Mailinglist Archive: opensuse-security (138 mails)

Re: [suse-security] Re: Why Install Telnet by Default?
  • From: Crispin Cowan <crispin@xxxxxxxxxx>
  • Date: Thu, 08 Dec 2005 22:28:09 -0800
  • Message-id: <439923F9.6060809@xxxxxxxxxx>
John Summerfield wrote:
> Randall R Schulz wrote:
>> It's also not secure in that it sends _all_ the data, inbound and
>> outbound, unencrypted.
> Just like postfix, sendmail, exim, qmail, zmailer and every other MTA.
> More people send more confidential data by unencrypted email than they
> do by telnet, and I don't recall anyone saying "don't use email."
Allow me to introduce you to PGP and GPG, encryption for e-mail :)

Funny story: I started using Enigmail (GPG plugin for Mozilla mail
client) about 5 years ago. For six months, all of the mail I sent out
everywhere was GPG-signed. Then I upgraded Mozilla, it broke the (not
yet supported) Enigmail plugin, and I couldn't be bothered to fix it. So
I started sending out mail with no digital signatures.

Now, according to the usage models of public key signed documents, I
*should* have started receiving complaints from people about "Crispin
usually signs his mails, and this is not signed; are you an impostor or
what?" But that *never* happened. Not once. This convinced me that very,
very few people actually check digital signatures, and thus they are of
very little value in casual correspondence :(

Digital encryption, on the other hand, has direct specific utility, in
that you can encrypt sensitive content to a specific person any time you
like. I do use that fairly regularly, at least with my correspondents
who are PGP/GPG aware.

Full disclosure: I am on the Technical Advisory Board, and they
actually make a (Linux-based) mail server appliance that substantially
addresses this very problem, resulting in most corporate communications
being encrypted.

Crispin Cowan, Ph.D.
Director of Software Engineering, Novell
