* on the Sun, Jun 30, 2013 at 06:18:01PM -0600, AK wrote:

> That's why I'm setting up my own mail server at home. And also plan to
> access it via web interface if using someone else's machine (like at
> home). I would only allow web access via SSL and password, and only
> show the emails of the last week (not more). Trying postfix, dovecot,
> and SquirrelMail. Still in progress :)

If you're going to use somebody else's machine to access your webmail, you probably want to make sure it has a unique password. Even to the extent that your IMAP password for the same account is different. This is because you should also be using two factor authentication for webmail in case the untrusted machine is trojanned/keylogged. Then even if it is keylogged they won't be able to do anything with the password they gained.

The open source webmail application Roundcube http://roundcube.net/ has several plugins to handle two factor authentication using different types of hardware tokens and protocols:

http://trac.roundcube.net/wiki/Plugin_Repository#Authentication

It's worth noting also that Roundcube has a PGP plugin now too based on openpgp.js:

https://github.com/qnrq/rc_openpgpjs

Your PGP key is never uploaded to the server. You paste it into a textarea after logging in, and then it is stored in your browser's "localStorage" (http://diveintohtml5.info/storage.html)

Ordinarily I still wouldn't trust in-browser PGP, as every time you log in, you have to hope that the server didn't send you some new backdoored JS. However, if it's your own webmail installation on your own server, you're using your own browser and all traffic goes over https, you might feel that you can trust it.

Personally, I avoid using untrusted machines to access my email.

-- 
Mike Cardwell https://grepular.com/ http://cardwellit.com/
OpenPGP Key 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk