1 Dec 2014, 02:50 AM   #35
scryptmail
Senior Member
 
Join Date: Nov 2014
Posts: 127

Representative of:
Scryptmail.com
Hm, very interesting approach. I can see the utility.
But let me explain why a PIN. Let's assume a doctor or a lawyer uses scryptmail. The patient calls his office, and the secretary tells him that for the question about your car, the correct answer is Ford Mustang. After a short 10 minutes of dialog, when the client argues with her that his car is actually a Lexus )
The PIN is more universal and well known, so it's good for professionals.

For people concerned with security, the whole idea of sending private information to gmail or yahoo should not be an option. First of all, Hushmail and Startmail use server-side encryption: the answer is sent to the server, and the server tries to decrypt it; if it is successful, the plain-text email is sent back to the client. It's out of scope to discuss whether this approach is secure at all.

With end-to-end encryption, the server has to send the encrypted message to the client, thus leaving a wide-open door for a brute-force attack. Making the PIN or question look hard just gives a false sense of security, when most answers will be short, using only the English alphabet and maybe digits, while still disclosing sender and recipient.

From that perspective, a PIN is good for sending something insecure, more like just an invitation to use scryptmail. And exchange secure and private information only between two scryptmail accounts.

But there may be something I'm missing, and I would like to hear it.

Last edited by scryptmail : 1 Dec 2014 at 03:30 AM.
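The sizing argument in the post above (a short PIN or answer protects little once the ciphertext is in the recipient's hands and guesses no longer pass through a server), worked through as an added example that is not part of the original post or ScryptMail's code. The scrypt parameters, the worker count and the one-year target are assumptions; the post does not say which key derivation the service uses.

```python
import hashlib
import os
import time

# Assumed scrypt cost parameters (illustrative; not ScryptMail's actual settings).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def keyspace(alphabet_size, length):
    """Number of candidate secrets of exactly `length` symbols."""
    return alphabet_size ** length


def measure_guess_seconds(trials=3):
    """Time one PIN-to-key derivation on this machine (cost of a single guess)."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(trials):
        hashlib.scrypt(b"000000", salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                       maxmem=64 * 1024 * 1024, dklen=32)
    return (time.perf_counter() - start) / trials


def worst_case_seconds(space, seconds_per_guess, workers=1):
    """Time to try every candidate offline, with no server in the loop to rate-limit."""
    return space * seconds_per_guess / workers


def min_length_for(alphabet_size, seconds_per_guess, target_seconds, workers=1):
    """Shortest secret length whose full search takes at least target_seconds."""
    length = 1
    while worst_case_seconds(keyspace(alphabet_size, length),
                             seconds_per_guess, workers) < target_seconds:
        length += 1
    return length


if __name__ == "__main__":
    per_guess = measure_guess_seconds()
    workers = 100          # assumed number of machines guessing in parallel
    year = 365 * 86400
    print(f"one scrypt derivation: {per_guess * 1000:.1f} ms")
    for label, size, length in [("4-digit PIN", 10, 4), ("6-digit PIN", 10, 6),
                                ("8 chars a-z0-9", 36, 8)]:
        secs = worst_case_seconds(keyspace(size, length), per_guess, workers)
        print(f"{label:15s} {keyspace(size, length):>16,d} candidates, "
              f"exhausted in {secs / 3600:,.1f} h")
    for label, size in [("digits", 10), ("a-z0-9", 36)]:
        print(f"{label}: need length >= "
              f"{min_length_for(size, per_guess, year, workers)} for a one-year search")
```

Raising the scrypt cost multiplies every figure by a constant, while each extra symbol multiplies it by the alphabet size, which is why secret length dominates the result.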