In article 18682 at nlm.nih.gov, gish at host.nlm.nih.gov (Warren Gish) writes:
>In article <Cus7zC.I57 at phibred.com> brookerg at phibred.com (Glenn Brooke) writes:
>> Earlier I asked about encryption of BLAST mail server queries, and
>>learned that RIPEM is a supported method for BLAST (thanks!). Someone
>>also suggested that using a BLAST form via WWW would be more secure --
>>is this true? Why? Thanks in advance,
>WWW might be considered somewhat more secure than un-encrypted BLAST e-mail for
>a few reasons. First, if e-mail from your location is handled by one or more
>mail relay computers on its way to/from the NCBI BLAST server, use of WWW
>circumvents the relay computers and their associated security risks by providing
>direct communications between your computer and the BLAST server.
This is not necessarily accurate. All packets, be they mail or text communicated
by telnet, are relayed; that is the nature of the net. Unless the two machines
are directly connected to each other, all information is relayed and any
person with the capability to intercept your mail is likely able to intercept
that sort of packet as well.
>Second, even if e-mail is sent directly between your location and the NCBI,
>depending on how e-mail messages are handled at your location before
>transmission, your query might exist at least transiently in a file somewhere
>on the system awaiting transmission; and the search results returned by the
>BLAST E-mail server may sit in a file for an indefinite period of time awaiting
>your retrieval of them. Either way, the query or the results could be read by
>a system operator or intruder. But an intruder might be able to rifle through
>your files and grab your sequence data anyway. The strength of security here
>presumes proper configuration of the e-mail and other system software, assumes
>difficult-to-guess choices have been made for system administrator and user
>passwords, and assumes your files are not generally readable by anyone sharing
>the same computer with you.
You might also note that quite often, http messages are cached. They are able
to be cached by both client and server. Furthermore, http servers can act as
proxies to other http servers meaning that your http connection might not
be as direct as you think, and your http submissions may be cached at
several places.
>Despite efforts to avoid the above risks, given the proper software someone
>with a simple PC attached to the network can peek at all data that passes along
>the same network segment -- no cracking of passwords required.
>passing data along numerous network segments and through numerous network
>routers, all of which are potential points of attack. If the transmitted data
>are encrypted, though, depending on the strength of the encryption method
>that was used, the data will be basically useless to a network eavesdropper.
Quite correct.
>Lastly, as mentioned earlier in this or a related thread, by using WWW the
>risk of specifying an incorrect e-mail address is avoided.
The best reason for using the WWW interface (though you can specify the PATH).
Actually, the most secure method is to run BLAST locally on some machine.
If your machine can't run BLAST (i.e., not enough disk space, slow-as-molasses
processor, etc.), then apply for access to one that does. You can keep your
data encrypted, BLAST it locally, and have the results encrypted right there.
>Warren Gish
>NCBI/NLM
>
---
James McIninch james at amber.gatech.edu
School of Biology
Georgia Institute of Technology, Atlanta, GA 30332-0230
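The point made above, that both mail and HTTP traffic pass through intermediaries and may be cached, can be checked from the traces those hops leave behind. As an added example (not from this thread or from NCBI), the Python below pulls the relay chain out of a message's Received: headers and the proxy chain and cache directives out of an HTTP response; every hostname, address and header value is a constructed sample.

```python
import email
import re

# Constructed sample reply from a mail server, with three Received: stamps
# (newest first, as each MTA prepends its own). All hosts are placeholders.
SAMPLE_MAIL = """\
Received: from relay2.example.edu (relay2.example.edu [192.0.2.20])
\tby mailhost.example.edu with SMTP id 12345; Mon, 1 Aug 1994 10:02:00 -0400
Received: from relay1.example.net (relay1.example.net [192.0.2.10])
\tby relay2.example.edu with SMTP id 12344; Mon, 1 Aug 1994 10:01:30 -0400
Received: from blast-mailer.example.gov (blast-mailer.example.gov [192.0.2.1])
\tby relay1.example.net with SMTP id 12343; Mon, 1 Aug 1994 10:01:00 -0400
From: blast@blast-mailer.example.gov
To: user@example.edu
Subject: BLAST results

(results would follow here)
"""

# Constructed sample HTTP response that crossed two proxies (Via: header).
SAMPLE_HTTP = (
    "HTTP/1.0 200 OK\r\n"
    "Via: 1.0 proxy.example.edu, 1.0 cache.example.net\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>results</html>"
)

def mail_relay_hops(raw_message):
    """Return the MTAs that handled the message, oldest hop first."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Received: headers are prepended, so reverse them to get delivery order.
    for received in reversed(msg.get_all("Received", [])):
        m = re.search(r"\bby\s+([\w.-]+)", received)
        if m:
            hops.append(m.group(1))
    return hops

def http_intermediaries(raw_response):
    """Return (proxies, cacheable): hosts listed in Via:, and whether no
    header forbids caching (Cache-Control: no-store or Pragma: no-cache)."""
    head, _, _ = raw_response.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    proxies = [e.split()[1] for via in headers.get("via", [])
               for e in via.split(",") if len(e.split()) >= 2]
    cc = " ".join(headers.get("cache-control", [])).lower()
    pragma = " ".join(headers.get("pragma", [])).lower()
    return proxies, ("no-store" not in cc and "no-cache" not in pragma)
```

Each non-empty hop list is a machine other than the two endpoints that saw the plaintext query or result, which is the reason the thread keeps coming back to encrypting the data rather than trusting the channel.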