Email security (was: Gmail..)

Paul Iadonisi pri.lugofnh at iadonisi.to
Sun Aug 22 19:09:01 EDT 2004


On Sun, 2004-08-22 at 17:30, bscott at ntisys.com wrote:
> On Sat, 21 Aug 2004, at 7:05pm, pri.lugofnh at iadonisi.to wrote:
> > I've been waffling (heh, sorry) on whether or not I'm willing to trust to
> > Gmail, but I'll never know unless I try (for my least sensitive mail, at
> > least).
> 
>   If you're sending sensitive email unencrypted, you're already in trouble.
> And you should know better, too.  :)

  Come on, Bruce, read Bruce Schneier's regular Cryptogram newsletter
before making such broad statements.  Security is *always* a tradeoff. 
Private email from me to another friend of mine on the same ISP who is
also running his own TLS enabled SMTP server is plenty sufficient
security for the type of communication I have with him.
  Now, if I was communicating with an attorney on our next move in an
ongoing lawsuit, I probably wouldn't be using email AT ALL.
  Of course, I wasn't all that specific either.  I'm paranoid, but not
THAT paranoid.  Gmail (and other webmail-only services) is a whole
different animal.  The email is ALWAYS on the server, no opportunity to
POP it out of there as quickly as it comes in, which is what I do with
another (low volume) externally hosted POP account.  Yes, I know about
caches, logs, and backups.  There are always traces of data we all leave
behind, but an entire record of my email life is not available in any
one location, like it would be were I to switch entirely to Gmail. 
(Even Gmail's own description of the service talks about data that can
be left behind...an unusual admission for services like this.)  Except,
of course, on my OWN servers.
  Apart from my own servers, which will in the not-so-distant future use
encrypted filesystems, it would likely be just as difficult to
reconstruct all my *private* (i.e.: not public mailing lists like this
one) conversations as it was prior to my very first use of email.  Of
course, I'm a pack rat, so that's not saying much ;-).
  All that said, I do know where you are coming from.  I'm not naive
about it.  I just watched Enemy of the State again this weekend and it's
remarkable how much more of it is relevant and true today than when the
movie was made.  Frighteningly so.
=-=-=
  This all reminds me that I never followed through on something I
mentioned a while ago on this list, for which I apologize.  I was going
to put together a description of my current mail setup using sendmail,
cyrus-imapd, mysql with SMTP AUTH, TLS and other stuff.  Problem is,
it's a moving target, as I'm always tweaking it.  Maybe I'll put
something together in a feeble attempt to steer this discussion back to
something Linux related ;-).
-- 
-Paul Iadonisi
 Senior System Administrator
 Red Hat Certified Engineer / Local Linux Lobbyist
 Ever see a penguin fly?  --  Try Linux.
 GPL all the way: Sell services, don't lease secrets



