Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: SMTP Encryption (S/MIME) for Outlook question
From: "Crist J. Clark" <cristjc () comcast net>
Date: Tue, 30 Mar 2004 17:39:59 -0800

On Wed, Mar 24, 2004 at 05:17:36PM -0600, Fetch, Brandon wrote:
No flames here please.  I've just been asked about running some form of
encryption on our mail clients (Outlook) to send encrypted SMTP across the
Internet and would like some opinions/directions.

Our userbase isn't that technical so we'd need something that is pretty user
friendly (I know, divergent goals) but is still secure to a point.

Most email clients are pretty easy to use with respect to
S/MIME... Once you get the certificates installed. PKI. Managing
certificates for a decent-sized luser base is not fun.

I don't know the exact details on their goals other than preventing random
eavesdropping (sniffing) of clear-text SMTP traffic across the Internet to a
remote, non-internal destination.

What do other Win/Exchange/Outlook IT admins use for S/MIME?  

BTW, if there's something that will run on top of the SMTP gateway server or
the internal Exchange server to encrypt the message before being routed to
the Internet, this is also acceptable.  I figure there must be something
available that works like this.

To encypt the individual messages? You need, or maybe the people
laying this on you, need to think about this a bit more. For good
encryption you need two things: an eavsedropper cannot easily recover
the clear text and (people sometimes forget this part) the recipient
CAN easily recover the plain text. Since we're talking S/MIME, how
does the SMTP server figure out whose public keys to encrypt the
message with? The SMTP server has to have the certs for _every single
recipient your organization mails to?_

The problem here is that in order to send an encrypted message to
someone, they have to be using S/MIME (i.e. have their own cert and
private keys). You cannot unilatterally just encrypt your outgoing
email[0]. The recipients have to want to play along. And good luck
forcing your security policies on all of the external organizations
you deal with.

Someone else mentioned TLS for the SMTP connetion. This doesn't
encrypt the message per sae, but the communication channel (to the
next server anyway, who knows where they might relay it next)
is. Still, the remote server has to be willing to play (certs 'n' all)
to do this.

The bottom line, for external groups you can talk or coerce into this,
it could work, but if you still want to be able to send an email to
joe.user () the-internet net, it's going to be going in clear text.

[0] I suppose you could, but then you need to make the keys easily
available, and if you do that, what's the point in encrypting?
Crist J. Clark                     |     cjclark () alum mit edu
                                   |     cjclark () jhu edu
http://people.freebsd.org/~cjc/    |     cjc () freebsd org

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]