Necessity of GPG when using SSL

Janusz A. Urbanowicz alex at bofh.net.pl
Wed Feb 15 12:11:31 CET 2006


On Tue, Feb 14, 2006 at 10:34:38PM +0100, Jim Berland wrote:
> Hi everybody,
> 
> I understand the use of GPG end-to-end-encryption and use it with a  
> few of my contacts. What I want to make sure is the following.
> 
> I am going to move to China for some time. My email ISP is located  
> outside China and I connect to it via SSL. So if I am only concerned  
> about the Chinese (whatever the reason; maybe my doubts are  
> unreasonable?) and not about the complete end-to-end-encryption of  
> GPG, the SSL encryption alone will do the job. Is that correct?

You haven't specified your threat model precisely enough, for the
vague one you presented the answer is both yes and no. SSL webmail and
GPG protect against different things.

Yes - because SSL webmail access is good enough to prevent the
operators of great chinese firewall of snooping into what do you do on
your mailbox.

No - because SSL protects only against eavesdropping of mailbox
access. It doesn't protect your email in transit from server to server
(unless all the servers in the way support SMTP/TLS and you trust the
operators of the servers). For example, if you write from your SSL
webmail to someone in .cn, the contentrs of the mail can be observed
by the operatros of said firewall.

Alex



More information about the Gnupg-users mailing list