Necessity of GPG when using SSL

Henry Hertz Hobbit hhhobbit7 at netscape.net
Tue Feb 21 13:52:26 CET 2006 

Johan Wevers wrote:

>Henry Hertz Hobbit wrote:
>
>>Usually, if you are using a web interface to access your email, only the
>>initial authentication is done via SSL.  After that if your URL address
>>shifts to using an "http://" rather than the "https://" you made your
>>initial connection with means that your communication just shifted from
>>SSL (weak encryption) to NO encryption.  That is the norm.
>
>Strange, I've never seen that happen. All webmail from Dutch providers
>that I've accessed (my own and some for people with problems where I
>accessed the mail to dump mails with large attachments that took too
>long to download) were https all the way.

Thanks for the information.  The reason I said what I said is because
Netscape, Yahoo, gmail (the email account the original person was
posting from) almost all do a shift from https:// to http:// after the
connection is made.  The only ones I have seen that continue using the
SSL are small ISPs and only one of the local universities here.  But then
I have only seen three of the universities, and actually even the one
that was using SSL all the time shifted after I showed an acquaintance
how to make the connection that way and he spread the information to
everybody he knew who spread it to ....  Once that was done, even that
school shifted to doing it with SSL for connection only.  I realize that
SSL doesn't have the overhead of more powerful encryption like that
provided by OpenPGP, but it is still enough of an overhead that once
the load of SSL all the time becomes noticeable to the ISP (or whoever),
they feel that the authentication alone should be using SSL and they
make the shift to using plain the rest of the time.  In other words,
consider yourself lucky IF you are getting SSL all the time if you
need it all the time.  On the other hand if you don't need SSL all the
time there MAY be the possibility those long download times are partly
being caused by the overhead of SSL encryption taking place on the
server.

Do you need encryption all the time or not?  My advice still remains the
same - OpenPGP is still the best choice for the scenario presented, IF I
indeed understood all the parameters.  It puts the control of when to use
it in your hands.  It just depends on what is being transported.  I could
care less whether all that spam is encrypted or not.  I also don't want all
the redirected email on my comcast account (also spam, but with the worms
removed) encrypted during transmission.  The faster I get rid of it the
better.  Not having the transmission of it helps me get rid of it as fast
as possible!

HHH


__________________________________________________________________
Switch to Netscape Internet Service.
As low as $9.95 a month -- Sign up today at http://isp.netscape.com/register

Netscape. Just the Net You Need.

New! Netscape Toolbar for Internet Explorer
Search from anywhere on the Web and block those annoying pop-ups.
Download now at http://channels.netscape.com/ns/search/install.jsp

More information about the Gnupg-users mailing list