On Wed, Jul 17, 2013 at 1:03 AM, A.Chukin <[email protected]> wrote:
> Some of my current partners use safe-mail.net for secure messaging. > Does any of you have any information about maintainers and what is you > opinion about security of this mail service ?? Based on 5 minutes looking at the web site, I see no reason to trust it. " Using SSL (Secure Socket Layer), which is a component of all current browsers, for all data transmissions and strong proprietary encryption for server security, it offers the highest possible protection for all email communications and file attachments. The SSL encryption itself is generally thought to be secure, but it relies on X.509 certificates to identify the players so anyone who can subvert the certificate infrastructure can easily conduct a man-in-the -middle attack. If I can give you a bogus cert that says my machine is safe-mail.net, you will send me your not-yet-encrypted data, I save a copy and send it on to safenet. This is a real threat, at least against some enemies. Common browsers currently trust several hundred Certificate Authorities (CAs). Some have been subverted; a Dutch one was hacked & credentials stolen there used by the Iranian government to attack dissidents. Others having admitted selling bogus certs that let corporate IT monitor employees. Several are controlled by governments I'm not inclined to trust: China, Syria, .... Then there is: " and strong proprietary encryption for server security, That sets off alarm bells; basically "strong proprietary encryption" is an oxymoron. There's a link earlier in the thread to a Wikipedia explanation. Here's a different link to much the same thing: http://en.citizendium.org/wiki/Kerckhoffs%27_Principle This claim is worrying in two ways. First, it indicates that their system has not been published and independently analyzed, so it should not be trusted. Second, it shows that they are either ignorant of or ignoring a basic principle that has been well--known in the field for 100-odd years, so they should not be relied on to have designed their system well. Even if their proprietary encryption is secure, the encryption is done on their machines and they hold the keys. How safe is that? Not very if you are trying to protect against government agents who might show up with a warrant, or appeals to patriotism, just threats. Or if you are involved in high-stakes litigation where the opponent might use private detectives and large bribes. If they find a safe-mail system administrator who will co-operate, they read all your correspondence. The correct solution is end-to-end encryption such as PGP; encrypt on the sender's machine and decrypt on the receiver's. Even that is easily breakable if one of the machines involved has been subverted (downloaded a trojan horse or someone broke in and installed a key loggger or ...) and it does not stop someone like the NSA from seeing who you are talking to, but except for that it appears secure. -- Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at [email protected] or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
