E-Mail Encryption: Why Isn't Everyone Doing It?
Thu Oct 24 18:51:07 2002
On Wed, Oct 23, 2002 at 03:05:21PM -0700, Erick Thompson wrote:
> I'm no expert in encryption (far from it), but it seems to me that a lot of
> problems come about by trying to make a platform completely secure, and
> saying that everything that doesn't achieve that is insecure, and therefore
In my opinion, MORE problems come about by making false claims of security,
giving people a false sense of security and then having bad consequences.
This is a situation in which you have to be paranoid.
> as bad as no security. I understand that if a system is vulnerable to an
> attack it can be compromised, but sometimes half a cake is better than none
Hopefully the person expecting dessert has not been told that there is an
entire cake available :-)
> In the case of passing passphrases between processes being a bad thing, yes
It's not a bad thing per se; it's just a bad thing if done insecurely.
> it is, but if your system is running a trojan or process that can grab info
> passed between processes, you're SOL already. An earlier poster talked about
On a Unix machine, any user can view the command line of any program you
run. The root user can view the environment of any process and generally
its memory space as well. This does not require a trojan or more than
"first week Unix 101" knowledge. Unix applications passing sensitive data
should use things like pipes or other socketed items.
Likewise, Windows has its own set of ways to not pass data between
> not having passphrases at all, which I think is a great idea, as long as
> encryption and authentication are separated! I would like to see my users
> using encryption, but the level of hassle needed to do it right now is too
Instruct a user, and they will be able to do some of it.
Enlighten a user, and they will be yours forever :-)
If you teach them why they need encryption and how it works, it's not that
hard to grasp.
Make them paranoid and there ya are.
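
The reply's point about command lines versus pipes, as an added example that is not part of the original message: the same passphrase is handed to a child process once as an argument and once over a stdin pipe, and the parent then checks what the process listing shows. The names `run_child` and `visible_cmdline` and the passphrase are constructed for illustration; it assumes a Unix system with `/proc` or `ps`.

```python
import subprocess
import sys

SECRET = "constructed-sample-passphrase"  # constructed value, not a real secret

# Child: take the secret from argv if present, otherwise from stdin; report its
# length, then stay alive until the parent closes the pipe.
CHILD = (
    "import sys\n"
    "s = sys.argv[1] if len(sys.argv) > 1 else sys.stdin.readline().rstrip('\\n')\n"
    "print(len(s), flush=True)\n"
    "sys.stdin.read()\n"
)

def visible_cmdline(pid):
    """Return the argument vector as the process listing exposes it."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            return f.read().replace(b"\0", b" ").decode(errors="replace")
    except OSError:  # no /proc on this system: fall back to ps
        out = subprocess.run(["ps", "-ww", "-o", "args=", "-p", str(pid)],
                             capture_output=True, text=True)
        return out.stdout

def run_child(secret, via_pipe):
    """Hand the secret to a child; return (length received, seen in listing?)."""
    argv = [sys.executable, "-c", CHILD] + ([] if via_pipe else [secret])
    proc = subprocess.Popen(argv, stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, text=True)
    if via_pipe:
        proc.stdin.write(secret + "\n")
        proc.stdin.flush()
    received = int(proc.stdout.readline())  # child now holds the secret
    leaked = secret in visible_cmdline(proc.pid)
    proc.stdin.close()                       # EOF lets the child exit
    proc.wait()
    proc.stdout.close()
    return received, leaked

if __name__ == "__main__":
    for via_pipe in (False, True):
        received, leaked = run_child(SECRET, via_pipe)
        how = "stdin pipe" if via_pipe else "argv"
        print(f"{how:10s} child got {received} chars, in process listing: {leaked}")
```
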