
Re: Encrypted web mail

From Dennis Lee Bieber <wlfraed@ix.netcom.com>
Subject Re: Encrypted web mail
Date 2015-08-16 12:12 -0400
Organization IISS Elusive Unicorn
References <CAMQ2MsHDNLRuth59FRAtXwMXY14LyMUibxHCFxZswdD7Jw4oyg@mail.gmail.com> <bmnusa552v5da31s40bitft8cb9l4s1aup@4ax.com> <CAMQ2MsF73cgTQ-dyZ2thF+GsLqSjjAQDTDjo4OLbNY+did=Lgg@mail.gmail.com>
Newsgroups comp.lang.python
Message-ID <mailman.35.1439741553.4764.python-list@python.org> (permalink)



On Sun, 16 Aug 2015 09:09:12 +0300, Uri Even-Chen <uri@speedy.net>
declaimed the following:

>Hi Dennis,
>
>Thanks for the feedback. Actually the passwords on my webmail in 2000 to
>2005 were not encrypted, but I agree with you that passwords should be
>always encrypted.
>
	Hashes are NOT "encryption" as commonly thought of -- to most people,
encryption means the data can be decrypted/recovered. A hash is one-way
only. It is possible for two or more strings to generate the same hash
value (one reason common practice is to prepend a "salt" that was randomly
generated at time of account creation) -- but given the hash there is no
means of recovering the password itself (other than brute force hashing of
guesses).

>I think ProtonMail <https://protonmail.ch/> is doing something similar to
>what I want, so maybe I'll check what they are doing. I also want the
>user's mail to be searchable, like Gmail.
>
	The information on that site is rather confusing. In one spot they
mention that the encryption takes place ON THE USER'S COMPUTER before it
reaches their server -- that means the headers are not encrypted, as they
need to be able to read the headers to know where to send the mail, UNLESS
they require the recipient of the email to also be on their server meaning
the message never leaves via SMTP***. It also implies that the decryption
has to be performed on the recipient's computer -- which again implies the
recipient must also be a user of their software (being a web-based access
system, that means the encryption/decryption stuff is being done via
JavaScript or other downloaded program running under the browser control --
implied by the statement "ProtonMail employs SSL to ensure our encryption
codes are properly delivered to user’s browsers and not tampered with
en-route." -- where I interpret "codes" to mean the encryption/decryption
software, not the keys).

	In one spot they claim they do not have the decryption keys, so could
only provide encrypted copies to law enforcement. However, this requires
some sort of key to be transferred from sender to receiver... Or are they
maintaining the public key for all users (again, this implies the system
only works if sender/recipient are using their system -- it won't work if
the message has to leave their server) and they send the public key to the
client: i.e., you enter a user-name in the "to:" field, their server finds
the public key for that user, and sends it to your client for subsequent
use in encrypting the message before transfer to the server.

	Is there provision for signing the keys with a trust level? I presume
the decryption key is generated on the client side when first signing up to
the service.

	Otherwise there is nothing in the service that can't be done with PGP
(or, since PGP went to a $$$ package, GPG) using public key servers --
except that they are trying to make the act of running the
encryption/decryption transparent to the user.

	Back in the old days, PGP (when it was free or very low-cost) used to
have a plug-in for Eudora (version 4, maybe usable in v5 and v6 -- but I
haven't seen it in decades) which added encrypt/decrypt buttons to the
control bar. Without the buttons, it was just a need to cut from message,
paste into the cryptography package, transform, cut, paste back into the
message body. (Looking at the GPG4Win documents, I can see why I fell out
of PGP... I can't even find a way to import my ancient keyrings)



*** Found on another page: "ProtonMail's segregated authentication and
decryption system means logging into a ProtonMail account " So that would
indicate -- this system only works between users of their system... You can
not send or receive mail from outside their system. Though later down they
do mention sending encrypted to outside users -- which implies (and the big
banner for OpenPGP reinforces) that the system is using regular PGP-style
public key cryptography which anyone can implement today. The only thing
they are providing is: 1) a web client that automatically applies the
encryption (meaning it has to have access to some public key server to
retrieve the recipient public key), 2) decrypts messages when viewed
(requiring the user to provide the proper password to access the private
key file), 3) doesn't provide local mail storage. Item 1 has the corollary
that you can't send mail to someone that does not have a known public key
-- since that would have to be sent in plain-text and their system does not
allow for plain-text messages.

	Items 1 and 3 are enough for me to reject usage of the system. (I abhor
web based messaging schemes due to their "always one, one at a time"
processing. Give me a POP3/SMTP (or NNTP for forums) system where I can
connect, download messages, work on them as I get time (I can have multiple
messages open for editing in parallel), save them in draft form, use
whatever editor I'm most comfortable with (when was the last time you saw a
web-based input form that allowed for tab characters for formatting?), etc.)

	Heck, the $$$ PGP (now owned by Symantec) boasts "Symantec Desktop
Email Encryption provides an end-to-end email encryption solution that
automatically encrypts and decrypts email directly between clients without
the need to log into a third-party website."

	No doubt by running as an email server on the client machine so one's
preferred client sends mail to the PGP-server (on the same machine), that
server applies encryption and relays to the user's regular ISP server; and
conversely, retrieves mail from the ISP POP3 server, decrypts any messages
as needed, and provides them to the mail client when it does a POP3 fetch.

	For a web-based system, there is also Hushmail
https://www.hushmail.com/?l=19 
-- 
	Wulfraed                 Dennis Lee Bieber         AF6VN
    wlfraed@ix.netcom.com    HTTP://wlfraed.home.netcom.com/
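
[Added example, not part of the original post.] The salted one-way password hashing described at the top of the message, sketched with the Python standard library. The record layout, the function names and the PBKDF2 iteration count are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

# Assumed work factor for PBKDF2-HMAC-SHA256; tune it for your own hardware.
ITERATIONS = 600_000
MAX_ITERATIONS = 10_000_000  # refuse absurd values read back from storage


def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Build the string stored at account creation: algo$iterations$salt$hash."""
    salt = secrets.token_bytes(16)  # random salt, generated once per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Re-hash the candidate with the stored salt; nothing is ever decrypted."""
    try:
        algo, rounds_text, salt_hex, digest_hex = record.split("$")
        rounds = int(rounds_text)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: fail closed
    if algo != "pbkdf2_sha256" or not 0 < rounds <= MAX_ITERATIONS:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample data: two accounts that happen to share a password.
    alice = make_record("correct horse battery staple")
    bob = make_record("correct horse battery staple")
    print(alice != bob)                                    # salts differ, so records differ
    print(verify("correct horse battery staple", alice))   # right password
    print(verify("Tr0ub4dor&3", alice))                    # wrong password
```

The server stores only the record string, so a login check can confirm a guess but cannot recover the password from what is stored.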
