What email encryption is actually in use?
Major Variola (ret)
mv at cdc.gov
Tue Oct 1 09:05:04 PDT 2002
The problem Mr. Howe describes is fundamental, folks:
encryption should be end-to-end even when the endpoints
are functionaries in a company. Because not all employees
are equal.
So yes Alice at ABC.COM sends mail to Bob at XYZ.COM and
the SMTP link is encrypted, so the bored upstream-ISP netops can't learn
anything besides traffic analysis. But once inside XYZ.COM, many
unauthorized folks could intercept Bob's email. Access Control is
sorely lacking folks.
Link encryption is a good idea, but rarely sufficient.
At 01:20 PM 10/1/02 +0100, David Howe wrote:
>at Tuesday, October 01, 2002 3:08 AM, Peter Gutmann
><pgut001 at cs.auckland.ac.nz> was seen to say:
>> For encryption, STARTTLS, which protects more mail than all other
>> email encryption technology combined. See
>
>I would dispute that - not that it isn't used and useful, but unless you
>are handing off directly to the "home" machine of the end user (or his
>direct spool) odds are good that the packet will be sent unencrypted
>somewhere along its journey. With TLS you are basically protecting a
>single link of a transmission chain, with no control over the rest of
>the chain.
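
Added example (not part of the original message or thread): a per-hop check of a delivered message's Received headers, showing which links of the chain recorded TLS and which did not. The sample message, its host names and ids are constructed; TLS is inferred from the RFC 3848 "with" keywords (ESMTPS, ESMTPSA, LMTPS, LMTPSA), which is an assumption about how the relays log.

```python
import re
from email import message_from_string

# RFC 3848 "with" protocol keywords that mean the hop was carried over TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

# Constructed sample: only the inter-domain link used STARTTLS.
SAMPLE = """\
Received: from spool.xyz.example (spool.xyz.example [192.0.2.30])
\tby mailstore.xyz.example with LMTP id c3; Tue, 1 Oct 2002 09:05:09 -0700
Received: from mx.xyz.example (mx.xyz.example [192.0.2.20])
\tby spool.xyz.example with ESMTP id b2; Tue, 1 Oct 2002 09:05:07 -0700
Received: from smtp.abc.example (smtp.abc.example [192.0.2.10])
\tby mx.xyz.example with ESMTPS id a1; Tue, 1 Oct 2002 09:05:05 -0700
From: alice@abc.example
To: bob@xyz.example
Subject: test

body
"""

def hop_report(raw_message):
    """Return [(from_host, by_host, protocol, tls_recorded)] in delivery order."""
    msg = message_from_string(raw_message)
    hops = []
    # Each relay prepends its header, so reverse to read sender -> recipient.
    for header in reversed(msg.get_all("Received", [])):
        text = " ".join(header.split())       # unfold continuation lines
        clauses = text.rsplit(";", 1)[0]      # drop the trailing timestamp
        frm = re.search(r"\bfrom\s+(\S+)", clauses)
        by = re.search(r"\bby\s+(\S+)", clauses)
        proto = re.search(r"\bwith\s+(\S+)", clauses)
        name = proto.group(1).upper() if proto else "UNKNOWN"
        hops.append((frm.group(1) if frm else "?",
                     by.group(1) if by else "?",
                     name, name in TLS_PROTOCOLS))
    return hops

def cleartext_hops(raw_message):
    """Hops whose Received header does not claim TLS."""
    return [h for h in hop_report(raw_message) if not h[3]]

if __name__ == "__main__":
    for frm, by, proto, tls in hop_report(SAMPLE):
        print(f"{frm} -> {by}: {proto} ({'TLS' if tls else 'no TLS recorded'})")
```

Received headers are written by each relay and can be forged or omitted, and some MTAs note TLS only in a comment rather than in the "with" keyword, so a hop reported here as having no TLS recorded needs confirming against that relay's own logs.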