Rich Freeman via plug on 14 Aug 2020 18:10:44 -0700



Re: [PLUG] news


On Fri, Aug 14, 2020 at 8:40 PM Steve Litt via plug
<plug@lists.phillylinux.org> wrote:
>
> On Mon, 10 Aug 2020 16:55:51 -0400
> Rich Freeman via plug <plug@lists.phillylinux.org> wrote:
>
> > It makes zero sense to send stuff unencrypted.  Even if you don't
> > trust every certificate out there, you're more secure using encryption
> > with an untrusted certificate, than you are not using encryption.
>
> I wouldn't say zero sense, and here's why...
>
> Encryption takes a lot of work. You need to ride herd over all your
> keys and all your certificates. I've heard there's one zero-cost
> certificate vendor whose certificates last only 3 months, so unless
> you're extremely good at doing the right things at the right times,
> your website's going to go down or your email's going to screw up.

You don't HAVE to do this.  You could just self-sign a certificate
with a 40 year expiration and it would STILL be more secure than
sending things in the clear.

Sure, some software will complain about a self-signed certificate and
not complain about an unencrypted connection, and that is because
developers have a terrible set of priorities.

> Also, I'm not so sure how my email client (claws-mail) would handle
> encryption and certs.
>
> If  you know of good, simple documentation about how to do this stuff
> simply, please let me know.

I realize that not all software makes it easy to use encryption.  I'm
not saying that somebody is going to come and arrest you if you don't
use encryption.

My point is that using encryption is almost always better than not using it.

If my software didn't support encryption then obviously I wouldn't be
using encryption.  However, I'm not going to pretend that not using
encryption somehow makes me more secure.

As far as your situation goes - you can almost certainly configure
your email client to use SSL/TLS for its POP3/IMAP/SMTP connections to
transfer mail, assuming your mail server supports this.  That isn't
end-to-end encryption, but it does secure the transport layer.

And if you send me a gpg-encrypted email chances are I won't even read
it, because it is a royal PITA, so I won't tell you what to do about
S/MIME and so on.  I don't claim that this makes me more secure.
Sometimes security isn't the only consideration.

My argument here isn't with the fact that encryption isn't always
practical.  My argument is with the claims that encrypting things
makes you less safe somehow.  I'd be better off security-wise if I
used gpg for all my email.  I just don't do it because it is
impractical.

-- 
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
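Added example, not code from either message in the thread: a POSIX shell script that does what Rich describes, generating a self-signed certificate with a 40-year lifetime for a mail server, and then running the checks a practitioner would want before pointing a client such as claws-mail at it. The hostname mail.example.com, the 14600-day (40 x 365) lifetime, and an installed OpenSSL 1.1.1 or newer are assumptions, not anything the list posted. The expiry check at the end is the same one you would put in cron for the three-month certificates Steve mentions.

```shell
#!/bin/sh
# Added example (not from the PLUG thread). Assumes: openssl >= 1.1.1 on PATH,
# hostname mail.example.com, 40-year lifetime = 14600 days.
set -eu

# make_selfsigned_cert DIR HOST DAYS
# Writes DIR/key.pem (private, mode 600) and DIR/cert.pem (public).
# A subjectAltName is added because modern TLS clients match the hostname
# against the SAN and ignore the CN.
make_selfsigned_cert() {
  dir=$1; host=$2; days=$3
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" \
    -days "$days" -subj "/CN=$host" \
    -addext "subjectAltName=DNS:$host" >/dev/null 2>&1 || return 1
  chmod 600 "$dir/key.pem"
}

# cert_matches_host CERT HOST -> exit 0 if the certificate is valid for HOST.
# Greps the human-readable verdict so the result does not depend on the
# exit status conventions of a particular OpenSSL release.
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# cert_verifies_against_itself CERT -> exit 0 if CERT chains to itself, i.e.
# it is self-signed and can be pinned as its own trust anchor in the client.
cert_verifies_against_itself() {
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# cert_valid_for_seconds CERT SECONDS -> exit 0 if CERT does not expire
# within SECONDS. This is the renewal check to schedule for short-lived certs.
cert_valid_for_seconds() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# probe_mail_tls HOST PORT [smtp|imap|pop3]
# Talks to a live mail server (network, so not exercised in the test).
# Implicit-TLS ports (993, 995, 465) need no third argument; STARTTLS ports
# (143, 110, 587) need the protocol name. With a self-signed certificate
# the output reports a verify error, but the session is still encrypted.
probe_mail_tls() {
  host=$1; port=$2; starttls=${3:-}
  if [ -n "$starttls" ]; then
    openssl s_client -connect "$host:$port" -servername "$host" \
      -starttls "$starttls" </dev/null 2>&1
  else
    openssl s_client -connect "$host:$port" -servername "$host" \
      </dev/null 2>&1
  fi | grep -E 'Protocol|Cipher|Verify return code'
}

# Example run: create the certificate and report its basic properties.
if [ "${1:-}" = "demo" ]; then
  out=$(mktemp -d)
  make_selfsigned_cert "$out" mail.example.com 14600
  cert_matches_host "$out/cert.pem" mail.example.com && echo "hostname ok"
  cert_verifies_against_itself "$out/cert.pem" && echo "self-signed ok"
  cert_valid_for_seconds "$out/cert.pem" 2592000 && echo "not expiring in 30 days"
  openssl x509 -in "$out/cert.pem" -noout -enddate
fi
```

Run `sh script.sh demo` to generate and inspect a certificate; `probe_mail_tls mail.example.com 587 smtp` (or `993` with no protocol) shows what a client will see from the server. A client that pins `cert.pem` directly gets both encryption and authentication; a client that merely tolerates the verify error still gets encryption, which is the thread's point.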