Catch up on stories from the past week (and beyond) at the Slashdot story archive

 


Forgot your password?
Close
typodupeerror
×
Encryption Security

Secure Webmail Providers? 56

Posted by Cliff from the a-little-paranoia-is-a-healthy-thing dept.
Rainier Wolfecastle asks: "I am looking for information on any webmail providers that support PGP/GnuPG encryption. Up until now I have been using Lok Technology's excellent service, but it appears that they have gone out of business, since their site has been unreachable for over two weeks now. I am aware of Hushmail, but that doesn't work well under Linux. I am considering using Name.Space's LokMail service (based on Lok Technology's..er...technology) but I was wondering if anyone out there has any other suggestions. Free email is coming to an end, and if I'm going to pay for it (which I don't mind at all) then I want a decent product."
This discussion has been archived. No new comments can be posted.

Secure Webmail Providers? More

Secure Webmail Providers?

Comments Filter:
  • when the server-to-server communication is plaintext?

    • Re:What's the point... (Score:5, Informative)

      by crow ( 16139 ) on Monday December 02, 2002 @02:28PM (#4795053) Homepage Journal
      The server-to-server communication is not in plaintext if you use PGP or GPG. Of course, the headers are, so an observer can see who you're talking to, just not what they're saying.
    • Hey... how can the parent comment be "overrated" if it hasn't been moderated by anybody else? Comments should not be allowed to be moderated as "overrated" or "underrated" unless they've been rated something else first.

      Unless I have been overrated personally?
      • some of us have an option of adding 1 to our posts - doing this might count for being allowed to have an overrated moderation.
        I posted this at score 3 for an example.

      • Re:What's the point... (Score:4, Insightful)

        by Twirlip of the Mists ( 615030 ) <twirlipofthemists@yahoo.com> on Monday December 02, 2002 @04:08PM (#4795876)
        Hey... how can the parent comment be "overrated" if it hasn't been moderated by anybody else?

        Because while you can moderate up for being informative or insightful, you can't (at present) moderate down for being dumb or wrong. As long as the down-mod options are limited to troll, off-topic, flamebait, and overrated, expect to see comments that are just plain stupid moderated "overrated."

        Seems to me that if there's a "+1, Informative," there ought to be a "-1, Misinformative."
        • But inexplicably, "overrated" and "underrated" are apparently immune to metamoderation (according to a friend who *hasn't* had their moderation and metamoderation privs stripped from them by Taco's bloodthirsty cabal).

          I strongly agree with "Misinformative", though I think I'd change it to "Incorrect", since "Misinformative" implies an attempt to deliberately spread misinformation (like the insidious Professor Collins [slashdot.org], for instance). "Misinformative" has a time and a place, but perhaps not serving the place of a term that simply means "wrong".
          • immune to metamoderation

            I wouldn't know. I haven't been asked to metamoderate since I started using this new account. I posted under a previous account for a few years, but grew sick of the user name and haven't been invited to participate in either form of moderation since. I have no idea if I'm deliberately being excluded, or if I'm just still in that "new user" phase. Don't know if there's any way to find out, either.

            I strongly agree with "Misinformative", though I think I'd change it to "Incorrect", since "Misinformative" implies an attempt to deliberately spread misinformation

            Yeah, you've got a point, but I'm not sure "incorrect" covers it either. I'd like a moderation that I could assign (in theory, if I ever were to get mod points again) to posts that are (1) wrong or (b) moot. Because sometimes a post can be technically correct, but wrong anyway because it doesn't apply to the situation at hand. The post that spawned this thread qualifies thus: it's true (transport-layer encryption [such as SSL] is less useful if other segments of the message path are unencrypted), but it doesn't apply to this discussion (we're not talking about transport-layer encryption, but rather message-layer encryption).

            I don't know what the right answer is, but I do know that Troll, Offtopic, Redundant, and Flamebait don't apply.
      • It's a bug in the Slashdot code. CmdrTaco has said so in a Journal entry, but I can't find it.
  • ...but there is no lack [google.com] of providers.

    I would be interested in this, also, thank you for asking.

  • Hushmail? (Score:4, Informative)

    by penguin_punk ( 66721 ) on Monday December 02, 2002 @02:18PM (#4794966) Journal
    Hushmail was the first and obvious choice when I read the headline, but you mentioned that it doesn't work well under linux??? What's up with that? I believe it uses java. (to lazy to check) Do you not know how to install the java plugin under mozilla/netscape/konqueror?

    • Re:Hushmail? (Score:1, Informative)

      by Anonymous Coward
      A couple of points:

      1) Please mod the parent down. It is the opposite of informative.

      2) Hushmail is only supported on IE under Windows. Yes, the client is a Java applet, but it's "MS-Java". The applet doesn't work under Linux or Mac OS X. I haven't tried it under Mac OS 8.x or 9.x, but I'm not exactly optimistic.

  • Hushmail in linux (Score:5, Informative)

    by rocketfairy ( 16253 ) <nmt2002@columbia.eYEATSdu minus poet> on Monday December 02, 2002 @02:37PM (#4795143) Homepage
    Hushmail works fine for me in linux; it runs on java, so you need a browser (Mozilla works swimmingly) and a working virtual machine. Grab the latest one from Sun, make sure there's a link to it in the mox plugins dir. If it keeps breaking, try making the account on a windoze machine, and then accessing it in linux -- that worked for me the 1st time when my jvm was crashy.

    Oh, and remember -- hush security is only as good as your passphrase. Diceware!

  • Problems with Encrypted Webmail (Score:5, Interesting)

    by pete-classic ( 75983 ) <hutnick@gmail.com> on Monday December 02, 2002 @03:16PM (#4795478) Homepage Journal
    Encrypted webmail is a tricky issue. In the final analysis you basically have to use a passphrase that is so good that you don't mind having your (encrypted) private key publicly available.

    Consider that the webserver admin(s) will have access to the encrypted private key. Also consider that the webserver (process) has read access to the key. The upshot is that if anyone gets root access to the box, gets a shell under the webserver's UID, or convinces the webserver to serve up a file that it is supposed to have read access to, the only thing between your private key and an attacker is your passphrase.

    I find all this unsettling to the point of believing that it can't be safely done.

    If anyone knows any better, please fill me in.

    -Peter

    • You're correct, but I don't think that it necessarily has to be that much of a problem, if it is made clear that the passphrase for your key is far more important than most others. You would have to ask people to remember a long, randomly choosen passphrase. Do not give them a choice. If you get 128 bits of random data, turn it into radix 64, thats a 22 letter passphrase (upper & lowercase, plus 2 other characters). Now, perhaps not everybody could memorize that, but even if it were written down & kept secure, it would keep most people's key reasonably secure.

      Another solution could be to have 128 bit (22 character) key that is again encrypted by a memorized passpharse. The user could write down the key, but even if this were compromised, it would still be at least secure for long enough to generate anohter key (not public/private key) & passphrase.

      • Are you serious?

        I can barely remember my phone number. It is only 10 digits, and the first three are a gimme. I'm supposed to remember "iDclyWnIxwaJcSOWNLcj" or some junk?

        And this has no real impact on the trust issue. What prevents the webserver admin from having the webmail software log all incoming passphrases?

        I harp on this becasue if I can trust my mail admin (and you trust yours) half the battle is already won.

        -Peter

        • Yes, I'm serious. Have a java applet which does enccryption on the client computer. This is what hushmail does.



          If you read my post, you'd realize that I suggested that a person could write down their key. I myself don't consider this much of a problem if you keep it secure on your person. Or if the key one writes down is encrypted with a passphrase which could be memorized.

    • Re:Problems with Encrypted Webmail (Score:4, Insightful)

      by photon317 ( 208409 ) on Monday December 02, 2002 @04:51PM (#4796253)

      It's worse than that. If they root the webmail server (or a little more difficult if they just get the webserver UID), they can read the SSL traffic, including your passphrase. In short the only way to have securely encrypted email is to store the private key on your own private local machine - a webmail service simply cannot gaurantee you jack.
      • Not if the passphrase is only given to the java applet. Of course that's only useful if the java signing key is on a separate computer, and you've code reviewed the source code of the applet yourself before signing it.
  • Going slightly off-topic here:

    Has anyone found any web mail service that handles texts in various character encodings - notably Unicode - correctly (or at all)?

    I'm really amazed how badly Hotmail et.al. handle i18n. Any message is treated as if it's in "iso-8859-1" (Latin 1, Western), and all information about the actual character encoding is just stripped off.

    Correctly would of course also mean "without using HTML in e-mail messages".

    • Re:Web mail with i18n support - any? (Score:5, Informative)

      by pete-classic ( 75983 ) <hutnick@gmail.com> on Monday December 02, 2002 @04:55PM (#4796273) Homepage Journal
      SquirrelMail [squirrelmail.org] has handled this [squirrelmail.org] for years.

      It is totally paranoid about HTML email.

      Even comes with a bunch of translations.

      So, either set up your own mailserver (like a real man!) or find a provider that uses SquirrelMail. I use Fairplay Communications [fpcc.net] here in Colorado. They rock, and provide SquirrelMail. (And the only affiliation I have with them is that I am a paying customer.)

      SquirrelMail is where it's at. (But I am a little biased ;-)

      -Peter
      • SquirrelMail [squirrelmail.org] has handled this [squirrelmail.org] for years.

        Thanks for the tip! I'll check it out.

        I did however get a little suspicious when I found the following page:

        http://www.squirrelmail.org/wiki/en_US/SquirrelMai lRequirements [squirrelmail.org]

        The character encoding is a total mess on that page. Maybe it's the Wiki's fault. I've seen that kind of mess on Wiki pages before.

        • Hrm. The encoding in SM works. I don't know what "brand" the wiki is, but I'll report that page on the list . . .

          Have no fear about SM itself, though. I believe that well over half of the SM installations out there are non-english. XS4All.nl was the "biggest" user for a long time, probably still is.

          -Peter
          • Have no fear about SM itself, though. I believe that well over half of the SM installations out there are non-english. XS4All.nl was the "biggest" user for a long time, probably still is.

            OK. I have no fear...

            But I did find an entry in the wish list, that UTF-8 support should be added in the future:

            http://www.squirrelmail.org/wiki/en_US/WishList [squirrelmail.org]

            So, is there Unicode support, or not, in SM?

            • Bear in mind that it is a wiki . . .

              I don't know all the subtleties of using non-US character sets . . . but there has been a "i18n guy" making SM work with all sorts of languages for a long time.

              The only thing that was outstanding when I last checked (which was a while ago) was multi-byte character sets. I don't know what the status is on those.

              So, does it work with UTF-8? I'm not completely sure, because I'm not completely sure I'd recognize UTF-8 if I saw him on the street. But it does work with all sorts of extended western character sets, Cyrillic, and several single-byte Asian sets, whatever that means.

              Subscribe to the mailing list, or even go out on a limb and install it!

              -Peter

  • No, that would be stupid... (Score:4, Informative)

    by anthony_dipierro ( 543308 ) on Monday December 02, 2002 @04:48PM (#4796235) Journal

    Webmail is for roaming. If you're roaming, then you don't trust the client. PGP is useless if you don't trust the client.

    And don't say signed java applets 'cause (1) if you trust the provider's signature then just use https (I'll give you an account at inbox.org) and (2) if you don't trust the computer then you can't store your private key.

  • The reason I stated that I don't want to use Hushmail is precisely because of the need for Java. The reason I want webmail is so that I can access it from anywhere, and I don't want to have to rely on the presence of Java on the machine I happen to be using.

    On a side not, I got an email from the CTO of Lok Technology today, and it appears that they will be back up by the end of the week.

    • The reason I stated that I don't want to use Hushmail is precisely because of the need for Java. The reason I want webmail is so that I can access it from anywhere, and I don't want to have to rely on the presence of Java on the machine I happen to be using.

      If you don't use java then you have to provide your webmail provider with your private key. That's not a smart idea.

      • At Lok, which I was using, the private key is generated and stored on the server at sign-up, using hints that make sure that you provide a decent passphrase. Neither the email account password nor the GPG passphrase are stored by the company. They specifically tell you not to be a dumbass and forget it, because they can't get you back in if you do.

        Also, there is a login history available (logs time and IP address) that you can use to make sure that no one else has accessed your account.

        • But if the company does not use java, then you are sending the PGP passphrase to them to use each time you read your encrypted mail. So there is the possibility of it being compromised. I know it is somewhat paranoid, & if you trust the company, fine. But if you don't, or if you fear they may be compromised, it's not very helful.

  • IMP (Score:2)

    by Etyenne ( 4915 )
    It's a software, not a service but just in case you would be interested in running your own server, I would mention that IMP [horde.org] have PGP/GPG support (at least, the CVS HEAD does).
  • Granted all of the problems stated with PGP over webmail, I'll pitch Novell's webmail service myrealbox.com [myrealbox.com]... they're running a free implementation of their latest directory service to test and debug in a production like environment... no banner ads... web access over SSL... IMAP, POP, and SMTP access over SSL... so I use Evolution as my local client on my desktop... and when I'm away from my desktop, I read (and only in an emergency respond) to my email using the web interface...

    Only downside is occasional downage for software and hardware upgrades...

    -jag
  • I have an SSH server set up on my DSL-connected Linux machine and pay for FastMail.fm [fastmail.fm] e-mail that offers IMAP. When I want to manage my e-mail, I log on to my server from wherever I am using PuTTY [greenend.org.uk] (I changed the SSH port to something that most firewalls allow), and run Mutt [mutt.org].

    I have it set up to use GPG [gnupg.org] for automatic signing -- all I do is type up an e-mail, press the send key, enter my GPG passphrase at the prompt (which is 35 alphanumeric chars,), and press Enter. My e-mail gets signed and mailed. When I receive a PGP-encrypted/signed mail, Mutt automatically decrypts it for me, again using my passphrase.

    It's very convenient (setting it up is the hardest part, and that's also easy with online documentation) and very self-reliant: no special provider to go out of business, no browser to block Java, and always encryped.
  • While they don't support PGP, I have used Cryptoheaven [cryptoheaven.com] casually for over a year and have been fairly impressed. They have a Java client for Windows, Mac, and Linux that runs on your own computer, meaning that the Cryptoheaven servers don't ever see your private key (although they offer to store your key as a convenience option if you choose). It started out as a closed system, meaning only Cryptoheaven members could contact other members, but now they have some kind of internet email gateway for plaintext messages. Anyway, they offer secure email, chat, and storage, with free and 'premium' options. The only questionable aspect is their use of the Rijndael algorithm:

    "All services fully encrypted using the latest technology including an AES symmetric cipher Rijndael with 256 bit encryption keys, SHA-256 message digest function, and asymmetric encryption with keys of 2048-4096 bits in length."
  • It may be your setup... I've had no problems at all using hushmail under Linux. My setup:
    • Mozilla 1.0.1
    • Sun JDK 1.4.1_01
    • Red Hat 8.0
    It also worked with the same Mozilla and JRE under Red Hat 7.2. It did not work under Mac OS X, but I didn't have time to see what the problem was.

Slashdot Top Deals

Beware of Programmers who carry screwdrivers. -- Leonard Brandwein

Close