Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Linux Links | Bling | About BLU |
Edward Ned Harvey wrote: > I am very surprised to hear people using the term "PGP" as if it were > synonymous with "Email signing/encryption." As far as I'm concerned, S/MIME > has already won the war on email signing/encryption. I wish that were true, but can you name any organization that routinely uses S/MIME when sending mail to recipients outside their organization? It's amazing that major banks continue to employ laughable anti-phishing measures like sticking portions of your account number in their email, which they still stuff with links, encouraging the recipient to blindly click though. (Links that often get laundered through marketing tracking sites, obscuring the real target, and making it harder for those that pay attention to such details to determine of a message is fraudulent.) Phishing could be all but wiped out if these organizations adopted S/MIME. Something pretty much all modern email clients support with no effort on the user's behalf. Why don't these companies make use of it? Are they worried about the minority that can't handle S/MIME? If the message was signed, but not encrypted, that would just mean the signature would go unverified, but the message would still be readable. Even organizations in the Internet industry, in the rare cases when they employ email encryption, choose PGP over S/MIME (one ISP I deal with does this). I assume because they think it is more widely deployed. Or they don't want to burden the recipients with obtaining a certificate. > Go get a free certificate from startssl.com, and voila. As Bill pointed out, free certificates are worth about what you pay for them. Mark Woodward wrote: > I find that the notion of "trust" is completely broken with secure > communications. We've already seen that supposedly trusted certs gave > keys to china and the US government so that browsers would accept bogus > keys. Agreed. My trust in certificate authorities has been greatly diminished. Both due to reports of fraudulent certificates issued by legitimate CAs (or their subsidiaries), and due to the way our browsers (and email clients) are packed with hundreds of root certificates from shady CAs (some controlled by questionable foreign governments). The certificate issuing industry has substantial financial incentive to provide cheap certificates, and little incentive (in the short term) to do the necessary work to validate the authenticity of the applicant. > The only way to "trust" a key, IMHO is to have each entity that > wishes to have private communication with you create their own cert > and send you, via an alternate "safer" transport, the public key. > Only that way can you be sure. It seems like cert fingerprints ought to be distributed via DNS(SEC), but even then, unless you've cached that, it could still be subject to man-in-the-middle exploits. I use the Certificate Patrol extension in Firefox to cache certificate fingerprints for the SSL sites I use regularly, so I can quickly spot when a cert changes unexpectedly. https://addons.mozilla.org/en-US/firefox/addon/certificate-patrol/ -Tom -- Tom Metro Venture Logic, Newton, MA, USA "Enterprise solutions through open source." Professional Profile: http://tmetro.venturelogic.com/
BLU is a member of BostonUserGroups | |
We also thank MIT for the use of their facilities. |