Verizon (FiOS) (Off Topic?) I have it!
Ben Scott
dragonhawk at gmail.com
Tue Jan 24 11:45:59 EST 2006

On 1/24/06, Drew Van Zandt <drew.vanzandt at gmail.com> wrote:
> So since it's not guaranteed to be 100% secure, there's no reason to bother
> at all. That's silly.

That's not the argument. The issue is that if one is concerned
about a communication being read by others, one should not use the
technological equivalent of using a post card to transmit it. Or, in
the OP's case, hire an armored car to carry the post card from his
house to the post office in the next town.

In this case, we're talking about creating an encrypted tunnel to a
machine that's owned by a third party ISP, under their physical
control. Then we use that tunnel to relay email which immediately
goes cleartext over the wire, on said third party's network. Keep in
mind that the objection in the first place was that ISPs can read the
email. So we're tunneling email to another server where a different
ISP can then read the email there! Further, in at least one case in
point, the email is not only cleartext, but sent to a public mailing
list, which is repeated to hundreds of subscribers and several public,
indexed, searchable mail archives.

If securing email is the goal, then the email message should be
encrypted at the start, and decrypted by a trusted recipient at the
end.

If creating the secure tunnel were actually a first step in a
comprehensive security plan to secure the email message end-to-end,
your argument would have some weight. But there is absolutely no
indication that is ever going to happen.

Once an end-to-end encrypted transport is established, then one can
start to consider things like "Can the guy at the other end be trusted
to keep what I say confidential?" or even "Can the guy at the other
end be trusted to use GPG correctly?". But we're nowhere near that.

As an aside: Phrases like "100% secure" are inherently bogus. As
Schneier says, security is process. It is not a scalar quantity.

-- Ben
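
The distinction drawn in the message above, as an added example that is not part of the original post: this sketch walks a message's Received headers to show which hops reported TLS, and separately checks whether the body itself is encrypted, since only the latter keeps relays from reading it. The sample message, host names and helper names are constructed for illustration, and it assumes relays record TLS using the RFC 3848 "with" keywords (headers are self-reported and some servers do not annotate TLS).

```python
import email
import re

# "with" values that indicate TLS on that hop (RFC 3848 registrations).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

# Constructed sample message; hosts, ids and addresses are placeholders.
SAMPLE = """\
Received: from lists.example.org (lists.example.org [192.0.2.30])
\tby mx.subscriber.example with ESMTP id C3; Tue, 24 Jan 2006 11:46:05 -0500
Received: from relay.example.net (relay.example.net [192.0.2.20])
\tby lists.example.org with ESMTP id B2; Tue, 24 Jan 2006 11:46:02 -0500
Received: from home.example.com (home.example.com [192.0.2.10])
\tby relay.example.net with ESMTPSA id A1; Tue, 24 Jan 2006 11:45:59 -0500
From: sender@example.com
To: list@lists.example.org
Subject: constructed test message

Hello, list.
"""

def parse(text):
    return email.message_from_string(text)

def hops(msg):
    """(receiving host, hop used TLS?) in delivery order, oldest first."""
    out = []
    for header in reversed(msg.get_all("Received", [])):
        m = re.search(r"\bby\s+(\S+).*?\bwith\s+(\S+)", header, re.S)
        if m:
            out.append((m.group(1), m.group(2).upper() in TLS_PROTOCOLS))
    return out

def body_encrypted(msg):
    """True for PGP/MIME (RFC 3156) or an inline ASCII-armored PGP body."""
    if msg.get_content_type() == "multipart/encrypted":
        return True
    payload = msg.get_payload()
    return isinstance(payload, str) and "-----BEGIN PGP MESSAGE-----" in payload

def cleartext_hops(msg):
    """Receiving hosts whose inbound hop did not report TLS."""
    return [host for host, tls in hops(msg) if not tls]

def plaintext_readers(msg):
    """Every relay sees the content unless the body itself is encrypted."""
    return [] if body_encrypted(msg) else [host for host, _ in hops(msg)]

if __name__ == "__main__":
    msg = parse(SAMPLE)
    print("cleartext hops:", cleartext_hops(msg))
    print("servers able to read the body:", plaintext_readers(msg))
```

In the sample, the protected first hop still leaves the relay itself on the list of servers able to read the body; only an encrypted body empties that list.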