On 6 sep 2013, at 05:39, jnc(_at_)mercury(_dot_)lcs(_dot_)mit(_dot_)edu (Noel
Chiappa) wrote:
From: Phillip Hallam-Baker <hallam(_at_)gmail(_dot_)com>
S/MIME is almost what we need to secure email.
If by "secure email" you mean 'render email impervious to being looked at
while on the wire', perhaps. If, however, you mean 'render it secure from
ever being looked at by anyone else', no way.
Even if it's stored on the destination host in encrypted form, if that host is
compromised, the contents of that email are now at risk. Even if the key is
not stored on that machine, the next time it's entered into that machine (or,
more broadly, the encrypted email and the key are brought near each other), it
can be lifted, _if that computer has been compromised_.
This and several other comments about the endpoint threat thus far in this
thread does not seem to understand a very vital point:
Bruce was in
http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance
not suggesting that more encryption on the wire by open protocols can starve
off attacks on endpoints.
He was not suggesting that backdoors in eg. network driver's firmwares cannot
provide special access to host memory, extremely hard to detect and never
utilized in friendly territories where raw opto tapping provides cheaper access
anyway.
But he IS suggesting that encrypting everything on the wire makes both metadata
and payload collection from wires less valuable.
Here comes the key point:
Encrypting everything on the wire raises the cost for untargeted mass
surveillance significantly. And that is what it is all about.
And best is of course if this can be end to end, though hiding metadata
requires either something onion like or transport encryption by layers below
said metadata.
/M