Re: Mail Security Issue

From: The Doctor (doctor_at_edmontonab.ca)
Date: 07/30/04


Date: Fri, 30 Jul 2004 01:39:06 +0000 (UTC)

In article <f0vig0ltt9e5tpno85chu651q3qo7aagot@4ax.com>,
Claire Tucker <fake@invalid.invalid> wrote:
>On Thu, 29 Jul 2004 22:28:54 +0000 (UTC), doctor@edmontonab.ca (The
>Doctor) wrote:
>
>>I have the following scenario:
>>
>>On a Secure Web Site, we have an e-mail sign up form.
>>
>>The person wanting to develop this is concerned about spammers intercepting
>>the e-mail address of the signee.
>>
>>We are using Apache and SSL.
>>
>>What issues should myself, the system admin, and the developer be looking
>>out for and how far can we secure this site?
>
>You've cross-posted this to several groups which have very different
>focuses, and so I can't tell what point of view you're thinking of
>here.
>
>You say you are using SSL, so presumably you aren't concerned about
>the address being submitted from the browser to the web server. I
>guess, then, that you must be thinking of the outgoing mail.
>
>You aren't exactly clear about what your site is doing. I *think* what
>you're saying is that you're asking for an email address and then
>presumably sending mail to the new user, perhaps to "validate" the
>given email address.
>
>In this case, there's not really much you can do about the mail
>transfer; SMTP in general operates over unencrypted links, and the
>mail you're sending could pass through several mail servers before it
>reaches its ultimate destination. If this concerns you, then I have to
>say that perhaps your only option is to not send the mail at all.
>
>Assuming I've got your focus and situation right here, I'm going to
>trim the followups to comp.security.misc which seems to be the only
>applicable newsgroup you crossposted to.
>
>All the best,
>-Claire

Here is what the developer is concerned about:

So are you saying that all transmissions from a sign-up form on Sean's site
to your server will be secured under SSL?

At 10:55 AM 7/29/2004 -0600, you wrote:
>On Thu, Jul 29, 2004 at 11:03:35AM -0600, Developer wrote:
>>
>>
>> Administrator,
>>
>> The maker of a newsletter-management product I am considering for a
>> customer's secure server writes this in answer to my question about sign-up
>> e-mail addresses being safe from interception:
>>
>> "The emails which are sent to both the
>> subscribers and to the administrators are sent unencrypted, however the
>> only way those can be intercepted is if another program is "listening"
>> on the same server. This can only happen if the server has been
>> "hacked" and is in the process of monitoring all inbound and outbound
>> traffic."
>>
>> I understood that email messages can pass through other servers on the way
>> to their destination. Is that true, or not? If so, then is it true that if
>> someone in, say, Bulgaria, signs up for the newsletter, an unencrypted
>> sign-up message could be intercepted en route to Sean's secure site, and the
>> sender's email address extracted?
>>
>>
>

-- 
Member - Liberal International	
This is doctor@nl2k.ab.ca	Ici doctor@nl2k.ab.ca
God Queen and country! Beware Anti-Christ rising!
Microsoft is not the solution; it is the question; what is the answer?? NO!!
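
Added example, not part of the original thread: the multi-server relaying discussed above is recorded in a message's `Received:` headers, so an administrator can list the hops a delivered message took and see which ones were not marked as TLS-protected. The sample message, host names and function names are constructed for illustration; the protocol keywords are the RFC 3848 "with" values.

```python
import email
import re

# Constructed sample message; hosts and addresses use reserved example ranges.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby inbox.example.net with ESMTPS id A1; Fri, 30 Jul 2004 01:40:05 +0000
Received: from relay.example.org (relay.example.org [198.51.100.7])
\tby mx.example.net with ESMTP id B2; Fri, 30 Jul 2004 01:40:03 +0000
Received: from web.example.com (web.example.com [203.0.113.5])
\tby relay.example.org with SMTP id C3; Fri, 30 Jul 2004 01:40:01 +0000
From: newsletter@example.com
To: subscriber@example.net
Subject: Please confirm your subscription

Click the link to confirm.
"""

# RFC 3848 "with" keywords that indicate the hop was carried over TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.I)


def relay_hops(raw_message):
    """Return hops in delivery order as (from_host, by_host, protocol, tls)."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Each relay prepends its own header, so reverse for sender-to-recipient order.
    for value in reversed(msg.get_all("Received", [])):
        match = HOP_RE.search(" ".join(value.split()))  # unfold continuation lines
        if match:
            proto = match.group(3).upper()
            hops.append((match.group(1), match.group(2), proto, proto in TLS_PROTOCOLS))
    return hops


def cleartext_hops(raw_message):
    """Hops where headers, body and envelope addresses crossed the wire unencrypted."""
    return [hop for hop in relay_hops(raw_message) if not hop[3]]


if __name__ == "__main__":
    for src, dst, proto, tls in relay_hops(SAMPLE):
        print(f"{src} -> {dst} via {proto}: {'TLS' if tls else 'cleartext'}")
```

`Received:` headers are written by each relay and earlier hops can forge them, so only the entries added by servers you operate are trustworthy.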

