christophe barbé on Wed, 3 Jul 2002 09:05:50 -0400



Re: [PLUG] keysigning wednesday?


On Wed, Jul 03, 2002 at 03:32:27AM -0400, gabriel rosenkoetter wrote:
> On Tue, Jul 02, 2002 at 10:58:20PM -0400, Jesse Schultz wrote:
> > gabriel rosenkoetter wrote:
> > >I could easily expand on the SSH PKI rant I've been on today, if
> > >people want to hear it
> > I do.
> 
> Well, if we've got the time, I'm glad to run through how my own set
> up works and what the various pitfalls of using PKI with SSH are.
> Sounds like we've got a pretty interesting topic this meeting, so
> maybe I'll pull this together with some other crypto-related stuff
> and talk about it later in the year.
> 
> Maybe MCT and I could talk about CipherSaber. ;^>

It sounds interesting. Unfortunately I could not be there tonight, so I
hope you will do that later.

> > Even though I pulled us into a tangent on the su thing, I would be 
> > interested in using certificates with SSH.  Also with POP3 if you know 
> > anything about that.
> 
> Well, POP3 has no internal encryption methods. You can talk POP3
> over an SSL-encrypted channel (and you can call it POP3S if you like
> it, but you're in a state of sin when you do ;^>), and you can even
> do that, I'm told, when talking to a Microsoft Exchange server,
> though I haven't gotten my hands on my employer's yet to try.
> 
> Some MTAs make it easier to hook into this than others. Probably
> the easiest way to graft it onto an existing MTA without recompilation
> or (more than trivial) reconfiguration is stunnel[1]. A more
> complicated, though in the long run cheaper, in terms of maintenance,
> and more truly secure[2] route would be IPSec. Don't try that on
> Linux right now unless you want to learn a whole lot about the
> internals of FreeSWAN. (I'd be glad to be corrected and told that
> FreeSWAN is easy these days and actually does all of IPSec, but I
> think I'd have heard a lot more noise about it by now if that were
> the case).

With SSH it's easy to forward a port from a remote host to a local host
and then use a POP client through this sort-of tunnel. This requires a shell
account on the remote machine. You also need a mail client that allows you
to specify a pre-connect command (mutt does) to set up the temporary port
forwarding. It is also possible to use a script to set up the port forwarding
when required (the ssh connection dies once you have used it, so you need
to relaunch ssh).
I can find the correct syntax if you want, just ask.

The best solution to grab your mail in a secure manner is to use IMAPS.
This also protects you against MITM attacks when set up correctly.
I can't understand why not all ISPs provide it. DCA.net only provides
IMAP; I was very disappointed about that, but I guess Verizon does the same.
So with DCA.net you have two solutions: grab your mail in an insecure
way (at least fetch it only when you are connected to your DCA link,
which is not always true with a laptop) or pay $5 per month for a shell
account.

NOTE: Secure mail is especially important with a cable modem (i.e. not
ADSL), where you share the connection with your neighbours and so
where it is easy to see all passwords.

Christophe

> 
> > I like rants :-)
> 
> Heh.
> 
> [1] http://www.stunnel.org/
> [2] IPSec buys you authentication and rekeying, with stunnel you
> must trust the remote end of the socket to stay trustworthy, which
> isn't necessarily a safe thing to do.
> 
> -- 
> gabriel rosenkoetter
> gr@eclipsed.net



-- 
Christophe Barbé <christophe.barbe@ufies.org>
GnuPG FingerPrint: E0F6 FADF 2A5C F072 6AF8  F67A 8F45 2F1E D72C B41E

Cats are intended to teach us that not everything in nature has a
function. --Garrison Keillor
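An added example (not from the post or its author) of the script-driven port forwarding Christophe describes, wired to mutt's preconnect hook so the tunnel is relaunched for each fetch. The host shell.example.org, the jdoe account, the pop-tunnel.sh file name and local port 1110 are assumptions, and ExitOnForwardFailure is an OpenSSH option added after this 2002 thread.

```shell
#!/bin/sh
# Added example, not from the post. On-demand SSH tunnel for POP3, meant to
# be run from mutt's $preconnect hook. Assumed ~/.muttrc entries:
#   set preconnect="$HOME/bin/pop-tunnel.sh up"
#   set pop_host="pop://jdoe@localhost:1110/"
# mutt then connects to localhost:1110 and ssh carries that connection to
# port 110 on the mail host, so the POP password never crosses the shared
# cable segment in clear.

SHELL_HOST="${SHELL_HOST:-shell.example.org}"  # assumed: host with a shell account
POP_HOST="${POP_HOST:-localhost}"              # POP server as seen from SHELL_HOST
LOCAL_PORT="${LOCAL_PORT:-1110}"               # local listener, unprivileged
REMOTE_PORT="${REMOTE_PORT:-110}"              # POP3 on the server
LINGER="${LINGER:-20}"                         # seconds ssh waits for the client

# Succeeds only if $1 is an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the -L argument: localport:pophost:remoteport.
forward_spec() {
    printf '%s:%s:%s\n' "$1" "$2" "$3"
}

# Print the ssh command line. -f backgrounds ssh once the forward is up;
# ExitOnForwardFailure=yes makes ssh fail (so mutt gives up) if the local
# port is already bound instead of running without a tunnel; the remote
# "sleep" keeps the session alive just long enough for mutt to connect,
# then ssh exits once the forwarded connection closes, which is why the
# tunnel has to be relaunched for the next fetch.
tunnel_cmd() {
    valid_port "$LOCAL_PORT" && valid_port "$REMOTE_PORT" || return 1
    [ "$LOCAL_PORT" -gt 1023 ] || return 1    # no root needed for the listener
    printf 'ssh -f -o ExitOnForwardFailure=yes -L %s %s sleep %s\n' \
        "$(forward_spec "$LOCAL_PORT" "$POP_HOST" "$REMOTE_PORT")" \
        "$SHELL_HOST" "$LINGER"
}

# Launch the tunnel only when invoked as "pop-tunnel.sh up".
if [ "$1" = "up" ]; then
    cmd=$(tunnel_cmd) || exit 1
    $cmd < /dev/null > /dev/null
fi
```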
