[tor-talk] Private mail server (Was: i saw your response on the Tor talk list)

Julian Yon julian at yon.org.uk
Sun Nov 18 20:07:36 UTC 2012


On Sun, 18 Nov 2012 09:50:20 +0100
Jérémy Bobbio <lunar at debian.org> wrote:

> With Postfix and probably other mail servers, you can configure a
> per-server TLS policy. You can make sure that the communication with
> SMTP servers used by your peers is properly encrypted (and not
> MITM'ed). It makes interception a lot harder.
> 
> And you can be sure that what you receive in your mailbox will not be
> harvested for data collection. Unfortunately, you are never alone:
> this also depends on the server used to send the email...

i.e. you can't actually be sure of anything. Unless you control every
link from sender to your server, you should assume your message can
be (or even has been) intercepted. So your peers encrypt their
traffic to you; doesn't mean that traffic to them was encrypted,
nor does it mean that plaintext messages can't be plucked straight from
their queues. While you gain the possibility to control your own
storage, you don't control anything that any intermediaries (or
those watching your intermediaries) store. This massively limits your
advantage, while you have to deal with all the headaches that come with
running a mail server.

It worries me that this point isn't better understood. It's the same
faulty reasoning that leads to people wanting 1-hop Tor routes.
Control of your end and trusting the other end is not enough. Do you
gain something? Technically yes. Is it enough to faze your
adversaries? Almost certainly not. Having a fully anonymised mail
service would be of benefit, but just running your own server doesn't
even come close to providing adequate security, because SMTP *is
insecure by design*.


Julian

-- 
3072D/F3A66B3A Julian Yon (2012 General Use) <pgp.2012 at jry.me>
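
Added example, not part of the original message: a check of which hops in a
message's Received chain even claim TLS, using the RFC 3848 "with" keywords.
The sample message, host names and function names are constructed for
illustration.

```python
import re
from email import message_from_string

# RFC 3848 "with" keywords that record a TLS-protected hop.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

# Constructed sample; all hosts and addresses are placeholders.
SAMPLE = """\
Received: from mx.peer.example (mx.peer.example [192.0.2.10])
\t(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
\tby mail.mine.example (Postfix) with ESMTPS id 4A1B2C
\tfor <me@mine.example>; Sun, 18 Nov 2012 20:07:40 +0000 (UTC)
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
\tby mx.peer.example (Postfix) with ESMTP id 9F8E7D
\tfor <me@mine.example>; Sun, 18 Nov 2012 20:07:38 +0000 (UTC)
Received: from laptop.local (unknown [203.0.113.5])
\tby relay.isp.example with ESMTPSA id 11AA22;
\tSun, 18 Nov 2012 20:07:36 +0000 (UTC)
From: sender@peer.example
To: me@mine.example
Subject: constructed test message

body
"""

def _strip_comments(value):
    # Drop (possibly nested) comments so "with cipher" is not read as a protocol.
    prev = None
    while prev != value:
        prev, value = value, re.sub(r"\([^()]*\)", " ", value)
    return value

def _field(name, value):
    m = re.search(rf"(?:^|\s){name}\s+([^\s;]+)", value)
    return m.group(1) if m else None

def hops(raw):
    """Hops in delivery order (origin first): (from, by, protocol, tls_claimed)."""
    out = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        v = _strip_comments(value)
        proto = (_field("with", v) or "").upper()
        out.append((_field("from", v), _field("by", v), proto, proto in TLS_PROTOCOLS))
    return out

def plaintext_hops(raw):
    # Hops with no TLS claim. Only the last hop was written by your own server;
    # earlier headers are unverifiable claims by intermediaries.
    return [h for h in hops(raw) if not h[3]]
```

On the constructed sample, the final hop into the recipient's own server is
marked ESMTPS while the hop before it is plain ESMTP, and a TLS keyword on any
hop says nothing about messages sitting in an intermediary's queue.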