[nycphp-talk] Security and POP/IMAP/HTTPS
michael
lists at genoverly.net
Tue Oct 10 09:06:58 EDT 2006
On Tue, 10 Oct 2006 08:26:45 -0400
Aaron Fischer <agfische at email.smith.edu> wrote:
> Greetings,
>
> Someone was proposing sending PDFs containing sensitive info over
> email. I was thinking of recommending against it, citing the lack of
> security in the POP/IMAP protocols. Is that a legitimate concern?
POP/IMAP is used when you connect your mail client (MUA) to the server
to send and retrieve mail. It can be very secure, most clients I have
used allow you to check the TLS/SSL box to encrypt the initial and
subsequent conversations with a mail server (MDA).
SMTP is used to route mail from server to server (MTA) over the
internet. This is where your mail will fly naked.
You may want to consider encrypt the mail at the source and decrypt at
the target. Not only does this method secure the message it also
handles the 'other' concern in security: the sender is who he says he
is.
Found on Amazon for $17.22
PGP & GPG: Email for the Practical Paranoid [ILLUSTRATED]
(Paperback) by Michael W Lucas (Author) "You don't need to
understand everything about modern cryptography to use OpenPGP
successfully..."
MUA = mail user agent (thuderbird, sylpheed, etc)
MDA = mail delivery agent (courier-imap, dovecot, etc)
MTA = mail transfer agent (postfix, sendmail, etc)
Wikipedia can give a good overview of email protocols.. read it.
> An alternative would be to email them with a link to the PDF which
> would be protected with a login system (That's where the PHP would
> come in).
>
> Thoughts?
>
> Thanks,
>
> -Aaron
Sending emails with large attachments (images, spreadsheets, pdfs, etc)
is really not a good practice, and frankly, pretty annoying. Your idea
of just sending the link and hosting the documents on a server is a
preferred method (well done!). It is much less hassle to set up -and-
you get the added bonus of being able to make corrections and additions
to the document (are they ever done right the first time? [grin]). You
only have to repost to the web and not resend to all the target
recipients. Not to mention.. you don't have to teach them PGP/GPG.
--
michael
More information about the talk
mailing list