Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: PGP email encryption

from [Mark Ryan del Moral Talabis] Network Security [Permanent Link]
Subject: Re: PGP email encryption
Date: Fri, 23 Sep 2005 08:10:01 +0800 
Yeah, I think you should try out gpg. We've been using it here (using
the 'hard way'). We provided each machine with  GPG, Thunderbird and
the Enigmail plugin.


On 9/21/05, AragonX <aragonx@dcsnow.com> wrote:

<quote who="Meni Milstein">

Thank you for your detailed answer!
The reason I asked this question in the first place was because the
answers
I got (and keep getting) from the technical team and sales team at PGP
were
inconclusive, and certainly WAY off what you are saying.

There IS a web client to PGP, and one way to use "email encryption" in PGP
(according to the tech team at PGP) is to have the PGP server catch the
message after it passed through, say, my exchange server, and instead of
sending that message, send another message (notification message) to the
receiving end - with a link. The link will lead the user to read the
message
off the "web messenger" on the PGP server through HTTPS. The access is
done
using a user entered pass phrase (which according to what you said - is
very
bad.)


I think the problem is PGP has been turned into more than it once was.  It
once was a simple public/private key encryption program.  Now it's a
company with a wide range of products.

Personally, I would avoid PGP as a whole.  The US government has been
pressing hard to get a back door into their keys.  I'm not sure if they
have one yet or not.  I'm not sure we would know if they did.

Personally, I would suggest a solution based on gpg instead.

http://www.gnupg.org/

The way I see it, there is an easy way, and a hard way.

1)  Easy way - setup a web mail server using gpg encrypted messages.

  Disadvantages

1 - You are relying on ssl encryption to protect the data once the client
logs on.  You could setup a secure VPN to mitigate this threat.
2 - The security of your server is greatly diminished by allowing these
external users access.

  Advantages

1 - Easy to setup.
2 - Emails remain local and completely under your control.
3 - Depending on the countries you do business with, they may not be
allowed to use gpg.


2)  Hard way - Send messages to your clients using gpg.

  Disadvantages

1 - You must work with your client's IT staff to get this setup correctly.
2 - Messages are out of your control once they leave your server.

  Advantages

1 - You don't have to maintain the users on your server.
2 - Overall security of this setup is better.

This is just the way I see it.  I could be way off base on some things but
I do feel you should avoid pgp and use gpg instead.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Checkpoint Fw1 syslog logging. Any solution ?, xyberpix
Next by Date:  Group permissions changed, sf_submit
Previous by Thread:  Re: PGP email encryption, Harrison Holland
Next by Thread:  RE: PGP email encryption, Jason Albuquerque
Indexes:  [Date] [Thread] [Top] [All Lists]