Slashdot Mirror
Ask Slashdot: Cryptography in Mail software?
Bartmoss asksL:
"Obviously, nobody will use encryption if two problems
occure: (a) your friends won't be able to read your mail
because they don't have crypto, and (b) your software
doesn't have crypto. I'm wondering - are there good HOWTO's
and info sites on how to plug encryption into leading mail
software for UNIX, Mac and Windows? What Windows-Software
supports PGP, and which can have PGP support added? Does
anybody have information on clients people could use for
crypted mails?"
I was discussing this with my friends after watching Enemy of the State and the general consensus was that the usability issues combined with the goofy US laws were insurmountable for ordinary users, and that wide spread encryption was never going to happen on the MUA level. It's great that has [P|G]GP support, but realistically it's a very small subset of people who you can mail. The best solution IMHO is to patch sendmail such that it automagically encrypts your mail if the remote server supports it. I was looking into implementing this, when I found it was already done. It was done in Australia by some guy working at Qualcomm and it's called ssmail, and it's at:
http://www.home.aone.net.au/qualcomm/
and I think it's GPL'd. While it's not as good a solution if you just want to encrypt your mail to 1 or 2 others, it's a much better mass solution if you are the admin for a mail domain. I urge you to start using it.
--sam
I love MH and nmh and exmh -- they have supported PGP for years and do so transparently and securely and, unlike most other readers, allow you to manage gigantic volumes of mail. PGP, MH, and procmail -- I never even need to drop into X! It is a pity that more people don't use MH. It is a pity that O'Reilly dropped the MH book (although it was good of them to allow Mr. Peek's book to be GPL-ed). Oh well.
e nPGP and http://www.ics.uci.edu/~mh/book/mh/remime.htm#ReaP GP covers the use of PGP in MH. http://www.ics.uci.edu/~mh/book/exmh/thbuied.htm#P GP covers it in exmh.
...).
Kids: I know that a lot of you are pretty young. If you don't mind a bit of advocacy from an old fart, learn MH. Like many enduring things in the UNIX world, there is a reason that it has stuck around -- it works. elm and mutt (really what elm should be) are good, pine is good, albeit basic. But you should look at MH. Imagine being able to do anything that you can think of from the command line while working on other things. No shelling out, nothing. exmh allows you to do all of this in X. MH and exmh are both rock solid and very rewarding, and they both give you that nice feeling after a while that this really is The Right Thing.
Here are some URLs:
http://www.ics.uci.edu/~mh/book/ for a basic website.
ftp://ftp.gw.com/pub/people/jpeek/mh/book-ps/ is the book, still updated regularly, and a very good read. Pull it down and read it.
http://www.ics.uci.edu/~mh/book/mh/senove.htm#S
OK that is it for advocacy on this fine morning. The birds are singing, the s70s are at 2-3 (loafing, my children, loafing), and I think that I will go show the mainframers what REAL coffee tastes like.
Have fun. 'Cause if it ain't fun, you're doing it wrong (this can be applied to many things
Everyone in the GNU/linux world
should be talking about GPG instead of PGP
GPG aka GnuPG aka GNU Privacy Guard
fully openPGP compatible
http://www.d.shuttle.de/isil/gnupg/
http://www.gnupg.org
there is even a wrapper for compatibility with
pgp 2.6
http://www.nessie.de/mroth/pgpgpg/
For those using Emacs for email, Mailcrypt
is an excellent tool for integrating PGP
support. Also, the original author, Pat LoPresti,
is a nice guy.
Develop your own provably secure encryption algorithm, and then whenever you want to send email to a friend, encrypt it 3 or 4 times over with different keys, zip it using InfoZip but change the extension to ".tgz" or ".tar.gz" (very important!), then uuencode it and encrypt the result. Now split the file up into a thousand chunks and intersperse them in an MPEG animation as spurious frames. Take note of which frames have the real data in them and split the numbers up into groups of 4 (this will be important later on). Now place the MPEG on a zip disk, mislabel it as "holiday pictures" (sneaky!) and place in a regular postal envelope. Finally, hire out a Brink's truck and 4 guards to drive the package to the intended recipient. Make each of the 4 guards memorize one group of the MPEG frames without telling them what it is.
VOILA! One secure email!
If it's that hard for you to type, link it to something that isn't.
---
Of course, one could remap it. But figuring out how to tweak an email agent is a waste of time unless you're already decided on it.
---
I assume you mean a proxy that will run on your same machine, and not on the network; otherwise, you're transmitting cleartext on the wires.
---
Secret key cryptography are systems that use a single secret key both to encrypt and decrypt the message. That is, both the sender and the recipient need to arrange for both to have the secret key, over some kind of secure channel. This approach is not practical to use over the net, since transmitting the key over it would place the users in danger of it being intercepted.
Public/private key cryptography uses a pair of keys: one to encrypt messages, and a second one to decrypt them. This works the following way: suppose you want to send me an encrypted message. What you (or anyone) would have to do is get a copy of my public encryption key (which I could place in an accesible place, like my home page), and use that to encrypt the message. When I receive it, only I can read it, since it can only be decrypted with the private key I keep on a safe computer. Of course, I need to protect my private key from being stolen. But the main point is that I never have to transmit the private decryption key over the net, while my public encryption key can be wholly public.
This is the method used by PGP to encrypt email, by SSH for encrypted logins, and SSL for secure sockets (like when you use a secure web connection). A variant of it is used for PGP signatures (which can, in conjunction with a public key, cryptographically guarantee that some file has not been altered).
---
Why get the commercial Eudora plugin when it is included in the freeware international PGPi releases? Current version is 6.02i I think, works great with Eudora.
Heehee mutt pisses on pine....film @ 11
Next.
; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
If you use Pine, there is a package called PGP4Pine which you can find at
freshmeat. It lets you use PGP seamlessly in Pine. I haven't personally had time to set it up but a bunch of my friends use it and recomend it.
Posted by Moritz Moeller - Herrmann:
I agree. It installs easily and works perfectly with mutt. I can really recommend it!
>>If I was a goverment agent in charge of snooping through email don't >>you think that I would have a scanner similar to a virus detector >>looking for encrypted messages?
>That's exactly the reason why we all should use encryption for _all_ of our messages.
Eh? Haven't you heard the best way to hide something is to hide it in plain sight?
Bah. Cryptography in Mail is a joke. It's something to play with, but really isn't all that useful in the real world. Let's face it, unless you're really dealing with really sensitive matters, the hassle involed with encryption isn't worth it, and all it really does is call attention to yourself. Think about it. If I was a goverment agent in charge of snooping through email don't you think that I would have a scanner similar to a virus detector looking for encrypted messages? The scanner may not be able to decrypt the messages, but it could flag and save the headers (including the adresses of the computers sending and receiving the encrypted mail) to a file so they could be investigated later by human field agents.
I really think you encryption supporters are really operating under a false sense of security. If the goverment really wants to get you, they will. End of story.
You're right though, it's a chicken and egg problem, you draw attention to yourself when you encrypt email, fortunately I have nothing to hide so attention spent paying attention to my email will protect those who should fear our government.
As for the sense of security, a false sense of security can be better than none at all. I also presume that you are talking about methods other than simply capturing and decrypting emails. If all email was encrypted, I'd feel pretty good that mine weren't the ones that were being focused on for decryption.
It may be a "good" idea next time to post a link instead of doing 'Edit -> View Source' and selecting then pasting....makes me wonder if there is/should be a comment byte limit. :)
da w00t. mtfnpy?
Mutt has inbuilt suport for the various PGP flavours (2 5 and gpg)
...high-grade encryption offers little resistance to a court-ordered search warrant
:P
Wow Those are easy to get! I get one or two a day!
Yes but they still need the passphrase to unlock the message. You can just keep the passphrase to yourself. (take the fifth?) I know you can talk about temp files and swap files and stuff, but if you look at real world examples those things don't usually come into play. If you are really paranoid then you can get the tools to scrub your hd anywhere.
In my opinion it's not the government that would be crippled by crypto it's small time spooks like jealous boyfriends and industrial spys. I think crypto would stop more crime than it would hide!
Linux is only free if your time has no value. Windows is only free if you threaten to use Linux.
It's ironic that you said this. In the last day, I decided to try out mutt instead of my old faithful pine. After messing around with my .muttrc, I got it working semi-ok. The keys and everything were so alien to me that it was a pain learning them. I like the scroll down feature that pine has and mutt dosen't. While mutt might be great with PGP and can be configured in many ways, I have retreated back to my good old pine. Hitting the down key is a little too weird for me instead of "n".
Ok, fixed the bindings and got scrolling down to work. Thanks.
Ok, I used parts of that file and now mutt acts just like I want to. Except an option to bind a key to go back to the main index of messages. :)
JCSI is in Java. You'll need to download many a package from Javasoft before you'll get it to work.
--
http://www.wholepop.com/
Whole Pop Magazine Online - Pop Culture
http://www.wholepop.com/
Whole Pop Magazine Online - Pop Culture
For MUA integration, see Mail User Agent Survey
here's some more stuff,
Search results
59 programs matched your search criteria.
Aegis Shell (16-bit) 3.0.8
Aegis Shell (32-bit) 3.0.8
BetweenUs
Calyspo 3 PGP plugin
Claris Emailer plugin
CryptoEx 1.0b4
Emacs auto-pgp
Encryplet 1.0
Eudora 3.x and 4.x plugin
Eudora plugin
Gibbon PGP Front-End for EPM 1.2
Gui4PGP 2.0
Lock & Key 3.1
MS Outlook 97/98 and Exchange plugin
MS Outlook Express 4 plugin
MacPGP Control 1.0
MailPGP 1.3
Mailcrypt 3.5.3
MandelSteg and GIFExtract 1.0
Mollusc 1.0
PGP Encryptor Interface 1.1
PGP Extension for Microsoft Exchange 1.10
PGP Manager (16-bit) 1.3
PGP Manager (32-bit) 2.2b
PGP QuickFront 1.0
PGP REXX 1.2
PGP Windows 1.1
PGP Winfront (16-bit) 3.1
PGP Winfront (32-bit) 4.0
PGP-PM32 0.7 beta
PGP4Pine (aka PAPP)
PGPClick (16-bit) 2.5
PGPClick (32-bit) 2.5
PGPClip 1.4.4
PGPSort 1.0
PGPn123 (freeware) 1.0 beta 5
PGPn123 (shareware) 1.8
PGPoMAGIC 2.4
PGPsendmail 1.4
PGPtoGUI
PGPwho
PMMail/2 2.0
PgpEudra 1.02
PowerPGP (16-bit) 2.0
PowerPGP (32-bit) 2.20
Private Idaho 2.8b3
Privtool 0.90 beta
Pronto Secure 1.13
QDPGP 2.60
SafeMail 2.0 beta5
Stealth 1.1
WPGP 1.6
WinPGP (16-bit) 4.1
WinPGP (32-bit) 5.0
dirtypgp
elmpgp 2.4pl24
pgp4pine
psMail 1.1
zmail PGP script
peterrenshaw ~ Another Scrappy Startup
Linux people should really pay attention to Outlook
and all of the cool stuff that Microsoft does in
it. With the possible exception of GNUS, Outlook
is the best email client on the planet. Sure, it
has its faults, but if you subscribe to the "my inbox
contains everything in my whole life" school of life
management, then Outlook is about the best there is.
Now, it's far from worth justifying Windows, which
is why I sue the mighty pine, but everyone should at least
give it a shot and see what neat stuff they have.
Fortunately the part about one-way algorithms is very important. It is absurd even with astounding advances in computing power to do a brute force search of 160 bits. Thus the question becomes how secure is your hash function.
Secure hash functions are a VERY important topic but the fact that you only have 160 bits is irrelevant.
Marriage is the "pseudo-ethics" that cloaks the messy truth of sexuality in the raiment of propriety -- it's "Don't Ask,
http://www.mutt.org/doc/manual/ma nual-6.html#move
move
Type: quadoption
Default: ask-no
Controls whether you will be asked to confirm moving read messages from your spool mailbox to your $mbox mailbox, or as a result of a mbox-hook command.
"set move=no" will do exactly what you want.
You don't even need to delve into the source. Here is a sample muttrc which will redefine all the key bindings to their pine equivalents.
Insofar as unix is concerned, you simply cannot beat mutt ( http://www.mutt.org/) for a pgp-aware mailer.
If you're currently using either pine or elm, you're doing yourself a serious disservice not looking at mutt. It's easier, more flexible, and more powerful than any of the alternatives.
PGP support is top-notch and native, for both v2 and v5 pgp. Highly recommended.
Use SSH and port forwarding.
fetchmail has an easier way to do it automatically using SSH port forwarding (I have not yet found a seamless implemention)..
There is an implementation of SSL/IMAP, but both clients and server have to follow it.
Note: Same thing with
POP3
and you may want to use SSH port forwarding with NNTP. (which is also in the clear...)
The problem w/ SSH port forwarding is that the server also needs to support SSHD (but if you have control over both machines)....
https://www.mav.net/teddyr/syousif/
--
Time is on my side
"mutt" has two t's, which means a short delay there.
.cshrc file to alias pine to mutt is a ridiculous option. And besides, who wants to use a mailer not named after a tree?
In addition, is is difficult to type "mu" without using just one finger.
"pine" on the other hand, can be typed with four fingers (one for each letter), and so can be typed much faster and more easily. That alone makes pine my mailer of choice.
And no, editing my
Unfortunately, The Bat's IMAP support is clunky at best.
Does anyone know of a good mail client that supports both IMAP and PGP? Most clients support one or the other.
And Outlook is not an option.
zeroknowledge.com has a beta client out that supports encryption and anonymous remailing. These guys tend to get quoted in wired frequently when privacy issues come up.
So long, and thanks for all the Phish
Try zeroknowledge.com again.
So long, and thanks for all the Phish
With the question in mind, I use Ishmail as it
has a GUI front-end and supports PGP, as well
as well as working with IMAP, POP, and local mail servers, I really like the Automatic filing.
Check it out at http://www.ishmail.com
WDM
... PMMail can not be beat in my opinion. It doesn't get much press but it handles PGP 2.x and [56].x very well. It's fast and very reliable.
Ashley Clark
Come on, almost ANY old mailer can fake mails!
/* Steinar */
(This comment is of course GPLed.)
Not only does The Bat support PGP in its latest version, but it is an all-around cool email program. It's very configurable and new enhancements are being added frequently. It's at www.ritlabs.com.
This is the notion that Winnow and Chaffing (sorry is the spelling is wrong) operates. It isn't a new idea, but application to today's network systems was recently (within the last year?) brought up by the R and S in RSA (Rivest and the other name I forget... Shamir?). The idea is simply to flood any given packetized connection with false signatured/authenticated garbage. The packets that are good are also signed/authenticated but they actually will check out correctly when the signature is checked. Depending on how small the packets are different methods of creating the "chaff" packets can be effectively utilized in this scheme. In this method corrent information can travel somewhat securely in the clear among "noise."
If you mean changing the From: header, mutt allows this.
Around here, my friend with windows use Outlook and
PGP, and I use exmh and GnuPG, and they interoperate
great!
-Nick
Technically speaking, I have to wholeheartedly agree that PGP is superior to PGP in just about every way. Unfortunately, there is one mighty drawback:
It's not reverse compatible with the old pgp 2.62 keysets out there. That sucks.
(also the fact that /usr/local/bin/gpg is setuid root, but that's minor)
Here's what it looked like when I tried to import my pgp 2.6.2 key. (id 'xxx'ed to protect the innocent)
gpg (GnuPG) 0.9.8; Copyright (C) 1999 FreeSoftware Foundation, Inc.
This program comes with ABSOLUTELY NOWARRANTY.
This is free software, and you are welcome to
redistribute it under certain conditions. See
the file COPYING for details.
gpg: key xxx: unsupported public key algorithm
gpg: key xxxx: no valid user ids
gpg: this may be caused by a missing
self-signature
gpg: Total number processed: 1
gpg: w/o user IDs: 1
-- If you met me, you probably wouldn't remember me. I'm pretty hard to remember.
The key I have is in fact self signed, it's just that GPG didn't recognize the format, and did a guess that it wasn't self-signed.. :)
I guess that could be considered an unstable failure mode.
-- If you met me, you probably wouldn't remember me. I'm pretty hard to remember.
Is there a non-commercial imap server that supports ssl?
Hate to point out the obvious...but I believe that the message you replied to was a sarcastic farse. You need to lighten up a bit there bud.
I agree - in the meantime, there is good shareware for PGP email integration on Windows called Mollusc, which supports Netscape and almost every Windows emailer and the author can very rapidly support off-beat email programs.
I used to use this quite a lot when I was using PGP on Windows. For attachments, the simplest thing is just to encrypt the file using PGP of course.
A quick search on Google.com revealed the following beta done in Norway, so it is usable worldwide - not sure if it is just a library but it should be usable by mail program developers.
s g01874.html
http://www.pasta.cs.uit.no/~perm/PASTA/pilot/
There was also mention of some work done in US/Canada, for those who live there, in
http://www.imc.org/ietf-open-pgp/mail-archive/m
Have a look at the international PGP home page. Good links here to the standard PGP packages for most platforms. Freshmeat is a good source for Linux specific things.
20,000 people downloading that commment at once would Slashdot Slashdot, dumb-ass.
It's a Unix system - I know this.
In my view S/MIME is a superior protocol for encrypting email than PGP. It is supported by the major mail clients (e.g. Netscape's Messenger), and I believe is easier to use. Its main disadvantage is that its support among "free" mail clients appears to be non-existent...
Perhaps for the same reason that MS Excel 97 `cannot open two documents with the same name, even if the documents are in different folders', eh?
-rozzin.
Does outlook have a search-and-replace function?
-rozzin.
I didn't perform the moderation you mention, but I suspect that it was done because the poster had made the exact same post twice. (by accident, I'm sure) You can't get much more redundant than that! The other post was (as of the time I write this) moderated up to a score of 2. That looks like quite appropriate moderation to me.
read the subject
\forall code \in C, \frac{\Delta readability(code)}{\Delta t} < 0
What if the API in question wasn't for encryption, but rather a generic API that any number different plugins could work with (including encryption). I don't know, say for example, a plugin that just took 64 bits and XORed it with 45 or something (by no means strong encryption). Sure its worthless, but it should alow someone to write a plugin that used DES or some other strong encryption right? Just call it generic data transformation or something (GDT) - just an idea, has it ever been tried?
\forall code \in C, \frac{\Delta readability(code)}{\Delta t} < 0
Ahhh, I can reminice about the old days.....
:-)
Email was a simple client where you can scrub the messages through a nice encryptor (Simple double Xor encryption with phrases) that couldnt be cracked easily by a cracker or punk kid. Usenet postings that were offensive were rot13'd and all was joyous.
What about the fact that ALL news readers and IRC clients no longer have a rot13 function?? if everyone used it then the bitching by us old-timers and the paranoid public would be minimal I.E. no chance of a child accidently seeing c00l D00d's latest flame where he tried out the new word F*** every 3 words. You would have to deliberately rot13 it ro read it. encryptors were easy to impliment... pine-- Ahhh a message from my russian commander -- save it as ascii and decrypt. to send? text->encryptor->mail ruskie@ussr.ru but then that was back in the dark ages.... before Point and drool...
(NOTE: I like to point and drool, I use NT for silly things) on the Linux/unix/BSD side the encryption interface is trivial... it's the intentional Abstraction of winblows that was in place to keep you from doing things like encrypting your mail or adding features to software that dont exist yet. (It still can be done.. cut and paste your text, run the win interface to PGP, bla bla bla.... easy as pie
Now if Eudora wanted to rise from the ashes... make a Unix,solaris,linux,Windows,mac,BE,etc... version with a pgp interface built in.... but it wont happen...
Eough of my drivel... where's my old-farts walker..
Do not look at laser with remaining good eye.
I think the point was that if we use crypto on ALL our mail then the nosey bastards monitoring our mail will be kept busy decoding messages about fridays pub-night until they get bored with the whole endevour. If people are going to snoop lets make it as painful as possible...
Hack the system!!!! (lol)
*--BigMan--- Time flies like an arrow.. but personally I prefer a nice glass of wine!
That's exactly the reason why we all should use encryption for _all_ of our messages.
I sync my mail with my Palm, so that I can play^H^H^H^Hwork a bit while commuting. Using encryption limits working with encrypted mails till I reach my desktop.
Does anybody know of a Palm version? I'd settle for just being able to *read*
----------
'We have no choice in what we are. Yet what are we,
but the sum of our choices.' --Rob Grant
----------
'We have no choice in what we are. Yet what are we,
but the sum of our choices.' --Rob Grant
But in Windows i use Outlook 98 for e-mail. It has support for PGP...which I have found is the easiest way to share crypto stuff. PGP integrates rather well in my experience...if you DO use Outlook it's a nice way to keep big brother from reading your plans to kill people or whatever scheme they say everyone is now planning through e-mail.
I'm a loner Dottie, a Rebel.
Mutt not only seamlessly interacts with PGP, but also with the GNU Privacy Guard (GPG). Mutt is absolutely fantastic as MUA. If you're really crazy, you can use it under windows by compiling it with cygwin/slang.
> Bandwidth is free, even at 56k.
Not necessarily. It's free for most people, particulary (I imagine) for people in North America and Europe, but people in other parts of the world don't always have as many options.
The only reason that I'm bothering to write this reply is that the 'bandwidth is free' needs to be challenged. I know of too many people on limited bandwith that keep getting sent things like large attachments because of that assumption.
A month ago, I was paying NZ$3/hour access for 28k - hardly free bandwidth, and the university department where I work gets charged something like NZ$1/Mb.
Roy Ward.
Some of you might be interested in a project called Enigma. It is open source, written entirely in Java, and works with just about any e-mail package. Enigma works by being a proxy server decrypting all e-mail and intelligently encrypting e-mail according to who is on your keyring.
That's basically what happened with the Amiga's XPK interface. It was originally intended as a general-purpose interface for compression routines. But over time it got to be rather widely used for crypto too. It's really just a general-purpose data-munging API.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Well, actually, it looks more like clueless admins rather than spooks, but I guess you never know. They are virus-scanning at the wrong point.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
I would say that entirely depends on what country you're in. Man, why do I even bother to reply to this? ;-)
Well... if you use PGP for Windows or Macintosh, you get this nifty menu that allows you to encrypt/sign or decrypt/verify any selected text.
This setup won't work with PGP/MIME, (multipart/encrypted), but it will work with inline stuff (you know, the messages that start with "START PGP SIGNED MESSAGE" or whatever it is).
if someone is green to pgp than by far the easiest and most foolproof way to get them up and running is via pgp's native mail client plugins for outlook, outlook express, and eudora.
my suggestion is eudora light 3.0.6, at www.eudora.com. intutitive interface (remember netscape mail three ugly panes from hell? phooey.) and simple.
then stop by www.pgpi.com to pick up your preferred pgp version. 6.0.2 freeware works fine for people in the us. you'll want 6.0.2i (the international version) if you want backward compatibility, though. the great 'client selection wizard' will get most people through.
once you get these two programs up and running exchanging encrypted e-mails is a snap. just click 'encrypt/decrypt' (or sign, or whatever) right in eudora.
good luck. i've always believed that as more and more people use pgp, the 'digital worth' of each pgp-encrypted message increases. please help as many people as possible to download, use, and support pgp. it helps us all.
www.pgpi.com
www.pgp.net
wwwkeys.pgp.net
Network Associates PGP 6.0.2 integrates with Microsoft Outlook, Outlook Express, Netscape Mail, and Eudora Mail clients. You can download it free from their webpage. This is for Windows only though, I'm not sure about Unix or the mac platform.
I can only please one person a day. Today is not your day, and tomorrow does not look good either.
The link below will take you to what I believe to be the most extensive webpage on Encryption and Security. From free win based ssh clients to information about the Australian NSA.
Here it is!
It seems to me that exactly what Sun is doing with Java2 and JCE.
A set of abstract classes, useless until you bought the corresponding "real" classes, from Sun is the US, or elsewhere (IAIK here in Europe).
Correct me if I'm wrong, but what's different from pluggable encryption in a MUA ?
What?? having 2 or more 160bit keyID/fingerprint?
0 0
160 bits means approx
14600000000000000000000000000000000000000000000
possible.
exactly; and we should encrypt the most mundane of our communications most of all, to *really* piss them off. if some agency has to use some really expensive cracking hardware and up-time to find out what time i'm meeting my girlfriend at the cinema tonight, i'm that little bit happier...
I'm the poster, and yes, I did post twice accidentally (/. threw an error), changing it slightly on the repost. And I moderated down someone else's duplicate the other day, so I'm not sore .. but thanks for the defence.
Another barrier to encryption is the use of virus sweepers; some sysadmins are now paranoid about mail viruses, and process all the mail through some filter that gives them a warm fuzzy feeling (and probably little else).
.. as a result, we've just been asked to remove both encrypters and decrypters from our systems.
These systems can't work with encrypted mail (obviously)
Makes you wonder whether the antiencryption spooks are behind the mail viruses, doesn't it ?
PS: If you really feel the need to send a 'fake' e-mail, you can do it the hardcore way, if your up to it... ( warning: only for the truly 3lit3) Okay, here it is, all you need to do is address a postcard to root@127.0.0.1 and drop it into the mail box. Works every time. Sounds simple doesn't it? It's really difficult to trace too!
Hey, have you ever gotten any bounced messages doing this? ;-p
And sometimes it's just the opposite! Consider the DOS utility pkunzip. *Five* of seven letters typed with the left index finger! what a pain.
--- Who? What? Huh? What? ---
FWIW I used to have problems with MS Outlook and the PGP for Windows from www.pgpi.com. Every so often a mail would come through and trying to open it would cause a GPF in outlook as the plugin DLL died, dunno why. It was not fun having auto-preview enabled, as this also involved 'opening' the mail!
:)
This was outlook in the days of IE4 and PGP5.5 - might be different now, but be on your guard
~Tim
~Tim
--
~Tim
--
Rushing on down to the circle of the turn
Rather than dealing with the problems of hacking encryption into MUAs, why not create a PGP encrypting/decrypting proxy that would work seamlessly with any MUA?
Check out the Modern Cryptography FAQ on RSA's web site:
http://www.rsa.com/rsalabs/faq/
It has all the answers you need.
How do you get one of those shiny silver RSA keys for pgp?
*****
Knoweldge is power. Knowing is half the battle. Why do we still clout kid's views with that crap?
*****
Knoweldge is power. Knowing is half the battle. Why do we still clout kid's views with that crap?
FYI: Hushmail only lets you send encrypted mail to other hushmail users.
*****
Knoweldge is power. Knowing is half the battle. Why do we still clout kid's views with that crap?
*****
Knoweldge is power. Knowing is half the battle. Why do we still clout kid's views with that crap?
Check out fortify.net
http://www.paladincorp.com.au has some really informative info and links to PGP issues.
This still isn't enough for secure email to be ubiquitously usable. What do you if your recipient receives email on a PalmPilot, WinCE handheld or WebTV? How 'bout if you're accessing your email on a web browser based account (maybe on a vacation without your laptop) and someone sends you pgp'd email?
From reading the protocols bit in Applied Cryptography I got the feeling that all public key systems relied on good and trusted servers for distributing public keys. How do the current systems handle public key management?
Is that not the real area where the land of the free (and the home of the brave) is screwing us over?
There are, in fact, clients for all three OS'. I've not tried the others, but the Windows integration (with Outlook, at least) is very smooth.
Glyciren
Glyciren
"Well that didn't work... try this jumper instead.. oops."
I am looking for a pretty GUI Mail client w/pgp abilitys. I am successfully converting all of my company to Linux. I am also looking to implement a secure/signed email policy. It's gotta be pretty for the simple folk. Thanks.
I currently use Exim as my MTA (and don't wish to change). Using the
transport_filter feature, would it be possible to automatically PGP encrypt
outgoing mail (only for a single recipient)?
Unfortunately, I'm useless with shell/Perl scripting, so is there anyone out
there who has already implemented this kind of thing? Any example code or relevant URLs would be *extremely* useful.
Zip disks are too ubiquotous. Use a magneto-optical disk. Security through obscure media.
Netscape doesn't support PGP encryption. There's been a lot of discussion over at the mozilla crypto newsgroup on the hows and whys. Basically, AOL/Netscape's interpretation of the stupid US cryptography export regulations prevents them from even exposing their API for cryptographic processing. Some folks at NAI volunteered to help out, which elicited some favorable noises on the part of Mozilla, but no visible action. They may be working on it behind the scenes however.
Netscape Messenger owns a huge share of the Internet email client market. The lack of PGP support is a substantial impediment to the widespread adoption of PGP as a standard for Windows email. I'm not too fond of NAI, but I'd like to see this particular product succeed, since it's in such widespread use on Unix."Even if you are on the right track, you'll get run over if you just sit there" - Will Rogers
Yup. I'm a little biased of course because I test MS Outlook crypto, but I'd honestly have to say that Outlook2000 SR2 will be the uncontested champion among secure mail clients, at least for a while. Why?
- smime-ess-12.txt for the coolest stuff) And I swear it really is exactly implemented, no extensions!
:)
*Standards based* - that's right, O2k SR2 will be the first and only mail client *in the world* to implement the SMIME v3 protocols. This gives you features like secure labels and secure receipts, as well as full support for the standard-specified algorithms and other cools stuff like FIPS mode. (see http://search.ietf.org/internet-drafts/draft-ietf
*Autoconfiguration* - Don't know what the feature's going to be called when it goes out the door, but autoconfig rocks. Essentially, it instantly eliminates the hassle of selecting and administering your certificates. You just get a cert, click Sign or Encrypt on the mail, and Outlook does everything else. It will also repair your security profiles if a cert expires. Of course you can still go in and do all this yourself, but autoconfig is so cool, many people never will.
*Performance* - O2k is without contest in its speed and memory footprint. I know this will be greeted with skepticism due to O98, but just try it - you'll see why the perf numbers trash Quaalcom and Lotus.
*Stability* - well, I tested it. Nuff said
Now as for PGP, hmm. I guess I personally haven't been testing that and I'm upset that it seems to screw up your systems. I'll DL it tomorrow and see whether I can get those preview bugs fixed.
-konstant
-konstant
Yes! We are all individuals! I'm not!
gpg is so much better then pgp
-overlord
Don't assume everyone is using a qwerty keyboard.
Although I use qwerty at work and for work-related things at home, I'm also increasing my profiency with dvorak every day. Don't change your program so it is faster to type, change the layout.
-bugg
-----BEGIN PGP SIGNED MESSAGE-----
o cAMxDU6Mk8UAn3mF
Hash: SHA1
Hmm, well I still use Windoze for most of my day to day email stuff
and, I also find the PGP+Outlook'98 combination very usable.
Two gripes: if you use the auto preview in combination with decrypt-on
open then the preview re-saves the decrypted email which can be
irritating.
Also PGP DOES NOT work with Outlook Express 5.0
( ie. the one that comes with IE 5.0 )
Anyone using Outlook 2000? I daren't yet I don't
have the RAM or DISK. Outlook'98 is bloated enough
irq_conflict
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0
iQA/AwUBN4CLT+3AgzeWcyyiEQIl0QCfQnLPvlTFuyHknTI
u9AbAZ2/+NvMxTIZaK/Gh7xy
=gZq7
-----END PGP SIGNATURE-----
Barry Wimlett at endless dot co dot uk
I know this isn't glamorous or integrated, but an encryption program that does really well without the need for public keys is something called Crypt-o-Text, written by Rodney Savard (check him out at www.savard.com) It's basically a notepad that you cut and paste encrypted text to/from. Works for me.
Technological progress has merely provided us with more efficient means for going backwards. -- Aldous Huxley
Among the others, you can also use the XFMailp g.tar.gz) GnuPG too.
mail reader; it supports PGP 2.6, 5.0 and, with
a patch (http://members.xoom.com/alberanid/patch-xfmail-g
I agree that everybody should use encryption all the time. The best analogy I've heard is to snail mail:
Encryption is an envelope. I notice that almost all snail mail is sent in envelopes instead of postcards.
I suspect that if most users inherently understood this analogy and the technology underneath, the desire for encryption would be much more widespread.