Eric Murray wrote:
Mike writes:
Which leads to another idea, couldn't we encrypt SMTP by running it over SSL as a web server cgi? If 99% of Internet traffic is web browsing and we are trying to hide our email, then why not make the email look like web browsing? You don't need to run it through a CGI. There's a port defined for SMTP-over-SSL:
If you want to protect all email (an excellent idea), build a mail
Sure, but the idea here was hiding email to defeat traffic analysis. Ssmtp would raise alarms in any snopper but https would seem like business as usual, probably just another gif. And https is available through a lot of firewalls where you can't run ssmtp. transport which automatically encrypts each outgoing mail in the key of the recipient Eudora/PGP already does that, but you are still quite vulnerable to traffic analysis unless you add remailers to the pot, which makes it a lot more complicated and error prone. A significant threat to online privacy comes from passive attackers, because you can't do anything about them. If you have an active attacker, you can analyze his moves and fix the bugs he uses to break root, but a passive attack is difficult to even detect before it's too late and your romantic conversations are headline news. Mike.