On Thu, Jan 06, 2011 at 02:05:29PM -0500, Michael Orlitzky wrote:
> This still doesn't work, because the administrator is the one who tells the system to encrypt messages as they arrive. He can peek at the messages before they're encrypted with the user's public key.
That's a small window of opportunity, compared to letting anyone who has access or can break into the filesystem/backup-system get access to all messages without any further complications.
I.e. currently it takes a "read-any-file" vulnerability (or access) to read all users' messages; with server-side encrypted mailfiles it will require "read-any-file" + strace on processes while the user is active. Then you no longer need to worry about anyone getting access to your backups, reading dead/decommissioned drives, sysadmins "accidentally" reading files, etc.
> It's impossible to hide the contents of a plain-text message from the person who receives it in plain text (the administrator). PGP/GPG is the only option.
Sure, end-to-end encrypted messages are the only way to be completely sure they're not read in transit. But the fact that ~0% of our users send/receive encrypted messages doesn't mean that we should disable SSL for POP/IMAP connections. Sysadmins/network admins can just read the incoming plain-text message anyway, so why use SSL on the last mile? ;-)
-jf
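To make the trade-off in the reply above concrete, here is an added illustration (not code from this list or from any mail server) of encrypt-on-delivery with the openssl CLI: the server holds only the user's public key, each message body is encrypted under a per-message key that is wrapped to that public key, and the plaintext exists on the server only in the instant before delivery runs. File names, the marker string and the sample message are constructed for the demo.

```shell
#!/bin/sh
# Added example: hybrid encrypt-on-delivery with openssl (constructed demo).
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# User side: generate a keypair; only user.pub is ever handed to the server.
gen_user_keys() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/user.key" 2>/dev/null
  openssl pkey -in "$WORK/user.key" -pubout -out "$WORK/user.pub"
}

# Server side (delivery agent): $1 plaintext file, $2 public key, $3 prefix.
# This is the only moment the plaintext is readable on the server.
deliver_encrypted() {
  openssl rand -hex 32 > "$3.sessionkey"                    # per-message key
  openssl pkeyutl -encrypt -pubin -inkey "$2" \
    -pkeyopt rsa_padding_mode:oaep \
    -in "$3.sessionkey" -out "$3.key.enc"                   # wrap key to user
  openssl enc -aes-256-cbc -pbkdf2 -salt \
    -pass "file:$3.sessionkey" -in "$1" -out "$3.body.enc"  # encrypt body
  rm -f "$3.sessionkey" "$1"           # neither plaintext nor bare key remain
}

# Client side: $1 prefix, $2 private key (never present on the server).
read_message() {
  openssl pkeyutl -decrypt -inkey "$2" -pkeyopt rsa_padding_mode:oaep \
    -in "$1.key.enc" -out "$1.sessionkey"
  openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$1.sessionkey" \
    -in "$1.body.enc"
  rm -f "$1.sessionkey"
}

# What "read-any-file" access yields: succeeds only if the marker is absent
# from everything left on disk for this message.
stored_copy_hides() {   # $1 prefix, $2 plaintext marker
  ! grep -q "$2" "$1.key.enc" "$1.body.enc"
}

# Constructed sample delivery and read-back.
gen_user_keys
printf 'From: alice@example.com\n\nSECRETMARKER payroll attached\n' \
  > "$WORK/incoming.txt"
deliver_encrypted "$WORK/incoming.txt" "$WORK/user.pub" "$WORK/msg1"
stored_copy_hides "$WORK/msg1" SECRETMARKER && \
  echo "at rest: plaintext not recoverable from stored files"
read_message "$WORK/msg1" "$WORK/user.key"
```

The window the quoted reply mentions is visible here: anyone who can run or trace deliver_encrypted sees the plaintext, while a later reader of backups or retired disks gets only key.enc and body.enc.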