[Swlug] Broken link on the website

Dave Cridland dave at cridland.net
Thu Nov 14 12:55:21 UTC 2013


On Wed, Nov 13, 2013 at 11:13 PM, Mark Einon <mark.einon at linux.com> wrote:

> Am I missing something here? Is there a point to encrypting a public
> mailing list?
>
>
Well, I was talking specifically about the website, but you're right -
there's no point in encrypting the content of a public mailing list. There
*is*, however, a point to encrypting the traffic.


> Also, aren't CAs known to be vulnerable to NSA snooping...end-to-end
> encryption such as PGP would be more secure?
>
>
Actually, no - CAs have been - we think - coerced into signing certificates
for the NSA. That's different, because a CA has no more knowledge of the
private keys involved than you do if you signed a PGP key.

Given a CA compromised in this way by an attacker, the attacker could
obtain a certificate as Bob, and Alice would think it was Bob she was
talking to, with the attacker either posing as Bob or acting as a
Man-In-The-Middle. Either way, it requires a direct targeted attack - that
is, the NSA would in this instance need to be directly trying to snoop on
you or SWLUG.

Running opportunistic encryption everywhere at the TLS level, though - even
with self-signed certificates - prevents an *untargeted* attack, where the
attacker simply fishes with a broad net and looks for interesting things.

PGP, on the other hand - and indeed S/MIME, too, if you're into X.509 -
only encrypts the content and not the traffic overall, so an attacker would
still be unable to read the mails themselves, but would be able to read the
traffic (including header fields from the message, thus being able to see
what the message-id was and extract the messages from the public archives).
So it is, as you say, a bit pointless.

Of course, you could decide not to bother encrypting stuff to SWLUG, and
only encrypt traffic to other sites which you communicate high value
secrets to. In which case that traffic sticks out, rather, to the attacker.


> Public key attached if anyone is into that sort of thing :p
>

Which is worthless, as there's no way to authenticate you with it. ;-)

Dave.
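
Added example, not part of the original post: a Python sketch of the content-versus-traffic distinction made above, showing which fields of a PGP/MIME message remain readable on a plaintext SMTP hop. The message, addresses, Message-ID and the function name passive_view are constructed for illustration.

```python
from email import message_from_string
from email.policy import default

# Constructed sample: an RFC 3156 PGP/MIME message as it would cross a
# plaintext SMTP hop. The payload is a placeholder, not real ciphertext.
RAW = """\
From: alice@example.org
To: list@example.net
Subject: Quarterly numbers
Message-ID: <20131114.0001@example.org>
Date: Thu, 14 Nov 2013 12:00:00 +0000
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
 boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

(constructed placeholder)
-----END PGP MESSAGE-----

--b1--
"""


def passive_view(raw, tls=False):
    """Return what a passive reader of one SMTP hop learns about a message."""
    if tls:
        # Opportunistic TLS, even with an unauthenticated certificate, hides
        # the whole exchange from a reader who does not actively interpose.
        return {"headers": {}, "body": "hidden"}
    msg = message_from_string(raw, policy=default)
    # PGP/MIME protects only the second MIME part; every top-level header,
    # including Subject and Message-ID, travels in the clear.
    headers = {name: str(value) for name, value in msg.items()}
    encrypted = (msg.get_content_type() == "multipart/encrypted"
                 and msg.get_param("protocol") == "application/pgp-encrypted")
    return {"headers": headers,
            "body": "ciphertext" if encrypted else "plaintext"}


if __name__ == "__main__":
    for tls in (False, True):
        print("TLS" if tls else "plaintext hop", passive_view(RAW, tls))
```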