• Resolved smartergeek

    (@smartergeek)


    Ok – so after switching from Mailvelope to CryptUp, I was able to easily get this working using my Google Apps/Work/GSuite email to receive the encrypted form. As a side note, I was using Gravity Forms but went ahead and just switched to Contact Form 7.

    Here is the question: this plugin creates a public/private key pair for signing the emails sent from the server. Why – since the private key is stored on the server?

    I’m not a security or encryption expert, and I use WPENGINE which tends to be very good hosting and up to date. However, is it necessary to sign the form emails?

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author Meitar

    (@meitar)

    No, you do not need to sign outgoing emails. However, the point of signing emails is to verify that the emails you receive were sent from your server and not from some other server pretending to be yours. That requires a private key, by definition. Generating a signing keypair is optional.

    Thread Starter smartergeek

    (@smartergeek)

    Gotcha and understood. However, if the private key can be compromised (more easily and exposed on a web server) then the key and signing is kinda pointless. Again – I understand though. 🙂

    Plugin Author Meitar

    (@meitar)

    Well, yeah. That’s why you should use a dedicated key for this purpose.

    Thread Starter smartergeek

    (@smartergeek)

    I kinda figured that. Do you have a suggestion or some tips for knowing if your key has been compromised and used (other than the obvious)? I don’t think there is a way?

    Plugin Author Meitar

    (@meitar)

    Nope.


The topic ‘Private Key on the Server?’ is closed to new replies.