[ILUG] Q of the moment: does SSL matter? (for webmail & pop & imap & smtp & ...?)
Kae Verens
kae at verens.com
Fri Aug 1 13:31:23 IST 2008
Brendan Kehoe wrote:
> While we're on the topic of webmail clients, I'm curious ... I notice
> that GMail has an option to let you use regular http vs https for your
> GMail sessions, with it automatically redirecting you if necessary.
>
> I've been in the habit of encrypt-if-possible for a long time, and
> thus folks using Horde+IMP on our host are also automatically
> redirected to make sure they use the SSL-guarded connection.
>
> To be a devil's advocate: does it matter, really? Except for sitting
> in Internet cafes or libraries, do you need to use SSL when using a
> webmail interface? Or even when downloading your mail? When's the
> last time you read about an ISP being hacked so people could sniff
> packets? If your home wireless is set up with WPA, is that enough to
> keep strangers lurking in the woods behind your house from watching
> your browsing habits?
>
> I've gotten into a long long discussion with someone over this, and my
> debate skills of US high school are long gone, so I couldn't hold my
> side of the argument. What would you say to the question of whether
> SSL is actually necessary for things like email?

Not going to even pretend to be an expert on this, but SSL is not just
about security. In most uses, the certs are used to identify either the
client or the server.

I'm currently working on allowing a USB stick to be used to provide
identification to log into a web server. This involves SSL, but not for
its "on-the-wire" security, but for its private/public keys and the
ability to use those keys to provide positive identification of the client.

SSL for email is probably useless where security is concerned, as when
the emails are in transit between servers, they're mostly unencrypted,
and when stored on the various machines along the route to the mailbox,
they're also unencrypted.

Just my own thoughts.

Kae