Encouraging email security.

Jean-David Beyer jdbeyer@exit109.com
Sun May 18 03:30:02 2003


Daniel Carrera wrote:
 > I was thinking about how most people have no understanding or
 > interest in email security.  OpenPGP is hard enough to understand and
 > use that getting the majority of the population to use it seems a
 > formidable task.
 >
 > I thought of a compromise that might be a step forward.  I was hoping
 > that those who know more about this than I could offer an opinion.
 >
 > There could be a mail client with the following properties:
 >
 > 1) Automatically creates a pre-defined key setup (e.g. 4096 RSA, 1024
 > DSA, 2048 ElGamal).
 > 2) Automatically signs, and encrypts emails (when the pub key is
 > available).
 > 3) Here is the big one: It stores the user's password in the hard
 > disk, in the style of Mozilla, so that the user doesn't have to type
 > it.  It all happens automatically.

Well, Mozilla can do both the VeriSign kind of S/MIME signatures and the
GnuPG kind (with Enigmail, though Enigmail does not work with my 
Mozilla) already. And mutt can do GnuPG signatures just fine. But in 
each case, the user must type in a passphrase. I suppose they would both 
accept a NULL passphrase, so you could just press "Enter" or something, 
but it would sure expose the user to risk. I imagine the programs could 
be set up to notice NULL passphrases and not even prompt for a password. 
N.B.: I am sure not requesting this!
 >
 > This would be a significant down compared to the proper use of
 > OpenPGP, but a significant up compared to what exists today.  Now
 > emails would go around signed and encrypted.

Well, perhaps so, but AOL users and msn.com users seem to get all kinds 
of problems with MIME attachments, which is where the signatures 
normally go. True, you can stick them in inline, but that seems to be 
getting passé. AOL seems to assume that if there is any MIME, that all 
attachments are of the same type as the first, and this is generally 
false. msn.com users apparently get it that the e-mails are all 
attachments and they see nothing unless they open the various 
attachments. So there will be a lot of resistance to people sending out 
anything in MIME and that includes signatures. I am not sure what AOL 
would do if confronted with an encrypted e-mail: probably bounce it as a 
virus. ;-(

 > In order to read a
 > message an attacker would have to get the password from the
 > recipient's hard drive.  A determined attacker could certainly do
 > that, but the casual one would not.

That is rather difficult with some systems. There is a large software 
manufacturer with a reputation for delivering products that are easy to 
infiltrate, though.

 >
 > Today's email system is about as secure as a postcard. This
 > alternative would raise the bar somewhat above sending mail in a
 > sealed envelope.  It raises the effort needed to eavesdrop in a
 > conversation or impersonate someone.
 >
 > Any thoughts?
 >

It is interesting, but it has taken about 10 years for MIME to not be 
accepted by some large ISPs. I think digital signing and encryption will 
take at least as long, since so few users see any point in it.

I think your analogy is not quite correct. Present e-mail is about as 
secure as a postcard. Signing and encrypting would be more secure than 
using an envelope: it would be using a steel strongbox with a good lock, 
but where the intruder knows where the key is and can break in and get 
it with varying amounts of effort depending on OS, sophistication of the 
user, etc.

The biggest minuses, as far as I am concerned, are that people will get a 
false sense of security when their e-mails are signed and encrypted, but 
their private keys are too easily available. When you get a signed and 
encrypted e-mail, you tend to believe you know who sent it and that it 
has not been tampered with or read. But if all someone need do is hijack 
(remotely, even) a machine and get the private key, you are in big 
trouble with identity theft, etc.

-- 
   .~.  Jean-David Beyer           Registered Linux User 85642.
   /V\                             Registered Machine    73926.
  /( )\ Shrewsbury, New Jersey     http://counter.li.org
  ^^-^^ 9:05pm up 2 days, 23:00, 3 users, load average: 2.21, 2.13, 2.10
