Encryption Security

Enigmail Standard In Mandrake 9.0 181

AxelTorvalds writes "The Mozilla 1.1 RPMs in Mandrake 9.0 contain the enigmail plugin. It seamlessly encrypts, signs, decrypts and authenticates email with GPG or PGP in the Mozilla Mail client. This is the first major distributor I know of to support enigmail. With this and Evolution and Kmail both supporting GPG and PGP are we at the dawn of that golden age when encrypted email will be commonplace?" Update: 09/15 17:26 GMT by T : Borked link fixed.

  • This is of course the correct link [mozdev.org].

  • Excellent... except (Score:2, Interesting)

    by gmplague ( 412185 )
    Excellent, except as I recall, Microsoft Outlook has had this ability since the release of Windows XP... sure it's not GPG and PGP messages, but it's seamless strong encryption. I love mandrake though, and this is a great step. Good work team!
    • Gnus has had this ability for years.
      • Awww be quiet. Mandrake has had this since rc 1 (9.0 is not out YET) but it doesn't mean this is bad. I am very glad to see this because it means strong encryption will be brought to people who otherwise would not learn it. I think default strong encryption is a good idea because as we all know a non-techie probably won't spend time working on encrypting emails. It has to be there without them doing anything for it to get used.
    • "Excellent, except as I recall, Microsoft Outlook has had this ability since the release of Windows XP"

      Was not XP released many years after KMail supported encryption?

      Also to troll (sorry) what use email encryption if a virus can send the contents of your inbox + personal files to everyone in your address book?

      • "Also to troll (sorry) what use email encryption if a virus can send the contents of your inbox + personal files to everyone in your address book?"

        What use is CD copy protection when someone working at the pressing plant can steal a copy for him/herself?
        What use is 40 bit encryption when some groups have Cray X1's?

        The possibility that a rare and unlikely scenario may bypass a protection mechanism does not entirely preclude the usefulness of the mechanism.

        Encryption works great in 99% of cases where someone might be snooping.
        • gmplague:
          "Excellent, except as I recall, Microsoft Outlook has had this ability [email encryption] since the release of Windows XP."

          XPlightcycler: (in reply)
          "Also to troll (sorry) what use email encryption if a virus can send the contents of your inbox + personal files to everyone in your address book?"

          Sivar: (in reply to the reply)
          "The possibility that a rare and unlikely scenario may bypass a protection mechanism does not entirely preclude the usefulness of the mechanism."

          This [sivar's] point is valid, but I have to ask, where do Outlook's susceptibility to virii/remailer worms and 'rare and unlikely' meet. Outlook (& its cousin Outlook Express) are extremely susceptible to them, in my experience at least. Just because these pieces of software can do good encryption doesn't make them secure, for that you would at least need to add a third party virus scanner.
      • Also to troll (sorry) what use email encryption if a virus can send the contents of your inbox + personal files to everyone in your address book?

        <paranoia mode="tinfoil beanie">
        Or one that just mails your private keyring back to black helicopter command. It would save the NSA millennia of computer time if they could just steal keys instead of having to crack them all. If it only stole one file and then deleted itself, few users would even notice it.
        </paranoia>
    • ROT13 isn't strong encryption.
  • Shakes head (Score:3, Insightful)

    by Reality Master 101 ( 179095 ) <<moc.liamg> <ta> <101retsaMytilaeR>> on Sunday September 15, 2002 @01:24PM (#4261224) Homepage Journal

    With this and Evolution and Kmail both supporting GPG and PGP are we at the dawn of that golden age when encrypted email will be commonplace?

    Of course! Because we know that the only thing holding back encrypted e-mail is the fact that Linux didn't have it built in! (rolls eyes)

    Of course, the fact that it's extremely difficult (if not impossible) to make it fully automatic for the users has nothing to do with it.

    • Sen:te [sente.ch] has put together something that works seamlessly and automatically w. OS X's Mail.

      But you are right - the lack of Linux (or Mac) support is not what has kept secure email from becoming more wide-spread.
    • Re:Shakes head (Score:4, Insightful)

      by StillAnonymous ( 595680 ) on Sunday September 15, 2002 @01:44PM (#4261323)
      The important thing is that Mozilla is cross-platform so this gives almost everyone FREE access to an email client that can do all the encryption/decryption nearly transparently.

      I'd say that is indeed a big step forward.
    • A mate and I tried to set up encrypted email a couple of months back. I use evolution and he uses Pine (I Think). The hardest part was setting up the public/private keys and getting all that working. We had to do that via the command line which 'end users' wouldn't find easy. Once we had done that then it is _really_ easy to use in evolution. Simply create a new email and select 'Security|PGP Encrypt' and it's done. In pine the problem was reading the email I sent. My friend had to save the attachment and then decrypt it. However sending encrypted email from pine was easy.

      I do agree though that once it is a seamless process from setup to use then it will become more popular. /b
    • Re:Shakes head (Score:3, Informative)

      by ocelotbob ( 173602 )
      Have you used the systems you're talking about, or are you just talking out of your ass again? The whole point of enigmail, which I have installed on this system, is to make it as seamless and automatic as possible to encrypt/decrypt messages. Currently, I have it set up to automatically sign my messages by default, though switching to automatic encryption is simply a matter of changing a menu option. The binary will have everything you need already installed, all you'll have to do is have it make a key.

      Just because Microsoft has made it difficult and/or impossible to have secure mail, doesn't mean other vendors have such difficulties.

      • or are you just talking out of your ass again?

        As usual, I know exactly what I'm talking about.

        The whole point of enigmail, which I have installed on this system, is to make it as seamless and automatic as possible to encrypt/decrypt messages.

        Key words: "as possible". This does not make it easy or transparent.

        Currently, I have it set up to automatically sign my messages by default, though switching to automatic encryption is simply a matter of changing a menu option.

        This shows your lack of understanding of the problem. Sure, you could just "flip the switch", but think about how that has to work. To encrypt a message to someone, you have to have their public key. This requires the user to make a conscious choice to get another person's public key before they can send an e-mail. Do you really think Grandma is going to ask for my public key before sending me an e-mail? I know all about these things, and *I'm* not going to bother to do it.

        The only way encryption is ever going to be mainstream is if it's supported at the SMTP level -- I send a query to an e-mail recipient for their public key, it gets sent back, I encrypt, then send the mail. That's the ONLY way it's ever going to happen.

        Unfortunately, it also means reworking a lot of how SMTP works, including SMTP forwarding, etc. Not to mention the authentication problems imposed by this solution (man in the middle substitutes a different public key, for example).

        The other way it could be done is to have a centralized public key registry index by e-mail address, but who runs it? Who pays for it? And how do you get all the e-mail clients to recognize it as an authority? Probably the way it should be done is decentralized, somewhat like DNS.

        There's a reason these problems haven't been solved up until now: they're EXTREMELY difficult.

    • Of course, the fact that it's extremely difficult (if not impossible) to make it fully automatic for the users has nothing to do with it

      Actually, while the setup is still not idiot-proof, actually using gpg in mutt is really, really easy, and works exactly the way I like. I automatically sign everything I send. mutt caches my password in memory so I don't have to type it over and over when sending a quick succession of emails. I automatically verify incoming signed emails, and download their keys if I don't have them from the keyservers automatically. Mutt gives me a status on whether the web of trust includes the key signing a letter. Dunno about encryption, since I can't find anyone else using pgp/gpg with encryption to find out with....
  • Spam I can't read!
  • by Anonymous Coward
    In a word: no.

    The thing holding up encryption isn't Mandrake, or Linux, or the NSA. It's making it easy for my mom to use when she sends me a hoax chain letter from her AOL account, promising me that Bill Gates is going to send me $500 if I forward it to all my friends too.

    Seriously, though, it's the least common denominator. Maybe with the adoption of DNSSEC and SMTP extensions we can eventually have pseudo end-to-end encryption handled by the mail servers themselves. But until the more common email clients perform encryption on their own, no pgp keys to import, etc., don't look for my mom to start using it.

    • Eh, how precisely is this magical encryption supposed to take place without any key exchange? You might be able to have "secure" email between a mail client and a mail server by using SSL, but the message itself can't be encrypted to a specific recipient without a shared key (or else how would that recipient - and only that recipient - decrypt it?).

      The way to make mail encryption prolific is to make key creation, key escrow, and key exchange a simple process. Personally, I think the best way to handle that is to establish a government program for the issuance and authentication of "Internet ID's". Basically, a person applies for an IID by providing verified proof of their identity, then they are issued a smartcard which contains their secret key. To use the card, you need a smartcard reader on your PC (or a cheap aftermarket USB reader). When you want to send a key signed email or decrypt an encrypted email sent to you, you insert your card in the reader, and type in your password or PIN.

      When someone receives a signed email from you, they don't need to exchange your public key with you, since their software automatically connects to the government key server via the Internet, requests your public key and verifies the signature. Likewise, when they want to send you mail, their mail client searches the federal key database for the recipient's key, and if available, either offers the option to encrypt, or does so automatically (a user-defined option).

      Of course, the NSA and the National Security Council will likely poo-poo such a plan, unless of course they are allowed to escrow the secret keys, thus enabling them to decrypt anyone's email. I don't know that this is such a big deal though, since unless you regularly encrypt your email, the government is already reading it.
      • > Eh, how precisely is this magical encryption supposed to
        > take place without any key exchange?

        PGP and GPG work on public-key principles. In brief, there
        are _two_ keys, one used to do the mangling and the other used
        to do the unmangling. One of these two keys is public, and the
        other is (supposed to be) not shared. If you encrypt with your
        private key, then anyone can read it (with the public key, which
        is shared), but they can verify that it was encrypted by the
        holder of the private key. If you want only one party to be
        able to read it, you get his public key (which is publicly
        shared) and encrypt with that, and then his private key (which
        you don't have) is needed to read it.

        The thing holding common encryption of email back is plain
        and simple: to almost everyone, the privacy of encrypted
        mail is unnecessary, but knowing that the recipient will be
        able to read the message (whether his mail client knows
        about encryption or not) is important. Encrypted mail is
        really only useful if the person you're sending the message
        to maintains a publicly available public key and keeps
        his private key private on a secure system. No amount of
        client support will change that. However, client support
        _does_ mean that people who specifically want to exchange
        encrypted mail with one another can, without a lot of
        technical knowledge. But people who don't need the privacy
        of encrypted mail still won't bother, and I don't see how
        that's a bad thing. People who don't mind getting phone
        calls don't have unlisted numbers, either. Some of us just
        don't have a lot of really sensitive information that would
        be any huge disaster if random people found out about it.
        Those of you who do can use the feature when exchanging
        mail with one another, and the rest of us can ignore it.

        Just wait until the spammers get the wrong idea and start
        sending encrypted messages, advertising encryption software
        like as not...
  • just in time (Score:2, Insightful)

    by Scaebor ( 587064 )
    are we at the dawn of that golden age when encrypted email will be commonplace?

    And with the coming of quantum computing as reported in past articles, this golden age, like any, will have a definite ending point

    • The existence of quantum cryptography, while being infinitely strong, doesn't make things before it automatically weak. PGP/GPG is "good enough" and will be for a long, long, time.
    • What do you want to bet that the government will try to make quantum computing a munition? Or illegal for private citizens or something?
  • The correct link (Score:1, Redundant)

    by RPoet ( 20693 )
    Don't the slashdot editors even click the links in the article they post?

    This is the correct link [mozdev.org].
  • by Tester ( 591 ) <olivier@crete.ocrete@ca> on Sunday September 15, 2002 @01:33PM (#4261270) Homepage
    I'd like to point out that the mozilla 1.1 ebuild in gentoo actually includes enigmail... But yes I know that it is still masked for some reason that's outside of my understanding.
    • by DataShark ( 25965 ) on Sunday September 15, 2002 @01:36PM (#4261286) Homepage


      It's only masked because we are in a feature freeze pending the release of gentoo 1.4 ... The first distro fully optimized for gcc3.2 (currently we are at rc1 stage)

      Regards
      • It's only masked because we are in a feature freeze pending the release of gentoo 1.4 ... The first distro fully optimized for gcc3.2 (currently we are at rc1 stage)

        I doubt that.

        Mandrake 9.0, which according to various sources within Mandrakesoft (specifically Warly, who is the guy who makes these decisions), will be released within two days of September 15, iow, within the next two days.

        Will Gentoo beat Mandrake to the punch?

  • by fire-eyes ( 522894 ) on Sunday September 15, 2002 @01:34PM (#4261275) Homepage
    freenode.net #gentoo asked me to do this.

    Gentoo was the first, and yes, gentoo IS major.

  • Because we are not all paranoid?

    What's next? Scrambling your voice over the telephone?
    • Because it's the same as sending an email.
    • These already exist for the commercial market. They may not be third generation secure telephone units like the feds use (STU III) but they do use a government standard. Take a look at the link: http://www.securitymanagement.com/library/001273.html [securitymanagement.com] and scroll down a few items

    • What's next? Scrambling your voice over the telephone?

      http://www.pgpi.org/products/pgpfone/ [pgpi.org]
    • Re:No. (Score:5, Insightful)

      by Jeremiah Cornelius ( 137 ) on Sunday September 15, 2002 @02:03PM (#4261398) Homepage Journal
      > No. Because we are not all paranoid?

      >What's next? Scrambling your voice over the
      >telephone?

      You really don't get the point about common-place message encryption yet.

      I hope I can illustrate this in a helpful way, without appearing to condescend:

      All plain-text e-mail - without encryption - can be likened in the snail-mail model, to a post-card. The message contents, sender and receiver, are all in plain view of anyone who might take a notice. At its most mundane, message cryptography can be seen as providing the equivalent of a digital envelope.

      Of course, e-mail is not a postcard. In fact, the situation is better compared to sending postcards through a system which photocopies your message every time it passes through another station or container in its transit.... Oh, and every time it is photocopied, it is done by different individuals and agencies, many of whom you may never have had any prior contact or relationship.

      The desire to manage who has access to the content of such messages is not paranoia. If you are in the habit of sending e-mail in the context of any business, deploying encryption and certificate technologies would fall under the domain of "Due Diligence". Not using them routinely would constitute failure to exercise "Due Care" - both of which have considerable legal and regulatory implications.

      If you are an executive, a middle-manager or systems administrator, a tool like PGP now enables mail as a trusted path for exchange within your own organization sensitive information that would otherwise have to be circulated by more cumbersome means.

      When you consider the wide variety of purposes for which most all people use SMTP as a transport, it is irresponsible to marginalize the use of encrypting mechanisms, or to view advocates of their use with suspicion.

      Or, you can keep stapling your phone-bill to a 3x5 card! ;-)


      • Excellent explanation. Mod parent up!!!!
      • I don't think you get it. The fact is, some people (like me for instance) are not at all bothered by what you describe. I understand what you say, and actually, I don't usually mind copies of my emails sitting on servers all around the world.

        Of course, I have nothing against anyone using encryption. I'd use it myself if I felt it was needed for a particular message. But I don't see ubiquitous encryption as a golden age.
        • So,
          If the U.K. government starts the monitoring and surveillance of Nationals who have made repeat visits to countries governed by suspect regimes (Vietnam), or home to significant revolutionary guerilla movements (Peru), you would have no objection?

          If -- by extra-legislative intelligence agreements -- they shared this information with unaccountable foreign agencies in the U.S., Canada and Australia... You'd still be comfortable with that? I'm sorry if I have taken the argument closer to the "paranoia" scenario.

          I take your point about "Golden Age" hyperbole. But the issues are farther reaching, by implication, than even most well-informed people are aware of.

          • Your comments deserve a reply. As it happens, I am a British citizen and I have also been to both Peru and Vietnam - so I suppose that means I might be a target for surveillance... Well, that's fine by me. I have nothing to hide.

            I also don't have a problem with government agencies sharing information in order to track down the real crooks. International cooperation is important. The real crooks are probably using strong encryption anyway. At least MI6 and the CIA will be able to eliminate me from their enquiries quickly 8-)
            • Exactly what I'm getting to. I -of course- know about your national origins and specific travels, because you thoughtfully include a personal URL on /.

              I am glad you are unconcerned by the free traffic of personal and sensitive communications into hands of unintended recipients with indeterminate motives.

              I think it naive to view MI6, etc. as "Good Guys" who will accurately use this intelligence to correctly identify "Bad Guys". The historical performance by U.K. and U.S. on these counts is miserable. Sometimes the "Bad Guys" are villagers trying to clean up foreign polluters in Malaysia, or people like Nelson Mandela... I won't try to convince you further on this point. Read, and draw your own conclusions.

              Even when the agenda and motive of, say MI6, are not in doubt, do you want to be Mr. Buttle from Brazil?

              Oh, and the "Bad Guys" aren't generally using strong encryption. This was one of the Red Herring issues in the pseudo-intelligence speculation after 9/11. Talking Heads from "expert" think-tanks spouted these claims like mad, and started a mini craze on searching for encrypted terror communiques. Never happened. All the communications were plain text and regular phone conversations. The interviewees last week on Al Jazeera explained clearly how coded phrases were used to pass information on open channels.

              What is harmful in your attitude is that you imply there is again something criminally suspect in the casual use of encryption technologies. I refer you to my earlier post in this thread - There is potential criminal and civil liability in NOT employing encryption, when commonly available.

              • So, Mr Cornelius. I seem to have underestimated you. It appears that my evil plan to hide my nefarious activities in Peru and Vietnam by publishing the information openly on the internet has badly backfired...

                In all seriousness, I don't see the use of strong encryption as necessarily suspect. I think everyone should make up their own mind on that, based on their view of what they do and don't mind others knowing about themselves. I personally would only bother with it for something that I wanted to keep private. Some things [goldby.net] are just too boring to bother keeping private ;-)

                And yes, I stand corrected on the 11 Sept stuff - now you mention it I do remember hearing that codewords were used instead of encryption.
  • by RPoet ( 20693 ) on Sunday September 15, 2002 @01:36PM (#4261284) Journal
    "With this and Evolution and Kmail both supporting GPG and PGP are we at the dawn of that golden age when encrypted email will be commonplace?"

    Yes, definitely. With the three most popular e-mail clients in the world (Mozilla Mail, KMail and Evolution) all supporting encryption, I'm sure e-mail encryption will finally be the rule.
    • > With the three most popular e-mail clients in the world (Mozilla Mail, KMail and Evolution) all supporting encryption

      I hear some folks are using Outlook and Outlook Express, too. ;-)
    • Yes, definitely. With the three most popular e-mail clients in the world (Mozilla Mail, KMail and Evolution) all supporting encryption, I'm sure e-mail encryption will finally be the rule.

      Please, AxelTorvalds was obviously talking about the Linux world. You could also object that he said "the first major distributor" instead of "the first major GNU/Linux distributor". What's the need for a cheap shot? How about being a bit nicer to other posters?

    • Not necessarily, encryption of mail will still require people to actually understand the principles of public-key cryptography and distribute their public-key so people can encrypt mail to them, and as far as I know, neither kmail, evolution or mozilla integrates an option to export your public key to a keyserver (Although gpg/pgp does).

      Personally I don't think the golden age of mail cryptography is at hand, although I wish it was, but all in all I would prefer a golden age of digital signatures more than anything.
      • Re:Golden Age Ahead (Score:3, Informative)

        by MonMotha ( 514624 )
        Enigmail menu in mozilla has an "Insert Public Key" option, and it will import them for you upon request when they have been inlined (which is all that menu option does).

        A person would still have to know that people need their public key in order for anything to work, but the option to send it is there.
  • by wandernotlost ( 444769 ) <[moc.cigamliart] [ta] [todhsals]> on Sunday September 15, 2002 @01:37PM (#4261288)

    ...are we at the dawn of that golden age when encrypted email will be commonplace?

    Nope. Not until all the most popular mail clients include functionality to make it ridiculously easy for a nontechnical user to use encryption (including key generation and management), will we see commonplace encrypted email. The inclusion of an extension to mozilla on a linux distribution hardly fulfills this requirement.


    • http://www.ietf.org/rfc/rfc2440.txt [ietf.org]

      what clients would actually need to support this for it to become really standard ?

      Outlook (express)
      Eudora
      Lotus Notes

      I can't think of any more really can you ?

      regards

      John Jones
      • what clients would actually need to support this for it to become really standard ?


        Outlook (express)
        Eudora
        Lotus Notes

        I can't think of any more really can you ?

        Well, netscape, on windows and mac, but the point really is the ridiculously easy GUI. The average user doesn't know or care enough to figure out how to generate a key and send it to a keyserver - or to manage the private key between machines. Thus the mail client would have to make this really simple. As someone else mentioned, probably the most difficult part is managing the private key between machines, which the software can't necessarily handle anyway.

  • by BESTouff ( 531293 ) on Sunday September 15, 2002 @01:41PM (#4261309)
    Now that the various governments have decided to monitor the email you send and receive, just encrypting isn't enough.

    What we need is a way to be able to send mail to anyone without your ISP/whatever being able to notice. And no, just running an SMTP on your linux box isn't enough.

  • No (Score:4, Insightful)

    by anthony_dipierro ( 543308 ) on Sunday September 15, 2002 @01:43PM (#4261320) Journal

    With this and Evolution and Kmail both supporting GPG and PGP are we at the dawn of that golden age when encrypted email will be commonplace?

    No. The biggest problem with public key encryption is that you can't use it on multiple computers without some way of transferring the private key. Plus you have to keep a backup of your private key somewhere outside your main computer's location, yet somewhere it will remain secure.

    So, ultimately, unless you carry around a CD everywhere you go, you're probably relying on passwords in the end anyway.

    • ...
      unless you carry around a CD everywhere you go, you're probably relying on passwords in the end anyway.


      I've got a usb keychain filesystem with my
      keys on it for just that purpose.

    • Re:No (Score:5, Insightful)

      by Alan ( 347 ) <arcterex@NOspAm.ufies.org> on Sunday September 15, 2002 @02:37PM (#4261523) Homepage
      This is where those little USB keychain hard drives will become useful... just carry it around with all your other "keys" :)
      • by tweakt ( 325224 ) on Sunday September 15, 2002 @04:06PM (#4261871) Homepage
        YES! I've been wanting to do this. It makes me wish that there was a way to better integrate the concept with things like PGP/GPG, etc.

        To the best of my knowledge, PGP looks at a path you specify for the keyring files, now on windows I imagine when you stick the USB keychain disk in, it gets whatever available drive letter it gets. So then you have to go set PGP to look at the right drive.

        Under linux I guess it would always mount to the same path, but how does the system know what user inserted the card? Would it mount as UID root? That's not good. If it's formatted ext2 I guess the UIDs would have to match. But that's weak.

        What I'm thinking is PGP (etc) need an API so you can press a button that says "I am going to stick in my keychain with my keyrings on it now", and when the device is detected, the system only allows PGP access to read it, and only to the current user.

        Dunno if that makes sense, but the USB keychains are perfect for that sort of thing, cause your private never needs to be readily available unless you're actively using it. And then only briefly. Leaving it sitting in ~/.pgp (or "C:\Documents And Settings\Application Data\Network Associates\PGP") is just unneeded risk.
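
Added example (not part of the original thread, and not code from any poster or from the PGP/GnuPG projects): a shell check that vets a keyring directory on removable media before GnuPG is pointed at it, covering the ownership and mount-UID concerns raised in the comment above. `GNUPGHOME` is GnuPG's real home-directory variable; the function names and the mount path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: vet a keyring directory on removable media before use.
# Function names and the sample mount path are hypothetical.

# keydir_problem DIR
# Prints the first problem found and returns 1, or prints nothing and
# returns 0 when DIR is acceptable as a GnuPG home directory.
keydir_problem() {
    dir=$1
    if [ -z "$dir" ]; then
        echo "no directory given"
        return 1
    fi
    # A symlink could be re-pointed at a directory someone else controls.
    if [ -L "$dir" ]; then
        echo "is a symlink"
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "not a directory (device not mounted?)"
        return 1
    fi
    # -O is true only when the effective UID owns the directory.
    # FAT-formatted sticks carry no Unix ownership: on Linux the owner and
    # mode come from the mount options (uid=, umask=), so a stick mounted
    # as root fails here instead of exposing the keyring to every user.
    if [ ! -O "$dir" ]; then
        echo "not owned by current user"
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits;
    # any of them set means another account can read or replace the keys.
    perms=$(ls -ld -- "$dir" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "group/other access allowed"
        return 1
    fi
    return 0
}

# use_keydir DIR
# Exports GNUPGHOME=DIR only when DIR passes every check above.
use_keydir() {
    if problem=$(keydir_problem "$1"); then
        GNUPGHOME=$1
        export GNUPGHOME
        return 0
    fi
    echo "refusing to use '$1': $problem" >&2
    return 1
}

# Usage (hypothetical mount point):
#   use_keydir /media/usbkey/gnupg && gpg --list-secret-keys
```
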

        • I know mentioning this is wankery, but on AmigaDOS you can refer to a device by its device name (Perhaps DH0: or DF0:) or by its volume name (Dave's Zip 100: or Schnozzwanger: or whatever). Furthermore filesystems were pluggable and the filesystem driver could be installed to the partition so it would work on any AmigaDOS machine that you could plug it into.

          Why the hell doesn't everyone do this? I guess Solaris will at least mount cdroms by both volume name and cdromn, that's way the hell ahead of most operating systems.

        • A key stored on a USB device is just a step up from putting it on your hard drive. If someone has access to your FS, no doubt they have access to read the contents of your USB device when inserted... Just check the interrupt, then read!!!

          Something like S/Key or a smartcard is a far better solution. At least then a keystroke logger can't record your pass, then copy your key file. (well it can, but it's not of any use)
        • What I'm thinking is PGP (etc) need an API so you can press a button that says "I am going to stick in my keychain with my keyrings on it now", and when the device is detected, the system only allows PGP access to read it, and only to the current user.

          Maybe it's a totally different method, but I'm reminded of the way Ogle DVD doesn't actually mount the DVD disc to play the movie, and how you have to click "Open Disc" to start playback.

    • by imr ( 106517 )
      So, ultimately, unless you carry around a CD everywhere you go, you're probably relying on passwords in the end anyway.
      Why not? So many people already carry bags full of useless stuff, so why couldn't they add a cd or disk or minidisc or whatever small thing is needed?
      • Why not? So many people already carry bags full of useless stuff, so why couldn't they add a cd or disk or minidisc or whatever small thing is needed?

        At that point the problem becomes the fact that I can't easily add the key temporarily to Netscape or IE or Outlook. I need to be able to access email easily on the go. A simple PGP module built into IE would solve the problem for the most part. But instead Microsoft counts on passport... Bleh.

        • which is why mutt is such a great client.

          since it's console-based, you can always get your mail system, without dealing with configuring the box you're on. And it's had GPG tied in for ages.

          www.mutt.org
          • which is why mutt is such a great client.

            But that ultimately relies on passwords and trusting your hosting provider. I already use an SSL connection to my IMAP account through Outlook, or an https connection to my web-based email. Yes, GPG would protect the email en route to my server, but for the hassles to the people sending the email it's just not worth it.

        • by imr ( 106517 )
          Yes, politics seems more the problem than ease of use (whether the program ergonomics or the data carrying angle).
    • The biggest problem with public key encryption is that you can't use it on multiple computers without some way of transferring the private key.

      I'd like a web client that can do the public key stuff on the server. It's nice to be able to check your mail with just a https:// capable web browser, without having to install stuff on the computer you want to use.

      I used to prefer using mutt over ssh, but you often cannot find ssh at cyber cafes and such. Web mail always works.

      steveha
  • Important notes! (Score:3, Informative)

    by ekrout ( 139379 ) on Sunday September 15, 2002 @01:43PM (#4261321) Journal
    Here are some good things to know in case you didn't read all of the Tutorial/FAQ at the Enigmail web site:

    Is Enigmail working?
    If installation was successful, you will need to restart the browser. (On Windows 9x/ME systems, you may sometimes need to reboot before restarting.) After restarting the browser, launch the Mail/News window, which should have an Enigmail menu on the menubar. Choose the About Enigmail option, which should display the version number and the PGP/GPG executable details.
    Enigmail has only been tested with milestone releases of Mozilla. If you use a daily build (or your own build) of Mozilla, Enigmail may not work and may even crash your build!
  • by Animats ( 122034 ) on Sunday September 15, 2002 @02:01PM (#4261395) Homepage
    As someone else pointed out, a plug-in for a minor Linux distro does not widespread adoption make.

    Mozilla should have the ability to receive all major forms of encrypted mail as standard. (As with other formats, the "player" needs to be more widely distributed than the "authoring" program.) That will help Mozilla's market share.

    I'd like to see Mozilla marketed as "the browser for business" - popup blocking, encrypted mail, spam filtering, virus blocking, etc. Contrast this with Microsoft Explorer, which is a home entertainment center whether you like it or not.

  • by FreeLinux ( 555387 ) on Sunday September 15, 2002 @02:14PM (#4261432)
    This sounds all wrong, but read this [satirewire.com] and think about it.

    Please, don't use encryption!!!
    • hmmm... satire wire tells you not to do something. I have this sneaking suspicion that they were being sarcastic.

      The point was that since encryption isn't very widespread, whether or not an email is encrypted tells you a lot... which is bad. While the content is encrypted, the headers are not, which means if someone sees that you are sending encrypted mail, they will know who is sending it and who is receiving it and will become suspicious. This is actually a very good argument for proliferation of encryption, and use of encryption on everyday "boring stuff".
  • and easy to use, but perhaps a bigger issue is that the majority of the internet-using, mail-sending world has no concept of certificates and public/private key pairs; really, PKI in general. Still we have to start somewhere, so this is a step in the right direction.
  • RFC3156 (Score:3, Informative)

    by Glytch ( 4881 ) on Sunday September 15, 2002 @02:43PM (#4261547)

    Thank god they follow the MIME/OpenPGP standard! Now maybe us Sylpheed users will be able to decrypt email from non-Sylpheed users without having to jump through a slew of goddamn copy-to-clipboard hoops.

    Email client developers, take note. [faqs.org] Please don't reinvent the wheel. It only slows down adoption of encryption.
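The difference the comment above points at, shown as an added example that is not part of the thread or of any mail client's code: an RFC 3156 (PGP/MIME) message declares itself in its MIME structure, while inline PGP is only ASCII armor pasted into a text body. The function name and all sample messages are constructed for illustration; the armor bodies are placeholders, not real ciphertext.

```python
from email import message_from_string

ARMOR = ("-----BEGIN PGP MESSAGE-----", "-----BEGIN PGP SIGNED MESSAGE-----")
# RFC 3156 layouts: container type -> (protocol parameter, type of 2nd part)
LAYOUTS = {
    "multipart/encrypted": ("application/pgp-encrypted", "application/octet-stream"),
    "multipart/signed": ("application/pgp-signature", "application/pgp-signature"),
}

def classify_openpgp(raw):
    """Return 'pgp-mime', 'malformed-pgp-mime', 'inline-pgp' or 'none'."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    if ctype in LAYOUTS:
        protocol, second_type = LAYOUTS[ctype]
        if str(msg.get_param("protocol") or "").lower() == protocol:
            parts = msg.get_payload()
            # RFC 3156 requires exactly two body parts in both layouts.
            ok = (isinstance(parts, list) and len(parts) == 2
                  and parts[1].get_content_type() == second_type)
            if ok and ctype == "multipart/encrypted":
                # First part is the control part carrying "Version: 1".
                ok = (parts[0].get_content_type() == protocol
                      and "Version: 1" in parts[0].get_payload())
            return "pgp-mime" if ok else "malformed-pgp-mime"
    # Inline PGP: ASCII armor pasted into an ordinary text part.
    for part in msg.walk():
        body = part.get_payload()
        if part.get_content_maintype() == "text" and isinstance(body, str):
            if any(marker in body for marker in ARMOR):
                return "inline-pgp"
    return "none"

# Constructed sample messages (placeholder armor, not real ciphertext).
HEAD = "From: alice@example.org\nTo: bob@example.org\nSubject: constructed sample\n"
ARMORED = "-----BEGIN PGP MESSAGE-----\n(placeholder)\n-----END PGP MESSAGE-----\n"
PGP_MIME = HEAD + (
    'Content-Type: multipart/encrypted; boundary="b1";\n'
    ' protocol="application/pgp-encrypted"\n\n'
    "--b1\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n\n"
    "--b1\nContent-Type: application/octet-stream\n\n" + ARMORED + "\n--b1--\n")
INLINE = HEAD + "\n" + ARMORED
# Same container with the data part missing: must not be accepted as PGP/MIME.
TRUNCATED = PGP_MIME.split("--b1\nContent-Type: application/octet-stream")[0] + "--b1--\n"
PLAIN = HEAD + "\nhello\n"

if __name__ == "__main__":
    for name in ("PGP_MIME", "INLINE", "TRUNCATED", "PLAIN"):
        print(name, classify_openpgp(globals()[name]))
```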

  • ``...are we at the dawn of that golden age when encrypted email will be commonplace?''
    No, because M$ Outlook [Express] doesn't have it enabled by default.
  • What's the point (Score:3, Insightful)

    by bogie ( 31020 ) on Sunday September 15, 2002 @03:04PM (#4261628) Journal
    of encrypting your email when every time you check it, you send your password in clear text across the net. This drives me absolutely insane. Why TF do 99% of all ISPs and webhosts still use insecure authentication? Yes if you encrypt all of your emails and if everyone who ever emails you encrypts theirs you're a step up, but that clear text thing kinda makes it all worthless.

    Why has this most glaring of all security problems not been addressed for the general public? Why Why Why Why?

    Want to hear something funny and typical? My webhost for my business which also does my email, requires SSH to log into my shell account to do things like upload files to change my website etc. But I have to use the same fricking logon and password to check my email. Does that make any sense at all? I'd out them right now so you would know not to use them but I don't want my website cut off.

    O.K. just relax.....I'm on a beach.....
    • "you send your password in clear text across the net"

      Well, dunno about you, but I don't. Have ssh, will travel.

      There's also no need to do so with POP either - APOP and POP-over-SSL both exist.

      Besides, if the mail is encrypted, what's the point in intercepting the POP3 password? Isn't that exactly why you *should* be encrypting the mail?
      • "Well, dunno about you, but I don't. Have ssh, will travel."

        And this helps the 99% of people who use regular POP3 how?

        "There's also no need to do so with POP either - APOP and POP-over-SSL both exist"

        And how many ISPs use this?

        "Besides, if the mail is encrypted, what's the point in intercepting the POP3 password? Isn't that exactly why you *should* be encrypting the mail? "

        If every email that is ever sent to you is encrypted you're fine. If even one of them is not that is "the point in intercepting the POP3 password".
        • "And how many ISPs use this?"

          Most, that I've seen. If not, what are you doing whining here?
          But it really is an insignificant concern, as long as the mails you want to have encrypted are sent encrypted, anyway.
    • You may have trouble believing this, but it is possible to use a different password for your pop account than what you use for your pgp key.

      Even more shocking, secure IMAP and POP does exist.

      /joeyo

      • "You may have trouble believing this, but it is possible to use a different password for your pop account than what you use for your pgp key. "

        Gee really. The point is 1) most people don't use pgp and 2) your logon and password is still going across the net unencrypted. So unless every email ever sent to you is encrypted I can sniff your packets and then read your emails on your server before you even get them.

        "Even more shocking, secure IMAP and POP does exist."

        Again no Sh**t. What percent of the general public uses this? Right.
    • Before anyone else responds read my post again. I am NOT stating that secure email is not possible, I am stating that if you ever get sent a non-encrypted email it negates PGP until everyone uses it. That is not to say PGP should not be used, just that secure authentication is integral to secure email. I don't see what's so difficult to understand here.

      Also like I clearly stated. This is a real problem for the 99% of users who don't use PGP and are on a regular POP3 server.
      • Um. PGP supplies both secure authentication and secure communication. Secure authentication is provided by signing an outgoing email. Secure communication is provided by encrypting an outgoing signed email. The only thing that regular cleartext password exchange on POP3 messes up is secure availability. That is, someone could get your password and start deleting incoming emails that were for you.

        You are of course correct: The benefits of PGP are not conferred upon email correspondents that do not use it. You also said, "Yes if you encrypt all of your emails and if everyone who ever emails you encrypts theirs you're a step up, but that clear text thing kinda makes it all worthless. "

        And that is not correct at all. If everyone you correspond with uses PGP, and all your passwords are sent in cleartext, then no one can impersonate you, and no one can snoop your email. They could only delete your incoming mail. That's a pretty significant step up.
    • You sure they don't have imaps or some sort of ssl tunnel?

      Is the shell host near the mail host, or the same one? You could ssh-tunnel to the shell host and then log in to the mail host from there.
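The two POP3 logins argued over in this sub-thread, as an added example that is not part of the discussion: plain USER/PASS puts the password itself on the wire, while APOP sends only an MD5 digest of the server's banner timestamp plus the shared secret. The APOP transcript and secret are the worked example from RFC 1939; the function names, the plain transcript and the secret store are constructed. APOP still leaves the mail itself readable in transit and its digest open to offline guessing, which POP-over-SSL avoids by encrypting the whole session.

```python
import hashlib
import hmac
import re

def apop_digest(banner_stamp, secret):
    """RFC 1939 APOP: hex MD5 over the banner timestamp followed by the secret."""
    return hashlib.md5((banner_stamp + secret).encode()).hexdigest()

def audit_pop3_login(lines, secrets):
    """Report how each login in an 'S: '/'C: ' transcript was protected,
    verifying APOP digests the way the server would."""
    findings, stamp = [], None
    for i, line in enumerate(lines):
        if i == 0 and line.startswith("S: +OK"):
            # Only the greeting may carry the <process.clock@host> timestamp.
            m = re.search(r"<[^<>\s]+@[^<>\s]+>", line)
            stamp = m.group(0) if m else None
        elif line.upper().startswith("C: PASS "):
            findings.append("cleartext-password-on-wire")
        elif line.upper().startswith("C: APOP "):
            fields = line.split()
            if stamp is None or len(fields) != 4:
                findings.append("apop-malformed")
                continue
            user, digest = fields[2], fields[3].lower()
            expected = apop_digest(stamp, secrets.get(user, ""))
            ok = user in secrets and hmac.compare_digest(expected, digest)
            findings.append("apop-ok" if ok else "apop-rejected")
    return findings

# Worked example from RFC 1939 (user mrose, shared secret "tanstaaf").
APOP_SESSION = [
    "S: +OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>",
    "C: APOP mrose c4c9334bac560ecc979e58001b3e22fb",
    "S: +OK maildrop has 1 message (369 octets)",
]
# Constructed transcript of a plain USER/PASS login.
PLAIN_SESSION = ["S: +OK POP3 server ready", "C: USER mrose", "C: PASS tanstaaf"]
SECRETS = {"mrose": "tanstaaf"}  # server-side secret store (constructed)

if __name__ == "__main__":
    print(audit_pop3_login(APOP_SESSION, SECRETS))
    print(audit_pop3_login(PLAIN_SESSION, SECRETS))
```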
  • Swedish-Chef Google [google.com] search on enigmail.

    Great news for enig, but what about the other distros? Will this news carry any weight, giving the other offerings a desire to carry enigmail?

    What about ximian support?
  • by OSSturi ( 577033 ) on Sunday September 15, 2002 @03:39PM (#4261766)
    A week ago I downloaded the 1.1 mozilla rpm from SuSE's ftp-server. It came with enigmail included as well. So this seems to be becoming a standard part of more distros. This is a good thing.
  • Evolution shipped with the last version with PGP support IIRC
  • Golden age? (Score:3, Insightful)

    by IamTheRealMike ( 537420 ) on Sunday September 15, 2002 @04:03PM (#4261864)
    What's this talk of a golden age? An age where we are all so paranoid that we encrypt our mail routinely? Sounds like a world ruled by fear more than anything. I for one have nothing to hide, and want no part in it.
  • Great! (Score:3, Insightful)

    by jmd! ( 111669 ) <jmd.pobox@com> on Sunday September 15, 2002 @06:17PM (#4262381) Homepage
    Great, PGP support is included. Now all they need to figure out is how to package enough clue inside the box so people can properly use it.

    OpenPGP and its public keyring trust system are very complex and not something most users will ever understand. And there are so many other weak links in the chain that it just turns out to be overkill.

    Anyone have ideas on how secure e-mail could be brought to the masses? Because shipping PGP is not it. PGP has been around a long, long time (in Internet years), and if there was demand, it would have taken off already.
  • by Arandir ( 19206 ) on Sunday September 15, 2002 @07:26PM (#4262693) Homepage Journal
    are we at the dawn of that golden age when encrypted email will be commonplace?

    No.

    There are still two important pieces missing. Without them the non-geek will not be using encrypted email.

    The first is key generation. No matter how simple of a front end you have for it, the user still has to consciously sit down and create a strong key. We all know from experience that the average user will not want to do this.

    The second is even more problematic. That's key management. Where is the average user going to store their private keys? On their hard drive or on a floppy disk? And will they be conscientious participants in a web of trust?

    So far most proposed methods of automated key management have been detrimental to our privacy (Clipper chip, Passport, etc). But here's one idea: create and market a USB dongle that has a write-once key that is generated during its first use (or the user could initialize it with a preexisting key). Such keys would be automatically signed by the manufacturer. It might not work, but it's something to think about.
