Comments on: Are Secure Email Services Really Secure? http://work-at-home.business-opportunities.biz/2008/01/19/are-secure-email-services-really-secure/ News, and links for WAH entrepreneurs Thu, 26 Nov 2009 19:31:07 -0800 http://wordpress.org/?v=abc hourly 1 By: Rick http://work-at-home.business-opportunities.biz/2008/01/19/are-secure-email-services-really-secure/comment-page-1/#comment-247155 Rick Fri, 22 Feb 2008 00:32:07 +0000 http://work-at-home.business-opportunities.biz/2008/01/19/are-secure-email-services-really-secure/#comment-247155 Tim is correct, a secure website will use SSL3 but a secure email server will usually use TLS. So SSL is relevant to webmail but not to POP/IMAP. Either should put MitM attacks out of reach of any but the TLAs. However, most email services do not use these. Much more information, including comparisons of various secure email providers can be found at www.novo-ordo.com. Tim is correct, a secure website will use SSL3 but a secure email server will usually use TLS. So SSL is relevant to webmail but not to POP/IMAP. Either should put MitM attacks out of reach of any but the TLAs. However, most email services do not use these.

Much more information, including comparisons of various secure email providers can be found at http://www.novo-ordo.com.

]]> By: Tim McCormack http://work-at-home.business-opportunities.biz/2008/01/19/are-secure-email-services-really-secure/comment-page-1/#comment-220487 Tim McCormack Wed, 30 Jan 2008 06:21:48 +0000 http://work-at-home.business-opportunities.biz/2008/01/19/are-secure-email-services-really-secure/#comment-220487 Email is not transmitted over https. That's only for websites. Of course, if you use a website like KeptPrivate.com and it sends and receives the email for you, then https is indeed relevant. SSL/TLS is not subject to MitM attacks. (SSL v2 was, but that's disabled by default in modern browsers.) A company could only stage a MitM attack by replacing the browser's root authority files. Indeed, after reading a little on how WebWasher works, I found this: "Webwasher re-encrypts the traffic using either the customer company’s certificate or a self-signed certificate with the common name of the web server." So use Portable Firefox and you don't have to worry about SSL scanning. Of course, if you're worried what other kinds of snoopware your company might have installed on your computer, such as keyloggers, you probably shouldn't do *anything* confidential on that machine. Email is not transmitted over https. That’s only for websites. Of course, if you use a website like KeptPrivate.com and it sends and receives the email for you, then https is indeed relevant.

SSL/TLS is not subject to MitM attacks. (SSL v2 was, but that’s disabled by default in modern browsers.) A company could only stage a MitM attack by replacing the browser’s root authority files.

Indeed, after reading a little on how WebWasher works, I found this:

“Webwasher re-encrypts the traffic using either the customer company’s certificate or a self-signed certificate with the common name of the web server.”

So use Portable Firefox and you don’t have to worry about SSL scanning. Of course, if you’re worried what other kinds of snoopware your company might have installed on your computer, such as keyloggers, you probably shouldn’t do *anything* confidential on that machine.

]]>