[Crypto-chi] Follow up on March 14 crypto meeting at PS1

Brian Kroll brian at fiberoverethernet.com
Sat Apr 4 03:02:50 CDT 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

"Whilst using plug ins like enigmail for Thunderbird is great and
everything, we need to be cognizant that quite often we are using
webmail of one sort or another."

Most, if not all, web-mail providers give you mailbox access via
POP3 or IMAP protocols, which you can use with Thunderbird, keeping the
content both plaintext and encrypted on your local system, which is more
secure than browser-based applications.

"Especially for those of us on our mobile devices."

On Android, there is K-9 Mail and OpenKeychain; both work
quite well, but as I said in my talk, mobile platforms are severely
broken in many ways. I would not store my private keys on a mobile phone
ever. Mobile devices are very easy to lose too.

"Fortunately there are various browser extensions that facilitate this.
For gpg we can count on the following..."

Counting on software that has not passed community audits by security
professionals or professional cryptographers is dangerous and should
be avoided for sensitive use.

"Google has yet to release its own Chrome plug in"

I'm looking forward to this project, however I do wonder what Google
will do to continue scanning your email to serve you ads based on the
content so they can make money.

"It's alpha, not yet ready for prime time.."

Don't trust early-stage software, especially new crypto, for sensitive
needs; it may harm you.

"..don't know wot's taking them so long."

Strong cryptography and good code are not a rush job, as any oversight
can possibly compromise the security of the project and, in turn, your safety.

"Even Windows has support for GPG through VisualGPF."

"..Windows app that does key management stuff like sign, decrypt
and key maintenance. It's GUI based so you don't have to use the CLI to
perform these tasks."

GPG4Win has a nice interface and support for Windows.

http://www.gpg4win.org/

"...even MS Outlook has its own GnuPG plugin. Though there are some
grumblings about Outlook being closed source, I think this can overcome
that objection."

Just using a plug-in that is open source does not make the client less
susceptible to compromise. This plug-in is also not written by Microsoft.

".. let's not forget our smartphones. ChatSecure, TextSecure, RedPhone.."

Yes, you should use all of these! They use strong crypto and have been
audited by professionals. 10/10!



All the best,

- -Brian
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

