Uri Even-Chen
Phone: +972-54-3995700 Email: u...@speedy.net Website: http://www.speedysoftware.com/uri/en/
--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users...@googlegroups.com.
To post to this group, send email to django...@googlegroups.com.
Visit this group at http://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/CAMQ2MsHDNLRuth59FRAtXwMXY14LyMUibxHCFxZswdD7Jw4oyg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
Looks like it is not hard to change the Postfix maildrop agent to encrypt mail passing to the user dir. But some work should be done on the MUA side.
Anyway, it is not a question of Django.
On Sat, 15 Aug 2015 12:47:17 +0300, Uri Even-Chen <u...@speedy.net>
declaimed the following:
>To Python, Django and Speedy Mail Software developers,
>
>Is it possible to make Speedy Mail encrypted? I want mail to be encrypted
>on the server, and only the user will be able to read his/her mail. The
>user's password will be encrypted on the server and nobody will be able to
Most systems I know of don't store the password on the server in the
first place. They store a one-way hash generated from the password
(possibly using a randomly generated salt that is also saved with the hash
-- that is, rather than just hash "password" into "hashstring", they hash
"saltpassword" into "otherhash" and prepend the "salt" -> "saltotherhash".
When user comes to connect later, they match the user name in the password
database, extract the "salt" from "saltotherhash", attach it to the
password given by the user, generate the hash, and see if it matches the
rest of the saved hash). The hash value is only used for matching purposes,
not for any subsequent processing -- it is not a cryptography key, nor is
any cryptography key used to produce it.
>I believe a user's mail is something personal, like his thoughts. I don't
>want the police to read my mail and it's similar to reading my thoughts.
>
And the solution, in my mind, is to not use a central mail repository
(no webmail client, nor even an IMAP client) and always do a
delete-from-server when the POP3 client fetches the mail (and the server
should do some sort of secure scrub of the deleted file area on disk). That
way the only mail that will ever be found on the server is the mail the
user hasn't logged in to retrieve yet, or outgoing messages that the SMTP
daemon hasn't gotten around to forwarding to the destination (and deleting
once the receiving server ACKs the message). (This also reduces the storage
needed by the server, and likely speeds access to mail if using MBOX format
as it doesn't have to scan humongous files).
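The salted-hash scheme described earlier in this message, as an added example that is not part of the original post. It swaps the single hash pass for PBKDF2-HMAC-SHA256 from the Python standard library; the record layout, iteration count and sample accounts are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # work factor assumed for this example, stored in each record


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Build the string the server stores: iterations$salt$hash (hex)."""
    salt = os.urandom(16) if salt is None else salt
    return f"{ITERATIONS}${salt.hex()}${_derive(password, salt, ITERATIONS).hex()}"


def check_password(password: str, record: str) -> bool:
    """Re-hash the offered password with the stored salt and compare."""
    try:
        iterations, salt_hex, hash_hex = record.split("$")
        salt, stored = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        candidate = _derive(password, salt, int(iterations))
    except (ValueError, OverflowError):
        return False  # malformed record: fail closed
    # Constant-time comparison, so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Constructed sample accounts: two users who picked the same password.
    db = {"alice": make_record("hunter2"), "bob": make_record("hunter2")}
    print("records differ:", db["alice"] != db["bob"])
    print("correct password:", check_password("hunter2", db["alice"]))
    print("wrong password:", check_password("Hunter2", db["alice"]))
```

The stored record only answers "does this password match"; nothing on the server is encrypted with it, so it gives no protection to the mail itself.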
No, passwords shouldn't be encrypted; you should store hashes. Just use the Django default auth app.
Anyway, this does not solve Uri's problem. The man in black asks about access to the user's private data. Problem with auth by hash? It is not a problem. Resetting the password generates a new hash.
Let's imagine:
A bad guy hacks into the system and has all the data. Password hashes and other tricks hosted on the server side are not a problem. This guy has time to sort out all the parts. One good way is to use public and private keys; the private key is stored on the user's PC only. Retrieving encrypted data to the user's PC and decrypting it on the client side is a way to solve this problem.
If there is some market for this task, it is possible to start, but not for free.
The software part requires 6-8k$. But you should check some rules with a lawyer.
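A sketch of the public/private key idea in this message and of the earlier suggestion that the delivery agent encrypt mail on its way to the user's directory, as an added example that is not code from the thread. It assumes the third-party `cryptography` package; the X25519, HKDF and ChaCha20-Poly1305 choices, the blob layout and the function names are this example's own.

```python
import os

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric.x25519 import (
    X25519PrivateKey, X25519PublicKey)
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat


def _raw(pub: X25519PublicKey) -> bytes:
    return pub.public_bytes(Encoding.Raw, PublicFormat.Raw)


def _message_key(shared: bytes, eph_pub: bytes, user_pub: bytes) -> bytes:
    # Bind the derived key to both public keys involved in this message.
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None,
                info=b"mailbox-seal" + eph_pub + user_pub).derive(shared)


def seal_on_delivery(user_pub: X25519PublicKey, mail: bytes) -> bytes:
    """Server side: needs only the public key and keeps nothing that decrypts."""
    eph = X25519PrivateKey.generate()  # fresh key pair per message, then discarded
    eph_pub = _raw(eph.public_key())
    key = _message_key(eph.exchange(user_pub), eph_pub, _raw(user_pub))
    nonce = os.urandom(12)
    # Stored blob layout: ephemeral public key (32) | nonce (12) | ciphertext+tag
    return eph_pub + nonce + ChaCha20Poly1305(key).encrypt(nonce, mail, None)


def open_on_client(user_priv: X25519PrivateKey, blob: bytes) -> bytes:
    """Client side: the private key stays on the user's PC."""
    eph_pub, nonce, ct = blob[:32], blob[32:44], blob[44:]
    shared = user_priv.exchange(X25519PublicKey.from_public_bytes(eph_pub))
    key = _message_key(shared, eph_pub, _raw(user_priv.public_key()))
    # Raises cryptography.exceptions.InvalidTag on a wrong key or modified blob.
    return ChaCha20Poly1305(key).decrypt(nonce, ct, None)


if __name__ == "__main__":
    user_key = X25519PrivateKey.generate()  # generated on the user's PC
    mail = b"Subject: hello\r\n\r\nconstructed sample message\r\n"
    blob = seal_on_delivery(user_key.public_key(), mail)
    print(mail not in blob, open_on_client(user_key, blob) == mail)
```

The server still handles each message in plaintext at the moment of delivery, so this protects only what is stored afterwards, and a copy of the stored blobs is unreadable without the key held on the client.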