  1. #16
    Lounge VIP bobprimak's Avatar
    Join Date
    Feb 2009
    Location
    Hinsdale, IL, USA
    Posts
    2,329
    Thanks
    140
    Thanked 117 Times in 100 Posts
    Quote Originally Posted by partner View Post
    Does anyone know how to get an email service that Frontier can NOT scan? It would perhaps be a service where incoming mail would go to an intermediate and the whole email including pictures, addresses etc would be encrypted and then sent to my ISP and when in Thunderbird I opened the email it would be un-encrypted??!!

    The reverse would happen on outgoing in that Thunderbird would encrypt the whole thing, send the mail to an intermediate, un-encrypt and send to the recipient(s).

    And that would be great if everything coming in or out would cause Frontier (and other intruders) to see only an encrypted text.
    "If you need secure end-to-end communication, email is probably the wrong way to do it."
    http://www.extremetech.com/extreme/1...t-alternatives

    As I posted before, Yahoo does not permit encrypted messages, contrary to what is implied in the ExtremeTech article. I don't know about GMail, but I suspect similar restrictions may exist in their Terms of Service.

    Two services reviewed in the article, Countermail and Neomailbox, have their own issues, and may not be totally private or secure.

    Fastmail, which is based in Australia, no longer has free accounts. But they insist they do not scan email coming or going. They are one of only a very few services I know of which make this promise.

    TOR Mail used to be like the service model you describe, but it and several others like it got shut down by FBI legal actions. Or they shut themselves down when they discovered they were under US court orders to divulge subscribers' info or their email contents.

    No one escapes spying like NSA and the FBI have been doing, so if you're sending or receiving inside the USA, forget about email privacy.
    Last edited by bobprimak; 2014-03-30 at 06:18.
    -- Bob Primak --

  2. #17
    Super Moderator
    Join Date
    Jun 2011
    Location
    New England
    Posts
    2,915
    Thanks
    91
    Thanked 356 Times in 320 Posts
    Quote Originally Posted by bobprimak View Post
    HTTPS and SSL are only two of the security measures used in secure web site connections.
    Only one security measure there really, since HTTPS is just HTTP on top of SSL.


    Quote Originally Posted by bobprimak View Post
    Web sites can use additional means to protect secure logins and other interactions.
    Like what?


    Quote Originally Posted by bobprimak View Post
    With the Linux GNU-TLS Bug, the issue with TLS not being secure is mitigated by the fact that GNU-TLS does not stand alone in most secure web connections.
    What else stands with it? (OpenSSL is an alternative.)


    Bruce

  3. #18
    Lounge VIP bobprimak's Avatar
    Let's just let the two articles I referenced in my earlier post speak for themselves.
    Last edited by bobprimak; 2014-04-10 at 11:47.
    -- Bob Primak --

  4. #19
    Super Moderator
    Quote Originally Posted by bobprimak View Post
    Let's just let the two articles I referenced in my earlier post speak for themselves.
    I can't find any reference in either of those articles to your mystery ingredient X for secure web connections.

    Bruce

  5. #20
    2 Star Lounger
    Join Date
    Dec 2009
    Location
    USA
    Posts
    165
    Thanks
    3
    Thanked 21 Times in 17 Posts
    Quote Originally Posted by BruceR View Post
    Only one security measure there really, since HTTPS is just HTTP on top of SSL.



    Like what?



    What else stands with it? (OpenSSL is an alternative.)


    Bruce

    EV Certificates, client-side certificates (rare), and certificate/public key pinning are possibilities. Chromium based browsers utilize certificate/public key pinning on some websites.
    Last edited by cloudsandskye; 2014-04-09 at 23:16.

  6. #21
    Lounge VIP bobprimak's Avatar
    Quote Originally Posted by BruceR View Post
    I can't find any reference in either of those articles to your mystery ingredient X for secure web connections.

    Bruce
    I'm guessing SSL is a much broader term than I had originally thought.
    -- Bob Primak --

  7. #22
    Super Moderator
    Quote Originally Posted by cloudsandskye View Post
    EV Certificates, client-side certificates (rare), and certificate/public key pinning are possibilities. Chromium based browsers utilize certificate/public key pinning on some websites.
    But each of those certificate enhancements to improve identity verification of the two end-points still relies on SSL to protect all data transmission between the two, including passwords, right? (The original comment was about additional means to protect secure logins.)

    Bruce
    Last edited by BruceR; 2014-04-10 at 12:14.

  8. #23
    2 Star Lounger
    EV Certificates tend to be more of a warning flag, but pinning, at least from the point of view of OWASP, came about as an additional means to secure the channel due to the failure of SSL and TLS to provide proper security under certain types of attacks.

  9. #24
    Super Moderator
    Quote Originally Posted by cloudsandskye View Post
    EV Certificates tend to be more of a warning flag, but pinning, at least from the point of view of OWASP, came about as an additional means to secure the channel due to the failure of SSL and TLS to provide proper security under certain types of attacks.
    Isn't certificate pinning something which is implemented in the client/browser for "outgoing" connections, rather than something which web sites can implement for all "incoming" connections? (The original comment was about extra steps available to web sites to secure logins beyond SSL.)

    Bruce

  10. #25
    2 Star Lounger
    Yes, pinning is usually going to come from the browser. Sorry, I thought this thread was about the whole pipeline, not just the website. So, looking back at post #9, where this subject appears to have originated (“connection is far more secure than ordinary SSL, and it uses different security protocols”), my guess would be that what Yahoo is referring to is probably an Extended Validation SSL Certificate. This SSL certificate came out of The Certification Authority Browser Forum (https://cabforum.org) a couple years ago and has security enhancements not available with a standard SSL certificate. Although EV is more secure than ordinary SSL, whether it’s “far more secure,” or not, is debatable.
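
Added example, not part of any poster's reply: a minimal client-side certificate pin check of the kind discussed in posts #24 and #25, showing that the pin is enforced by the client on top of ordinary TLS validation rather than replacing it. It pins the SHA-256 of the whole leaf certificate using only the Python standard library (public-key pinning would hash the SubjectPublicKeyInfo instead); the function names and the byte strings standing in for certificates are constructed for illustration.

```python
import hashlib
import hmac
import socket
import ssl
from typing import Iterable


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded leaf certificate, hex encoded."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pins: Iterable[str]) -> bool:
    """True if the presented certificate matches any configured pin.

    An empty pin set fails closed instead of accepting every certificate.
    """
    presented = cert_fingerprint(der_cert)
    matched = False
    for pin in pins:
        matched |= hmac.compare_digest(presented, pin.lower())
    return matched


def connect_pinned(host: str, port: int, pins: Iterable[str]) -> ssl.SSLSocket:
    """Open a TLS connection, then apply the pin after normal validation."""
    ctx = ssl.create_default_context()  # CA chain and hostname checks stay on
    raw = socket.create_connection((host, port), timeout=10)
    try:
        sock = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    der = sock.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, pins):
        sock.close()
        raise ssl.SSLError(f"certificate for {host} does not match any pin")
    return sock


# Constructed stand-ins for DER certificates (not real certificates).
CURRENT_CERT = b"constructed-der-bytes-current"
BACKUP_CERT = b"constructed-der-bytes-backup"      # pin kept for key rollover
ROGUE_CERT = b"constructed-der-bytes-issued-by-other-ca"
PINS = {cert_fingerprint(CURRENT_CERT), cert_fingerprint(BACKUP_CERT)}
```

A certificate that chains to a trusted CA but is not in `PINS` is still rejected by `connect_pinned`, which is the extra check pinning adds; the data in transit is protected by TLS either way.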

  11. #26
    Lounge VIP bobprimak's Avatar
    The OP wasn't really asking about security details.

    What was asked about is what Frontier might be asking for and why, when they said to upgrade the email client's security settings.

    This usually refers to requiring SSL or STARTTLS in the Account Profile. (I'm using the Thunderbird term for Account Settings.)

    It's done in order to enable a secure connection, which in light of the recent Heartbleed revelations, has until recently not been all that secure after all. But that issue aside, it's always reassuring to see in a browser the Padlock, and to have a similar secure connection in an email client.

    I think anything more technical is a bit of overkill here.
    -- Bob Primak --

  12. #27
    Super Moderator
    Quote Originally Posted by bobprimak View Post
    The OP wasn't really asking about security details.

    ...

    I think anything more technical is a bit of overkill here.
    It was your oblique references to other security measures and different security protocols which caused us to go off tangent.

    Bruce

  13. #28
    Lounge VIP bobprimak's Avatar
    Quote Originally Posted by BruceR View Post
    It was your oblique references to other security measures and different security protocols which caused us to go off tangent.

    Bruce
    For which I apologize.
    -- Bob Primak --
