Email security (was: Gmail..)

bscott at ntisys.com
Tue Aug 24 22:41:01 EDT 2004


On Sun, 22 Aug 2004, at 7:00pm, pri.lugofnh at iadonisi.to wrote:
>>> I've been waffling (heh, sorry) on whether or not I'm willing to trust to
>>> Gmail, but I'll never know unless I try (for my least sensitive mail, at
>>> least).
> > 
>> If you're sending sensitive email unencrypted, you're already in trouble.
>> And you should know better, too.  :)
> 
>   Come on, Bruce, read Bruce Schneier's regular Cryptogram newsletter
> before making such broad statements.  Security is *always* a tradeoff. 

  "Security is a process, not a product."

  "There's no such thing as security -- only managed risk."

> Private email from me to another friend of mine on the same ISP who is
> also running his own TLS enabled SMTP server is plenty sufficient security
> for the type of communication I have with him.

  Sure.  But that would fit the definition of "encrypted", no?  :)

> Gmail (and other webmail-only services) is a whole different animal.  The
> email is ALWAYS on the server, no opportunity to POP it out of there as
> quickly as it comes in, which is what I do with another (low volume)
> externally hosted POP account.

  I don't understand how people construe a mail spool as a security feature.  
Presumably you consider the mail server untrusted.  That's reasonable.  But
if the mail server is untrusted, you have to assume all the mail going
through it is potentially compromised.  Recorded, analyzed, indexed, logged,
diverted, intercepted, blocked, modified, folded, spindled, or mutilated.
The fact that it gets spooled on a disk, or stored longer, is insignificant
compared to the larger security problem here.

> ... an entire record of my email life is not available in any one
> location, like it would be were I to switch entirely to Gmail.

  Let's say you switched "entirely" to POP on some nameless ISP.  We assume
that ISP is untrusted.  We don't know what they (or some intruder) might be
doing with their system.  We *do* know all your mail is flowing through
their systems, though.  There is certainly ample opportunity for anyone to
make an entire record of your email life, there.

  The only difference that I have seen with Gmail is that Google is overt
about it.  And is trying to turn a profit from it.  :)

> Except, of course, on my OWN servers.

  If the entire email transaction takes place on your servers, then we can
assume a real security gain.

  But chances are, you are exchanging email with other servers.  That means
your ISP, their ISP, *their* ISP, their peer, their transit provider, the
other guy's ISP's upstreams, the other guy's ISP, the other guy's mail
server operator, maybe the other guy's IT staff, employees, ex-employees,
ex-girlfriend, the hacker who has "0wned" the other guy's mail server, the
software company that wrote the other guy's mail server's OS, the NSA, FBI,
CIA, IBM, AT&T, and the Free Masons could all be reading your mail, for all
we know.  Oh, and maybe Google, too.

  Gmail seems to have highlighted the fact that we put a lot of trust in the
hands of Internet operators.  The thing I don't understand is why people are
not willing to trust Google, but *are* willing to trust all those other
elements.

  It's not that I think Google is particularly trustworthy.  It's that I
don't think anyone else is, either.

-- 
Ben Scott <bscott at ntisys.com>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.              |
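As an added example (not part of this thread, and not code from Ben or anyone on the list), the chain of parties described above can be read off a message's own Received: trail. The Python script below parses a constructed sample message (all host names and addresses are made up), lists each mail server that handled it in transit order, and marks which hops were delivered over STARTTLS, using the RFC 3848 protocol tokens (ESMTPS/ESMTPSA mean TLS; SMTP/ESMTP/ESMTPA mean plaintext). Two caveats are built into the output: Received: headers are written by each receiving host and can be forged by a sender or stripped by a relay, so this is an audit aid rather than proof; and a TLS hop only protects the wire between two servers, so every "by" host still held the plaintext, which is exactly the point made above about the friend-to-friend TLS case versus everything else.

```python
"""Walk an email's Received: trail to list who relayed it and which hops
used TLS.  Added example for this thread; the sample message and all host
names are constructed for illustration."""
import email
import re

# Constructed sample: one message that crossed three mail servers.  Each
# receiving host prepends its own Received: line, so the top line is the
# final hop and the bottom line is the first.
SAMPLE = """\
Received: from mx2.isp-b.example (mx2.isp-b.example [198.51.100.20])
    by mail.recipient.example with ESMTPS id 3F2A;
    Tue, 24 Aug 2004 22:41:01 -0400
Received: from relay.isp-a.example (relay.isp-a.example [203.0.113.7])
    by mx2.isp-b.example with ESMTP id 9B1C;
    Tue, 24 Aug 2004 22:40:58 -0400
Received: from home.sender.example (dsl-12-34.isp-a.example [203.0.113.99])
    by relay.isp-a.example with ESMTPS id 7D00;
    Tue, 24 Aug 2004 22:40:55 -0400
From: me@sender.example
To: friend@recipient.example
Subject: test

hello
"""

# RFC 3848 protocol tokens ending in "S" (ESMTPS, ESMTPSA, UTF8SMTPS, ...)
# mean the hop was delivered over STARTTLS.  ESMTP, SMTP and ESMTPA mean
# the session was plaintext.
TLS_PROTO = re.compile(r"(UTF8)?E?SMTPSA?", re.IGNORECASE)


def parse_received(value):
    """Pull the from/by/with fields out of one Received: header value.

    Returns None when the header does not have the usual "from X by Y" shape
    (for example a locally generated header), so callers can skip it.
    """
    v = re.sub(r"\s+", " ", value).strip()   # unfold continuation lines
    m_from = re.match(r"from\s+(\S+)", v)
    m_by = re.search(r"\bby\s+(\S+)", v)
    m_with = re.search(r"\bwith\s+(\S+)", v)
    if not (m_from and m_by):
        return None
    proto = m_with.group(1).rstrip(";,") if m_with else ""
    return {
        "from": m_from.group(1),
        "by": m_by.group(1).rstrip(";,"),
        "with": proto,
        "tls": bool(proto) and TLS_PROTO.fullmatch(proto) is not None,
    }


def received_path(raw):
    """Return the hops in transit order (first relay first).

    Caveat: Received: headers are added by each receiving host and can be
    forged by a sender or stripped by a relay, so this reconstructs what the
    servers claim, not what certainly happened.
    """
    msg = email.message_from_string(raw)
    hops = [parse_received(h) for h in msg.get_all("Received", [])]
    return [h for h in reversed(hops) if h is not None]


def plaintext_exposure(hops):
    """Who could read the message body along this path.

    Every "by" host is a mail server that held the plaintext, TLS or not:
    STARTTLS only protects the wire between two hops.  Links without TLS
    additionally expose the message to anyone on the network between them.
    """
    return {
        "servers": [h["by"] for h in hops],
        "links": [(h["from"], h["by"]) for h in hops if not h["tls"]],
    }


if __name__ == "__main__":
    path = received_path(SAMPLE)
    for h in path:
        print(f"{h['from']:28} -> {h['by']:28} {h['with']:8} "
              f"{'TLS' if h['tls'] else 'PLAINTEXT'}")
    exposure = plaintext_exposure(path)
    print("servers that held the plaintext:", ", ".join(exposure["servers"]))
    print("unencrypted links:", exposure["links"])
```

Run it against a real message by replacing SAMPLE with the raw source of something in your own mailbox; the list of "servers" is the set of operators you are trusting whether or not every link shows TLS, and only end-to-end encryption (PGP/GnuPG or S/MIME) takes the body out of their hands.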




More information about the gnhlug-discuss mailing list