From: Euricelia V. W. <eur...@tr...> - 2002-03-21 16:03:31

Is there any initiative of plugin or option in SquirrelMail to integrate with pgp or gnupg to sign and crypt messages?

Thanks,

Euricelia.

From: <squ...@te...> - 2002-03-21 16:26:25

> Is there any initiative of plugin or option in SquirrelMail to
> integrate with pgp or gnupg to sign and crypt messages?
>
> Thanks,
>
> Euricelia.

I don't know of anyone doing this, but I've thought about it and I'm not capable of writing it with the time I have. There is HIGH interest in it on my part though.

Bryan

+------------------------+
| My BlowFish ate my MD5 |
+------------------------+

From: Angus D M. <ii...@to...> - 2002-03-21 18:13:06

Euricelia Viana Wanderley, Thu, Mar 21, 2002 at 01:05:04PM -0300:
>
> Is there any initiative of plugin or option in SquirrelMail to integrate
> with pgp or gnupg to sign and crypt messages?
>

Encrypting messages could be implemented fairly easily with a plugin if gnupg was installed on the server. It would need to be called with exec() or sys() as there are currently no libraries for gnupg (and no php support).

Signing messages would be much more difficult to implement, because that would imply storing a private key on the server (very bad idea) and also transmitting the passphrase to the key (could be easily logged by an unscrupulous admin).

I would not recommend storing your private gpg key on a box where you are not root or do not trust the admin implicitly.

That said, you could generate a key for the squirrelmail server to sign messages, but that would defeat the purpose of signing messages as everyone's message would be signed with the same key.

g

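The encrypt-only approach described in the message above, as an added example that is not part of the original thread and not SquirrelMail code: it calls gpg from PHP without a shell and needs only recipients' public keys on the server, so no private key or passphrase is ever stored or transmitted. The function name, the `$homedir` keyring path and the use of `--trust-model always` (which assumes keys were verified when imported) are assumptions, as is PHP 7.4 or later for the array form of `proc_open()`.

```php
<?php
// Added example, not SquirrelMail code. Assumes PHP >= 7.4 and a gpg binary on PATH.
// $homedir is a hypothetical keyring directory holding recipients' PUBLIC keys only.

function gpg_encrypt_for(string $plaintext, string $fingerprint, string $homedir): string
{
    // Accept only a full 40-hex-digit fingerprint so user input can never
    // be read by gpg as an option or as an ambiguous user-id match.
    if (!preg_match('/\A[0-9A-Fa-f]{40}\z/', $fingerprint)) {
        throw new InvalidArgumentException('recipient must be a 40-hex fingerprint');
    }

    // The array form of proc_open() runs gpg directly, with no shell involved.
    $cmd = ['gpg', '--homedir', $homedir, '--batch', '--no-tty', '--armor',
            '--trust-model', 'always', '--encrypt', '--recipient', $fingerprint];

    // Temporary files for stdout/stderr avoid a pipe deadlock on large messages.
    $out = tmpfile();
    $err = tmpfile();
    $proc = proc_open($cmd, [0 => ['pipe', 'r'], 1 => $out, 2 => $err], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start gpg');
    }

    // The message body goes in on stdin, never on the command line.
    fwrite($pipes[0], $plaintext);
    fclose($pipes[0]);
    $status = proc_close($proc);

    rewind($out);
    $ciphertext = stream_get_contents($out);
    if ($status !== 0 || strpos($ciphertext, '-----BEGIN PGP MESSAGE-----') !== 0) {
        rewind($err);
        throw new RuntimeException('gpg failed: ' . trim(stream_get_contents($err)));
    }
    return $ciphertext;
}
```

A caller should treat any exception as a reason not to send the message, rather than falling back to sending it in cleartext.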
From: <squ...@te...> - 2002-03-21 18:23:00

> Euricelia Viana Wanderley, Thu, Mar 21, 2002 at 01:05:04PM -0300:
>>
>> Is there any initiative of plugin or option in SquirrelMail to
>> integrate with pgp or gnupg to sign and crypt messages?
>>
>
> Encrypting messages could be implemented fairly easily with a plugin if
> gnupg was installed on the server. It would need to be called with
> exec() or sys() as there are currently no libraries for gnupg (and
> no php support).
>
> Signing messages would be much more difficult to implement, because
> that would imply storing a private key on the server (very bad idea)
> and also transmitting the passphrase to the key (could be easily logged
> by an unscrupulous admin).
>
> I would not recommend storing your private gpg key on a box where you
> are not root or do not trust the admin implicitly.
>
> That said, you could generate a key for the squirrelmail server to sign
> messages, but that would defeat the purpose of signing messages as
> everyone's message would be signed with the same key.
>
> g

There are always going to be security issues with the web, but the only way I can see to do this with minimal security is an applet over an ssl connection. Be the applet flash (preferred) or java (blech), it will offer a little bit more security. The other option is to store the keys encrypted and use a password for them that is passed over an ssl line, but that would be way too much hassle in my opinion. Either way you will want to check with the crypto guys who actually know what they are doing to find the best solution. I would start with the GNUpgp mailing list and dev lists.

Bryan

+------------------------+
| My BlowFish ate my MD5 |
+------------------------+

From: Angus D M. <ii...@to...> - 2002-03-21 20:37:14

squ...@te..., Thu, Mar 21, 2002 at 08:48:14AM -0500:
>
> There are always going to be security issues with the web, but the only way
> I can see to do this with minimal security is an applet over an ssl
> connection. Be the applet flash (preferred) or java (blech), it will offer a
> little bit more security. The other option is to store the keys encrypted
> and use a password for them that is passed over an ssl line, but that would
> be way too much hassle in my opinion. Either way you will want to check
> with the crypto guys who actually know what they are doing to find the best
> solution. I would start with the GNUpgp mailing list and dev lists.
>

Can applets access files on the local machine? I thought plugin security did not allow that.

g