Mailinglist Archive: opensuse-security (409 mails)

RE: [suse-security] Encrypt E-Mails without human-agreement
  • From: "Reckhard, Tobias" <tobias.reckhard@xxxxxxxxxxx>
  • Date: Mon, 19 Aug 2002 08:02:39 +0200
  • Message-id: <96C102324EF9D411A49500306E06C8D1019894D0@xxxxxxxxxxxxxxxxx>
> > This is called Transport Layer Security (TLS) because it only encrypts
> > the direct connection from one MTA to the next. Every MTA on the route
> > is able to read the mail since it processes mails above the
> > transport layer. Privacy can only be guaranteed if there is a direct
> > connection between sending and receiving MTA (and both can be trusted).
> > This is not true for SMTP.
>
> This is not really true, I can define SMTP routing tables and contact
> such SMTP servers directly, no need for a smarthost. I think just of
> the possibility that you can send 'encrypted' mail over the net.
> Surely the mail itself isn't encrypted.

You can't generally say that sending mails directly to a domain's MXs
guarantees that they'll travel encrypted to their destination; you can't
even be sure that they won't traverse the Internet again unencrypted before
reaching their destination. With e.g. PGP and S/MIME, you can.

> > To meet all privacy requirements encryption must take place on the
> > application level.
>
> Right, but that isn't possible without user interaction.

True.

> > And for authentication over insecure networks it is necessary to have
> > cryptographically secure identification data for every person to
> > communicate with. This can't be done without the senders'/receivers'
> > cooperation.
>
> No one 'authenticates' normal mails, so why should I take special
> care on an encrypted mail?

Authentication and encryption are distinct operations; there is no need for
you to take one into account when deciding whether or not to use the other.
However, authentication does have its applications, e.g. I expect people to
run only those executable attachments that I've signed.

> I don't know that my mail travels in
> an encrypted 'transport layer' through the net. For real and approved
> security you need PGP or something similar, but just to encrypt
> the mail transport, TLS is something to think of. So if you want
> no user interaction, it is a way to get a bit more security, no
> guarantee, no auth, just a bit of encryption.

You can perform authentication in TLS, but it authenticates only the SMTP
client and server, not the email sender or recipient. The use of TLS without
authentication equates to missing the point of it entirely, IMHO.

Cheers
Tobias
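
The hop-by-hop nature of SMTP TLS discussed in this thread can be checked on a received message by reading each `Received:` header's `with` clause (RFC 3848 keywords such as `ESMTPS`). The following is an added example, not part of the original mail; the host names and the sample message are constructed, and since each header is self-reported by the MTA that wrote it, only headers added by servers you operate are trustworthy.

```python
import re
from email import message_from_string

# "with" keywords meaning STARTTLS was used on that hop (RFC 3848, RFC 6531).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
                 "UTF8SMTPS", "UTF8SMTPSA", "UTF8LMTPS", "UTF8LMTPSA"}

def strip_comments(value):
    """Drop (nested) parenthesised comments; they may contain a stray 'with'."""
    prev = None
    while prev != value:
        prev, value = value, re.sub(r"\([^()]*\)", " ", value)
    return value

def clause(value, keyword):
    """Return the token following a Received clause keyword, or None."""
    m = re.search(r"(?:^|\s)%s\s+(\S+)" % keyword, value, re.I)
    return m.group(1) if m else None

def audit_hops(raw_message):
    """List hops in travel order with the protocol each receiving MTA recorded."""
    msg = message_from_string(raw_message)
    hops = []
    # Each MTA prepends its header, so the oldest hop is last in the message.
    for header in reversed(msg.get_all("Received", [])):
        value = strip_comments(" ".join(header.split())).rsplit(";", 1)[0]
        proto = (clause(value, "with") or "").upper()
        hops.append({"from": clause(value, "from"), "by": clause(value, "by"),
                     "with": proto or None, "tls": proto in TLS_PROTOCOLS})
    return hops

def cleartext_hops(raw_message):
    """Return (from, by) pairs for hops not recorded as TLS-protected."""
    return [(h["from"], h["by"]) for h in audit_hops(raw_message) if not h["tls"]]

# Constructed sample: TLS to the MX, then a cleartext relay behind it.
SAMPLE = """\
Received: from filter.example.net (filter.example.net [198.51.100.7])
\tby mailstore.example.net with ESMTPS id C3; Mon, 1 Jan 2024 10:00:05 +0000
Received: from mx1.example.net (mx1.example.net [198.51.100.5])
\tby filter.example.net with ESMTP id B2; Mon, 1 Jan 2024 10:00:03 +0000
Received: from mail.sender.example (mail.sender.example [192.0.2.10])
\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
\tby mx1.example.net (Postfix) with ESMTPS id A1; Mon, 1 Jan 2024 10:00:00 +0000
From: alice@sender.example
To: bob@example.net
Subject: constructed sample

body
"""

if __name__ == "__main__":
    for hop in audit_hops(SAMPLE):
        print(hop)
```

In the sample, the direct delivery to the MX is encrypted, yet the message body is readable on every listed MTA and crosses the mx1-to-filter hop in cleartext.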
