
[nycphp-talk] Security and POP/IMAP/HTTPS

michael lists at genoverly.net
Tue Oct 10 09:06:58 EDT 2006


On Tue, 10 Oct 2006 08:26:45 -0400
Aaron Fischer <agfische at email.smith.edu> wrote:

> Greetings,
> 
> Someone was proposing sending PDFs containing sensitive info over
> email. I was thinking of recommending against it, citing the lack of
> security in the POP/IMAP protocols.  Is that a legitimate concern?

POP/IMAP is used when you connect your mail client (MUA) to the server
to send and retrieve mail.  It can be very secure; most clients I have
used allow you to check the TLS/SSL box to encrypt the initial and
subsequent conversations with a mail server (MDA).

SMTP is used to route mail from server to server (MTA) over the
internet. This is where your mail will fly naked.

You may want to consider encrypting the mail at the source and decrypting
at the target. Not only does this method secure the message, it also
handles the 'other' concern in security: the sender is who he says he
is.

Found on Amazon for $17.22

	PGP & GPG: Email for the Practical Paranoid [ILLUSTRATED]
	(Paperback) by Michael W Lucas (Author) "You don't need to
	understand everything about modern cryptography to use OpenPGP
	successfully..." 


MUA = mail user agent       (thunderbird, sylpheed, etc)
MDA = mail delivery agent   (courier-imap, dovecot, etc)
MTA = mail transfer agent   (postfix, sendmail, etc)

Wikipedia can give a good overview of email protocols; read it.

> An alternative would be to email them with a link to the PDF which
> would be protected with a login system (That's where the PHP would
> come in).
> 
> Thoughts?
> 
> Thanks,
> 
> -Aaron

Sending emails with large attachments (images, spreadsheets, pdfs, etc)
is really not a good practice, and frankly, pretty annoying.  Your idea
of just sending the link and hosting the documents on a server is a
preferred method (well done!).  It is much less hassle to set up -and-
you get the added bonus of being able to make corrections and additions
to the document (are they ever done right the first time? [grin]). You
only have to repost to the web and not resend to all the target
recipients.  Not to mention, you don't have to teach them PGP/GPG.

-- 

michael
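An added example of the login-gated download endpoint the thread suggests (not code from the original post or its author). It assumes a login system that sets `$_SESSION['user']`, a hypothetical directory `/var/private-docs` outside the web root, and a hypothetical id-to-file map that would normally live in a database:

```php
<?php
// Added example: serve a PDF only to a logged-in user who owns it.
// Files live outside the web root and are addressed by an opaque id,
// so no part of the file path ever comes from the request.
declare(strict_types=1);
session_start();

// Hypothetical storage directory and document map (constructed data).
const DOC_ROOT = '/var/private-docs';          // NOT under the web root
const DOCS = [
    'a9f3c2' => ['file' => 'q3-report.pdf',    'owner' => 'aaron'],
    'b71e08' => ['file' => 'invoice-1042.pdf', 'owner' => 'michael'],
];

function authorized_path(array $docs, ?string $user, string $id): ?string
{
    // 1. Must be logged in (the login system sets $_SESSION['user']).
    if ($user === null || $user === '') {
        return null;
    }
    // 2. The id must be one we issued, and must belong to this user.
    if (!isset($docs[$id]) || !hash_equals($docs[$id]['owner'], $user)) {
        return null;
    }
    // 3. The id maps to a file name we chose; the client never names the file.
    $path = DOC_ROOT . '/' . $docs[$id]['file'];
    return is_file($path) ? $path : null;
}

$id   = is_string($_GET['id'] ?? null) ? $_GET['id'] : '';
$user = $_SESSION['user'] ?? null;
$path = authorized_path(DOCS, $user, $id);

if ($path === null) {
    // Same response for "not logged in", "unknown id" and "not yours",
    // so the endpoint does not reveal which documents exist.
    http_response_code(404);
    exit;
}

header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string) filesize($path));
header('Cache-Control: no-store');             // keep it out of shared caches
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Because the document is fetched through this script rather than by a direct URL, replacing the file on disk updates what every recipient sees, which is the correction-and-addition benefit described above.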
