Necessity of GPG when using SSL

Dany dany_list at
Wed Feb 22 21:26:34 CET 2006


I switched few years ago to for several reasons :

- https + advanced protections when accessing from public terminal
(including url pseudo-scrambling)
- IMAP with SSL
- Text and only text for the webmail interface (no pop-up ad and no
graphics), just plain speed
- WebDAV (I don't use it)
- IMAP access on non-standard port like 80 and 443  so you can go
through some difficult firewalls

I usually don't promote commercial products but as they offer a free
plan as well I thought it might help some people.


PS: before writting this email I quickly started Ethereal and used the
webmail in order to check that the connection was SSL protected even
after login.

Henry Hertz Hobbit a écrit :

>Johan Wevers wrote:
>>Henry Hertz Hobbit wrote:
>>>Usually, if you are using a web interface to access your email, only the
>>>initial authentication is done via SSL.  After that if your URL address
>>>shifts to using an "http://" rather than the "https://" you made your
>>>initial connection with means that your communication just shifted from
>>>SSL (weak encryption) to NO encryption.  That is the norm.
>>Strange, I've never seen that happen. All webmail from Dutch providers
>>that I've accessed (my own and some for people with problems where I
>>accessed the mail to dump mails with large attachments that took too
>>long to download) were https all the way.
>Thanks for the information.  The reason I said what I said is because
>Netscape, Yahoo, gmail (the email account the original person was
>posting from) almost all do a shift from https:// to http:// after the
>connection is made.  The only ones I have seen that continue using the
>SSL are small ISPs and only one of the local universities here.  But then
>I have only seen three of the universities, and actually even the one
>that was using SSL all the time shifted after I showed an acquaintance
>how to make the connection that way and he spread the information to
>everybody he knew who spread it to ....  Once that was done, even that
>school shifted to doing it with SSL for connection only.  I realize that
>SSL doesn't have the overhead of more powerful encryption like that
>provided by OpenPGP, but it is still enough of an overhead that once
>the load of SSL all the time becomes noticeable to the ISP (or whoever),
>they feel that the authentication alone should be using SSL and they
>make the shift to using plain the rest of the time.  In other words,
>consider yourself lucky IF you are getting SSL all the time if you
>need it all the time.  On the other hand if you don't need SSL all the
>time there MAY be the possibility those long download times are partly
>being caused by the overhead of SSL encryption taking place on the
>Do you need encryption all the time or not?  My advice still remains the
>same - OpenPGP is still the best choice for the scenario presented, IF I
>indeed understood all the parameters.  It puts the control of when to use
>it in your hands.  It just depends on what is being transported.  I could
>care less whether all that spam is encrypted or not.  I also don't want all
>the redirected email on my comcast account (also spam, but with the worms
>removed) encrypted during transmission.  The faster I get rid of it the
>better.  Not having the transmission of it helps me get rid of it as fast
>as possible!
>Switch to Netscape Internet Service.
>As low as $9.95 a month -- Sign up today at
>Netscape. Just the Net You Need.
>New! Netscape Toolbar for Internet Explorer
>Search from anywhere on the Web and block those annoying pop-ups.
>Download now at
>Gnupg-users mailing list
>Gnupg-users at

More information about the Gnupg-users mailing list