Automatic encryption of stored messages
Mikhail T.
mi+thun at aldan.algebra.com
Wed Apr 28 17:14:09 EDT 2010
28.04.2010 15:25, cyrus-sasl-request at lists.andrew.cmu.edu ???????(??):
> This is another problem, but server can't encrypt messages because it
> should have access to a symetric or assymetric keys saved on the
> server. Then you back to the problema, the hacker may access the key
> and decrypt messages (this chicken and egg problem).
>
My proposal addresses this problem. I fear, you have not read it --
despite two opportunities already -- before rushing to the reply-button.
Allow me to afford you one more explanation.
The new messages arriving to the server will remain unencrypted -- no
worse off than they are now -- until the user logs in (and provides the
key).
Again. Under my proposal, the server does have the key to a user's
messages, but /only while the user is logged in/. _Older messages of
disconnected users are not readable even to the server's root_.
My proposal does not solve the problem completely, but it does reduce
the damage. This is useful.
>> > The proposed method uses each user's own password to encrypt their mails --
>> > only the mailboxes of the currently-connected users would be exposed to a
>> > hacker (or coercer).
> If the hacker owned the server he can
> - use "tcpdump -s 0 -A | grep --line-buffered -e LOGIN -e USER -e
> PASS" to get password in next user authentication.
> - read TLS private key file and look traffic with tcpdump.
> - read TLS private key from memory.
> - switch imapd daemon to a version that save user/password on a file.
>
This would only give the hacker ability to access e-mails of people
currently connecting to the server, while the exploit is ongoing. My
plan -- for the third time -- aims to protect mailboxes of those, not
currently connected. I believe, this could be valuable in a substantial
number of installs.
> Server should't encrypt data. Root can do anything.
>
Both statements are wrong (as all generalizations)... I demonstrate, how
the server can do encryption usefully -- so that even root can not
decrypt it, until the user logs in to check their e-mail.
If a break-in happens, while a I'm on vacation, my old e-mails weren't
exposed. That's as useful as being able to lock my house, while I'm
away, even if I have to open it up upon returning...
> Server should't encrypt data.
>
You are now contradicting your own earlier advice (to use encrypted
filesystem)!
I must say this explicitly, Reinaldo, that you are coming off as an
annoyed, impolite, and discourteous individual and this is my last
e-mail to you, unless your response shows better manners. I don't want
to emulate your tone /again/...
This need not be -- and is not -- about anybody's ego, you know...
Yours,
-mi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/attachments/20100428/d721de3e/attachment.html
More information about the Cyrus-sasl
mailing list