Re: [PHP] Encrypting email
Bob McConnell wrote: I have been asked by a product manager what our options are for encrypting email messages with sensitive information. We are currently using PHPMailer to send email. What can be done to encrypt those messages? Can it be done without OOP? Yes, that's no problem. Look up openssl smime -encrypt /Per -- Per Jessen, Zürich (19.8°C) -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Encrypting email
At 8:39 AM -0400 4/21/09, Bob McConnell wrote: I have been asked by a product manager what our options are for encrypting email messages with sensitive information. We are currently using PHPMailer to send email. What can be done to encrypt those messages? Can it be done without OOP? Server configuration: RHEL 5 Apache 2.0 PHP 5.2.3 PHPMailer 1.73 Thank you, From within a php script, it's not a problem to encrypt a text string and send it as email. The sending of the email and the encrypting the contents are two different issues. You may want to look at it that way. Cheers, tedd -- --- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Encrypting email
From: tedd At 8:39 AM -0400 4/21/09, Bob McConnell wrote: I have been asked by a product manager what our options are for encrypting email messages with sensitive information. We are currently using PHPMailer to send email. What can be done to encrypt those messages? Can it be done without OOP? From within a php script, it's not a problem to encrypt a text string and send it as email. The sending of the email and the encrypting the contents are two different issues. You may want to look at it that way. But can it be done so the recipient's email client will automatically open and decrypt the message? How do you make it as seamless as possible for them, preferably so they don't even realize the message was encrypted? Bob McConnell -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Encrypting email
At 9:49 AM -0400 4/21/09, Bob McConnell wrote: From: tedd At 8:39 AM -0400 4/21/09, Bob McConnell wrote: I have been asked by a product manager what our options are for encrypting email messages with sensitive information. We are currently using PHPMailer to send email. What can be done to encrypt those messages? Can it be done without OOP? From within a php script, it's not a problem to encrypt a text string and send it as email. The sending of the email and the encrypting the contents are two different issues. You may want to look at it that way. But can it be done so the recipient's email client will automatically open and decrypt the message? How do you make it as seamless as possible for them, preferably so they don't even realize the message was encrypted? Bob McConnell Bob: At some point both parties (sender/receiver) must know (agree) what the encrypting mechanism is. If I was writing a script to do this for a client, I must have control over both the send and receive scripts and then I could deliver the email to the client seamlessly. They would never know what happened in the background. However, if your client wants to send stuff to anyone and have it encrypted without knowing who the receiver is going to be, then there is no way to do this. Both the sender and receiver must agree on the encrypting mechanism either by providing passwords OR by you having access to both the sending and receiving scripts. As I see it, there is no other way. Cheers, tedd -- --- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Encrypting email
On Tue, Apr 21, 2009 at 10:14 AM, tedd tedd.sperl...@gmail.com wrote: At 9:49 AM -0400 4/21/09, Bob McConnell wrote: From: tedd At 8:39 AM -0400 4/21/09, Bob McConnell wrote: I have been asked by a product manager what our options are for encrypting email messages with sensitive information. We are currently using PHPMailer to send email. What can be done to encrypt those messages? Can it be done without OOP? From within a php script, it's not a problem to encrypt a text string and send it as email. The sending of the email and the encrypting the contents are two different issues. You may want to look at it that way. But can it be done so the recipient's email client will automatically open and decrypt the message? How do you make it as seamless as possible for them, preferably so they don't even realize the message was encrypted? Bob McConnell Bob: At some point both parties (sender/receiver) must know (agree) what the encrypting mechanism is. If I was writing a script to do this for a client, I must have control over both the send and receive scripts and then I could deliver the email to the client seamlessly. They would never know what happened in the background. However, if your client wants to send stuff to anyone and have it encrypted without knowing who the receiver is going to be, then there is no way to do this. Both the sender and receiver must agree on the encrypting mechanism either by providing passwords OR by you having access to both the sending and receiving scripts. As I see it, there is no other way. Cheers, tedd -- --- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php A number of our clients are moving towards secure webmail delivery and the mechanism is as Tedd describes. The only other option, if your clients are all on Outlook, is to use something like GPG for outlook to encrypt the transmission ( http://www.gpg4win.org/index.html ). -- Bastien Cat, the other other white meat
RE: [PHP] Encrypting email
From: tedd [mailto:tedd.sperl...@gmail.com] At 9:49 AM -0400 4/21/09, Bob McConnell wrote: From: tedd At 8:39 AM -0400 4/21/09, Bob McConnell wrote: I have been asked by a product manager what our options are for encrypting email messages with sensitive information. We are currently using PHPMailer to send email. What can be done to encrypt those messages? Can it be done without OOP? From within a php script, it's not a problem to encrypt a text string and send it as email. The sending of the email and the encrypting the contents are two different issues. You may want to look at it that way. But can it be done so the recipient's email client will automatically open and decrypt the message? How do you make it as seamless as possible for them, preferably so they don't even realize the message was encrypted? At some point both parties (sender/receiver) must know (agree) what the encrypting mechanism is. If I was writing a script to do this for a client, I must have control over both the send and receive scripts and then I could deliver the email to the client seamlessly. They would never know what happened in the background. However, if your client wants to send stuff to anyone and have it encrypted without knowing who the receiver is going to be, then there is no way to do this. Both the sender and receiver must agree on the encrypting mechanism either by providing passwords OR by you having access to both the sending and receiving scripts. As I see it, there is no other way. These will be targeted emails for selected recipients, primarily in the Security and Public Safety offices. But they will be sent via public mail servers, so the content must be protected. Knowing the first site where this would go for field trials, I suspect most recipients are using some version of Microsoft Outlook. But other sites down the road are likely to have different clients. That end is completely outside of my control or influence. All I can do is recommend packages for them to download and install. I already know I need to get a public key from each recipient before I can encrypt their messages, but that's as far as I have gotten. I did glance at the GPG site earlier, and it appears they only support the version of Outlook in Office 2003. I have a feeling this is going to get messy, at least on the deployment end. Thanks for the pointers, Bob McConnell -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Encrypting email
On Tue, Apr 21, 2009 at 9:43 AM, Bob McConnell r...@cbord.com wrote: From: tedd [mailto:tedd.sperl...@gmail.com] At 9:49 AM -0400 4/21/09, Bob McConnell wrote: From: tedd At 8:39 AM -0400 4/21/09, Bob McConnell wrote: I have been asked by a product manager what our options are for encrypting email messages with sensitive information. We are currently using PHPMailer to send email. What can be done to encrypt those messages? Can it be done without OOP? From within a php script, it's not a problem to encrypt a text string and send it as email. The sending of the email and the encrypting the contents are two different issues. You may want to look at it that way. But can it be done so the recipient's email client will automatically open and decrypt the message? How do you make it as seamless as possible for them, preferably so they don't even realize the message was encrypted? At some point both parties (sender/receiver) must know (agree) what the encrypting mechanism is. If I was writing a script to do this for a client, I must have control over both the send and receive scripts and then I could deliver the email to the client seamlessly. They would never know what happened in the background. However, if your client wants to send stuff to anyone and have it encrypted without knowing who the receiver is going to be, then there is no way to do this. Both the sender and receiver must agree on the encrypting mechanism either by providing passwords OR by you having access to both the sending and receiving scripts. As I see it, there is no other way. These will be targeted emails for selected recipients, primarily in the Security and Public Safety offices. But they will be sent via public mail servers, so the content must be protected. Knowing the first site where this would go for field trials, I suspect most recipients are using some version of Microsoft Outlook. But other sites down the road are likely to have different clients. That end is completely outside of my control or influence. All I can do is recommend packages for them to download and install. I already know I need to get a public key from each recipient before I can encrypt their messages, but that's as far as I have gotten. I did glance at the GPG site earlier, and it appears they only support the version of Outlook in Office 2003. I have a feeling this is going to get messy, at least on the deployment end. This may alleviate some of the mess: http://blog.cumps.be/gpg-in-outlook-2007-outlookgnupg/ -- // Todd -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Encrypting email
Bob McConnell wrote: From: tedd At 8:39 AM -0400 4/21/09, Bob McConnell wrote: I have been asked by a product manager what our options are for encrypting email messages with sensitive information. We are currently using PHPMailer to send email. What can be done to encrypt those messages? Can it be done without OOP? From within a php script, it's not a problem to encrypt a text string and send it as email. The sending of the email and the encrypting the contents are two different issues. You may want to look at it that way. But can it be done so the recipient's email client will automatically open and decrypt the message? How do you make it as seamless as possible for them, preferably so they don't even realize the message was encrypted? See S/MIME. /Per -- Per Jessen, Zürich (20.2°C) -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Encrypting email
tedd wrote: However, if your client wants to send stuff to anyone and have it encrypted without knowing who the receiver is going to be, then there is no way to do this. As long as the intended receiver has the appropriate key to decrypt the email, the client does not need to know the intended receiver as such. Both the sender and receiver must agree on the encrypting mechanism S/MIME. /Per -- Per Jessen, Zürich (20.5°C) -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Encrypting email
Bob McConnell wrote: These will be targeted emails for selected recipients, primarily in the Security and Public Safety offices. But they will be sent via public mail servers, so the content must be protected. The question is - to what extent? You can use TLS for server-to-server encryption, which is easy, but if you need person-to-person encryption, I think your best option is still S/MIME. Knowing the first site where this would go for field trials, I suspect most recipients are using some version of Microsoft Outlook. But other sites down the road are likely to have different clients. That end is completely outside of my control or influence. Use S/MIME. It's standard, and it's supported by e.g. both outlook and thunderbird. -- Per Jessen, Zürich (18.1°C) -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
