[unisog] PGP and S/MIME

Christopher Crowley ccrowley at tulane.edu
Thu Nov 3 15:00:07 GMT 2005

My experience with PGP is that it works well for a limited deployment scope.  I
have set up about 10 people to be able to send sensitive data via e-mail.  We
have some people using Enigmail + Thunderbird + OpenPGP, and some people using
Outlook + PGP.

For the people who won't always remember to check the encrypt box, I find that
Enigmail's per-recipient rules are invaluable.  The only caveat I have found to
this is if you have a system that automatically updates your Mozilla or
Thunderbird, Enigmail is NOT automatically updated.  Enigmail is a plugin to
Mozilla.  A version upgrade (say, an RPM update from yum) doesn't provide you
a seamless upgrade for Enigmail.  This is fine if the person using it is
security-conscious. But it is a legitimate concern if you are depending on the
application to be responsible for a non-security-conscious person.

On the other hand, there are commercial alternatives that will inspect messages
for sensitive content, intercept that mail, and replace it with a notice to the
intended recipient.  The intended recipient has to sign in to a website to
retrieve the data.  I don't know of any open source applications that perform
this function, but creative application of your anti-spam application might be
able to accomplish this.  I haven't done it, but something like MailScanner +
custom Perl code could probably accomplish forced encryption for a defined set
of recipients.  You could "scan" for your sensitive data, or sender / recipient
pairs.  The problem with this is the data is transferred for the first hop
un-encrypted and is probably stored in a Sent folder somewhere without being

Christopher Crowley
Technology Services
Tulane University
ccrowley at tulane.edu
Tel: 713.212.1378 (Houston Temporary)

Quoting "T. Charles Yun" <tcyun at internet2.edu>:

> Thunderbird/Win32 + GPG/OpenPGP + Enigmail (a plugin) seems to work
> quite well for me.  Still testing it out, but I've seen little that
> causes problems.
> Christensen, Eric wrote:
> > Has anyone done a serious rollout of secure e-mail?  I've been trying to get
> > folks to use S/MIME certificates (like Thawte) but not everyone sees the
> > benefits.  I was testing out PGP for the last few days but it really taxed
> > my computer (using PGP Desktop).  I see that at least one person on this
> > list is using PGP.  Anyone else?  Opinions?
> >
> >
> > Thanks,
> > Eric Christensen
> > Technology Support Specialist
> >
> > ECU Police Department
> > 608C E 10th St
> > Greenville NC 27858-4353
> > http://www.ecu.edu/police
> >
> > (252)328-1155 - Office
> > (252)328-6787 - 911 Communications
> > (252)328-6965 - Fax
> >
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > unisog mailing list
> > unisog at lists.sans.org
> > http://www.dshield.org/mailman/listinfo/unisog
> --
>   T. Charles Yun  tcyun internet2 edu
>        Internet2  1000 Oakbrook Suite 300, Ann Arbor, MI  48108
>    desk,cell,fax  734.352.4960, 734.730.3300, 734.913.4255
>              web  people.internet2.edu/~tcyun
>    yahoo,msn,aim  tcharlesyun
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
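
The gateway-side check suggested in the message above (hold unencrypted mail that matches a sender/recipient rule or a sensitive-data pattern) can be sketched as follows. This is an added example, not code from the thread or from MailScanner; the recipient set, the SSN-style pattern and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Hypothetical policy values: recipients that must only receive encrypted
# mail, and one sample "sensitive data" pattern (US SSN-like number).
FORCE_ENCRYPT = {"registrar@example.edu"}
SENSITIVE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def is_encrypted(msg):
    """True for PGP/MIME (RFC 3156), S/MIME enveloped data, or inline PGP."""
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted":
        return msg.get_param("protocol") == "application/pgp-encrypted"
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        return msg.get_param("smime-type") == "enveloped-data"
    if not msg.is_multipart():
        return b"-----BEGIN PGP MESSAGE-----" in (msg.get_payload(decode=True) or b"")
    return False

def plaintext(msg):
    """Concatenate decoded text parts for content scanning."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def verdict(raw):
    """Return 'pass' or 'hold:<reason>' for one outbound message."""
    msg = message_from_string(raw)
    if is_encrypted(msg):
        return "pass"
    # Header recipients only; a real gateway should use the SMTP envelope (covers Bcc).
    rcpts = {addr.lower() for _, addr in getaddresses(
        msg.get_all("To", []) + msg.get_all("Cc", []))}
    if rcpts & FORCE_ENCRYPT:
        return "hold:recipient-rule"
    if SENSITIVE.search(plaintext(msg)):
        return "hold:sensitive-content"
    return "pass"

# Constructed sample messages (not taken from the thread).
CLEAR = "From: a@example.edu\nTo: Registrar <registrar@example.edu>\nSubject: grades\n\nsee attached\n"
SSN = "From: a@example.edu\nTo: b@example.org\nSubject: form\n\nSSN 123-45-6789\n"
PGP = ('From: a@example.edu\nTo: registrar@example.edu\n'
       'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="x"\n\n'
       '--x\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n'
       '--x\nContent-Type: application/octet-stream\n\n-----BEGIN PGP MESSAGE-----\n(elided)\n--x--\n')
```

A check like this only sees the message once it reaches the gateway, so the first hop and the sender's Sent folder remain outside its control, as the message notes.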
