Plain text password login for email

Discussion in 'other security issues & news' started by Jo M, Nov 8, 2004.

Thread Status:
Not open for further replies.
  1. Jo M

    Jo M Registered Member

    Joined:
    Sep 10, 2004
    Posts:
    53
    Tested:- SAFe-mail.net

    Thanks again for the info! I have taken the plunge and registered not one but three free 3mb accounts at SAFe-mail.net. (Try saying that when you're drunk!)
    One "Main" account, one for Forums, one for spam suspects.

    I have it set up so that I can receive and send mail not only on the web through my browser but also through my email client!

    I have tested it from account to account and it all works.

    :cool: I have tested it while running socket spy within Port Explorer. The ONLY non encrypted data was the security certificates themselves! The only info these gave out was the name of SAFe-mail themselves and Thawte, the certificate holders. Brilliant!!! :cool:

    Now the only info that the NSA had on that transaction was that I am now using encrypted email (since they MUST have access to my IP as the origin of the mail). I could use an "anonymiser" to hide that but the NSA can get round that no probs! They have agreements with Governments which force ISPs to allow them to trace everything!

    Well I must already have a file with them! There were those demos about Apartheid and the demo about the police cover up over the black kid murdered by racist thugs in London......and.....yes I'll have a record!!

    If you want to use encrypted mail you must first decide if you mind having a record! Or if like me you think of it as a matter of pride! o_O You might not get into heaven without one o_O

    :D I hope my "test" encourages other people to take the plunge and test it out for themselves! :D

    Perhaps if everybody does this and the information dries up the NSA will spend their HUGE budget on other methods of Anti Terrorism that would actually be LEGAL for them to perform on a US citizen!

    Now begins the long and slow process of transferring all my mail....friends, family all those registrations, forums, newsletters......

    Regards Jo M
     
  2. Jo M

    Jo M Registered Member

    Joined:
    Sep 10, 2004
    Posts:
    53
    Further test:- SAFe-mail to unsafe ISP

    As pointed out in another Thread. It is important that an email cryptography solution is not only good between fellow users but also if used to communicate with non users.

    Therefore I tested today ( as my regular ISP email seems more or less back to normal after lots of downs of service) and came up with the following results.

    Using my normal email client and ISP to email INTO SAFe-mail was as suspected no more secure than any other email! I could read with socket spy everything that went on in the "email client/regular ISP" part of the transaction. However nobody would know if I had received or read the mail as the "Browser/SAFe-mail" part of reading the mail was totally encrypted!

    Using SAFe-mails "safe box" solution for communicating FROM SAFe-mail was very interesting and quite fun! It was also very easy! I had one security choice to make, let them choose a password (less secure) or create one myself and get it to my recipient myself (the real deal secure version!). So obviously I chose to create the password myself. I used the "create secure password" extension to Firefox and generated a modest password of 12 random characters (can be more). SAFe-mail then sent my recipient (also me) a notification that a secure message was waiting for me and gave a special link for their browser. This came to a page ready with the password box. Entered and hey presto there was the message! No problems! Easy! Very Nice!

    But was it secure?

    All parts of the transaction that used the browser were totally encrypted!
    In Chronological order:-

    1) sending the email from SAFe-mail to ISP mail was all encrypted!
    2) the notification that came through my ISP to my email client was not encrypted and could all be read by socket spy. It ONLY contained details of who the message was from and a link to get to the web site to recover it. NO PASSWORD! It suggested contacting the sender if they didn't know the password!
    3) the recipient can phone me for the password, which is a bit of a fag BUT is the only good way since as far as I know the US cannot yet automatically listen in by machine to every phone message. To be absolutely sure you would have to GIVE IT TO THEM BY HAND!
    4) receiving the email using the browser link as suggested was again totally encrypted!

    So by sending an encrypted email to a non SAFe-mail user I have given out just a bit more information, the NSA will already have my IP and that I use encrypted mail. Now they also have a hard connection with my SAFe-mail address. Unless they can get round my password then they cannot read it!
    So make the password good! I will increase the setting from 12 from now on! I just put it up and there seems to be a limit at 30 if you use the copy to clipboard feature but I tested up to 50 if you copy it manually. I will report that to the extension authors!

    I was quite happy with this result and feel that this is probably as good as I can get!? Hopefully anybody who gets a message like this will be as interested as me and register too! Then I would be back to just giving out IP and "using Cryptography".

    I am aware of one more test I can do and that is to do the same test but this time do the sending through my email client. Client - SAFe-mail - Recipient's client - Recipient's Browser at SAFe-mail. As soon as I have time I will post back the results! Sorry I have worked out that this is never going to be possible. There is no way to access the Safebox button from within an email client! Nor the password options etc. This one can't be done!
     
    Last edited: Nov 15, 2004
  3. Jo M

    Jo M Registered Member

    Joined:
    Sep 10, 2004
    Posts:
    53
    Encryption with a back door?

    Hi again,

    perhaps my last post in this thread?

    Just a reflection on the security level of using SAFe-mail.net. brought on by recent news items that nobody could have missed. But most people wouldn't have connected them in the way I do here?

    I have mentioned as one of my primary aims in using secure encrypted email that the security services of the USA (NSA or whoever!) should not be allowed to breach my human and legal rights by reading every single one of my mails! This is against the law in the US and also against the law in the UK. They only get away with doing it because the NSA and any other US secret service are not going to be held accountable for breaching the rights of a UK citizen! And the secret services of US friends (eg the UK) are not going to be held accountable for breaching the rights of a US citizen!

    Mod Note - Removed inappropriate ethnic/politic comments and associated link. Please refrain from posting similar comments like this. - snap

    This brings me to my security question. The US has an extremely close relationship with the Israeli Government. Is it possible that because of unknown and unprovable agreements between the US and the Israeli Government that my securely encrypted email using SAFe-mail would be read by the NSA (or other SS) o_O o_O

    Normally the situation is that the Secret Services are required to get a court order to force you to hand over your "private key" for "Anti Terrorist" purposes. I have NO problem with that! However in this case I don't hold my "private key". I am trusting SAFe-mail with that.

    Is it just possible that for stated "Anti Terrorist" purposes (but REALLY to get some juicy info on me so that they can use me for some purpose or discredit me somehow?) they could put pressure on SAFe-mail to hand over the key, without even doing the normal requisite of getting a court order o_O o_O

    If the Secret Service is from the US and I'm a UK citizen not protected by US laws and the email service is based in Jerusalem, not covered by either US or UK law. Then what is to stop them o_O o_O

    o_O o_O o_O o_O

    It is not a pleasant thought! Rather 1984! I very much doubt if ANYBODY could answer this question to my satisfaction! So I will just have to live with this one and decide in a while how to respond to it!

    I'm sorry for going on about "Politics" and "Ethics". Some people hate them! But they DO actually have a relevance in many areas (if not all?) and I think I have shown the relevance here!

    Regards Jo M

    PS Just remember to sleep well at night!
     
    Last edited by a moderator: Nov 15, 2004
  4. james232r

    james232r Guest

    Hmm if you are that paranoid, why not use PGP or something similar?
     
  5. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,059
    Location:
    Texas
    The best way to communicate is person to person. That is, if you can trust the other person!

    PGP is one of the best ways to communicate using email. Now, we need to convince everyone.

    Seriously, if you want absolute security, don't use a device such as a telephone, radio, computer, etc, to pass the info along.
     
    Last edited: Nov 15, 2004
  6. Jo M

    Jo M Registered Member

    Joined:
    Sep 10, 2004
    Posts:
    53
    Paranoid:- Yeh!

    Hi James,

    yes I do have and have used PGP. What I am doing here is trying to work out the full social/political/realistic implications of using cryptography, and comparing various products.

    Yes I do think that it is the duty of any "post 1984 world citizen" to be paranoid! Not to think just what we are told to think!

    "Outing" the issue is also my way of saying "up yours!" to security agencies that I KNOW are currently breaching both my and your civil/human/legal rights! If I don't say "up yours" to them in this situation am I not complicit in it and just a lame coward?

    Regards Jo M
     
  7. Jo M

    Jo M Registered Member

    Joined:
    Sep 10, 2004
    Posts:
    53
    No Absolute Security!

    Hi Ronjor,

    Yes of course you're right! There is no such thing as absolute security! But it doesn't pay to be un-aware of what is going on behind your back. It is people's right to know what is going on and then up to them how they respond. I personally think that it is a bit more than a right to know:- more of a duty to inform oneself?

    I haven't worked out how I will respond to my questions in #28 yet! Nobody can make that kind of decision for anybody else!

    Regards Jo M
     
  8. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Why are there no Secure POP3 email services?
    Thunderbird and other email clients can handle it.
    It seems like there would be a huge market for such a secure email service.
    Does anyone know of ISPs or other companies that offer Secure POP3 email?
     
  9. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
  10. Jo M

    Jo M Registered Member

    Joined:
    Sep 10, 2004
    Posts:
    53
    Thanks no13! :D

    I will certainly find out about them and might very well give them a whirl!

    If it's PGP based, which I see on their front page, then it might well get round my issue with SAFe-mail, that I am not the holder of the private key and therefore that I am forced to rely on their word:- and can I trust them? Perhaps I should? Certainly their security and privacy policy would want to allay ALL my fears!!!! But can I trust that?

    What I can trust is that Secret Services ARE able to bring a whole lot of pressure to bear!! Would they crack? Well I don't know!

    I also know that PGP versions that used to be available to the rest of us in the world used to be half the number of "bits" of security that were being used by the US citizens. I know that at that time, a year or so back, it was widely thought that the US Secret Services did actually have the capacity to crack such 56 bit encryption. Not on a routine basis. Not EVERY email! But any that they wanted to open they could within a few hours with their super computers! When they finally relented and allowed us 128 bit security and beyond, it wasn't because they now had larger and faster computers. No it was because they no longer NEEDED to crack the encryption! They had by this time got agreements with the necessary countries and through them to force ISPs to co-operate and the ability to get those court orders DEMANDING your private key. VERY NICE!

    It's all just a game?

    Thanks again for that link!

    Regards Jo M
     
  11. Jo M

    Jo M Registered Member

    Joined:
    Sep 10, 2004
    Posts:
    53
    Hushmail first Impressions

    Hi anyone,

    At first glance Hushmail.com is actually very similar to SAFe-mail.net.

    Same PKI technology used (Public Key Infrastructure). I do need to do some more exploration and a few hard tests!

    However there are some differences I have noticed already.
    1 Hushmail.com only gives you 2mb free space.
    2 Hushmail has nagscreens to buy an upgrade!
    3 Hushmail has no ssl support, so you HAVE to use the Browser interface. No using your email client and still getting secure encrypted mail. One very definite plus for SAFe-mail.net!
    4 Hushmail.com allows you to export your public and private keys. I didn't try it but it makes me wonder just HOW they are going to export it? If they use anything not encrypted itself then your security is compromised as soon as you export? If it is data that can be copied and pasted from a secure email to yourself then OK.
    5 Hushmail uses a java applet in the free version but an Outlook plugin for the paid upgrade.
    6 Hushmail is very slow to start up!!
    7 The Hushmail registration process is quite reminiscent of PGP itself.

    I WILL do the same tests I did for SAFe-mail but my initial impression is that Hushmail is not as good? At least not for me? I'm not sure yet.

    Regards Jo M
     
  12. Jo M

    Jo M Registered Member

    Joined:
    Sep 10, 2004
    Posts:
    53
    Hi Devinco,

    SAFe-mail.net does secure POP3 email! Either secure in your browser or secure POP3 in your email client (in my case Thunderbird 0.9)
    However Hushmail it would seem does not. You HAVE to use the Browser interface.
    Both are secure from fellow members of the service. However SAFe-mail also has a secure feature for email to non SAFe-mail users!

    Regards Jo M
     
  13. securityuser

    securityuser Guest

    Nobody in the professional infosec community uses safe-mail.net. Their advertising was even refused at a recent conference in Miami. Safe-Mail uses a proprietary algorithm which is a big no-no. Better choices are HushMail, by far the most respected, and MailVault. Sorry to offer the bad news about safe-mail.net. As for POP3 mail, use an smtp which you can tunnel to using Stunnel or Putty (free software) and it is encrypted 128/256-bit AES encryption. Can't go wrong with that. By the way, Hush and Mailvault do not pass along IP addresses in email like all the others, even if you send a plain text message via ssl.
     
  14. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Have a look here:

    http://www.cotse.net/basics-mailtypes.html

    That's a support site discussing mail protocols, but they are offering also a mail service (even with "Remailer interface for anonymous sending that can't even be traced back to us"). I've known the church of the swimming elephant (cotse) from a couple of other occasions and they're trustworthy, IMHO. You might want to browse their site a bit, there's much to be found there. Actually where the mail/webspace provider is sitting doesn't make a difference, since, once you're logged in via your ISP, you make the connection to your mail provider via an encrypted communication that can pass all the internet.

    HTHH,
    Andreas
     
    Last edited: Nov 16, 2004
  15. Jo M

    Jo M Registered Member

    Joined:
    Sep 10, 2004
    Posts:
    53
    More info please!

    Hi security user,

    thanks for your opinions. Given that you are just a guest here and have given no links or means of following up on what you say, I am afraid that we must treat what you say as mere opinion!

    Fine SAFe-mail uses a "proprietary algorithm". PGP was once a "proprietary algorithm" too, until it became quite widely accepted and has gained near monopoly status. Perhaps you represent PGP o_O

    Perhaps the "security community" doesn't want users to use a different algorithm because there are backdoors in the PGP which the "secret service" insists on being there o_O The secret service perhaps has less control over a different "Proprietary algorithm" o_O

    On Hushmail (free) you CANNOT use your email client for secure mail. You have to pay to use IMAP. I would like to investigate the differences between IMAP and SSL!! I haven't found a reliable source yet. I'm afraid that so far you're not it.

    SAFe-mail uses an interesting way of communicating with non SAFe-mail users which doesn't seem possible in Hushmail? OK PGP is quite widespread, but currently NONE of my friends, family or contacts uses it! So this is a MAJOR issue. I can't see that PGP has provided as good a method to communicate securely with non users. Show us the info if I'm wrong!

    In the tests I did with SAFe-mail.net I did not SEE the IP being passed. As I did not save the logs I will need to re-do that to check.

    Regards Jo M
     
  16. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    Re: More info please!

    If your main purpose was safety of your message, I'd rather have you encrypt your message on your system and then send it after a small steganography session with a heavy JPEG....
    But since you need to encrypt your password during transit... didya try gmail (www.gmail.com) yet? S'posed to work over HTTPS... (which itself, unfortunately, is seen to be insecure)... Anyway... to say anything more on it would be straying off-topic, and absolutely redundant (a simple Google search gives you millions of Blogs, sites, BBs dedicated to it)
     
  17. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,059
    Location:
    Texas
    Jo M

    I sent Safe-Mail a question about their algorithm. I'll let you know here or pm you with the answer.
     
  18. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Re: More info please!

    Hi Jo M again,

    To me, what securityuser said does sound at least like something that deserves to be googled for - hushmail and mailvault, stunnel and puTTY are items to go after yourself (I don't know the mail providers, but I know the software items and agree that they are to be suggested/considered).


    Probably it's silly to insist on this, but don't confuse "proprietariness" with rareness and "open software" with popularity. When something is widely accepted and gains near monopoly status, it still can be proprietary (like, say the Microsoft Windows OSs). PGP is non-proprietary (now) not because of its popularity, but because of the fact that its code is public and can be reviewed and improved or modified by whoever feels the need to do so. Actually it's better to speak of OpenPGP in that case - NAI's PGP itself not being strictly OpenPGP compliant in all aspects and having some proprietary elements. Probably Zimmermann just had to lay open the code (because, at the time, that was a way to export it - in non-executable form), but if you read up on him and on his views, I suppose it was a move he was more than willing to make. The problem with "proprietary algorithms" in this case is, that you cannot know who has control over it and its implementation (unless you're the developer). With open algos, you still don't know this, but persons that understand it (like, say, Bruce Schneier) are free to have a look at it and tell you what they think about it. Now it's still up to you to find someone you trust to review that piece of software, but chances are high you will succeed and, at least it's possible in the first place.
    However, I take your comments above to be more of a rhetorical nature, so I resist from ranting further... :D


    IMAP, like SMTP and POP3, is mainly a protocol for email delivery (where IMAP allows you to manage your mailbox while that can remain on the mail service provider's server, unlike POP3, where you (mostly) have to download it and manage it locally). SSL/TLS, Kerberos, and to a certain extent SSH, are ways to securely set up encrypted communication channels, over which then mail or file transfers, web browsing sessions or login shell sessions can be deployed. POP3S, IMAPS, SMTPS, SFTPS are then variants of the original protocols (POP3, IMAP, SMTP, FTP) that have a certain authentication and encryption protocol built-in (SFTP uses SSH, SMTPS uses SSL/TLS etc.). ...Not what you'd call a reliable source yet (nor even sufficient information), but it may help you to get a picture and get you on the right tracks in your research.


    Right, the safe mail box is an interesting concept. But with regards to PGP the MAJOR issue is another one: it's precisely that none of your friends, family or contacts uses it. Period. Make them use pgp/gpg and you'll have helped yourself, them and us more than by using SAFe-mail.
    There's no method (not even a bad one) that PGP provides to communicate with non-pgp users, why should there be? It's technology everyone should be using, doesn't cost anything and does not interfere very much with your system. (BTW, I suspect that many spamfilters will filter out messages saying "there's a private encrypted message from Jo M waiting for you at www.123.com. Click here to view it.")

    (Finally, you could encrypt something into a password-protected self-decrypting archive that will allow non-almost-everything-users to still get it.)

    Probably all of this does sound more rigid/unfriendly than it's meant, but I don't want to go through the whole posting editing it again. I hope you understand.

    Cheers,
    Andreas


    (PS.: here's a nice cryptanalysis tool I've found referenced on the cotse page: cryptotool.)
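    The distinction Andreas draws above (POP3/IMAP/SMTP carry the login; SSL/TLS or a STARTTLS upgrade wraps it) is what decides whether a sniffer like the socket spy used earlier in the thread sees the password. The following is an added example, not code from the thread or from any provider named in it: it classifies constructed client/server session transcripts by whether the credentials went over the wire in the clear; the host names and credentials in the samples are made up.

```python
"""Flag mail logins that a network sniffer could read.
Added example, not from the thread or any provider it names. Transcripts are
constructed: "C:" lines are client->server, "S:" lines are server->client."""
import base64
import re
from dataclasses import dataclass
from typing import Optional

# Constructed captures (made-up host and credentials).
POP3_CLEAR = "S: +OK POP3 ready\nC: USER jo.m\nS: +OK\nC: PASS hunter2\nS: +OK Logged in\n"
POP3_STLS = "S: +OK POP3 ready\nC: STLS\nS: +OK Begin TLS negotiation\n"
IMAP_CLEAR = "S: * OK IMAP4rev1 ready\nC: a1 LOGIN jo.m hunter2\nS: a1 OK LOGIN completed\n"
SMTP_PLAIN = ("S: 220 mail.example.invalid ESMTP\nC: EHLO laptop\nS: 250 AUTH PLAIN\n"
              "C: AUTH PLAIN " + base64.b64encode(b"\0jo.m\0hunter2").decode() + "\n"
              "S: 235 Authentication successful\n")


@dataclass
class Finding:
    protocol: str
    tls_before_auth: bool       # session upgraded to TLS before any login
    username: Optional[str]     # credentials recoverable from the capture
    password: Optional[str]

    def exposed(self) -> bool:
        return self.password is not None


def _protocol(banner: str) -> str:
    # Identify the service from the server greeting.
    if banner.startswith("+OK"):
        return "POP3"
    if banner.startswith("* OK"):
        return "IMAP"
    if banner.startswith("220"):
        return "SMTP"
    return "unknown"


def analyse(transcript: str) -> Finding:
    lines = [l for l in transcript.splitlines() if l.strip()]
    proto = _protocol(lines[0].partition(": ")[2]) if lines else "unknown"
    user = pwd = None
    tls = False
    for i, line in enumerate(lines):
        side, _, text = line.partition(": ")
        if side != "C":
            continue
        words = text.split()
        if proto == "IMAP" and len(words) > 1:
            words = words[1:]           # drop the IMAP command tag ("a1")
        cmd = words[0].upper() if words else ""
        if cmd in ("STLS", "STARTTLS"):
            reply = lines[i + 1].partition(": ")[2] if i + 1 < len(lines) else ""
            if re.match(r"\+OK|220|\S+ OK", reply):
                tls = True
                break                   # the rest is ciphertext to a sniffer
        elif proto == "POP3" and cmd == "USER" and len(words) > 1:
            user = words[1]
        elif proto == "POP3" and cmd == "PASS" and len(words) > 1:
            pwd = " ".join(words[1:])
        elif proto == "IMAP" and cmd == "LOGIN" and len(words) > 2:
            user, pwd = words[1], " ".join(words[2:])
        elif cmd == "AUTH" and len(words) > 2 and words[1].upper() == "PLAIN":
            # SASL PLAIN is authzid NUL authcid NUL password, base64 encoded
            _, user, pwd = base64.b64decode(words[2]).decode().split("\0", 2)
    return Finding(proto, tls, user, pwd)


if __name__ == "__main__":
    for name, capture in [("POP3 clear", POP3_CLEAR), ("POP3 STLS", POP3_STLS),
                          ("IMAP clear", IMAP_CLEAR), ("SMTP AUTH PLAIN", SMTP_PLAIN)]:
        f = analyse(capture)
        state = "EXPOSED" if f.exposed() else ("protected" if f.tls_before_auth else "no login seen")
        print(f"{name:16} {f.protocol:5} {state}")
```

    Base64 in AUTH PLAIN is an encoding, not encryption, so it counts as exposed exactly like a POP3 PASS line; only the sessions that negotiate TLS before the login come out as protected.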
     
  19. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,059
    Location:
    Texas
    Andreas

    Mailvault is a good choice. Thanks.
     
  20. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Andreas1,

    Thank you for your excellent contribution to this thread.
    COTSE is just the thing I was looking for!

    I learned a lot here. :)
     
  21. securityuser

    securityuser Guest

    You don't understand what a proprietary algorithm is. It doesn't mean rare or not known. It means an algorithm that is closed and unavailable for review. Backdoors in PGP? First of all, PGP is not an algorithm, PGP is software that uses ALL open source, accepted algorithms. Safe-Mail uses an algorithm ('patent pending') that is not open for review. As for the PGP software having a backdoor. It's an open source program in many variations. In 8.0 it's not truly open source, but source is available for review. But the algorithms sure are. Programs and services that use proprietary algorithms are known as snake oil. Oh, Andreas is right about COTSE, it's a great service.
     
  22. james232

    james232 Guest

    Yes it's all a game. They made a big deal about restricting exports of x bit encryption to make people think they can't break key sizes > x bits. In actual fact they can break probably key sizes up to 10x.
     
  23. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    kinda off topic, but since we're talking about encryption algos...
    http://www.klammeraffe.org/~fritsch/uni-sb/fsinfo/rsachan/businesswire.html
    And slightly more threatening (and also more popular in the underground)
    http://asia.cnet.com/news/security/0,39037064,39142307,00.htm
    Note the dates... 7 years old (real old) and one-and-a-half years old!!! But still, I don't see much mention of either (OK, the first one is not of concern to a home user 'coz it's using a network of 3,500 machines and needs 312 hours, but the second one's kinda scary, no?)
    -------
    I may not be an expert, but I'm scared... does this affect me as a home user?
     
    Last edited: Nov 17, 2004
  24. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    Totally agree with james232 and Jo M. Does anyone remember Carnivore (the FBI's pet)?
    any details on that one?
     