Recently in E-Mail Security Category

Appropriate trust on the Internet

There's an interesting story at The Register about the recent leaking of embassy credentials amongst others, by an individual in Sweden.

The story is that someone set up some Tor exit nodes and then sniffed the traffic that came out over them.

There are several interesting points that come out of this, I think.

  • Understand the type of security provided by a system. Tor is not end-to-end encryption and you are trusting the exit node as you would trust an ISP router.
  • What was done here can be done by any ISP employee. A Tor exit node is essentially like an ISP router. Anything that can be gained by sniffing a Tor exit node could also be gained by any employee of an ISP for the traffic that that ISP handles.
  • Embassy users are logging on to their services in the clear!? The main problem here seems to be that embassy staff are logging on to e-mail systems in the clear over an untrusted network (the Internet). It seems odd that they'd go to the trouble of using Tor to anonymise their traffic but not go to the trouble of using SSL or an equivalent to protect their logon credentials end-to-end...
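A defender-side check for the last point, as an added example that is not part of the original post: it reads a mail client's session transcript and reports credential-bearing commands sent before TLS was confirmed, including the case where the server refuses the upgrade and the client carries on in the clear. The `C: `/`S: ` transcript format, the function name and the sample sessions are assumptions constructed for illustration.

```python
import re

# Per protocol: credential-bearing client command, TLS-upgrade command,
# and the server reply that confirms the upgrade.
RULES = {
    "pop3": (r"(USER|PASS|APOP|AUTH)\s+\S", r"STLS\b", r"\+OK"),
    "imap": (r"\S+\s+(LOGIN|AUTHENTICATE)\b", r"\S+\s+STARTTLS\b", r"\S+\s+OK\b"),
    "smtp": (r"(AUTH)\s+\S", r"STARTTLS\b", r"220\b"),
}

def cleartext_auth(protocol, transcript):
    """Return the auth command verbs sent before TLS was confirmed.

    Only the verb is reported, never its argument, so the finding
    itself does not repeat the secret. The SASL mechanism is not
    evaluated: any AUTH before TLS is reported.
    """
    auth_re, tls_re, ok_re = (re.compile(p, re.I) for p in RULES[protocol])
    findings, upgrade_pending = [], False
    for entry in transcript:
        side, _, text = entry.partition(": ")
        text = text.strip()
        if side == "S":
            if upgrade_pending and ok_re.match(text):
                return findings      # TLS confirmed: the rest is encrypted
            upgrade_pending = False  # no confirmation: still cleartext
        elif tls_re.match(text):
            upgrade_pending = True
        else:
            m = auth_re.match(text)
            if m:
                findings.append(m.group(1).upper())
    return findings

# Constructed sample sessions (not real captures).
POP3_PLAIN = ["S: +OK POP3 ready", "C: USER alice", "S: +OK",
              "C: PASS example-password", "S: +OK logged in"]
IMAP_TLS = ["S: * OK IMAP4rev1 ready", "C: a1 STARTTLS",
            "S: a1 OK Begin TLS negotiation now",
            "C: a2 LOGIN alice example-password"]
SMTP_REFUSED = ["S: 220 mail.example ESMTP", "C: EHLO client.example",
                "S: 250 mail.example", "C: STARTTLS",
                "S: 454 TLS not available",
                "C: AUTH PLAIN <base64 credentials>", "S: 235 ok"]

if __name__ == "__main__":
    for proto, session in (("pop3", POP3_PLAIN), ("imap", IMAP_TLS),
                           ("smtp", SMTP_REFUSED)):
        print(proto, cleartext_auth(proto, session))
```

Sessions on implicit-TLS ports (POP3S, IMAPS, SMTPS) are encrypted from the first byte and need no such check.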

Insecure encrypted email?!

Espion automates e-mail encryption

Maybe I'm missing something here, but reading this article it seems that someone's come up with an encrypted mail product that's pretty insecure... From the article:

"MXLock uses two-key encryption; one of the 1,024-bit keys resides at the sender’s gateway, the other is delivered to the recipient as part of the e-mail. When the recipient gets an e-mail from an MXLock user who has encrypted a message, the recipient is directed to click on a link embedded in the e-mail. Once at this Web page, the recipient’s key is authenticated against the key stored in MXLock and a browser window is opened for viewing or downloading the decrypted message, Chakravarthi explains."

So if you intercept the mail en route to the recipient, you get the key that's sent (it can't be encrypted, as there would be no way to decrypt it), then you click on the link, allow the key to be authenticated, and read the mail... How would this be any use? The risk you are mitigating (interception and reading of the mail in transit) isn't mitigated, because you can just use the intercepted key and link to get to the mail anyway!

I checked the website of the vendor for a whitepaper but there's none that I can see....

Outsourcing mail security, hmmm...

In an article over at Yahoo we're told Mail Security Service Model Marches On. It's interesting, as there definitely is an interesting proposition in outsourcing things like management of e-mail security. However, I must say I'd not be too comfortable outsourcing something as critical as e-mail without some very good assurances and SLAs surrounding it.

For example, I'd hate to be the e-mail admin who has to troubleshoot their mail delivery when I didn't control the whole path for the mail out to the recipient, especially if there's a possibility of false positives, as there is with many e-mail spam/virus management packages.....

About this Archive

This page is an archive of recent entries in the E-Mail Security category.

Database Security is the previous category.

Flights of Fancy is the next category.

Find recent content on the main index or look in the archives to find all content.
