Mailinglist Archive: opensuse-security (409 mails)

Re: [suse-security] Encrypt E-Mails without human-agreement
  • From: Sven 'Darkman' Michels <sven@xxxxxxxxxx>
  • Date: Sun, 18 Aug 2002 18:50:43 +0200
  • Message-id: <3D5FD063.4010401@xxxxxxxxxx>
Michel Messerschmidt wrote:
> > IF both MTA support ssl, the mail will be transferred encrypted.
> > So if your MTA and the MTA of the other company speak TLS,
> > your clients on both sides also use ssl for smtp/pop3/imap,
> > the mail will be transferred in an encryption tunnel.


> No.
> This is called Transport Layer Security (TLS) because it only encrypts the direct connection from one MTA to the next. Every MTA on the route is able to read the mail since it processes mails above the transport layer. Privacy can only be guaranteed if there is a direct connection between sending and receiving MTA (and both can be trusted). This is not true for SMTP.

this is not really true, i can define SMTP routing tables and contact
such smtp server directly, no need for smarthost. I think just of
the possibility that you can send 'encrypted' mail over the net.
Surely the mail itself isn't encrypted.


> To meet all privacy requirements encryption must take place on the application level.

right, but that isn't possible without users interaction.


> And for authentication over insecure networks it is necessary to have cryptographically secure identification data for every person to communicate with. This can't be done without the senders/receivers cooperation.

no one 'authenticates' normal mails, so why should i take special
care on an encrypted mail? i don't know that my mail travels in
an encrypted 'transport layer' thru the net. For real and approved
security you need pgp or something similar, but just to encrypt
the mail transport tls is some kind to think of. So if you want
no user interaction, it is a way to get a bit more security, no
guarantee, no auth, just a bit of encryption.

Sven
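
Added example, not part of the original message: a Python sketch that walks a message's `Received` headers and reports, hop by hop, whether the receiving MTA recorded a TLS-protected transfer, which makes the hop-by-hop nature of SMTP TLS discussed in this thread visible. The sample message and hostnames are constructed; the `with ESMTPS` keywords are the ones registered in RFC 3848, and the regular expression assumes the common `from ... by ... with ...` layout.

```python
import email
import re

# Constructed sample message (hostnames are placeholders): three hops,
# only the middle one negotiated STARTTLS.
SAMPLE = """\
Received: from mx.partner.example (mx.partner.example [192.0.2.20])
\tby mail.partner.example with ESMTP id C3; Sun, 18 Aug 2002 18:51:02 +0200
Received: from relay.isp.example (relay.isp.example [192.0.2.10])
\tby mx.partner.example with ESMTPS id B2; Sun, 18 Aug 2002 18:50:55 +0200
Received: from client.office.example (client.office.example [192.0.2.1])
\tby relay.isp.example with SMTP id A1; Sun, 18 Aug 2002 18:50:43 +0200
From: alice@office.example
To: bob@partner.example
Subject: quarterly figures

body
"""

# RFC 3848 "with" keywords that indicate STARTTLS was used on that hop.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.S | re.I)

def hops(raw):
    """Return [(from_host, by_host, protocol, tls)] in travel order."""
    msg = email.message_from_string(raw)
    result = []
    # Each MTA prepends its header, so reverse to get sender -> recipient.
    for header in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(header)
        if m:
            proto = m.group(3).upper()
            result.append((m.group(1), m.group(2), proto, proto in TLS_PROTOCOLS))
    return result

def cleartext_exposure(raw):
    """Hops sent without TLS, and every MTA that handled the plaintext message."""
    path = hops(raw)
    unencrypted = [(f, b) for f, b, _, tls in path if not tls]
    # Every receiving MTA sees the message above the transport layer,
    # whether or not the hop into it was encrypted.
    readers = [b for _, b, _, _ in path]
    return unencrypted, readers

if __name__ == "__main__":
    for f, b, proto, tls in hops(SAMPLE):
        print(f"{f} -> {b}: {proto} ({'TLS' if tls else 'cleartext'})")
    print(cleartext_exposure(SAMPLE))
```

`Received` headers are written by each MTA on the path and are not authenticated, so this shows what the relays claim about each hop, not a cryptographic guarantee.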

