Jason on Wed, 3 Jul 2002 14:37:59 -0400



Re: [PLUG] keysigning wednesday?


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday 03 July 2002 14H:04, christophe barbé wrote:
> On Wed, Jul 03, 2002 at 01:45:56PM -0400, Kevin Brosius wrote:
> > christophe barbé wrote:
> > ...
> >
> > Secure ... mail?  I keep seeing this concept mentioned by different
> > people, and keep wondering why this is important to them.  Are you using
>
> First you keep your password for you. With a few dial-up providers, the
> same password is used for the mail and the connection and ...
>
> Also you are responsible for what you do on the internet, spamming, child
> porn, launching a new virus, ... If someone can use your identity, you
> can have a serious problem.
>

I have seen more than a few instances of spammers abusing email servers to 
forge sender addresses (trivial on some older servers, but it happens on newer 
servers as well). I don't know about anyone else, but I find it highly 
offensive to see the name of someone I know forged as the sender address on 
SPAM email. I'm sure it violates some law, but good luck enforcing it.

If I sign all of my email, you know something that doesn't have my signature 
didn't come from me. However, if you don't use any software to verify 
signatures and don't participate in keysignings, then you would have no way 
of verifying any of this info.

IMHO, the spammers are not going to go to the effort to even make it look like 
something's been signed (not yet, anyway). In the meantime, I try to expose 
most of my friends, colleagues, etc. to the benefits of digital signatures.

> > this on an internal secure network?  It just seems like an exercise with
> > little benefit for mail which travels over public networks.
>
> This is very easy to set up when provided by your ISP. I don't see any
> good reason to use an unsecure manner when I have a secure manner to do
> it. In fetchmail for IMAPS you need to add one keyword or three if you
> want to protect yourself against MITM.
>
> They should certainly use IMAPS by default and provide for you a special
> 'unsecure' keyword. Also I guess you don't have a laptop.
> Let's imagine you come to a PLUG meeting with your laptop, check your
> mail. Anyone with a laptop on the same hub can have your password (and
> the login, server address).

This is important to be aware of. I generally do any remote activities through 
SSH to try to avoid any clear-text password issues. Either piping an app's 
connection through SSH, or simply using mutt. Speaking of which, I assume 
most people who would care are aware of the recent exploit in OpenSSH, right?

Just my $.02,
Jason Nocks

>
> Christophe
>
> > --
> > Kevin Brosius
> >
> > ______________________________________________________________________
> > Philadelphia Linux Users Group       -      http://www.phillylinux.org
> > Announcements-http://lists.phillylinux.org/mail/listinfo/plug-announce
> > General Discussion  -  http://lists.phillylinux.org/mail/listinfo/plug
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj0jRA0ACgkQ3CryLfCgqRlihgCfVV/hS/ErWIiC35VbYIdjlJhl
NyoAn3OboMmEtxBWcZU0hJQGVLWp81HC
=bfFC
-----END PGP SIGNATURE-----
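
An added example, not part of the original message: the thread mentions that fetchmail needs "one keyword or three" for IMAPS without naming them. The fragment below assumes they are fetchmail's `ssl`, `sslcertck` and `sslcertpath` options; the host, user, password and certificate directory are placeholders.

```conf
# ~/.fetchmailrc (mode 0600) -- constructed example, all names are placeholders

# Weak: one keyword. The session is encrypted, so a passive sniffer on the
# same hub no longer sees the login and password, but on fetchmail releases
# of this message's era the server certificate is not validated, so an
# active man-in-the-middle can present its own certificate and still
# collect the credentials.
#
# poll imap.example.org protocol IMAP
#     user "jdoe" password "PLACEHOLDER"
#     ssl

# Hardened: three keywords. fetchmail aborts the connection unless the
# server certificate chains to a CA found in sslcertpath.
poll imap.example.org protocol IMAP
    user "jdoe" password "PLACEHOLDER"
    ssl
    sslcertck
    sslcertpath /etc/ssl/certs

# Alternative when the ISP uses a self-signed certificate: pin it instead
# of relying on a CA directory (the fingerprint below is a placeholder).
#
#     sslfingerprint "PLACEHOLDER-FINGERPRINT-OF-SERVER-CERT"
```

Since fetchmail 6.4.0 certificate checking is on by default when `ssl` is used, so the weak form above applies to older releases.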

