On Mar 19, 2016, at 8:09 PM, Albert Manfredi <albert.e.manfredi@xxxxxxxxxxx> wrote:
No. So here's a clue, Craig. The ONLY credible purpose for
encryption-in-the-middle, provided either by ISPs or by your iCloud, is to
protect the network.
Not the user's data. For example, if provided by ISPs, it protects the ISP's
routing tables, it protects the configuration of their nodes, and so on. For
Apple, it protects their iCloud servers. That's the purpose.
It is not protection for the user! In your case, all you have to do is tap in
somewhere outside this iCloud, and with DPI, any packet from the iCloud
traveling outside that iCloud can be read, if it hasn't been encrypted end to
end. The iCloud is not the entire Internet, Craig. If you knew what you were
doing, you'd never trust iCloud encryption alone for your online bank
transactions, for example. That would be foolish.
I've repeated this point countless times.
Repeating this again. This is false. As long as the decryption of that iCloud
email is occurring at an ISP's mail server, and not at my own PC, it means
that the ISP can read the email.
You would know if your email client was set up for encryption, Craig. Because
you would be the one having to acquire and renew certificates, and you would
be the one having to figure out what type of encryption certificates are
needed by whoever it is you need to communicate securely with.

Those capabilities are native to iOS.

So here's the deal, Craig. As long as my email client is not decrypting that
email, and I know this because I have not enabled encryption for the email,
it means that the ISP's mail server is decrypting it, before sending it on to
my PC.
Everybody knows that simply knowing how an encryption algorithm works does
not mean you can decode encrypted messages, Craig. The point is, if YOUR OWN
client is not doing the decrypting, that message is going to be plaintext
going from server to client. The ISP *has* to be able to decrypt the email,
in short, when it's using encryption in the middle only.

So choose an e-mail client that is encrypted end-to-end.

Here are the main points that (as usual) are taking way too long to get
across:
1. To protect user data, the protection must be end to end. Like, between
your PC and the bank's internal server. Or between your email client and the
email client of the other guy. If it's not end to end, then it's not
protected as far as the user is concerned.
2. An individual user typically has *no control* over what gets encrypted end
to end. Bank transactions do, as well as anything requiring payment. Other
than that, very little indeed.
3. If ISPs can use deep packet inspection, for WHATEVER reason, it's exactly
the same thing as wiretapping your phone. The user can protect against that,
sure, WITH END TO END ENCRYPTION. It doesn't matter whether the wiretapping
is done to "sell" the information, or for any other reason. Your information
is not private.
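The distinction the thread keeps circling (transport encryption that ends at the ISP's or iCloud's mail server, so the relay and any DPI tap beyond it hold the body in the clear, versus encryption applied by the sender's own client that only the recipient's client can open) as an added example, not code from either correspondent. The program below is a simulation in Go: the function names (sendTransportOnly, sendEndToEnd, serverSees, recipientOpen), the addresses and the message body are all constructed for the example, and the hybrid RSA-OAEP plus AES-GCM construction stands in for what S/MIME or OpenPGP does with more structure.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Message is what each hop (ISP mail server, iCloud, a DPI tap) handles.
// The envelope must stay readable for routing; the body need not.
type Message struct {
	From, To string
	Body     []byte
}

// sendTransportOnly models encryption in the middle: TLS from the client
// to the mail server, terminated at the server. After termination the
// server holds the body exactly as typed, and that is what it relays on.
func sendTransportOnly(from, to, body string) Message {
	return Message{From: from, To: to, Body: []byte(body)}
}

// sendEndToEnd seals the body on the sender's own machine under the
// recipient's public key: a random AES-256-GCM content key wrapped with
// RSA-OAEP. Body layout on the wire: wrappedKey || nonce || sealed.
// The envelope is bound in as GCM associated data, so a relay that
// re-addresses the message makes it fail to open.
func sendEndToEnd(from, to, body string, pub *rsa.PublicKey) (Message, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return Message{}, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return Message{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Message{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Message{}, err
	}
	sealed := gcm.Seal(nil, nonce, []byte(body), []byte(from+"\x00"+to))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return Message{}, err
	}
	out := append(append(wrapped, nonce...), sealed...)
	return Message{From: from, To: to, Body: out}, nil
}

// serverSees is the relay's (or a DPI tap's) view: does the body, as
// carried between hops, still contain the sender's text?
func serverSees(m Message, text string) bool {
	return bytes.Contains(m.Body, []byte(text))
}

// recipientOpen is the only step that needs the private key. Only the
// endpoint holds it, so only the endpoint can turn the body back into text.
func recipientOpen(m Message, priv *rsa.PrivateKey) (string, error) {
	k := priv.Size() // RSA-OAEP output is exactly the modulus size
	if len(m.Body) < k {
		return "", fmt.Errorf("body too short for wrapped key")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, m.Body[:k], nil)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	n := gcm.NonceSize()
	if len(m.Body) < k+n+gcm.Overhead() {
		return "", fmt.Errorf("body too short for nonce and tag")
	}
	plain, err := gcm.Open(nil, m.Body[k:k+n], m.Body[k+n:], []byte(m.From+"\x00"+m.To))
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // recipient's key pair (constructed)
	text := "move $500 to account 1234"            // constructed sample body
	plain := sendTransportOnly("alice@example.org", "bob@example.org", text)
	sealed, _ := sendEndToEnd("alice@example.org", "bob@example.org", text, &priv.PublicKey)
	fmt.Println("relay can read transport-only body:", serverSees(plain, text))
	fmt.Println("relay can read end-to-end body:    ", serverSees(sealed, text))
	got, _ := recipientOpen(sealed, priv)
	fmt.Println("recipient reads:", got)
}
```

The point of the simulation is the asymmetry: serverSees answers yes for the transport-only message no matter how good the TLS between client and server was, and no for the end-to-end message, while recipientOpen succeeds only with the private key that never left the recipient's machine. It also shows the practical cost the thread mentions: someone has to generate and distribute that key pair before the first message can be sent.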