Laurent Wacrenier wrote:
On Tue 22 Feb 16:41:46 2005, Matus Hrusovsky wrote:
After logout from sqw, there are still decrypted messages in the
$MAILDIR/tmp directory. They are deleted not after logout but after the next
login procedure; this is very insecure.
Anyway, is there any reason to write decrypted msg to tmp dir ?
As far as I've seen, it's needed to avoid multiple decryptions of the same file.
Why ? Bad way. Preferably decrypting it as many times as needed will be
*much* better (and more secure) than writing them to a file.
IMHO, this way it's breaking all security needs for using gpg.
Files in the mailbox have to be readable by the user only.
Yes, it's OK, but it has nothing to do with encrypted msgs. People are using
encryption in msgs to avoid having it saved anywhere in readable form.
As the user's private keys are stored unencrypted, any user with read
access to the mailbox is already able to decrypt the messages parts.
Private keys are secured with passphrases. Yes, I know that they are
using it in unsecure memory on server.
How to delete decrypted msgs from tmp dir after logout, maybe directly
after usage ?
Is it possible to avoid sqw to write decrypted msgs to tmp dir ?
MH