Subj : Re: Thinking of posting a code a week
To   : Avon
From : apam
Date : Sun Sep 17 2017 11:19 am

 A> I agree with comments about the irony of trying to secure comms if the 
 A> poster is logged in via a telnet session. But assuming the login is a 
 A> local one on a system sitting inside a home LAN then I guess that issue i
 A> negated.

Yep, if you're the only one using the BBS, then it wouldn't matter. I
guess in this day and age where we're all Sysops it could work, it's when
you add users to the equation it gets complicated.

 A> As I understand it, the real issue becomes how to create a enviroment of 
 A> shared trust... so how does a key get exchanged in a secure way between 
 A> two parties prior to the encrypted exchanges taking place

You'd have to send the initial key some other way, ideally in person,
after that you could include subsequent keys inside the encrypted
message. That's why PGP would be wayy better because it solves the issue
of sharing the first key.

 A> Apam et al.. I do hope you can further bake some options in to your 
 A> platforms as I'd be keen to help with the development of this

I'd really like to, but as Nu said, the secrecy wouldn't be ideal, as
users messages could still be read by the sysop. I guess it would have to
come with some kind of disclaimer not to use it for nuclear launch codes
or the like ;P

 A> Xqtr and I did so some work playing with Mystic MPL and PGP a while ago. 
 A> I just need to find all of the work again :) But the idea was to use the 
 A> full screen editor and then have the output run through PGP then posted t
 A> the echomail area encrypted. It worked to a point but the shared key 
 A> thing was not flying as it should - does that sound right Xqtr

This would still suffer the same problem in that the sysop with the
shared key could read all the users encrypted mail.

So, while the sysop would have security, the users would only have an
illusion of security. I don't know if this is worse than having no
security at all in that, with no security the user is aware that his
communication can be read.

As Nu said copy/pasting PGP encrypted texts is the best solution, I think
the most ideal would be an offline reader with a PGP plugin.

Andrew

--- MagickaBBS v0.6alpha (Linux/x86_64)
 * Origin: Exotica BBS - telnet://exoticabbs.com:2023/ (21:1/125)

.