On Monday, May 10 at 04:06 PM, quoth chombee:

> I'm wondering about the privacy implications of using mutt. Say I'm
> using it on my laptop (or any untrusted host, maybe a computer owned
> and administrated by someone else) and if my laptop gets stolen I
> don't want my email to be compromised in any way. I don't want a
> copy of my email to be stored on my laptop, or accessible from it
> without typing my password. So I use mutt, and I connect to my email
> account over IMAP with SSL. I don't put my IMAP password in my
> muttrc file, instead I type it every time I connect.
I used to do that, until I discovered the power of gpg to decode things on the fly. Now I have an encrypted mutt config file that is sourced by the main mutt config file, like this:

    source "gpg -d .muttrc.secure.gpg|"

It'll ask for my gpg password, decode it, etc. I can even then use gpg-agent to store my passphrase and allow me to quit and restart mutt multiple times without retyping the passphrase.

> The header and message cache options seem like an obvious
> information leak. Which is a shame, because they really speed
> things up! I suppose a possibility is to encrypt a directory
> containing the mutt config and cache files etc., and each time you
> check your email decrypt that directory then launch mutt.

Depending on what you're after, you certainly don't *have* to encrypt it. You *could*, for example, simply use a wrapper script around mutt to automatically delete the header and message cache. It wouldn't make first visits to messages and mailboxes fast, but would allow you to take *some* advantage of the caches. But a wrapper script---or even something called from within your muttrc---is a powerful way of making such an encrypted directory simple and convenient.

If you're feeling *really* paranoid, however, you may wish to reconsider using a laptop at all. If it's stolen, a smart thief can recover your passwords by taking out your hard drive and scanning the swap partition and/or swap files for anything that had been stored in memory (like a password) but that had been swapped to disk for whatever reason. Worse than that, an even smarter thief can get those passwords even if you can prevent them from being swapped to disk, by quickly cooling and then removing your RAM from your laptop.
It's a very scary, surprisingly easy technique:

    http://maltainfosec.org/archives/92-Recovering-passwords-from-RAM.html

Because your RAM is vulnerable, ANYTHING on your laptop is vulnerable, even if it's encrypted in memory (because you'd have to have a way to decrypt it ALSO stored in memory).

So... it all boils down to how paranoid you're feeling. At that level of paranoia, webmail might be the best option---even there, you have some potential issues with password saving or, at the very least, session-ID saving. Much more paranoia than that, though, and you probably shouldn't use a laptop at all.

~Kyle

-- 
Once again the conservative sandwich-heavy portfolio pays off for the hungry investor!
                                        -- Zoidberg
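The wrapper script Kyle describes, written out as an added example that is not part of the original message: it runs mutt and removes the header and message caches when mutt exits, however it exits. The cache locations (set them to match `header_cache` and `message_cachedir` in your muttrc), the environment variable names and the script name `mutt-wipe` are assumptions.

```shell
#!/bin/sh
# Wrapper around mutt that wipes the header and message caches on exit.
# Assumed cache paths; override them to match your muttrc settings.
MUTT_HDRCACHE="${MUTT_HDRCACHE:-$HOME/.cache/mutt/headers}"
MUTT_MSGCACHE="${MUTT_MSGCACHE:-$HOME/.cache/mutt/messages}"

# Delete both cache trees. Returns 0 only when neither path exists afterwards.
wipe_mutt_caches() {
    for d in "$MUTT_HDRCACHE" "$MUTT_MSGCACHE"; do
        [ -e "$d" ] || continue
        # Overwrite file contents before unlinking when GNU shred is available;
        # fall back to a plain unlink otherwise.
        if command -v shred >/dev/null 2>&1; then
            find "$d" -type f -exec shred -u -- {} +
        fi
        rm -rf -- "$d"
    done
    [ ! -e "$MUTT_HDRCACHE" ] && [ ! -e "$MUTT_MSGCACHE" ]
}

# Run mutt with the wipe armed for normal exit, Ctrl-C, kill and hangup,
# so a closed terminal or a killed session still leaves no cache behind.
run_mutt_wiped() {
    trap 'wipe_mutt_caches' EXIT INT TERM HUP
    mutt "$@"
}

# Launch mutt only when invoked under the installed name (assumed: mutt-wipe),
# so the functions can also be sourced without starting mutt.
case "$0" in
    */mutt-wipe|mutt-wipe) run_mutt_wiped "$@" ;;
esac
```

Install it as `mutt-wipe` somewhere on your PATH and start mutt through it; the first visit to each mailbox is uncached, as Kyle notes, but everything within one session still benefits from the caches.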