Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA
clubs: 
| reply to andyv420
Re: Poll: What is most secure Web-based email?
I personally like Squirrelmail, and I use it as the interface to the mail server that I built myself. I'm using 256-bit AES for both login and all subsequent viewing of mail, and any sensitive email data is encrypted by PGP.
Between Squirrelmail and Horde/IMP, I'd have to say that Squirrelmail is probably more secure given no specific informaiton on the matter. I say this based solely on the fact that Squirrelmail is far smaller, i.e. less code than the Horde project that has many facets and directions.
Hope this helps...
--
dmiessler.com - grep understanding knowledge |
|
sded
Premium
join:2002-11-04
San Diego, CA
 ·DSL EXTREME
| reply to andyv420
One of the main beneficiaries of SSL email is public wireless use. With Gmail, or SSL/TLS access to you ISP mailservers, at least you can send and receive email anywhere without others reading and exploiting it. And it is free and not difficult to administer. |
|
ghicken
Premium
join:2004-12-01
Taneytown, MD
| reply to andyv420
The original poster doesn't clarify what is meant by 'web-based'. I don't think he is talking about Hotmail/Yahoo!/Google but rather IMP or Squirrelmail type of application.
I used IMP when I ran a home-based web server. I sacrificed my static IP for affordable high speed so I switched my main email to Gmail and run it in https mode. I ran IMP over Apache in https. I will agree that it doesn't make plain text emails any more secure but I don't like POP or IMAP clients anymore and having access to a web-based email client is very convenient. The SSL and/or TLS connect to the server just makes me feel better.
Many people I emailed in the mid nineties used PGP and it was nice to sign and/or encrypt the emails often. I don't think a tool has been made yet to make encrypting emails a user-friendly option and I never trusted PGP since the government dropped their case against Zimmermann. |
|
leeb00
join:2001-08-09
|  reply to andyv420
SSL is great, but it only encrypts the email between you and your email provider! From that point the email hits MANY servers in an unencrypted state before it reaches it final destination.
Don't get me wrong, I insist on an email provider that has SSL logins and sessions. For me the best email company out there if Fastmail. www.fastmail.fm
The only really secure email solution is using PGP/GPG, and NOT storing your private key on any server other than your own PC, but I think this requirement would eliminate a web-based email solution. |
|
nonymous
join:2003-09-08
Glendale, AZ
| reply to sded
said by sded  :The only secure Web based email I have used is gmail. Yahoo and Hotmail are not, except for login. Best is an ISP that supports secure SSL/TLS email for POP and IMAP, along with a secure webmail site (mine does). Or enable the secure POP interface for gmail if you need it. Note on gmail: In FF I get redirected to an http site after https login, and need to access the page again with https from the address bar for secure messages. PITA. Opera does it correctly. IE appears to also. just read the gmail disclosure or whatever it is called. lol
custom advertising? well how could it do that? |
|
Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
·TekSavvy Solutions..
| reply to andyv420
I like »www.squirrelmail.org
Not sure if it's the most secure one, but you can use SSL to access the page and IMAPS when accessing mailboxes.
...and it's free  |
|
Raphion
join:2000-10-14
Samsara
|  reply to sded
said by sded :Note on gmail: In FF I get redirected to an http site after https login, and need to access the page again with https from the address bar for secure messages. PITA. Opera does it correctly. IE appears to also. I figured out a fix for this. Just change your Gmail bookmark to include the 's' for secure, like: »https://gmail.google.com/gmail . If you do that, you'll be directed to the secure inbox right after login. |
|
BillRoland
Premium
join:2001-01-21
Ocala, FL
clubs:
1 edit | reply to andyv420
I just use point to point telepathy. Safest method I've found so far, YMMV.
--
"Don't steal. The government hates competition." |
|
sded
Premium
join:2002-11-04
San Diego, CA
·DSL EXTREME
3 edits | reply to marti
For gmail, at least, you can't read email via port 110 of an email client or send via port 25 unencrypted, so I think saying you can read it using any email client is not recognizing the inherent security of gmail-they deserve some credit. It can only be read/sent using encrypted SSL access to the gmail server. I mentioned above that I think allowing unsecured http access to it is an anomaly, and I certainly wouldn't use it, but they do also provide a secure https webmail alternative not supported by either Hotmail or Yahoo mail. And I don't really understand the question either. Or what one might ask in a poll?:) |
|
marti
Color outside the lines
Premium,MVM
join:2001-12-14
Houston, TX
clubs: | reply to sded
sded,
I use SSL email everyday, and I do understand how it works. The OP asked about a secure web-based email provider.
Again, my question to the OP is why are you asking the question? |
|
sded
Premium
join:2002-11-04
San Diego, CA
·DSL EXTREME
4 edits | reply to marti
SSL supports secure email. You can read it via https from a web browser or a pop3 client that supports it. The email is secure from the server to your email client; after that it is your problem. Yahoo and Hotmail do only secure login, and send the email in the clear to you-not good if you have a wireless link, for example. One deficiency of gmail is that you can also read it through a standard http page that is not encrypted-why they allow that for the website I don't understand, it is disallowed for pop access. But both the https website and the pop3 access via ports 995 (pop3) and 587 (smtp) are secure and discussed on their pop setup page. I use both. Message encryption is another issue, and assumes you have a plaintext link or are being intercepted by someone within your LAN after you have decrypted the SSL email in your client. Difference between owning a STU and a copy of PGP. |
|
keith2468
Premium,MVM
join:2001-02-03
Winnipeg, MB
1 edit | reply to andyv420
The problem with insecure email goes beyond someone signing on to your account.
First, unless you digitally sign your email, and the recipients know how to validate your signature, anyone can fake sending an email by you -- even if they cannot sign onto your actual email account. They simply have to spoof the sent-by address. Something most POP3 based email tools will allow them to do.
Second, unless the recipient of your email is using the same service, AND unless ALL the web pages presenting the email have the "lock" icon in the window border, then your email will be passing, unencrypted through various email relays on the internet. And at any of these points the email contents could be read.
So answering this question really does require knowing what kind of security you are looking for.
As to storing contacts in a webmail address book, I do that.
Just make sure you have a copy of the address book you can access and read locally, independant of the webmail tool, in case the webmail account suddenly stops working (which can happen if there is an errant spam complaint). |
|
mboy
Premium
join:2001-04-13
Little Falls, NJ | reply to andyv420
ziplip.com is very secure (even checked by sniffing traffic). Obviosuly, you have to use the encrypt feature, but it does Secure Sockets at the very least.
Too bad they will cease to exist by June. |
|
marti
Color outside the lines
Premium,MVM
join:2001-12-14
Houston, TX
clubs: | reply to andyv420
SSL is not secure email, as I can read emails sent to me via a SSL connection, in any POP3 email client, or web-based email account.
Maybe the OP should tell us why he (she?) is asking the question? |
|
silasshu
join:2004-04-25
Vancouver, BC | reply to andyv420
Here's a good email forum:
»www.emailaddresses.com/forum/for···rumid=16 |
|
zetan
Heart Of Steel
Premium
join:2003-11-22
Vallejo, CA
| reply to sMh
said by sMh :Does anyone here trust web based email services enough to use them to store contacts addresses/phone numbers etc? I'd never put my address book on any web based email. Also, all the emails used are for just casual use, and heavily encrypted files for storage.
I do use Gmail's G-drive thing, so I can store some data, but they're of medium sensitivity and encrypted up to 1344 bit strength.
Other than that, no way no how. My HD is vulnerable enough. Although it is also fully encrypted. So call me paranoid - again 
--
Life is an Express Elevator to Hell. |
|
sMh
join:2003-08-24 | reply to andyv420
Does anyone here trust web based email services enough to use them to store contacts addresses/phone numbers etc? |
|
zetan
Heart Of Steel
Premium
join:2003-11-22
Vallejo, CA
| reply to andyv420
Encrypt the text of the Email. Then upload it.
Whoever downloads it, needs the password. Then they manage the stuff locally.
Software for Steganography (hiding text in pictures and wav files) is what I use for sensitive material. Even if intercepted, if the software is good - they got nothing. Use a strong password and voila.
You can also make self un encrypting files, so the other person does not need to have the same program. It will self unpack.
Any text sent unencrypted is going to be on someone's server, to be read by anyone who has access.
I'm not an expert. Far from it. Some of these guys here are. But I thought I chime in, since this has been working for me very well for many years.
--
Life is an Express Elevator to Hell. |
|
g3guy
join:2002-08-03
Sedona, AZ | reply to andyv420
And what does a secure login get me? My point is that when you see "secure", just as in banking, credit, puchases, on line, the entire event is secured. So your login info is encrypted and your mail is in plain sight. Makes sense to me! |
|
