List Info

Thread: encryption or no encryption
encryption or no encryption
country flaguser name
United States		 2007-03-30 07:01:30 
Could someone give me some pros of messing with encryption?

My thoughts are that if an email fly thru the internet on
the open, all
SMTP servers I know will not do any encryption, user storage
are also not
encrypted.
Unless the sender is deliberately using some sort of
encryption at the
client level (PGP maybe) this email is in clear text from
origin to
destination.

One reason I see is so my own people wont be reading
customers email
directly from the database but again if they have access to
the db files
most likely they also have access to the encryption key...
The sql
database is or should be local or firewalled anyway and most
likely the
user mailbox is not encrypted either.
Why should I spend resourses to protect emails sent in clear
text from
my own people?  and in the long run cause me more work? 

perhaps I dont see a bigger picture.... :(

Sergio



_______________________________________________
Maia-users mailing list
Maia-usersrenaissoft.com
http://www.renaissoft.com/mailman/listinfo/maia-users
Re: encryption or no encryption
country flaguser name
United States		 2007-03-30 09:48:57 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sergio P. Cesar wrote:
> Could someone give me some pros of messing with
encryption?
> 
> My thoughts are that if an email fly thru the internet
on the open, all
> SMTP servers I know will not do any encryption, user
storage are also not
> encrypted.
> Unless the sender is deliberately using some sort of
encryption at the
> client level (PGP maybe) this email is in clear text
from origin to
> destination.
> 
> One reason I see is so my own people wont be reading
customers email
> directly from the database but again if they have
access to the db files
> most likely they also have access to the encryption
key... The sql
> database is or should be local or firewalled anyway and
most likely the
> user mailbox is not encrypted either.
> Why should I spend resourses to protect emails sent in
clear text from
> my own people?  and in the long run cause me more work?

> 
> perhaps I dont see a bigger picture.... :(

No, you're absolutely right.   The only benefit is to keep
your own people from
accidently reading email from the db, or the weird case of
making the db
unreadable in the case of seizure by unscrupulous government
authorities. (you
have to somehow keep the key on another system or disk and
protected somehow;
that's an exercise for the reader).

I don't use the encryption on any of my clients.

OTOH, SSL is great for the http session to protect the login
info.


- --
David Morton
Maia Mailguard                        - http://www.maiamailguard
.com
Morton Software Design and Consulting - http://www.dgrmm.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


iD8DBQFGDSNZUy30ODPkzl0RAlh9AJ9BPzxh2aAmJrisPkTS+5gbDG2I5wCg
qWCf
Fb27RED73hNECHvxDN7jFgg=
=ts3O
-----END PGP SIGNATURE-----
_______________________________________________
Maia-users mailing list
Maia-usersrenaissoft.com
http://www.renaissoft.com/mailman/listinfo/maia-users
Re: encryption or no encryption
country flaguser name
Canada		 2007-03-30 15:21:21 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David Morton wrote:

> No, you're absolutely right.   The only benefit is to
keep your own people from
> accidently reading email from the db, or the weird case
of making the db
> unreadable in the case of seizure by unscrupulous
government authorities. (you
> have to somehow keep the key on another system or disk
and protected somehow;
> that's an exercise for the reader).

Right, the encryption feature was added in response to a
request from IT
workers who work for NGOs operating in parts of the world
where
repressive regimes are fond of confiscating servers to get
evidence
against dissidents.  For this to be of any value, however,
you need to
store the key file on an easily-removable device, like a
floppy disk or
a USB thumbdrive, or a flash memory card.  It's not
difficult to
configure that--you just need to provide the path to
wherever this
device is mounted.

For most users, though, the encryption feature is an
unnecessary hassle,
and there's obviously a small performance impact as well, so
it's not
something for general use.  I suspect that many of the
people using it
are getting a false sense of security out of it, using it
because they
believe it offers them some sort of additional protection.

As a means of "keep[ing] your own people from
accidentally reading email
from the db", this encryption may be marginally useful,
in that it will
prevent non-privileged users from reading the contents of
the maia_mail
table--though of course you should have your access controls
on the Maia
database set properly to prevent this anyway.  If anyone on
your system
can access your database and read the maia_mail table,
you've got a
bigger security problem to deal with! ;)

- --
Robert LeBlanc <rjlrenaissoft.com>
Renaissoft, Inc.
Maia Mailguard <http://www.maiamail
guard.com/>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGDXFBGmqOER2NHewRAkRmAJ9eLGLaIArMdn2xqB1PTcilKRxtcQCf
cn/c
9KLKIgiyht6JLspEOvZCMno=
=ZrCI
-----END PGP SIGNATURE-----
_______________________________________________
Maia-users mailing list
Maia-usersrenaissoft.com
http://www.renaissoft.com/mailman/listinfo/maia-users
Re: encryption or no encryption
country flaguser name
United States		 2007-03-31 06:34:00 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Sergio P. Cesar wrote:
>> Could someone give me some pros of messing with
encryption?
>>
>> My thoughts are that if an email fly thru the
internet on the open, all
>> SMTP servers I know will not do any encryption,
user storage are also
>> not
>> encrypted.
>> Unless the sender is deliberately using some sort
of encryption at the
>> client level (PGP maybe) this email is in clear
text from origin to
>> destination.
>>
>> One reason I see is so my own people wont be
reading customers email
>> directly from the database but again if they have
access to the db files
>> most likely they also have access to the encryption
key... The sql
>> database is or should be local or firewalled anyway
and most likely the
>> user mailbox is not encrypted either.
>> Why should I spend resourses to protect emails sent
in clear text from
>> my own people?  and in the long run cause me more
work? 
>>
>> perhaps I dont see a bigger picture.... :(
>
> No, you're absolutely right.   The only benefit is to
keep your own people
> from
> accidently reading email from the db, or the weird case
of making the db
> unreadable in the case of seizure by unscrupulous
government authorities.
> (you
> have to somehow keep the key on another system or disk
and protected
> somehow;
> that's an exercise for the reader).
>
> I don't use the encryption on any of my clients.
>
> OTOH, SSL is great for the http session to protect the
login info.
I thought so, 

"unscrupulous government authorities..." they
probably have ways and
unlimited resourses to decrypt it anyway if they really want
to. 
Thanks
_______________________________________________
Maia-users mailing list
Maia-usersrenaissoft.com
http://www.renaissoft.com/mailman/listinfo/maia-users
[1-4]

about | contact  Other archives ( Real Estate discussion Medical topics )