EnsuredMail  -- Thoughts?

Discussion in 'privacy technology' started by luv2bsecure, Mar 16, 2002.

Thread Status:
Not open for further replies.
  1. luv2bsecure

    luv2bsecure Infrequent Poster

    Joined:
    Feb 9, 2002
    Posts:
    713
    I received an email from a man asking me about a product called "EnsuredMail". I went to the site, which is at http://www.ensuredmail.com/. It looks rather interesting.

    The person who wrote said he works in the IT dept. of a midsized company and they all seem to think it is easier to use for their people scattered all over the country, and many who know little about computing, than PGP.

    I have only given the website a quick glance but am getting ready to look it over. I thought I would post here to see if anyone has experience and/or knows anything about this product.

    Any thoughts??

    John
     
  2. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,016
    Log Files:
    We use IP addresses to analyze trends, administer the site, track general traffic flow through the site, and gather broad demographic/geographic information for aggregate use. IP addresses are not linked to personally identifiable information within our log files.

    Sharing:
    We will share aggregated demographic information with our partners and advertisers. This is not linked to any personal information that can identify any individual person.



    How much spam do you think you are going to get out of this?

    P.S. Hope i didn't make any spelling mistakes.  Would not want to be called a moron, too !
     
  3. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    Easy now. let's not drag one thread into a new one. luv2bsecure has asked a valid question. If you are not interested in the topic, don't reply.

    We are all friends here right? Can't we all just get along?
     
  4. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,016
    I did reply to the question which shows my interest.

    But until that insulting post for all of us whose native language is not English is removed, I will add this p.s. to all further posts.

    p.s. Again I hope there are no spelling mistakes here.  Would not want to be called a moron.
     
  5. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    WTF is happening to this forum Mickey? You have always been an outstanding member.

    If the comment you are referring to is:

    then it was not made by luv2bsecure, it was made by checkout. So why direct something like that at him?
     
  6. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,016
    Yes I am referring to the post made by checkout and certainly do not appreciate mods leaving this not only insulting but personal attack post there.
    My p.s. is not directed at anyone but will appear anywhere I go until someone realizes the seriousness of that post!
     
  7. luv2bsecure

    luv2bsecure Infrequent Poster

    Joined:
    Feb 9, 2002
    Posts:
    713
    I wondered why that was mentioned in a post to me as well. In fact, as coincidence would have it, my wife asked if she could use my username to write a post about spelling, etc and she defended a certain individual. That was less than an hour ago!! I agree Mickey that there should be no place for things like that. As my wife reminded me (she teaches English), nobody knows the circumstances of anyone here. Some may be from a country we only know from a map and they are making a gallant effort to write in English, some could have mild mental disabilities, some could have just received a poor education! We are impressed with those posts because they don't let their weakness stop them.

    Yet, Mickey, I was bewildered when I read your post above because (like Unicron) I thought it was directed at me and I was thinking about the irony of that. Tracy just finished writing about that in the, well now I don't remember which thread it was in.

    Now, about EnsuredMail... I haven't really looked at the site yet, but what you quoted doesn't really bother me. I think we have all been through this before, but gathering and sharing of aggregated demographic information is done by almost all commercial sites in attempts to find out where their visitors are coming from to determine how effective their marketing efforts are, etc. I have never known aggregated demographic information to include the sharing of email addresses. I also can't imagine a company devoted to privacy would ever share email addresses, if not out of principle, at least out of fear of losing their credibility. However, I would still check and make sure before I ever used the product.

    John
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi all,
    did not post to this subject yet.
    We have here a forum with english as language of communication; it is evident internationally people have their own native languages, but we at least try to use one common language here.
    My language is dutch and of course i know i make lots of spelling/grammar/idiomatic errors and typos and i might not always fully understand the finer thoughts between the lines, as much as others might think different ideas between my words.
    If people take time to kindly correct each other, i for me am grateful but please never ever call anybody names for this kind of errors, which has nothing to do with somebody's abilities to think reasonable.
    Most people here have a lot of experience in computer use and many have fine jobs and all levels are here; central point is we are reasonable enough and advanced to be able to make security a serious item.
    So i'm sure we all have to offer and can learn from each other. And please don't let language barriers cause wars.
    We can always ask clarifications, and if this spelling is so imperative we can ask the administrator if a spellcheck option is possibly implemented in this forum software.
    Too much work but possible could be editing a posting first in any of our other programs on our computers with spellcheck options and paste the product in here.
    So please never ever hold back in postings because of this matter and share what you have to share in the subjects given.
     
  9. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    Mickey, why couldn't you email me or send a personal message?  In no way was the message intended for anyone else except Vampirefo.  And, in the cold light of day, I can see that I shouldn't have attacked him over that.  In the cold light of day, I should - and do - apologise.

    I was angry as hell at the time.  It's that simple.  The guy set out to make people angry, and regrettably, he succeeded.  I got sucked in.  I also felt he was not so much using bad spelling as "Net Speak" which is a deliberate bastardisation of English.  Like the way Ali G deliberately befouls the language when he's clearly more than capable of speaking properly.  (Shudder.)

    Now, can we be friends again?  And if I ever upset you again, could you tell me about it, please?
     
  10. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    Unfortunately I am no longer able to edit the offending post.  Please note that I was willing to, and intended to.
     
  11. Someone emailed me about this very product a few days ago. What follows is my response.

    I've taken a look at the site -- quickly, mind you -- and while I'm no crypto expert, I do have a couple of reactions.

    First, Ensuredmail relies exclusively on symmetric encryption -- meaning, that you've somehow got to get the password to your intended email recipients. Still further, if you have multiple email recipients, you'll have to start using different passwords for all of those different people (and getting all those passwords to those people). And we won't even talk about what happens if you want to avoid re-using passwords and then start using different passwords for each and every email with each and every one of your email correspondents.

    Do you start to see the problem here? And then think about trying to deploy such a program in a company with remote users. Remember: if the passwords aren't unique to each recipient and then to each email message, then you vastly increase the risk that your email confidentiality can be breached. AND you have to think about how to distribute and keep track of all those passwords.

    We won't even talk about what happens if you find out that one of the passwords you're using is compromised.

    The tip-off, by the way, that this is what's happening with Ensuredmail is all that business about "self-decrypting technology" -- all that pompous term means is that the user has to input a password when s/he receives an encrypted message. Nothing fancy, but it's not truly "self-decrypting" since it requires an exchange of passwords between sender and recipient beforehand and then the input of the password by the recipient when the message is received.

    On this page:

    http://www.ensuredmail.com/apimail/SelfTest.asp

    ...I encountered this short description, which confirms what I said above:

    "Here is an overview of how this works:

    * The user receives an email with a self decrypting HTML attachment.
    * The user double clicks and opens this attachment.
    * The HTML file downloads a 35 kilobyte Java class file from the Ensuredmail server.
    * The user inputs the password for the message.
    * The decrypted message is displayed in a new browser window."

    So the end recipient must have a password that you and s/he agree on. That's the entire key-distribution problem that PGP's use of asymmetric encryption is designed to get around. With PGP (and other crypto products that use asymmetric encryption for key exchanges), you don't have to exchange or agree on passwords or keys in advance -- you just need the recipient's Public key.

    If you're not familiar with PGP or symmetric vs. asymmetric (public key crypto) encryption, then I'd direct you to these two pages on my web site:

    General Crypto Info
    http://www.staff.uiuc.edu/~ehowes/info5.htm

    PGP Info
    http://www.staff.uiuc.edu/~ehowes/info5b.htm

    You might also pop by the grc.techtalk.cryptography newsgroup and run this same program past the very knowledgeable folks there:

    https://grc.com/x/news.exe?cmd=xover&group=grc.techtalk.cryptography&utag=

    or...

    news://news.grc.com/grc.techtalk.cryptography

    One final problem with the program is that the user must be using a Java and JavaScript enabled browser or email client. Enabling those active content technologies brings with it other security risks, of course.

    Sorry I can't give a more complete reaction to the program. I would encourage you to visit that grc crypto forum I mentioned above and run this program past them.

    Hope the above helps,

    Eric L. Howes
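
An added illustration of the key-distribution point made in the post above (not code from the thread or from EnsuredMail, whose actual algorithm the page does not describe): a generic password-based symmetric scheme built only from Python's standard library, showing what a reused password exposes. The HMAC-counter keystream, the function names and the sample password books are assumptions made for this example.

```python
import hashlib, hmac, os

def _keys(password: str, salt: bytes):
    # Derive separate encryption and MAC keys from the shared password.
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)
    return km[:32], km[32:]

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode; chosen only to keep the example stdlib-only.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(password: str, plaintext: bytes) -> bytes:
    # Sender side: anyone holding `password` can later open the result.
    salt, nonce = os.urandom(16), os.urandom(16)
    ek, mk = _keys(password, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(ek, nonce, len(plaintext))))
    tag = hmac.new(mk, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag

def open_(password: str, blob: bytes):
    # Recipient side: returns None on a wrong password or a tampered message.
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    ek, mk = _keys(password, salt)
    expected = hmac.new(mk, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(ek, nonce, len(ct))))

def exposure(password_book: dict, leaked_password: str) -> list:
    # Recipients whose mail becomes readable once one password leaks.
    return sorted(r for r, p in password_book.items() if p == leaked_password)

# Constructed sample data: a sender's password book for three remote users.
REUSED = {"alice": "spring2002", "bob": "spring2002", "carol": "spring2002"}
UNIQUE = {"alice": "pw-a-7f3", "bob": "pw-b-91c", "carol": "pw-c-d20"}

def demo():
    to_alice = seal(REUSED["alice"], b"Q1 payroll figures")
    read_by_bob = open_(REUSED["bob"], to_alice)      # Bob opens Alice's mail
    to_alice2 = seal(UNIQUE["alice"], b"Q1 payroll figures")
    blocked = open_(UNIQUE["bob"], to_alice2)         # unique passwords stop that
    return (read_by_bob, blocked,
            exposure(REUSED, "spring2002"), exposure(UNIQUE, "pw-b-91c"))
```

Unique passwords limit the damage of a leak to one recipient, but the sender then has to deliver and track one secret per recipient out of band, which is the burden the post describes.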
     