Secure email
on 01.03.2007 00:03:22 by greyteabox
I have been looking at neomailbox and a few other "secure" web-based
email services.
Neomailbox: https://neomailbox.com/
A concern I have is protection against key loggers, packet sniffers,
and other methods for stealing my password.
Neomailbox talks about something called an iKey. Below is an excerpt
from their web site.
"When you choose the option to "Store password on iKey" in SecureBat!,
this will activate a hardware implementation of the CRAM-HMAC
Challenge/Response (RFC-2095) authentication. A special non-replicable
hardware token, iKey by Rainbow Technologies, is used to store the
password and to produce Keyed Hashing."
The above paragraph sounds good, but I know very little about these
things. Are there any disadvantages to using this hardware key?
Apparently, if I understand things correctly, it generates a unique
and usable "digest" password each time I log in. This "digest"
password can only be used once. Are there any loopholes that would
allow attackers to duplicate my hardware token?
Does anyone have opinions on secure email and/or neomailbox?
Thanks for any input!
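The challenge/response exchange described in the quoted excerpt, as an added example that is not part of the original post or of any vendor's software: a Python sketch of CRAM-MD5, the HMAC-MD5 mechanism from RFC 2095 (later replaced by RFC 2195). The `Server` class, the host name and the user table are hypothetical, and the shared secret is held in software here rather than on a token.

```python
import base64
import hashlib
import hmac
import secrets
import time


def client_response(user: str, password: str, challenge_b64: bytes) -> bytes:
    """Client side: HMAC-MD5 over the decoded challenge, keyed with the password."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())


class Server:
    """Hypothetical server: holds the shared secrets and the outstanding challenges."""

    def __init__(self, host: str, users: dict):
        self.host = host
        self.users = users      # user -> shared secret (constructed sample data)
        self.pending = set()    # challenges issued but not yet answered

    def issue_challenge(self) -> bytes:
        # Fresh, unpredictable challenge in the <random.timestamp@host> form.
        nonce = f"<{secrets.randbits(64)}.{int(time.time())}@{self.host}>".encode()
        self.pending.add(nonce)
        return base64.b64encode(nonce)

    def verify(self, challenge_b64: bytes, response_b64: bytes) -> bool:
        challenge = base64.b64decode(challenge_b64)
        if challenge not in self.pending:
            return False                  # unknown or already used challenge
        self.pending.discard(challenge)   # each challenge is accepted once
        user, _, digest = base64.b64decode(response_b64).decode().rpartition(" ")
        password = self.users.get(user)
        if password is None:
            return False
        expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
        return hmac.compare_digest(expected.encode(), digest.encode())


def demo() -> dict:
    server = Server("mail.example.test", {"tim": "tanstaaftanstaaf"})
    c1 = server.issue_challenge()
    r1 = client_response("tim", "tanstaaftanstaaf", c1)
    results = {"fresh_login": server.verify(c1, r1)}
    results["same_challenge_reused"] = server.verify(c1, r1)
    c2 = server.issue_challenge()
    results["old_response_new_challenge"] = server.verify(c2, r1)
    return results
```

A response is bound to one challenge, so a response captured on the wire fails against any later challenge. The password itself is never transmitted, but the server in this scheme must still hold the shared secret to compute the expected value.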
Re: Secure email
on 01.03.2007 01:17:18 by Ertugrul Soeylemez
"teabox" (07-02-28 15:03:22):
> I have been looking at neomailbox and a few other "secure" web-based
> email services.
>
> Neomailbox: https://neomailbox.com/
Secure mail is generated locally using your private key to sign your
mails, and public keys of others to encrypt them. Things like
Neomailbox only secure the connections between you and the server.
That's it. Firstly, most email providers allow that, and secondly, it's
almost useless.
The reasons are simple: The administrators of Neomailbox are still able
to read your mails, as well as any other person potentially between
Neomailbox and the intended receiver. Even if the mail goes from a NMB
user to an NMB user, still the NMB administrators are able to read the
mails.
Use proper encryption and signature schemes. Have a look at PGP [1] or
GnuPG [2]. The latter is more difficult to use, but I trust it more
than PGP, for whatever reason. Maybe because PGP is an American
product, and because it's commercial (it's still free of charge).
However, that's a matter of taste.
Regards,
E.S.
References:
[1] http://www.pgp.com/
[2] http://www.gnupg.org/
Re: Secure email
on 01.03.2007 02:43:17 by Security Freak
On Thu, 1 Mar 2007 01:17:18 +0100, Ertugrul Soeylemez
wrote:
>"teabox" (07-02-28 15:03:22):
>
>> I have been looking at neomailbox and a few other "secure" web-based
>> email services.
>>
>> Neomailbox: https://neomailbox.com/
>
>Secure mail is generated locally using your private key to sign your
>mails, and public keys of others to encrypt them. Things like
>Neomailbox only secure the connections between you and the server.
>That's it. Firstly, most email providers allow that, and secondly, it's
>almost useless.
>
>The reasons are simple: The administrators of Neomailbox are still able
>to read your mails, as well as any other person potentially between
>Neomailbox and the intended receiver. Even if the mail goes from a NMB
>user to an NMB user, still the NMB administrators are able to read the
>mails.
>
>Use proper encryption and signature schemes. Have a look at PGP [1] or
>GnuPG [2]. The latter is more difficult to use, but I trust it more
>than PGP, for whatever reason. Maybe because PGP is an American
>product, and because it's commercial (it's still free of charge).
>However, that's a matter of taste.
>
>
>Regards,
>E.S.
>
>
>References:
>[1] http://www.pgp.com/
>[2] http://www.gnupg.org/
You could also look at IronMail from SecureComputing
http://www.securecomputing.com/index.cfm?skey=26
Gartner Leaders Quadrant for E-Mail Security Boundary
Re: Secure email
on 03.03.2007 07:25:36 by Ertugrul Soeylemez
Security Freak (07-02-28 20:43:17):
> > > I have been looking at neomailbox and a few other "secure"
> > > web-based email services.
> > >
> > > Neomailbox: https://neomailbox.com/
> >
> > Secure mail is generated locally using your private key to sign your
> > mails, and public keys of others to encrypt them. Things like
> > Neomailbox only secure the connections between you and the server.
> > That's it. Firstly, most email providers allow that, and secondly,
> > it's almost useless.
> >
> > The reasons are simple: The administrators of Neomailbox are still
> > able to read your mails, as well as any other person potentially
> > between Neomailbox and the intended receiver. Even if the mail goes
> > from a NMB user to an NMB user, still the NMB administrators are
> > able to read the mails.
> >
> > Use proper encryption and signature schemes. Have a look at PGP [1]
> > or GnuPG [2]. The latter is more difficult to use, but I trust it
> > more than PGP, for whatever reason. Maybe because PGP is an
> > > American product, and because it's commercial (it's still free of
> > charge). However, that's a matter of taste.
>
> You could also look at IronMail from SecureComputing
> http://www.securecomputing.com/index.cfm?skey=26
> Gartner Leaders Quadrant for E-Mail Security Boundary
Essentially the same useless crap as Neomailbox. You'll want to read
more carefully.
Regards,
E.S.