Re: Mail Security Issue

From: The Doctor (doctor_at_edmontonab.ca)
Date: 07/30/04 

Date: Fri, 30 Jul 2004 01:29:09 +0000 (UTC)

In article <f0vig0ltt9e5tpno85chu651q3qo7aagot@4ax.com>,
Claire Tucker <fake@invalid.invalid> wrote:
>On Thu, 29 Jul 2004 22:28:54 +0000 (UTC), doctor@edmontonab.ca (The
>Doctor) wrote:
>
>>I have the following scenario:
>>
>>On a Secure Web Site, we have an e-mail sign up form.
>>
>>The person wanting to develop this is concerned about spammer intercepting
>>the e-mail address of signee.
>>
>>We are using Apache and SSL.
>>
>>What issues should myself, the system admin, and the developer be looking
>>out for and how far can we secure this site.
>
>You've cross-posted this to several groups which have very different
>focuses, and so I can't tell what point of view you're thinking of
>here.

1) Security 2) E-mail Security 3) Web Security 4) SSL implications

>
>You say you are using SSL, so presumably you aren't concerned about
>the address being submitted from the browser to the web server. I
>guess, then, that you must be thinking of the outgoing mail.

Broswer point to Secure Web Server for Sign Up to Mailing list.
You then e-mail to join mailing list.
>
>You aren't exactly clear about what your site is doing. I *think* what
>you're saying is that you're asking for an email address and then
>presumably sending mail to the new user, perhaps to "validate" the
>given email address.

Validation should be part of the process, however this is to join
a confidential mailing list.

>
>In this case, there's not really much you can do about the mail
>transfer; SMTP in general operates over unencrypted links, and the
>mail you're sending could pass through several mail servers before it
>reaches its ultimate destination. If this concerns you, then I have to
>say that perhaps your only option is to not send the mail at all.

What about SMTP via SSL?

>
>Assuming I've got your focus and situation right here, I'm going to
>trim the followups to comp.security.misc which seems to be the only
>applicable newsgroup you crossposted to.
>
>All the best,
>-Claire 

-- 
Member - Liberal International	
This is doctor@nl2k.ab.ca	Ici doctor@nl2k.ab.ca
God Queen and country! Beware Anti-Christ rising!
Microsoft is not the solution; it is the question; what is the answer?? NO!!

Relevant Pages

  • RE: ssh and ids
    ... external system is something that's done routinely with SSL ... Should an attacker root your web server, how safe will your private keys ... As far as IDS being able to do much with encrypted traffic, ...
    (Focus-IDS)
  • Re: Mail Security Issue
    ... >>We are using Apache and SSL. ... Broswer point to Secure Web Server for Sign Up to Mailing list. ... What about SMTP via SSL? ...
    (comp.security.unix)
  • RE: SSL and BizTalk?
    ... When making an HTTPS connection to an SSL secured web server the only thing ... SSL cert on the web server. ... If you open Internet Explorer on the BizTalk machine and try browsing to ...
    (microsoft.public.biztalk.general)
  • Re: More SSL questions
    ... Have you tested that the redirection is actually working correctly? ... I also added the Location path entry in my web.config for the ... should be SSL? ... SSL web server before. ...
    (microsoft.public.dotnet.security)
  • Re: What version of SSL in 5.0 Web Server
    ... I haven't seen this problem running Firefox 7 against the CE 5.0 web server ... you do not need to disable SSL 3.0 on ... the webserver is configured for TLS, TLS will be negotiated since it is ... given a higher priority in the protocol negotiation. ...
    (microsoft.public.windowsce.platbuilder)