde.org/imp/
--sam
Even PGP 2.6.x support? PGP 5 is irrelevant
J
Err, IMP is not an IMAP server.
So I assume that you will be moving to MH soon? Two letters, as opposed to four ...
D'oh! you're right, I saw ssl and my brain fogged. IMP is still a nifty program, :-).
--sam
It seems that all the old farts are out this morning -- those of us who no longer take four days to recover from holidays -- judging from the email that I have gotten, and now /.! What MH needs is a good motto. "What the Rand Corporation Thought Was Cool Twenty Years Ago" doesn't quite appeal to the Linux demographic, despite the fact that MH is truly the best possible mailer out there, bar none. Yes, I am biased, I don't have time to screw around. I am a busy old man, dammit! And MH let me check mail from home so much faster ...
So, what we need is an MH motto contest. My vote:
"If you don't like MH, you are worthless and weak," but I think that most people won't get the Twisted Sister reference.
How about "MH: Twenty-Year-Old Technology -- Do It To Piss Off Bob." I like that.
Kids (kiddies?): do give it a try. MH kicks ass. I do not know any serious sysadmins who do not use MH, from 18 to 58. It is really the best out there.
No one wants to be sued by the Gov't.
I am not the above poster, but would like to note that the post is actually quite relevant and I would say interesting. In fact, it is quite insightful because it gives an idea why crypto won't be widespread for at least sometime. Now, WTF it is redundant? Just because it didn't feature word "Linux" in it doesn't make it less relevant, unless you read and think about it before moderating.
Pleasant surprise: first, my ISP has it (I have a shell account).
Next, it's so well-designed that you don't need a week of study, plus a day to assimilate what you've studied.
Finally, just running it on a trial basis (no attempts to config. before using) left *no* files behind. (Compare that with 'tin' (.tin a :), which leaves a small dir structure and .newsrc that is close to 1 MB.)
Nicholas Bodley / nbodley@tiac.net
Like they can't read your letter in envelope if *needed*. In fact in some countries mail is routinely checked. This is a flawed example, because there is no effort to open your envelope and read the letter, even less than required to intercept plain Email, however it takes damn a lot of efforts to brute force some 128bits.
In either case however serious guys would use other methods of making you give them what they want and THANK them for leaving your balls in place.
I'd swear that some keyboard-driven commands and such
were laid out by Dvorak users, because the keys are
conveniently placed. Sorry, no specifics for the
moment.
Nicholas Bodley
nbodley@tiac.net
Midnight hacker in 1960
Hi everybody,
sort of off topic, but not really: when you pop your email from the POP-server, your password + login go over in
clear text like with telnet/rlogin/r(anything), which are most likely the same for your shell-account (---> bad!).
My question: is there any secure mail popper/ POP-server software?
Roland
peetz.3@osu.edu
There's a commercial Eudora PGP plugin that works
fairly well - it's something like $20. I'd
recommend this combo for those in the Win9x ghetto.
Heaven help us if encryption becomes illegal.
However, there's steganography, the process of
hiding the fact that there's a message there to
begin with. Although it wastes bitspace, its very
obscurity is its asset. While I can imagine
programs/algorithms that search for messages hidden
in audio, image, or executable files, it would be
a big job. Ingenuity can hide the existence of a
message, particularly if it's encrypted to have the same
quasi-random statistics as such things as an image of lots of trees in summer, or a waterfall.
Not completely. I have never found an option in Mutt to turn off the annoying "move messages to mailbox?" question it ALWAYS asks when I quit. If there IS an option to turn that off, please tell me what it is! That's the only reason I still use elm.
I love mutt too, but I don't like its level of support for MH folders, so I moved to Mew (Messaging in the Emacs World), which supports MH much better and has the best MIME support and almost as good PGP support as mutt.
If only mutt supported MH folders better I might have stuck to it....
> What about the fact that ALL news readers and IRC clients no longer have a rot13 function??
Geez. Even my netscape communicator newsreader has rot13 decoding. I guess that makes your whole post pointless doesn't it?
Damn,
this is the best algorearhythm ever. this guy must work for the gummnamitt or something.
PGP freeware/personal/desktop are all versions of PGP for WIN, I am only aware of PGP freeware for Mac. All of those programs support plug-in support for mail clients such as Eudora, Pegasus-Mail, Outlook/Outlook-Express, and Exchange.
It also has window support where it can use the top most window and encrypt whatever is there which makes it compatible with most other mail programs.
I would suggest checking out
http://www.pgpi.org
it has all of the versions on it... including plug-ins or
http://www.replay.com
Latest version is 6.0.2
If you're actually concerned about the message being sniffed or otherwise intercepted between end-points, the MTA might suffice, I suppose.
...
I would think the message is much more vulnerable to interception while sitting on either end-point system though.
SSL between MTA's would be a nice start, but it doesn't really address most security concerns.
Realistically, if you want to encrypt a message, it's because you want to know, for sure, that the only person who can read it is the intended recipient, not their sysadmin or their content filter or their girlfriend, or whoever
as the subject says: just wondering. Is tunneling pop/imap through SSL better/the same as through ssh?
I know ssh makes 1024-bit keys by default. How does that compare to say Netscape's 128bit ("strong") encryption? Since it is said you currently need 1024bit to be on the safe side, is 128bit SSL basically worthless?
Roland
Well, the subject says it all, but I'll add in some more.
I am currently using Outlook Express (although I do also use Pine) and PGP Desktop Security (which is a really nice package for creating PGP encrypted disks and key management) The two work very well together, and checking the About info on PGP, it says version 6.0.2
PGP Desktop Security is available at http://store.mcafee.com/product.asp?ProductID=16
Thanks. I had no idea mutt even HAD a web site, let alone a manual! The man page says nothing.
Pardon my ignorance, but could someone please explain how PGP/Encryption in mail would work? If I encrypted something, and then sent it to someone else; they would need to decrypt it. And, if they could decrypt it, what's to prevent anyone else from decrypting it? I think it has something to do with the keys?
Make sure your Mailer (MUA) is
PGP/MIME RFC2015 compliant.
E.g. mutt is and supports pgp and GnuPG, but
most versions of pine aren't.
Just a simple mail filter will not do it.
PGP/MIME lets you send encrypted or (even more important) signed multimedia
mail.
oh, what technical prowess. i am stunned by the depth of this comment.
now i shall immediately erase pgp and install gpg.
feh, loser.
About the Mac side of this, I'll mention some things, in the hope that they haven't already.
You can get the latest versions of PGP and PGPi for the Mac. Included in the package is a plugin for each Eudora and Claris Emailer, which allows you to encrypt/decrypt/sign/whatever a message. These allow "integration" (overused word of recent history, along with "paradigm") with the program.
If you are using a program which doesn't directly support this, you can always use the menu added by the PGP control panel, which (kinda' kludgily (sp?)) copies the selected text, encrypts or does whatever to it, and pastes it back.
About filters to do this automatically, the best way that I can think of would be through AppleScript, but I don't think that the PGP package includes AppleEvent/AppleScript capability, so...
Well, there's what I recall about the Mac shtuff.
Considering that Outlook is used in just about all Word macro virii involving e-mail and all IE security holes involving e-mail, I recommend you don't use Outlook. (Or any other MS product since the biggest security holes from MS products come from using MS Windows, MS Outlook, MS Word, and MS IE together in various combinations.) For PGP, use Eudora. It plugs into Eudora very nicely.
The reason is that PGP2 uses RSA and idea, which are patented. If you live outside the us you can get rsa support for GPG, and if you are non-commercial you can get idea support.
ftp://ftp.gnupg.org/pub/gcrypt/contrib/rsa.c
and likewise idea.c
They have instructions for compiling them, then you have to load them as extensions.
If the key doesn't have a self signature it won't work, this is a *good* thing, all keys should be self signed but pgp does not require it so some are not. It is not gpg's fault
Just so the old farts aren't getting all the fun...
I'm a youngin' (23) and have been using nmh for the past 5 years. I've tried Pine, Netscape, mutt, etc etc but came back to nmh every time.
Thanks for the PGP links for mh... been meanin' to figure that out...
Doh... Most decent windows email clients have PGP support via plug ins. And some not so decent ones have plug ins too.
Go to www.nai.com and look for PGP.
If you're out of the USA look at www.pgpinternational.com
If you're out of the USA and noncommercial look at www.pgpi.com
As for S/MIME, I've tried it and it's crap (and would you use crypto programs made by such "security conscious" people like Netscape/Microsoft? ROTFL).
PGP is so much more flexible. The PGP industry has far more mature solutions.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I use PGP 6.02 on my Mac with Netscape 4.6 and it seems to be fairly
well integraged. I just write the message in NS Mailer and then click
on the lock in my top toolbar and bingo, it signs it, or encrypts it.
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.0.2 for non-commercial use
iQA/AwUBN4FxASuag3Mi6fliEQIsdQCfSx1iDTikf9K2/WJ
GQbVgl0mOo2FgOUn1Lej+k2E
=01kI
-----END PGP SIGNATURE-----
It needs to be truly generic (you can spell check! route through other mail protocols! feed it through the jar-jargonizer!) or BXA will consider it "crypto with a hole", just as unexportable as if crypto were actually included.
The mail client that comes with KDE is pretty nice, and it
comes with PGP support built in. (But you have to turn it
on in the options tab).
Gnome probably has something similar.
--------------------------
MS is infamous for security holes. If the source has been published and reviewed by truly independent third parties, I'll consider trusting it. Or at least I would if it were available for my platform....
Here's a URL that just went up last week for 1024 encrypted email. And they say that they have worldwide encryption export approval. Hmmm...
http://www.zixmail.com/ZixFAQ/index.html
>Everyone in the GNU/linux world [bla bla bla]
Sorry, but I'm in the Linux world so I'll talk about PGP all I like.
Have a day, dude.
What about MUAs with SSL for Unix (except Netscape)?
There aren't any commercially available PGP modules that I am aware of for the palm OS. Shelling isn't a good solution for the palm either since emulators I have seen require at least a 75 MHZ processor. There are probably compilers that would allow you to create modules for the palm OS on your own.
A couple of years ago, I worked on the beta for PGPMail 4.5. That product did have a plugin for Netscape Mail (I think I was the only beta tester who actually used Netscape. Everybody else used Eudora. haha) as well as for Eudora. :)
5.0 also has Eudora and Outlook plugins. Beyond that, I don't know because I like and use 5.0.
There are free (or whatever. I don't want to debate semantics. the conventional definition of "free" works for me) versions of both of those (I think) available for download.
Many people have mentioned that PGP 6.0.2 has plugins for popular email clients. Well, I like to use Word 2000 as my Outlook 2000 editor (I get lexigraphical tools that way). Sadly, the PGP plugin does not work in this configuration. I'm going to try to develop a plugin to remedy the situation and will post here if I'm successful. Free, open source of course.
Either I know how to reach you or I don't. If I can't be sure that key is yours, how can I be sure that email address is yours?
Forging signatures is hardly trivial. Sure, there are around 2^(2048-128) keys with the same fingerprint, but since a cryptographic hash isn't invertible you'd have to generate some 2^128 keypairs just to find one, which isn't remotely feasible.
I was discussing this with my friends after watching Enemy of the State and the general consensus was that the usability issues combined with the goofy US laws were insurmountable for ordinary users, and that wide spread encryption was never going to happen on the MUA level. It's great that has [P|G]GP support, but realistically it's a very small subset of people who you can mail. The best solution IMHO is to patch sendmail such that it automagically encrypts your mail if the remote server supports it. I was looking into implementing this, when I found it was already done. It was done in Australia by some guy working at Qualcomm and it's called ssmail, and it's at:
http://www.home.aone.net.au/qualcomm/
and I think it's GPL'd. While it's not as good a solution if you just want to encrypt your mail to 1 or 2 others, it's a much better mass solution if you are the admin for a mail domain. I urge you to start using it.
--sam
I love MH and nmh and exmh -- they have supported PGP for years and do so transparently and securely and, unlike most other readers, allow you to manage gigantic volumes of mail. PGP, MH, and procmail -- I never even need to drop into X! It is a pity that more people don't use MH. It is a pity that O'Reilly dropped the MH book (although it was good of them to allow Mr. Peek's book to be GPL-ed). Oh well.
Kids: I know that a lot of you are pretty young. If you don't mind a bit of advocacy from an old fart, learn MH. Like many enduring things in the UNIX world, there is a reason that it has stuck around -- it works. elm and mutt (really what elm should be) are good, pine is good, albeit basic. But you should look at MH. Imagine being able to do anything that you can think of from the command line while working on other things. No shelling out, nothing. exmh allows you to do all of this in X. MH and exmh are both rock solid and very rewarding, and they both give you that nice feeling after a while that this really is The Right Thing.
Here are some URLs:
http://www.ics.uci.edu/~mh/book/ for a basic website.
ftp://ftp.gw.com/pub/people/jpeek/mh/book-ps/ is the book, still updated regularly, and a very good read. Pull it down and read it.
http://www.ics.uci.edu/~mh/book/mh/senove.htm#SenPGP and http://www.ics.uci.edu/~mh/book/mh/remime.htm#ReaPGP covers the use of PGP in MH. http://www.ics.uci.edu/~mh/book/exmh/thbuied.htm#PGP covers it in exmh.
OK that is it for advocacy on this fine morning. The birds are singing, the s70s are at 2-3 (loafing, my children, loafing), and I think that I will go show the mainframers what REAL coffee tastes like.
Have fun. 'Cause if it ain't fun, you're doing it wrong (this can be applied to many things...).
Everyone in the GNU/linux world
should be talking about GPG instead of PGP
GPG aka GnuPG aka GNU Privacy Guard
fully openPGP compatible
http://www.d.shuttle.de/isil/gnupg/
http://www.gnupg.org
there is even a wrapper for compatibility with
pgp 2.6
http://www.nessie.de/mroth/pgpgpg/
For those using Emacs for email, Mailcrypt
is an excellent tool for integrating PGP
support. Also, the original author, Pat LoPresti,
is a nice guy.
Develop your own provably secure encryption algorithm, and then whenever you want to send email to a friend, encrypt it 3 or 4 times over with different keys, zip it using InfoZip but change the extension to ".tgz" or ".tar.gz" (very important!), then uuencode it and encrypt the result. Now split the file up into a thousand chunks and intersperse them in an MPEG animation as spurious frames. Take note of which frames have the real data in them and split the numbers up into groups of 4 (this will be important later on). Now place the MPEG on a zip disk, mislabel it as "holiday pictures" (sneaky!) and place in a regular postal envelope. Finally, hire out a Brink's truck and 4 guards to drive the package to the intended recipient. Make each of the 4 guards memorize one group of the MPEG frames without telling them what it is.
VOILA! One secure email!
If it's that hard for you to type, link it to something that isn't.
---
Of course, one could remap it. But figuring out how to tweak an email agent is a waste of time unless you're already decided on it.
---
I assume you mean a proxy that will run on your same machine, and not on the network; otherwise, you're transmitting cleartext on the wires.
---
Heehee mutt pisses on pine....film @ 11
Next.
; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
If you use Pine, there is a package called PGP4Pine which you can find at
freshmeat. It lets you use PGP seamlessly in Pine. I haven't personally had time to set it up but a bunch of my friends use it and recommend it.
Posted by Moritz Moeller - Herrmann:
I agree. It installs easily and works perfectly with mutt. I can really recommend it!
>>If I was a government agent in charge of snooping through email don't you think that I would have a scanner similar to a virus detector looking for encrypted messages?
>That's exactly the reason why we all should use encryption for _all_ of our messages.
Eh? Haven't you heard the best way to hide something is to hide it in plain sight?
Bah. Cryptography in Mail is a joke. It's something to play with, but really isn't all that useful in the real world. Let's face it, unless you're really dealing with really sensitive matters, the hassle involved with encryption isn't worth it, and all it really does is call attention to yourself. Think about it. If I was a government agent in charge of snooping through email don't you think that I would have a scanner similar to a virus detector looking for encrypted messages? The scanner may not be able to decrypt the messages, but it could flag and save the headers (including the addresses of the computers sending and receiving the encrypted mail) to a file so they could be investigated later by human field agents.
I really think you encryption supporters are really operating under a false sense of security. If the government really wants to get you, they will. End of story.
You're right though, it's a chicken and egg problem, you draw attention to yourself when you encrypt email, fortunately I have nothing to hide so attention spent paying attention to my email will protect those who should fear our government.
As for the sense of security, a false sense of security can be better than none at all. I also presume that you are talking about methods other than simply capturing and decrypting emails. If all email was encrypted, I'd feel pretty good that mine weren't the ones that were being focused on for decryption.
It may be a "good" idea next time to post a link instead of doing 'Edit -> View Source' and selecting then pasting....makes me wonder if there is/should be a comment byte limit. :)
da w00t. mtfnpy?
Mutt has inbuilt support for the various PGP flavours (2 5 and gpg)
...high-grade encryption offers little resistance to a court-ordered search warrant
:P
Wow Those are easy to get! I get one or two a day!
Yes but they still need the passphrase to unlock the message. You can just keep the passphrase to yourself. (take the fifth?) I know you can talk about temp files and swap files and stuff, but if you look at real world examples those things don't usually come into play. If you are really paranoid then you can get the tools to scrub your hd anywhere.
In my opinion it's not the government that would be crippled by crypto it's small time spooks like jealous boyfriends and industrial spies. I think crypto would stop more crime than it would hide!
Linux is only free if your time has no value. Windows is only free if you threaten to use Linux.
It's ironic that you said this. In the last day, I decided to try out mutt instead of my old faithful pine. After messing around with my .muttrc, I got it working semi-ok. The keys and everything were so alien to me that it was a pain learning them. I like the scroll down feature that pine has and mutt doesn't. While mutt might be great with PGP and can be configured in many ways, I have retreated back to my good old pine. Hitting the down key is a little too weird for me instead of "n".
Ok, fixed the bindings and got scrolling down to work. Thanks.
Ok, I used parts of that file and now mutt acts just like I want to. Except an option to bind a key to go back to the main index of messages. :)
JCSI is in Java. You'll need to download many a package from Javasoft before you'll get it to work.
--
http://www.wholepop.com/
Whole Pop Magazine Online - Pop Culture
For MUA integration, see Mail User Agent Survey
here's some more stuff,
Search results
59 programs matched your search criteria.
Aegis Shell (16-bit) 3.0.8
Aegis Shell (32-bit) 3.0.8
BetweenUs
Calyspo 3 PGP plugin
Claris Emailer plugin
CryptoEx 1.0b4
Emacs auto-pgp
Encryplet 1.0
Eudora 3.x and 4.x plugin
Eudora plugin
Gibbon PGP Front-End for EPM 1.2
Gui4PGP 2.0
Lock & Key 3.1
MS Outlook 97/98 and Exchange plugin
MS Outlook Express 4 plugin
MacPGP Control 1.0
MailPGP 1.3
Mailcrypt 3.5.3
MandelSteg and GIFExtract 1.0
Mollusc 1.0
PGP Encryptor Interface 1.1
PGP Extension for Microsoft Exchange 1.10
PGP Manager (16-bit) 1.3
PGP Manager (32-bit) 2.2b
PGP QuickFront 1.0
PGP REXX 1.2
PGP Windows 1.1
PGP Winfront (16-bit) 3.1
PGP Winfront (32-bit) 4.0
PGP-PM32 0.7 beta
PGP4Pine (aka PAPP)
PGPClick (16-bit) 2.5
PGPClick (32-bit) 2.5
PGPClip 1.4.4
PGPSort 1.0
PGPn123 (freeware) 1.0 beta 5
PGPn123 (shareware) 1.8
PGPoMAGIC 2.4
PGPsendmail 1.4
PGPtoGUI
PGPwho
PMMail/2 2.0
PgpEudra 1.02
PowerPGP (16-bit) 2.0
PowerPGP (32-bit) 2.20
Private Idaho 2.8b3
Privtool 0.90 beta
Pronto Secure 1.13
QDPGP 2.60
SafeMail 2.0 beta5
Stealth 1.1
WPGP 1.6
WinPGP (16-bit) 4.1
WinPGP (32-bit) 5.0
dirtypgp
elmpgp 2.4pl24
pgp4pine
psMail 1.1
zmail PGP script
peterrenshaw ~ Another Scrappy Startup
Linux people should really pay attention to Outlook
and all of the cool stuff that Microsoft does in
it. With the possible exception of GNUS, Outlook
is the best email client on the planet. Sure, it
has its faults, but if you subscribe to the "my inbox
contains everything in my whole life" school of life
management, then Outlook is about the best there is.
Now, it's far from worth justifying Windows, which
is why I use the mighty pine, but everyone should at least
give it a shot and see what neat stuff they have.
Fortunately the part about one-way algorithms is very important. It is absurd even with astounding advances in computing power to do a brute force search of 160 bits. Thus the question becomes how secure is your hash function.
Secure hash functions are a VERY important topic but the fact that you only have 160 bits is irrelevant.
Marriage is the "pseudo-ethics" that cloaks the messy truth of sexuality in the raiment of propriety -- it's "Don't Ask,
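The cost argument made in the fingerprint comments above (about 2^128 candidate keys to match a 128-bit fingerprint), measured at toy sizes. This is an added example, not code from any poster or from PGP: the "keys" are constructed random byte strings and the fingerprint is a truncated SHA-256 standing in for PGP's real fingerprint computation.

```python
import hashlib
import os


def fingerprint(key_bytes: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256 over the key bytes.

    Assumption: a stand-in for a PGP key fingerprint, shortened so the
    search below finishes in a moment.
    """
    digest = int.from_bytes(hashlib.sha256(key_bytes).digest(), "big")
    return digest >> (256 - bits)


def find_second_key(target_key: bytes, bits: int):
    """Try fresh random keys until one has the target's fingerprint.

    Because the hash cannot be inverted, guessing is the only strategy.
    Returns (matching_key, number_of_keys_tried).
    """
    want = fingerprint(target_key, bits)
    tries = 0
    while True:
        tries += 1
        # Constructed sample: 1024 random bits, not a real RSA public key.
        candidate = os.urandom(128)
        if candidate != target_key and fingerprint(candidate, bits) == want:
            return candidate, tries


def mean_tries(bits: int, samples: int = 64) -> float:
    """Average number of keys tried per match, over `samples` random targets."""
    total = 0
    for _ in range(samples):
        _, tries = find_second_key(os.urandom(128), bits)
        total += tries
    return total / samples


if __name__ == "__main__":
    # Work doubles with every fingerprint bit: the measured mean tracks 2**bits.
    for bits in (4, 8, 12):
        print(f"{bits:2d}-bit fingerprint: mean tries {mean_tries(bits):8.1f}"
              f"  (2**{bits} = {2 ** bits})")
    print(f"128-bit fingerprint: about {2 ** 128:.2e} keys expected")
```

Many 1024-bit keys do share any given fingerprint, but finding one costs about 2^bits key generations, so the number of colliding keys that exist is not what bounds the attack.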
http://www.mutt.org/doc/manual/manual-6.html#move
move
Type: quadoption
Default: ask-no
Controls whether you will be asked to confirm moving read messages from your spool mailbox to your $mbox mailbox, or as a result of a mbox-hook command.
"set move=no" will do exactly what you want.
You don't even need to delve into the source. Here is a sample muttrc which will redefine all the key bindings to their pine equivalents.
Insofar as unix is concerned, you simply cannot beat mutt ( http://www.mutt.org/) for a pgp-aware mailer.
If you're currently using either pine or elm, you're doing yourself a serious disservice not looking at mutt. It's easier, more flexible, and more powerful than any of the alternatives.
PGP support is top-notch and native, for both v2 and v5 pgp. Highly recommended.
"mutt" has two t's, which means a short delay there.
In addition, it is difficult to type "mu" without using just one finger.
"pine" on the other hand, can be typed with four fingers (one for each letter), and so can be typed much faster and more easily. That alone makes pine my mailer of choice.
And no, editing my .cshrc file to alias pine to mutt is a ridiculous option. And besides, who wants to use a mailer not named after a tree?
Unfortunately, The Bat's IMAP support is clunky at best.
Does anyone know of a good mail client that supports both IMAP and PGP? Most clients support one or the other.
And Outlook is not an option.
zeroknowledge.com has a beta client out that supports encryption and anonymous remailing. These guys tend to get quoted in wired frequently when privacy issues come up.
So long, and thanks for all the Phish
Try zeroknowledge.com again.
So long, and thanks for all the Phish
With the question in mind, I use Ishmail as it
has a GUI front-end and supports PGP, as well
as well as working with IMAP, POP, and local mail servers, I really like the Automatic filing.
Check it out at http://www.ishmail.com
WDM
... PMMail can not be beat in my opinion. It doesn't get much press but it handles PGP 2.x and [56].x very well. It's fast and very reliable.
Ashley Clark
Not only does The Bat support PGP in its latest version, but it is an all-around cool email program. It's very configurable and new enhancements are being added frequently. It's at www.ritlabs.com.
This is the notion that Winnow and Chaffing (sorry if the spelling is wrong) operates. It isn't a new idea, but application to today's network systems was recently (within the last year?) brought up by the R and S in RSA (Rivest and the other name I forget... Shamir?). The idea is simply to flood any given packetized connection with false signatured/authenticated garbage. The packets that are good are also signed/authenticated but they actually will check out correctly when the signature is checked. Depending on how small the packets are different methods of creating the "chaff" packets can be effectively utilized in this scheme. In this method correct information can travel somewhat securely in the clear among "noise."
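The scheme described in the comment above, as an added example that is not part of the original post: every packet travels in the clear with an authentication tag, real packets carry a valid HMAC, chaff packets carry a random tag, and only a receiver holding the shared key can separate them. The one-byte packet size, the key and the function names are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
import random

MAC_LEN = 32  # HMAC-SHA256 tag length in bytes


def _tag(key: bytes, seq: int, data: bytes) -> bytes:
    """Authenticate the (sequence number, payload) pair."""
    return hmac.new(key, seq.to_bytes(4, "big") + data, hashlib.sha256).digest()


def send_with_chaff(key: bytes, message: bytes, chaff_per_packet: int = 2):
    """Split `message` into one-byte packets and mix in chaff.

    Each wheat packet is (seq, byte, valid tag). For the same seq, chaff
    packets carry a different byte and a random tag that will not verify.
    Nothing is encrypted: every payload is readable on the wire.
    """
    rng = random.SystemRandom()
    packets = []
    for seq, byte in enumerate(message):
        wheat = bytes([byte])
        packets.append((seq, wheat, _tag(key, seq, wheat)))
        decoys = rng.sample([b for b in range(256) if b != byte], chaff_per_packet)
        for decoy in decoys:
            packets.append((seq, bytes([decoy]), os.urandom(MAC_LEN)))
    rng.shuffle(packets)  # arrival order gives nothing away
    return packets


def winnow(key: bytes, packets) -> bytes:
    """Receiver side: keep only packets whose tag verifies, then reassemble."""
    wheat = {}
    for seq, data, tag in packets:
        if hmac.compare_digest(tag, _tag(key, seq, data)):
            wheat[seq] = data
    return b"".join(wheat[seq] for seq in sorted(wheat))


def candidates_seen(packets) -> dict:
    """What an observer without the key learns: the candidate bytes per position."""
    seen = {}
    for seq, data, _ in packets:
        seen.setdefault(seq, set()).add(data[0])
    return seen


if __name__ == "__main__":
    key = b"constructed-shared-secret-for-demo"  # constructed sample key
    pkts = send_with_chaff(key, b"meet at noon")
    print(len(pkts), "packets on the wire")
    print("receiver recovers:", winnow(key, pkts))
    print("wrong key recovers:", winnow(b"not-the-key", pkts))
```

With only a few decoys per position an observer still narrows each byte to `chaff_per_packet + 1` candidates; sending every possible value for each position removes that leak at the cost of bandwidth.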
Around here, my friends with Windows use Outlook and
PGP, and I use exmh and GnuPG, and they interoperate
great!
-Nick
Technically speaking, I have to wholeheartedly agree that PGP is superior to PGP in just about every way. Unfortunately, there is one mighty drawback:
It's not reverse compatible with the old pgp 2.62 keysets out there. That sucks.
(also the fact that /usr/local/bin/gpg is setuid root, but that's minor)
Here's what it looked like when I tried to import my pgp 2.6.2 key. (id 'xxx'ed to protect the innocent)
gpg (GnuPG) 0.9.8; Copyright (C) 1999 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to
redistribute it under certain conditions. See
the file COPYING for details.
gpg: key xxx: unsupported public key algorithm
gpg: key xxxx: no valid user ids
gpg: this may be caused by a missing
self-signature
gpg: Total number processed: 1
gpg: w/o user IDs: 1
-- If you met me, you probably wouldn't remember me. I'm pretty hard to remember.
Is there a non-commercial imap server that supports ssl?
Hate to point out the obvious...but I believe that the message you replied to was a sarcastic farce. You need to lighten up a bit there bud.
I agree - in the meantime, there is good shareware for PGP email integration on Windows called Mollusc, which supports Netscape and almost every Windows emailer and the author can very rapidly support off-beat email programs.
I used to use this quite a lot when I was using PGP on Windows. For attachments, the simplest thing is just to encrypt the file using PGP of course.
A quick search on Google.com revealed the following beta done in Norway, so it is usable worldwide - not sure if it is just a library but it should be usable by mail program developers.
http://www.pasta.cs.uit.no/~perm/PASTA/pilot/
There was also mention of some work done in US/Canada, for those who live there, in
http://www.imc.org/ietf-open-pgp/mail-archive/msg01874.html
Have a look at the international PGP home page. Good links here to the standard PGP packages for most platforms. Freshmeat is a good source for Linux specific things.
In my view S/MIME is a superior protocol for encrypting email than PGP. It is supported by the major mail clients (e.g. Netscape's Messenger), and I believe is easier to use. Its main disadvantage is that its support among "free" mail clients appears to be non-existent...
Perhaps for the same reason that MS Excel 97 `cannot open two documents with the same name, even if the documents are in different folders', eh?
-rozzin.
Does outlook have a search-and-replace function?
-rozzin.
read the subject
\forall code \in C, \frac{\Delta readability(code)}{\Delta t} < 0
What if the API in question wasn't for encryption, but rather a generic API that any number different plugins could work with (including encryption). I don't know, say for example, a plugin that just took 64 bits and XORed it with 45 or something (by no means strong encryption). Sure its worthless, but it should alow someone to write a plugin that used DES or some other strong encryption right? Just call it generic data transformation or something (GDT) - just an idea, has it ever been tried?
\forall code \in C, \frac{\Delta readability(code)}{\Delta t} < 0
Ahhh, I can reminisce about the old days.....
:-)
Email was a simple client where you can scrub the messages through a nice encryptor (Simple double Xor encryption with phrases) that couldn't be cracked easily by a cracker or punk kid. Usenet postings that were offensive were rot13'd and all was joyous.
What about the fact that ALL news readers and IRC clients no longer have a rot13 function?? if everyone used it then the bitching by us old-timers and the paranoid public would be minimal I.E. no chance of a child accidentally seeing c00l D00d's latest flame where he tried out the new word F*** every 3 words. You would have to deliberately rot13 it to read it. encryptors were easy to implement... pine-- Ahhh a message from my russian commander -- save it as ascii and decrypt. to send? text->encryptor->mail ruskie@ussr.ru but then that was back in the dark ages.... before Point and drool...
(NOTE: I like to point and drool, I use NT for silly things) on the Linux/unix/BSD side the encryption interface is trivial... it's the intentional Abstraction of winblows that was in place to keep you from doing things like encrypting your mail or adding features to software that don't exist yet. (It still can be done.. cut and paste your text, run the win interface to PGP, bla bla bla.... easy as pie)
Now if Eudora wanted to rise from the ashes... make a Unix,solaris,linux,Windows,mac,BE,etc... version with a pgp interface built in.... but it wont happen...
Enough of my drivel... where's my old-farts walker..
Do not look at laser with remaining good eye.
I think the point was that if we use crypto on ALL our mail then the nosey bastards monitoring our mail will be kept busy decoding messages about Friday's pub-night until they get bored with the whole endeavour. If people are going to snoop let's make it as painful as possible...
Hack the system!!!! (lol)
*--BigMan--- Time flies like an arrow.. but personally I prefer a nice glass of wine!
That's exactly the reason why we all should use encryption for _all_ of our messages.
I sync my mail with my Palm, so that I can play^H^H^H^Hwork a bit while commuting. Using encryption limits working with encrypted mails till I reach my desktop.
Does anybody know of a Palm version? I'd settle for just being able to *read*
----------
'We have no choice in what we are. Yet what are we,
but the sum of our choices.' --Rob Grant
But in Windows I use Outlook 98 for e-mail. It has support for PGP...which I have found is the easiest way to share crypto stuff. PGP integrates rather well in my experience...if you DO use Outlook it's a nice way to keep big brother from reading your plans to kill people or whatever scheme they say everyone is now planning through e-mail.
I'm a loner Dottie, a Rebel.
Mutt not only seamlessly interacts with PGP, but also with the GNU Privacy Guard (GPG). Mutt is absolutely fantastic as MUA. If you're really crazy, you can use it under windows by compiling it with cygwin/slang.
> Bandwidth is free, even at 56k.
Not necessarily. It's free for most people, particularly (I imagine) for people in North America and Europe, but people in other parts of the world don't always have as many options.
The only reason that I'm bothering to write this reply is that the 'bandwidth is free' needs to be challenged. I know of too many people on limited bandwidth that keep getting sent things like large attachments because of that assumption.
A month ago, I was paying NZ$3/hour access for 28k - hardly free bandwidth, and the university department where I work gets charged something like NZ$1/Mb.
Roy Ward.
Some of you might be interested in a project called Enigma. It is open source, written entirely in Java, and works with just about any e-mail package. Enigma works by being a proxy server decrypting all e-mail and intelligently encrypting e-mail according to who is on your keyring.
That's basically what happened with the Amiga's XPK interface. It was originally intended as a general-purpose interface for compression routines. But over time it got to be rather widely used for crypto too. It's really just a general-purpose data-munging API.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Well, actually, it looks more like clueless admins rather than spooks, but I guess you never know. They are virus-scanning at the wrong point.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
I would say that entirely depends on what country you're in. Man, why do I even bother to reply to this? ;-)
Well... if you use PGP for Windows or Macintosh, you get this nifty menu that allows you to encrypt/sign or decrypt/verify any selected text.
This setup won't work with PGP/MIME, (multipart/encrypted), but it will work with inline stuff (you know, the messages that start with "START PGP SIGNED MESSAGE" or whatever it is).
if someone is green to pgp then by far the easiest and most foolproof way to get them up and running is via pgp's native mail client plugins for outlook, outlook express, and eudora.
my suggestion is eudora light 3.0.6, at www.eudora.com. intuitive interface (remember netscape mail three ugly panes from hell? phooey.) and simple.
then stop by www.pgpi.com to pick up your preferred pgp version. 6.0.2 freeware works fine for people in the us. you'll want 6.0.2i (the international version) if you want backward compatibility, though. the great 'client selection wizard' will get most people through.
once you get these two programs up and running exchanging encrypted e-mails is a snap. just click 'encrypt/decrypt' (or sign, or whatever) right in eudora.
good luck. i've always believed that as more and more people use pgp, the 'digital worth' of each pgp-encrypted message increases. please help as many people as possible to download, use, and support pgp. it helps us all.
www.pgpi.com
www.pgp.net
wwwkeys.pgp.net
Network Associates PGP 6.0.2 integrates with Microsoft Outlook, Outlook Express, Netscape Mail, and Eudora Mail clients. You can download it free from their webpage. This is for Windows only though, I'm not sure about Unix or the mac platform.
I can only please one person a day. Today is not your day, and tomorrow does not look good either.
The link below will take you to what I believe to be the most extensive webpage on Encryption and Security. From free win based ssh clients to information about the Australian NSA.
Here it is!
It seems to me that's exactly what Sun is doing with Java2 and JCE.
A set of abstract classes, useless until you bought the corresponding "real" classes, from Sun in the US, or elsewhere (IAIK here in Europe).
Correct me if I'm wrong, but what's different from pluggable encryption in a MUA ?
What?? having 2 or more 160bit keyID/fingerprint?
0 0
160 bits means approx
14600000000000000000000000000000000000000000000
possible.
exactly; and we should encrypt the most mundane of our communications most of all, to *really* piss them off. if some agency has to use some really expensive cracking hardware and up-time to find out what time i'm meeting my girlfriend at the cinema tonight, i'm that little bit happier...
Another barrier to encryption is the use of virus sweepers; some sysadmins are now paranoid about mail viruses, and process all the mail through some filter that gives them a warm fuzzy feeling (and probably little else).
.. as a result, we've just been asked to remove both encrypters and decrypters from our systems.
These systems can't work with encrypted mail (obviously)
Makes you wonder whether the antiencryption spooks are behind the mail viruses, doesn't it ?
PS: If you really feel the need to send a 'fake' e-mail, you can do it the hardcore way, if you're up to it... ( warning: only for the truly 3lit3) Okay, here it is, all you need to do is address a postcard to root@127.0.0.1 and drop it into the mail box. Works every time. Sounds simple doesn't it? It's really difficult to trace too!
Hey, have you ever gotten any bounced messages doing this? ;-p
FWIW I used to have problems with MS Outlook and the PGP for Windows from www.pgpi.com. Every so often a mail would come through and trying to open it would cause a GPF in outlook as the plugin DLL died, dunno why. It was not fun having auto-preview enabled, as this also involved 'opening' the mail!
:)
This was outlook in the days of IE4 and PGP5.5 - might be different now, but be on your guard
~Tim
--
Rushing on down to the circle of the turn
Rather than dealing with the problems of hacking encryption into MUAs, why not create a PGP encrypting/decrypting proxy that would work seamlessly with any MUA?
How do you get one of those shiny silver RSA keys for pgp?
*****
Knowledge is power. Knowing is half the battle. Why do we still clout kid's views with that crap?
Check out fortify.net
http://www.paladincorp.com.au has some really informative info and links to PGP issues.
This still isn't enough for secure email to be ubiquitously usable. What do you do if your recipient receives email on a PalmPilot, WinCE handheld or WebTV? How 'bout if you're accessing your email on a web browser based account (maybe on a vacation without your laptop) and someone sends you pgp'd email?
From reading the protocols bit in Applied Cryptography I got the feeling that all public key systems relied on good and trusted servers for distributing public keys. How do the current systems handle public key management?
Is that not the real area where the land of the free (and the home of the brave) is screwing us over?
Glyciren
"Well that didn't work... try this jumper instead.. oops."
I am looking for a pretty GUI Mail client w/pgp abilities. I am successfully converting all of my company to Linux. I am also looking to implement a secure/signed email policy. It's gotta be pretty for the simple folk. Thanks.
I currently use Exim as my MTA (and don't wish to change). Using the
transport_filter feature, would it be possible to automatically PGP encrypt
outgoing mail (only for a single recipient)?
Unfortunately, I'm useless with shell/Perl scripting, so is there anyone out
there who has already implemented this kind of thing? Any example code or relevant URLs would be *extremely* useful.
Zip disks are too ubiquitous. Use a magneto-optical disk. Security through obscure media.
Netscape doesn't support PGP encryption. There's been a lot of discussion over at the mozilla crypto newsgroup on the hows and whys. Basically, AOL/Netscape's interpretation of the stupid US cryptography export regulations prevents them from even exposing their API for cryptographic processing. Some folks at NAI volunteered to help out, which elicited some favorable noises on the part of Mozilla, but no visible action. They may be working on it behind the scenes however.
Netscape Messenger owns a huge share of the Internet email client market. The lack of PGP support is a substantial impediment to the widespread adoption of PGP as a standard for Windows email. I'm not too fond of NAI, but I'd like to see this particular product succeed, since it's in such widespread use on Unix.
"Even if you are on the right track, you'll get run over if you just sit there" - Will Rogers
Yup. I'm a little biased of course because I test MS Outlook crypto, but I'd honestly have to say that Outlook2000 SR2 will be the uncontested champion among secure mail clients, at least for a while. Why?
*Standards based* - that's right, O2k SR2 will be the first and only mail client *in the world* to implement the SMIME v3 protocols. This gives you features like secure labels and secure receipts, as well as full support for the standard-specified algorithms and other cool stuff like FIPS mode. (see http://search.ietf.org/internet-drafts/draft-ietf-smime-ess-12.txt for the coolest stuff) And I swear it really is exactly implemented, no extensions!
:)
*Autoconfiguration* - Don't know what the feature's going to be called when it goes out the door, but autoconfig rocks. Essentially, it instantly eliminates the hassle of selecting and administering your certificates. You just get a cert, click Sign or Encrypt on the mail, and Outlook does everything else. It will also repair your security profiles if a cert expires. Of course you can still go in and do all this yourself, but autoconfig is so cool, many people never will.
*Performance* - O2k is without contest in its speed and memory footprint. I know this will be greeted with skepticism due to O98, but just try it - you'll see why the perf numbers trash Qualcomm and Lotus.
*Stability* - well, I tested it. Nuff said
Now as for PGP, hmm. I guess I personally haven't been testing that and I'm upset that it seems to screw up your systems. I'll DL it tomorrow and see whether I can get those preview bugs fixed.
-konstant
Yes! We are all individuals! I'm not!
gpg is so much better than pgp
-overlord
Don't assume everyone is using a qwerty keyboard.
Although I use qwerty at work and for work-related things at home, I'm also increasing my proficiency with dvorak every day. Don't change your program so it is faster to type, change the layout.
-bugg
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hmm, well I still use Windoze for most of my day to day email stuff
and, I also find the PGP+Outlook'98 combination very usable.
Two gripes: if you use the auto preview in combination with decrypt-on
open then the preview re-saves the decrypted email which can be
irritating.
Also PGP DOES NOT work with Outlook Express 5.0
( ie. the one that comes with IE 5.0 )
Anyone using Outlook 2000? I daren't yet I don't
have the RAM or DISK. Outlook'98 is bloated enough
irq_conflict
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0
iQA/AwUBN4CLT+3AgzeWcyyiEQIl0QCfQnLPvlTFuyHknTI
u9AbAZ2/+NvMxTIZaK/Gh7xy
=gZq7
-----END PGP SIGNATURE-----
Barry Wimlett at endless dot co dot uk
I know this isn't glamorous or integrated, but an encryption program that does really well without the need for public keys is something called Crypt-o-Text, written by Rodney Savard (check him out at www.savard.com) It's basically a notepad that you cut and paste encrypted text to/from. Works for me.
Technological progress has merely provided us with more efficient means for going backwards. -- Aldous Huxley
Among the others, you can also use the XFMail
mail reader; it supports PGP 2.6, 5.0 and, with
a patch (http://members.xoom.com/alberanid/patch-xfmail-gpg.tar.gz) GnuPG too.
I agree that everybody should use encryption all the time. The best analogy I've heard is to snail mail:
Encryption is an envelope. I notice that almost all snail mail is sent in envelopes instead of postcards.
I suspect that if most users inherently understood this analogy and the technology underneath, the desire for encryption would be much more widespread.