Discussion:
Yahoo email still hosed for all eternity thanks to HeartBleed
(too old to reply)
Thad Floryan
2014-04-09 05:42:24 UTC
Permalink
Raw Message
We all know Yahoo is a company that prides itself on hiring H1-B Visa
clowns who are totally incompetent. Wihness the destruction of Yahoo
Groups' message archives and the dumbed-down and nearly unusable NEO
interface that infected Yahoo Groups mid-August 2013. And, of course,
Yahoo Email is one of the longest-running jokes on Earth far surpassing
AOL's clown circus. You'd be well-advised to abandon Yahoo and Yahoo
Mail immediately.

Another article from ARS Technica entitled:

Critical crypto bug exposes Yahoo Mail, other passwords Russian roulette-style

is here:

http://arstechnica.com/security/2014/04/critical-crypto-bug-exposes-yahoo-mail-passwords-russian-roulette-style/

Lest readers think "catastrophic" is too exaggerated a description for
the critical defect affecting an estimated two-thirds of the Internet's
Web servers, consider this: at the moment this article was being
prepared, the so-called Heartbleed bug was exposing end-user passwords,
the contents of confidential e-mails, and other sensitive data belonging
to Yahoo Mail and almost certainly countless other services.

The two-year-old bug is the result of a mundane coding error in OpenSSL,
the world's most popular code library for implementing HTTPS encryption
in websites, e-mail servers, and applications. The result of a missing
bounds check in the source code, Heartbleed allows attackers to recover
large chunks of private computer memory that handle OpenSSL
processes. The leak is the digital equivalent of a grab bag that hackers
can blindly reach into over and over simply by sending a series of
commands to vulnerable servers. The returned contents could include
something as banal as a time stamp, or it could return far more valuable
assets such as authentication credentials or even the private key at the
heart of a website's entire cryptographic certificate.

Underscoring the urgency of the problem, a conservatively estimated
two-thirds of the Internet's Web servers use OpenSSL to
cryptographically prove their legitimacy and to protect passwords and
other sensitive data from eavesdropping. Many more e-mail servers and
end-user computers rely on OpenSSL to encrypt passwords, e-mail, instant
messages, and other sensitive data. OpenSSL developers have released
version 1.0.1g that readers should install immediately on any vulnerable
machines they maintain. But given the stakes and the time it takes to
update millions of servers, the risks remain high. Enter Yahoo Mail

For an idea of the type of information that remains available to anyone
who knows how to use open source tools like this one, just consider
Yahoo Mail, the world's most widely used Web mail service. The images
below were recovered by Mark Loman, a malware and security researcher
with no privileged access to Yahoo Mail servers. The plaintext passwords
appearing in them have been obscured to protect the Yahoo Mail users
they belong to, a courtesy not everyone exploiting this vulnerability is
likely to offer. To retrieve them, Loman sent a series of requests to
servers running Yahoo Mail at precisely the same time as the credentials
just happened to be stored—Russian roulette-style—in Yahoo memory.

Hackers can repeat the process over and over on unpatched servers and
then use freely available software to scan the results for all kinds of
sensitive data. In theory, attackers may also be able to query client
machines running OpenSSL-powered software to retrieve large chunks of
sensitive memory, too. (Private) keys to the kingdom

The huge number of servers running software vulnerable to Heartbleed
exploits isn't the only thing that makes patching difficult. That's
because one of the crucially sensitive pieces of information potentially
exposed by the vulnerability is the private key that corresponds to a
website's digital certificate. Attackers who get access to the private
key can use it to impersonate a site even after the OpenSSL patch is
applied. What's more, for sites that don't use a cryptographic property
known as perfect forward secrecy, attackers might be able to use the key
to decrypt data already sent. And of course, any sensitive data
transmitted between the time the flaw was discovered and when it was
patched remains potentially compromised.

All of this means that applying the OpenSSL patch is only the starting
point on the multi-step path of Heartbleed recovery. Website operators
should strongly consider replacing their X.509 certificates after
applying the update and getting all users and administrators to change
passwords as well. While it's possible that none of this data has been
compromised, there's no way to rule it out, either.

It's probably premature for users to replace passwords across the board,
but for sites they know have received the OpenSSL patch, it may be a
good idea to change login credentials. People who are truly security
conscious may want to change passwords a second time if they notice a
patched site later updates its digital certificate.

In the meantime, readers should steer clear of Yahoo Mail and any other
sites that are still running vulnerable versions of OpenSSL. The login
credential you save may be your own.
Eric Weaver
2014-04-09 13:58:52 UTC
Permalink
Raw Message
C'mon, Heartbleed applies not only to the 'hoo but almost certainly to
Gmail and "Outlook".

I thought you were gonna post something NEW, like the DMARC DNS record
thing.
Keith Keller
2014-04-09 14:56:47 UTC
Permalink
Raw Message
Post by Eric Weaver
C'mon, Heartbleed applies not only to the 'hoo but almost certainly to
Gmail and "Outlook".
It may or may not have applied to Google and/or Gmail; if they were
vulnerable well after the announcement nobody publicized it. Yahoo was
(though it now seems to pass). Of course it's completely unhelpful to
talk about "Outlook" in this context, since it's just a piece of
software (which probably isn't even linked to the OpenSSL library).

Either a site patched in a timely fashion or they didn't; Yahoo didn't.

--keith
--
kkeller-***@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information
Eric Weaver
2014-04-09 16:15:07 UTC
Permalink
Raw Message
Post by Keith Keller
Post by Eric Weaver
C'mon, Heartbleed applies not only to the 'hoo but almost certainly to
Gmail and "Outlook".
It may or may not have applied to Google and/or Gmail; if they were
vulnerable well after the announcement nobody publicized it. Yahoo was
(though it now seems to pass). Of course it's completely unhelpful to
talk about "Outlook" in this context, since it's just a piece of
software (which probably isn't even linked to the OpenSSL library).
Actually "Outlook" is the current branding of "Hotmail" and in that
sense was I using the term.
Post by Keith Keller
Either a site patched in a timely fashion or they didn't; Yahoo didn't.
Interesting... got dates?
Steve Pope
2014-04-09 16:50:53 UTC
Permalink
Raw Message
Post by Eric Weaver
Post by Keith Keller
Either a site patched in a timely fashion or they didn't; Yahoo didn't.
Interesting... got dates?
Media reports are that Yahoo applied the patch by 4 pm EDT,
April 8.

Whether this is completely true is difficult to determine.


Steve
Jeff Liebermann
2014-04-09 17:02:05 UTC
Permalink
Raw Message
Post by Eric Weaver
Actually "Outlook" is the current branding of "Hotmail" and in that
sense was I using the term.
MS seems to be using an IDS (intrustion detection system) to block
anything that looks like a Heart Bleed attack.
<http://filippo.io/Heartbleed/#mx1.hotmail.com>
Post by Eric Weaver
Post by Keith Keller
Either a site patched in a timely fashion or they didn't; Yahoo didn't.
Interesting... got dates?
Yahoo web site was apparently patched last night, at least their web
servers:
<http://filippo.io/Heartbleed/#www.yahoo.com>

The port 443 webmail login page at mail.yahoo.com was being blocked
for most of the morning, but apparently just appeared as patched
(10am).
<http://filippo.io/Heartbleed/#mail.yahoo.com>
I haven't tried the backend servers yet.

This example of how one company patched 60,000 servers might help
explain why Yahoo was rather slow:
<https://www.getpantheon.com/heartbleed-fix>
--
Jeff Liebermann ***@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
Jeff Liebermann
2014-04-09 17:11:08 UTC
Permalink
Raw Message
Post by Jeff Liebermann
This example of how one company patched 60,000 servers might help
<https://www.getpantheon.com/heartbleed-fix>
That should be 60,000 sites, not servers. Some are probably virtual
servers.

Incidentally, 60,000 sites in 12 hrs is 1.4 sites per second which is
about what I might expect from a single shell script running from an
admin machine.

This is 5 years old, but still interesting:
<http://www.datacenterknowledge.com/archives/2009/05/14/whos-got-the-most-web-servers/>
(Yahoo has) ...likely has more than 100,000 servers in
operation to support its large free hosting operation
as well as its paid hosting service and Yahoo Stores.
So, using a similar method, that would be well over 20 hrs to patch
all the Yahoo servers, sites, or whatever.
--
Jeff Liebermann ***@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
David Kaye
2014-04-09 19:07:27 UTC
Permalink
Raw Message
Post by Keith Keller
It may or may not have applied to Google and/or Gmail; if they were
vulnerable well after the announcement nobody publicized it.
Remember that Google is another Apple: a cult. There's a fascinating
article making the rounds about a potential billion dollar lawsuit because
Google, Apple, and some others conspired to NOT offer jobs to people who
work at each other's companies. Not only is it against the law, there are
emails from Eric Schmidt, the then Google CEO, stating that he was worried
about this conspiracy being against the law.

Here's one link:
http://appleinsider.com/articles/14/04/08/apple-google-others-could-pay-blindingly-high-9b-in-anti-poaching-class-action-suit

So, my point is that there are many people at Google, as well as those who
work around them or do business with them, who are not going to spill the
beans on any vulnerabilities. Yahoo then becomes punching bag instead,
because "nobody cool" works at Yahoo.

Yes, despite its faults I'm still a Yahoo booster.
Keith Keller
2014-04-09 19:43:11 UTC
Permalink
Raw Message
Post by David Kaye
So, my point is that there are many people at Google, as well as those who
work around them or do business with them, who are not going to spill the
beans on any vulnerabilities.
Nobody inside has to spill the beans. People can test for this
vulnerability for themselves. That is how people knew Yahoo was still
vulnerable. If I forgot to post a link to the tester, Jeff posted a
link to one today.

--keith
--
kkeller-***@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information
David Kaye
2014-04-09 21:38:20 UTC
Permalink
Raw Message
Post by Keith Keller
Nobody inside has to spill the beans. People can test for this
vulnerability for themselves. That is how people knew Yahoo was still
vulnerable. If I forgot to post a link to the tester, Jeff posted a
link to one today.
AFTER the fact. It's easy to go back through the rabbit hole once you found
it. It's something else entire to test everything against all possibilities
unless you can make money at it, either as a paid tester or as an exploiter
of the loopholes.

Don't you remember when people were going on and on about how Apple's OS was
invulnerable to attack? We who knew better said it was only because they
didn't have a large enough installed user base to attract the attention of
the malware writers. And even when malware began to appear, the Apple
defenders said it was just a fluke. And then Steve Jobs banned Adobe's
products on Apple products because they had holes big enough to drive a
truck through. And STILL they didn't believe; they felt it was a tiff
between Jobs and Adobe or that Apple was working on a better version of
Flash, or something.

People who embrace companies like a religion (Apple, Google, Facebook) are
going to defend it to the exclusion of reason. Religion is not rational.
Ready now? "You cannot use logic to argue someone out of a position if they
did use logic to get themselves into it."

They're not going to spill the beans on the flaws they find.
Keith Keller
2014-04-09 22:28:12 UTC
Permalink
Raw Message
Post by David Kaye
Don't you remember when people were going on and on about how Apple's OS was
invulnerable to attack?
Those people were idiots just as much as people claiming that commercial
encryption is any better than open source.

--keith
--
kkeller-***@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information
Steve Pope
2014-04-09 22:42:05 UTC
Permalink
Raw Message
Post by Keith Keller
Post by David Kaye
Don't you remember when people were going on and on about how Apple's OS was
invulnerable to attack?
Those people were idiots just as much as people claiming that commercial
encryption is any better than open source.
I wouldn't claim that, but I will claim that the best encryption
in use is not open source.

Steve
Keith Keller
2014-04-09 23:56:24 UTC
Permalink
Raw Message
Post by Steve Pope
I wouldn't claim that, but I will claim that the best encryption
in use is not open source.
What is "the best encryption in use", then? Name a product!

--keith
--
kkeller-***@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information
Jeff Liebermann
2014-04-10 00:22:33 UTC
Permalink
Raw Message
On Wed, 9 Apr 2014 16:56:24 -0700, Keith Keller
Post by Keith Keller
Post by Steve Pope
I wouldn't claim that, but I will claim that the best encryption
in use is not open source.
What is "the best encryption in use", then? Name a product!
--keith
The "best" as in the most useable, or the "most secure" as in
unbreakable? If the "best", methinks Truecrypt perhaps, although
there is some controversy:
<http://www.truecrypt.org>
<http://www.computerworld.com/s/article/9243873/NSA_spying_prompts_open_TrueCrypt_encryption_software_audit_to_go_viral>
<http://istruecryptauditedyet.com>
I use it carrying around documents on flash drives or storing password
files on my hard disk.

For the "most secure", I have no clue. Probably something the
government put together for their own use. Or maybe a one time pad
system:
<http://www.unbreakable-crypto.com>
--
Jeff Liebermann ***@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
Keith Keller
2014-04-10 02:02:08 UTC
Permalink
Raw Message
Post by Jeff Liebermann
On Wed, 9 Apr 2014 16:56:24 -0700, Keith Keller
Post by Keith Keller
What is "the best encryption in use", then? Name a product!
The "best" as in the most useable, or the "most secure" as in
unbreakable?
Well, in the context of Heartbleed, and Steve's unproveable comment that
''commercial'' is better than open source, I would say that it has to be
able to replicate the functionality of OpenSSL in an https session. So
a web server needs to be able to use the library, and web browsers need
to be able to communicate with such a server. (I don't think the
requirement should be "can currently be used in Apache httpd" or "is a
drop-in replacement for OpenSSL"; rather, it should be more along the
lines of "with proper coding, could be used in Apache httpd".)
Post by Jeff Liebermann
If the "best", methinks Truecrypt perhaps, although
From what I know of Truecrypt, it would not qualify under the above,
since from what I can tell it's mainly for file or volume encryption.
Post by Jeff Liebermann
For the "most secure", I have no clue. Probably something the
government put together for their own use. Or maybe a one time pad
A one-time pad is certainly the gold standard, but for better or worse
many users would resist such measures. (And distribution of pads would
cause logistical problems.) You'd also still need some way of
encrypting the initial communication, so that the one-time key couldn't
be sniffed (since they aren't instantaneous, an attacker could in
theory sniff the key and, if he was fast enough, connect to the server
and impersonate the victim).

--keith
--
kkeller-***@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information
Jeff Liebermann
2014-04-10 04:06:13 UTC
Permalink
Raw Message
On Wed, 9 Apr 2014 19:02:08 -0700, Keith Keller
Post by Keith Keller
Post by Jeff Liebermann
On Wed, 9 Apr 2014 16:56:24 -0700, Keith Keller
Post by Keith Keller
What is "the best encryption in use", then? Name a product!
The "best" as in the most useable, or the "most secure" as in
unbreakable?
Well, in the context of Heartbleed, and Steve's unproveable comment that
''commercial'' is better than open source, I would say that it has to be
able to replicate the functionality of OpenSSL in an https session.
Sorry, I misunderstood.

Please note that the Heart Bleed problem was caused by a coding error,
and not a problem the basic design, which might justify a replacement.
Post by Keith Keller
So
a web server needs to be able to use the library, and web browsers need
to be able to communicate with such a server. (I don't think the
requirement should be "can currently be used in Apache httpd" or "is a
drop-in replacement for OpenSSL"; rather, it should be more along the
lines of "with proper coding, could be used in Apache httpd".)
Well, in terms of implementation, SSL/TLS is far from perfect. See:
<http://en.wikipedia.org/wiki/Transport_Layer_Security#Cipher>
In terms of current web browsers, none of them have fixed even known
vulnerabilities in SSL/TLS.
<http://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers>
Whether it is justified to replace SSL/TLS with a better cipher or to
just fix the problems, is subject to further debate. I'm not
qualified to offer a replacement or even hold an opinion (which is
another reason I should probably stay out of security debates).
Post by Keith Keller
Post by Jeff Liebermann
If the "best", methinks Truecrypt perhaps, although
From what I know of Truecrypt, it would not qualify under the above,
since from what I can tell it's mainly for file or volume encryption.
Volume only. It won't encrypt individual files. Truecrypt creates an
encrypted virtual folder (OS/X) or drive letter(PC), which can then be
used as a normal drive.
Post by Keith Keller
Post by Jeff Liebermann
For the "most secure", I have no clue. Probably something the
government put together for their own use. Or maybe a one time pad
A one-time pad is certainly the gold standard, but for better or worse
many users would resist such measures. (And distribution of pads would
cause logistical problems.) You'd also still need some way of
encrypting the initial communication, so that the one-time key couldn't
be sniffed (since they aren't instantaneous, an attacker could in
theory sniff the key and, if he was fast enough, connect to the server
and impersonate the victim).
That's usually handled by re-negotiating for a new key at regular
intervals. For example, wireless WPA typically re-keys every 10
minutes. (The range of acceptable values is usually 600 - 7200
seconds although some go up to 65536 seconds). DBS satellite and
cable TV encryption work much the same way (I forgot the intervals).
In theory, one could crack an individual key in a reasonable amount of
time, but cracking multiple keys takes much too long.

Besides being impractical for web browser security, and for the
reasons you mention, a one-time pad also has a big problem that if the
list of one-time keys are leaked, all the previous and future messages
can be read.
--
Jeff Liebermann ***@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
Keith Keller
2014-04-10 04:55:45 UTC
Permalink
Raw Message
Post by Jeff Liebermann
Please note that the Heart Bleed problem was caused by a coding error,
and not a problem the basic design, which might justify a replacement.
You and I know that. Apparently not everyone does. The goto fail bug
in commercial OS X and iOS was also a coding error.
Post by Jeff Liebermann
<http://en.wikipedia.org/wiki/Transport_Layer_Security#Cipher>
In terms of current web browsers, none of them have fixed even known
vulnerabilities in SSL/TLS.
<http://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers>
Whether it is justified to replace SSL/TLS with a better cipher or to
just fix the problems, is subject to further debate.
I suspect that this issue is orthogonal to the quality of the
implementation, which seems to be what Steve was questioning (though now
I'm not so sure). We will need to let him elaborate on his criteria for
"better" encryption than "open source" (and more importantly, name the
"better" encryption suites that he believes exist).
Post by Jeff Liebermann
I'm not
qualified to offer a replacement or even hold an opinion (which is
another reason I should probably stay out of security debates).
Based on the posting history of ba.internet, I would suggest that you
are the most qualified of the group's regular posters to offer an
opinion on these matters. I would certainly never take anyone else's
word here (including my own) on encryption questions! But one of the
reasons you are more qualified is that you provide evidence for your
claims in the form of reputable citations (a behavior I try to emulate,
unfortunately unsuccessfully more often than not).
Post by Jeff Liebermann
Besides being impractical for web browser security, and for the
reasons you mention, a one-time pad also has a big problem that if the
list of one-time keys are leaked, all the previous and future messages
can be read.
Exactly what I was thinking--if the OTP had been stored in a
Heartbleed-vulnerable service, for example, all the one time pads would
need to be replaced. That'd be way more painful than what admins are
currently facing under Heartbleed!

--keith
--
kkeller-***@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information
Steve Pope
2014-04-10 06:18:52 UTC
Permalink
Raw Message
Post by Keith Keller
I suspect that this issue is orthogonal to the quality of the
implementation, which seems to be what Steve was questioning (though now
I'm not so sure).
I'm questioning both the quality of the implementation, and
the engineering soundness of claming any level of security in
a system that cannot possibly be secure. Look at what has happened.
There is no communications security; there is no information
security except within a very narrow layer of the protocol stack.
Therefore, any bug anywhere in the system can create a huge
gaping security hole.

The pricinples are not rooted in security, they are rooted in
cheapness, high transaction abilty, and marketing.

Steve

sms
2014-04-09 14:12:13 UTC
Permalink
Raw Message
Post by Thad Floryan
We all know Yahoo is a company that prides itself on hiring H1-B Visa
clowns who are totally incompetent. Wihness the destruction of Yahoo
Groups' message archives and the dumbed-down and nearly unusable NEO
interface that infected Yahoo Groups mid-August 2013. And, of course,
Yahoo Email is one of the longest-running jokes on Earth far surpassing
AOL's clown circus. You'd be well-advised to abandon Yahoo and Yahoo
Mail immediately.
This story actually made it to TV news last night. Hopefully it being
publicized in the mass media will help spur more people to abandon Yahoo
Mail.

While I've done my part to warn friends, relatives, and colleagues about
Yahoo Mail, and nearly everyone I know has abandoned it, there are still
many non-tech-savvy people that don't know about the issues. Then there
are those people that do know about all the problems but ignore or deny
them.
David Kaye
2014-04-09 19:00:59 UTC
Permalink
Raw Message
Post by sms
This story actually made it to TV news last night. Hopefully it being
publicized in the mass media will help spur more people to abandon Yahoo
Mail.
And yet I now know 2 people who left Google for Yahoo and much prefer
working at Yahoo. I think I know 5 people total working there, all
born'n'bred Americans.
David Kaye
2014-04-09 18:58:28 UTC
Permalink
Raw Message
Post by Thad Floryan
We all know Yahoo is a company that prides itself on hiring H1-B Visa
clowns who are totally incompetent. Wihness the destruction of Yahoo
Groups' message archives [....]
I'm confused. The list I've run the longest, SF Games, has every message
back to the beginning on January 23, 2000, when I welcomed people to the
list. At least every random title I've clicked on has had a message
attached.

I'll be the first to admit that the new look is horrible and management
beyond simple things is difficult. However, I run SF Games as an opt-in
list, where people can simply send a "subscribe" email to the list and not
have to fuss with Yahoo's web interface at all. We have 469 members at
present.
Post by Thad Floryan
and the dumbed-down and nearly unusable NEO
interface that infected Yahoo Groups mid-August 2013. And, of course,
Yahoo Email is one of the longest-running jokes on Earth far surpassing
AOL's clown circus. You'd be well-advised to abandon Yahoo and Yahoo
Mail immediately.
Nearly all my email accounts are on Yahoo mail, and I haven't had any
problems except for ONE: I get a rejected email and a 550 error when I send
any email to kcsm.org. It's some sort of spamblocker somewhere in their
chain. This is the only address where my email has ever been rejected.

But I'll also say that I try not to put any mission-critical information on
any email message. For the longest time Yahoo (and others) ran email
unencyrpted, so I was well aware that anybody doing any packet sniffing
between me and Yahoo and between Yahoo and the recipient would be able to
read my email. So, I just assumed/assume that all email is public.
Jeff Liebermann
2014-04-09 20:09:30 UTC
Permalink
Raw Message
On Wed, 9 Apr 2014 11:58:28 -0700, "David Kaye"
Post by David Kaye
But I'll also say that I try not to put any mission-critical information on
any email message. For the longest time Yahoo (and others) ran email
unencyrpted, so I was well aware that anybody doing any packet sniffing
between me and Yahoo and between Yahoo and the recipient would be able to
read my email. So, I just assumed/assume that all email is public.
Same here. I sorta inherited several Yahoo accounts via
PacBell/SBC/AT&T DSL accounts. I use them for trivial junk, like
reading Yahoo groups and complaining to AT&T about the DSL service.

However, for stuff I really care about, I use Enigmail for Thunderbird
and GNU Privacy Guard (GNUpg) on Linux and GPGmail on OS/X[1]:
<https://www.enigmail.net/home/index.php>
<https://addons.mozilla.org/en-us/thunderbird/addon/enigmail/>
<http://en.wikipedia.org/wiki/GNU_Privacy_Guard>
I'm involved currently in 3 virtual companies. All our internal email
has been encrypted for many years. The email is also "salted" with
tempting traps, such as people and telephone extension numbers that
don't exist, but are logged. So far, no leaks.

There's nothing I can do to stop someone from somehow grabbing my
password, such as with Heart Bleed, and trying to read my mail, or
impersonate me. Without my X.509 certificate and private key, they
won't be able to do much. Also, I don't leave mail on any public mail
server for very long. We used to have various private mail servers,
but got tired of constant updates, spam filtering, maintence, etc.

The bottom line is that if you REALLY want and need security, privacy,
and reliability, you have to do most of the work yourself.


[1] I haven't tried APG on Android yet.
<https://play.google.com/store/apps/details?id=org.thialfihar.android.apg>
I just got a new Google Nexus 7 tablet, so I guess it's time to try
it.
--
Jeff Liebermann ***@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
Kristian M Zoerhoff
2014-04-09 21:42:51 UTC
Permalink
Raw Message
Post by Jeff Liebermann
[1] I haven't tried APG on Android yet.
<https://play.google.com/store/apps/details?id=org.thialfihar.android.apg>
I just got a new Google Nexus 7 tablet, so I guess it's time to try
it.
You need to pair it with K-9 Mail for best effect. It works pretty well once
you get your keys imported. I've used it on-and-off on my Android phone for
a while now.
--
Kristian M Zoerhoff
Loading...