RE: [mv] more security
On 12-Nov-99 Michael James wrote:
> Are the security implications different for the following three
> scenarios?
> 1. Credit card number collected via the secure server and saved in a
> mail box on the local machine.
I take it you mean the mail is stored on your mailbox on the secure
server? If you telnet in to get it, you're transmitting the details
unencrypted as you read them. If you use SSH to create an encrypted
'tunnel' then this method would be fairly safe. You also need to consider
who else might have access to the mailbox on the server.
> 2. As above but sent to a mailbox on the local network
Most of the above applies here. You can take care of one problem by using
SSH. This method has a somewhat larger security concern since there are
most likely now more people with access to the local network. YMMV.
> 3. As 2 above but collected by someone who has a dial up ppp account
> with the server.
The access problem from above applies here also, since, depending on how
often you collect your mail, there will always be people on the remote
machine with physical access. Add to that the fact that the ppp client is
downloading the mail cleartext over the Internet (in the above example we
remedied this by using SSH).
The simplest and most effective option by far is simply to encrypt
everything that needs to remain confidential. Then the issues above don't
really apply, so long as encryption is strong enough and you don't
unencrypt until you have the mail physically on your box.
I'm no security expert, that's just my take. As everyone keeps stressing,
for ultimate security you have to take care of all the weak links.
-Ben