[tor-talk] Secure email with limited usable metadata

Mike Cardwell tor at lists.grepular.com
Mon Jul 1 09:27:11 UTC 2013


* on the Sun, Jun 30, 2013 at 06:18:01PM -0600, AK wrote:

> That's why I'm setting up my own mail server at home. And also plan to
> access it via web interface if using someone else's machine (like at
> home). I would only allow web access via SSL and password, and only
> show the emails of the last week (not more). Trying postfix, dovecot,
> and SquirrelMail. Still in progress :)

If you're going to use somebody else's machine to access your webmail,
you probably want to make sure it has a unique password. Even to the
extent that your IMAP password for the same account is different. This
is because you should also be using two factor authentication for
webmail in case the untrusted machine is trojanned/keylogged. Then even
if it is keylogged they won't be able to do anything with the password
they gained.

The open source webmail application Roundcube http://roundcube.net/
has several plugins to handle two factor authentication using
different types of hardware tokens and protocols:

http://trac.roundcube.net/wiki/Plugin_Repository#Authentication

It's worth noting also that Roundcube has a PGP plugin now too based
on openpgp.js:

https://github.com/qnrq/rc_openpgpjs

Your PGP key is never uploaded to the server. You paste it into a
textarea after logging in, and then it is stored in your browser's
"localStorage" (http://diveintohtml5.info/storage.html).

Ordinarily I still wouldn't trust in-browser PGP, as every time you
log in, you have to hope that the server didn't send you some new
backdoored JS. However, if it's your own webmail installation on your
own server, you're using your own browser and all traffic goes over
https, you might feel that you can trust it.

Personally, I avoid using untrusted machines to access my email.

-- 
Mike Cardwell  https://grepular.com/     http://cardwellit.com/
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3  B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1  BF1B 295C 3C78 3EF1 46B4