Had a closer look at SEPP. From what I can tell, it fails in three
ways:
- It assumes that the recipient has a Windows platform, as it
attaches an executable which asks for a password to decrypt, and
also allows for the encryption of a reply. I am not 100% as the
marketing docs are not clear (surprise!), but I cannot imagine
another way (they boast not needing any client software). They
could go through a webpage, but then that would suck just about
as much.
- Users are beginning to understand that they are not to run
executable attachments. Now it's supposed to become a feature?
Many mail readers and/or content scanners might well block the
attachments.
- It uses a password -- symmetric encryption -- which thus falls
short in all the ways that symmetric encryption falls short. In
particular, anyone might be able to sniff the password, or
launch a social engineering attack. If the password has been
disclosed, no one knows, nor can the sensitive data be
protected/revoked.

Just my two cents, because I am really interested in this. I have
not seen a product that actually solves the problems without
creating new ones.

PS: I have no beef with SEPP or the company, so please don't read
this as random bashing.
--
Please do not send copies of list mail to me; I read the list!
.''`. martin f. krafft <madduck@debian.org>
: :' : proud Debian developer, admin, user, and author
`. `'`
`- Debian - when you have better things to do than fixing a system
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!