[liberationtech] Burn Note
Chris Ball
cjb at laptop.org
Sat Feb 4 08:48:35 PST 2012
Hi,
On Sat, Feb 04 2012, Michael Rogers wrote:
> On 04/02/12 05:56, Chris Ball wrote:
>> I don't know how others on the list feel, but I'd probably recommend
>> e-mail (let's say Gmail) over using this site -- Gmail's use of SSL
>> means the passwords won't go over the wire in plaintext,
>
> Using SSL between your computer and Gmail doesn't guarantee that the
> password won't travel in plain text between the Gmail server and the
> recipient's mail server, or between the recipient's mail server and the
> recipient's computer.
Thanks, I should have mentioned that -- I was imagining replacing a
coordinated use of onetimesecret.com between two people with a
coordinated use of two Gmail accounts via Gmail's SSL web interface,
nothing else.
> Does Google even guarantee that email between two Gmail users won't
> travel in plain text between two Gmail servers?
Gmail's backend servers are all in RFC1918 space (10.0.0.0/8), as you
can see from the mail headers of messages sent between Gmail users.
So while I would expect that they *do* use TLS between internal hosts,
I don't think it matters to this trust decision since the messages
aren't being routed outside of their local network.
I don't want to sound like I'm bashing solutions like GPG -- remember
that the conversation is about whether use of Gmail accounts would make
more sense than use of onetimesecret.com, not of whether there are other
solutions that offer more security than either for more effort (there
certainly are).
Best,
- Chris.
--
Chris Ball <cjb at laptop.org> <http://printf.net/>
One Laptop Per Child
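
The header check mentioned in the message above (reading the mail headers to see which hops sit in RFC1918 space), written out as an added example that is not part of the original post. The sample message, its hostnames, IDs and addresses are constructed, and the function names are hypothetical; it also flags which hops recorded a TLS marker.

```python
import email
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
TLS_HINT = re.compile(r"\bE?SMTPSA?\b|version=TLS", re.I)

# Constructed sample; hosts, IDs and addresses are invented (documentation ranges).
SAMPLE = """\
Received: by 10.0.0.5 with SMTP id abc123; Sat, 4 Feb 2012 08:48:40 -0800
Received: from mail.example.org (mail.example.org [203.0.113.7])
\tby mx.example.net with ESMTPS id xyz789 (version=TLSv1 cipher=RC4-SHA);
\tSat, 4 Feb 2012 08:48:38 -0800
Received: from relay.example.com (relay.example.com [198.51.100.9])
\tby mail.example.org with ESMTP id def456; Sat, 4 Feb 2012 08:48:36 -0800
Received: by 10.1.2.3 with HTTP; Sat, 4 Feb 2012 08:48:35 -0800
From: alice@example.org
To: bob@example.net
Subject: test

body
"""

def classify_hops(raw_message):
    """Return one dict per Received header, newest hop first."""
    msg = email.message_from_string(raw_message)
    hops = []
    for header in msg.get_all("Received") or []:
        addrs = []
        for text in IPV4.findall(header):
            try:
                addrs.append(ipaddress.ip_address(text))
            except ValueError:
                continue  # e.g. 999.1.1.1: looks like an address but is not one
        if not addrs:
            scope = "unknown"
        elif all(any(a in net for net in RFC1918) for a in addrs):
            scope = "rfc1918"
        else:
            scope = "public"
        hops.append({"scope": scope, "tls": bool(TLS_HINT.search(header))})
    return hops

def unprotected_public_hops(hops):
    """Indexes of hops that touch a public address and record no TLS marker."""
    return [i for i, h in enumerate(hops) if h["scope"] == "public" and not h["tls"]]

if __name__ == "__main__":
    hops = classify_hops(SAMPLE)
    print(hops, unprotected_public_hops(hops))
```

Received headers are written by each relay in turn, so this reports what the relays recorded; an upstream host can forge the earlier entries.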