I was briefly considering trying to add support for gpg in some form
to sqwebmail but came to one sticky point: security.
I forsee several problems, under various implementations, to adding
gpg support to sqwebmail, and can find no reasonable solution to any
of them. I will try to summarize them below.
0) server side secret key security:
To upload a secret key to a potentially untrusted server
negates the use of the secret-key basically. If all the mail on the
mail server were encrypted for a particular secret key, and both were
basically right beside each other then the encryption is useless. If
the secret-key were password protected, a cracked server could simply
attempt a brute-force attack on the key as it has a long time to be
able to find the secret word for the secret key. Also, the cracked
server could use a modified binary that would store the secret key
after the user enters it when encrypting or decrypting mail.
1) client side secret key security:
If the secret key is stored on the client machine, and the
encryption/decryption occurs on the server, nothing is really
gained. Again, an untrusted or compromised server could easily be
modified to store this data and the secret key again is useless for
encryption. The next obvious step would be to use some sort of client
side processing to do the encryption, say a java applet. This seems to
be a rather complicated method of proforming the desired task. Also,
unless the applets were digitally signed themselves, the cracked
machine could send modified java applets.
2) authentication:
One could forgo dencryption all together and only allow for
signature verification and encrypting outgoing email, but the server
could be made to respond with correct signature verifications when in
reality they are failing, and could modify the contents of outgoing
messages before they digitally signed/encrypted.
There are a few other solutions I came up with quickly, but all seemed
to fail at the trusted-server portion of the equation. This makes me
think that we could ignore the trust level of the server, and let it
be up to the user whether they use a gpg on an untrusted host. One
solution to minimizing the effect could be suggested to users: use a
seperate key for usage with sqwebmail, and keep another one truly
secret for truly secret information.
What are other's thoughts on the issue of gpg support? Are the
obstacles in the way preventing any reasonably safe method of
implementation, and is the inclusion of gpg support only going to give
users a false sense of security?
--
Scott Moynes]----------------------[[EMAIL PROTECTED]
Go not unto the Usenet for advice, for you will be told both yea and nay (and
quite a few things that just have nothing at all to do with the question).
-- seen in a .sig somewhere
------------[http://woodblock.dhs.org/pubkey.asc for public key
Current RC5-64 rate: 1,724.32 KKeys/s
PGP signature
