Re: Help spread strong cryptography now!
- From: Unruh <unruh-spam@xxxxxxxxxxxxxx>
- Date: 29 May 2006 23:07:25 GMT
"privacy concerned" <privacyconcerned@xxxxxxxxx> writes:

> Gordon Burditt wrote:
>>> Any recipient who opens an EaSecure message
>>> for the first time will have a pair of public/private keys
>>> automatically generated,
>> If opening an email message causes anything to "automatically"
>> happen, you have a *SERIOUS* security problem and you're probably
>> vulnerable to just about every virus out there. I'd seriously
>> consider keeping a 1-kilometer air gap between the computer and any
>> power source (including batteries), and a 1-kilometer air gap between
>> the computer and any network cable or wireless network device.
>> Maybe you're better off dropping pieces of it down several active
>> volcanos on different continents.
>>> and will be able to send encrypted emails to
>>> ANYONE who has an email address, even if the recipient is not yet an
>>> EaSecure user.
>> If the intended recipient can receive an encrypted email and
>> decode it, without any prior setup of shared secrets, what
>> prevents a non-intended recipient from doing the same thing first?
> Please read "How it works?" at http://www.easecure.com/ carefully. Not
> just anybody can open the first EaSecure message. You need to enter a
> one-time password. The one-time password is sent to the recipient's
> email address from the EaSecure server. What automatically happens is
> the generation of public/private keys and posting the public key to the
> server when the one-time password is verified.
> You can think of this as a type of email address verification used in
> issuing a class 1 certificate. If you go to VeriSign to apply for a class
> 1 digital ID to be used for secure email, they really just send you
> some secret to your email address and verify that you can receive it.
> The one-time password verification is no more and no less, about the
> same security level as a class 1 certificate.

Complete horse ***. What they do is to verify that you are who you claim
to be. They then sign your PUBLIC key which you sent them, to verify that
that public key belongs to the person it claims to belong to. THEY do NOT
generate a key for you. You do that yourself with whatever software you
want to use.

> Of course, if someone intercepts both the one-time-password-protected
> EaSecure message and the one-time password email (usually sent from
> different locations), then he can open this first EaSecure message.
> This is unlikely, since most prying eyes want to spy on you without

??? This is completely insecure.

> being noticed. Because the one-time password can only be used once, you
> cannot use it again if someone has already used it, and you will notice
> that you have been spied upon. In other words, the one-time password
> protection makes it impossible to spy on your emails without being

Let's see, you went from "unlikely" to "impossible" in one sentence. Hm.

> noticed. For this reason, although one-time password protection is not
> as good as public-key encryption, it is still much better than
> plaintext email.

Maybe. That is not what you claim however, and furthermore there is
absolutely no protection against EaSecure being a completely fraudulent
organisation who will sell your information to the highest bidder. Oh--
"trust me". Yeah. That really is secure.

> Please note: one-time password protection is only used before the
> recipient opens the first EaSecure message (before the recipient has
> public/private keys). Once the recipient opens the first EaSecure
> message, the recipient will have public/private keys so subsequent

Generated by software designed and compiled by EaSecure. How do I know that
that same software does not immediately send a copy of the private key to
EaSecure? Or generate keys which are easily broken by EaSecure? Oh, "trust
me" again.

> messages will be encrypted by the public and have the same security as
> any PGP or S/MIME messages.

No. They will not.
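
Added example, not part of the thread and not EaSecure's code: a small Python model of the first-message step as the quoted description states it (a one-time password mailed to the address; on verification the message is released and a public key is posted to the server). The class name, address, message and key strings are constructed placeholders, and the server behaviour is an assumption drawn only from that description.

```python
import hashlib
import hmac
import secrets


class FirstMessageServer:
    """Hypothetical model of the server role described in the thread."""

    def __init__(self):
        self._otp_hash = {}   # address -> SHA-256 of the unused OTP
        self._held = {}       # address -> first message awaiting pickup
        self.directory = {}   # address -> public key posted at verification
        self.rejected = []    # addresses that presented a spent or wrong OTP

    def send_first_message(self, address, body):
        """Hold the message and return the OTP that would be e-mailed."""
        otp = secrets.token_urlsafe(16)
        self._otp_hash[address] = hashlib.sha256(otp.encode()).digest()
        self._held[address] = body
        return otp

    def redeem(self, address, otp, public_key):
        """Release the message once; bind the address to the key sent with the OTP."""
        expected = self._otp_hash.get(address)
        presented = hashlib.sha256(otp.encode()).digest()
        if expected is None or not hmac.compare_digest(expected, presented):
            self.rejected.append(address)   # the only signal the owner gets
            return None
        del self._otp_hash[address]         # single use
        self.directory[address] = public_key
        return self._held.pop(address)


def simulate_interception():
    """Constructed scenario: a party who saw both e-mails redeems first."""
    server = FirstMessageServer()
    addr = "bob@example.org"                # constructed address
    otp = server.send_first_message(addr, "constructed first message")
    seen_by_other = server.redeem(addr, otp, "KEY-OF-FIRST-REDEEMER")
    seen_by_owner = server.redeem(addr, otp, "KEY-OF-MAILBOX-OWNER")
    return seen_by_other, seen_by_owner, server.directory[addr], server.rejected
```

In this model the single-use rule gives the mailbox owner a rejection after the fact, not confidentiality for the first message, and the posted key is whichever one arrived with the valid password.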