Necessity of GPG when using SSL

Janusz A. Urbanowicz alex at bofh.net.pl
Wed Feb 22 12:22:38 CET 2006


On Tue, Feb 21, 2006 at 07:52:26AM -0500, Henry Hertz Hobbit wrote:
> Johan Wevers wrote:
> 
> >Henry Hertz Hobbit wrote:
> >
> >>Usually, if you are using a web interface to access your email, only the
> >>initial authentication is done via SSL.  After that if your URL address
> >>shifts to using an "http://" rather than the "https://" you made your
> >>initial connection with means that your communication just shifted from
> >>SSL (weak encryption) to NO encryption.  That is the norm.
> >
> >Strange, I've never seen that happen. All webmail from Dutch providers
> >that I've accessed (my own and some for people with problems where I
> >accessed the mail to dump mails with large attachments that took too
> >long to download) were https all the way.
> 
> Thanks for the information.  The reason I said what I said is because
> Netscape, Yahoo, gmail (the email account the original person was
> posting from) almost all do a shift from https:// to http:// after the
> connection is made.  The only ones I have seen that continue using the
> SSL are small ISPs and only one of the local universities here.  But then
> I have only seen three of the universities, and actually even the one
> that was using SSL all the time shifted after I showed an acquaintance
> how to make the connection that way and he spread the information to
> everybody he knew who spread it to ....  Once that was done, even that
> school shifted to doing it with SSL for connection only.  I realize that
> SSL doesn't have the overhead of more powerful encryption like that
> provided by OpenPGP, but it is still enough of an overhead that once
> the load of SSL all the time becomes noticeable to the ISP (or whoever),
> they feel that the authentication alone should be using SSL and they
> make the shift to using plain the rest of the time.  In other words,
> consider yourself lucky IF you are getting SSL all the time if you
> need it all the time.  On the other hand if you don't need SSL all the
> time there MAY be the possibility those long download times are partly
> being caused by the overhead of SSL encryption taking place on the
> server.
[]

SSL/TLS is not "much more powerful" encryption, it is a connection-level
encryption. As for service providers using SSL to protect only
the most sensitive data - computationally SSL on multiple connections
is "heavy" and supporting it continuously is expensive (specialized
"SSL Accelerators" cost tens of thousands of dollars).

And there is really no point in encrypting the whole access since the
contents, the emails, usually travel the rest of the net unencrypted.

Alex
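
The login-only SSL pattern discussed in this thread, as an added example that is not part of the original message: a small audit over a recorded webmail session that flags the shift from https:// to http:// and any cookie set over HTTPS without the Secure attribute that then travels in cleartext. The host, cookie names and session records are constructed, and the check assumes every request goes to the same host and path scope.

```python
from urllib.parse import urlsplit

# Constructed sample sessions (hypothetical host and cookie names).
LOGIN_ONLY_SSL = [
    {"url": "https://webmail.example/login", "set_cookie": []},
    {"url": "https://webmail.example/auth",
     "set_cookie": ["SID=abc123; Path=/; HttpOnly"]},
    {"url": "http://webmail.example/inbox", "set_cookie": []},
    {"url": "http://webmail.example/message?id=1",
     "set_cookie": ["PREFS=compact; Path=/"]},
]
SSL_ALL_THE_WAY = [
    {"url": "https://webmail.example/login", "set_cookie": []},
    {"url": "https://webmail.example/auth",
     "set_cookie": ["SID=abc123; Path=/; Secure; HttpOnly"]},
    {"url": "https://webmail.example/inbox", "set_cookie": []},
]

def parse_set_cookie(header):
    """Return (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs

def audit_session(steps):
    """List HTTPS-to-HTTP downgrades and cookies exposed by them."""
    findings = []
    prev_scheme = None
    insecure_cookies = set()  # set over HTTPS without Secure
    leaked = set()            # already reported as sent in cleartext
    for step in steps:
        scheme = urlsplit(step["url"]).scheme
        if scheme == "http":
            if prev_scheme == "https":
                findings.append(("downgrade", step["url"]))
            # A browser attaches non-Secure cookies to plaintext requests.
            for name in sorted(insecure_cookies - leaked):
                findings.append(("cookie_sent_in_clear", name))
                leaked.add(name)
        for header in step["set_cookie"]:
            name, attrs = parse_set_cookie(header)
            if scheme == "https" and "secure" not in attrs:
                insecure_cookies.add(name)
        prev_scheme = scheme
    return findings

if __name__ == "__main__":
    for finding in audit_session(LOGIN_ONLY_SSL):
        print(finding)
```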