Encrypt and Sign Gmail messages with FireGPG

CmdrTaco posted more than 6 years ago | from the can-you-spot-the-secret-message-in-this-dept-line dept.

Linux.com (Same owners as Slashdot) has a story up about FireGPG and says "Gmail may be an excellent Web-based email application, but there is no easy way to use it with privacy tools like GnuPG. The FireGPG extension for Firefox is designed to solve this problem. It integrates nicely into Gmail's interface and allows you...
206 comments

Nerds with something to hide (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#19382505)

I don't understand this fascination with encryption. Why do people use it. Is it because you're hiding something illegal? It's kiddie porn isn't it? Be honest!

Re:Nerds with something to hide (-1, Flamebait)

Stormx2 (1003260) | more than 6 years ago | (#19382575)

Okay, who modded you funny? I find myself hoping heaven and hell do exist when I see comments like that; you'd inhabit the latter.

Re:Nerds with something to hide (5, Funny)

morgan_greywolf (835522) | more than 6 years ago | (#19382597)

I don't understand this fascination with encryption. Why do people use it. Is it because you're hiding something illegal? It's kiddie porn isn't it? Be honest!


Nope. It's secret terrorist plots to overthrow the tyrannical American Government!

Oh, wait! I wasn't supposed to say that, was I?

Re:Nerds with something to hide (4, Funny)

daeg (828071) | more than 6 years ago | (#19382857)

Clever. Hiding your kiddie porn encoded in anarchist rants! I'm onto you, buddy!

Re:Nerds with something to hide (0)

Anonymous Coward | more than 6 years ago | (#19383155)

Hm. Wanting to overthrow the tyrannical American Government is not necessarily being against Government in general - "Anarchist" is a bit of a stretch (I know, way to kill the humour, but it annoyed me).

Re:Nerds with something to hide (5, Insightful)

fluch (126140) | more than 6 years ago | (#19382609)

It is just that I don't want anybody to intrude my privacy. Do you close the envelope of a regular snail-mail letter? If so, do YOU have something to hide??

Re:Nerds with something to hide (1)

Kadin2048 (468275) | more than 6 years ago | (#19382643)

It is just that I don't want anybody to intrude my privacy. Do you close the envelope of a regular snail-mail letter? If so, do YOU have something to hide??

YHBT, I think ... (Though admittedly, it hasn't been moderated as such, yet.)

Re:Nerds with something to hide (2, Insightful)

kevin_conaway (585204) | more than 6 years ago | (#19382849)

Do you close the envelope of a regular snail-mail letter? If so, do YOU have something to hide??

I'm more concerned about the letter (or worse, a check) falling out.

Re:Nerds with something to hide (5, Insightful)

toleraen (831634) | more than 6 years ago | (#19382895)

I generally close the envelope of snail mail so the mail doesn't fall out.

I use security envelopes to obscure the contents of my mail. You probably would want to use that as an analogy instead.

Re:Nerds with something to hide (1, Interesting)

Anonymous Coward | more than 6 years ago | (#19383885)

So if I'll sell you envelopes that stay closed by some mechanism that is easily, unnoticeably opened and re-closed at a price that is substantially lower than that of the adhesive-using ones, will you buy and use them?

Re:Nerds with something to hide (-1)

aussie_a (778472) | more than 6 years ago | (#19383047)

Do you close the envelope of a regular snail-mail letter? If so, do YOU have something to hide??

No, I simply want to ensure it goes to the correct receiver (which if it fell out, wouldn't happen). I would put it on a postcard but it was simply too long. Next straw man!

Re:Nerds with something to hide (1)

99BottlesOfBeerInMyF (813746) | more than 6 years ago | (#19383119)

No, I simply want to ensure it goes to the correct receiver (which if it fell out, wouldn't happen).

Here's a tip for you. Use a piece of tape to hold the pages of the letter shut. Write the address on the back, and add a stamp. You just saved the cost of an envelope.

Re:Nerds with something to hide (0)

Anonymous Coward | more than 6 years ago | (#19383293)

Who exactly was worried about the cost of an envelope?

Re:Nerds with something to hide (1)

644bd346996 (1012333) | more than 6 years ago | (#19383305)

Not all imperfect analogies are straw man attacks.

I highly doubt that, every time you mail something in an envelope, you consciously think about the possibility of the mail falling out if you didn't seal it. Also, with most envelopes, you can simply tuck the flap in and it will be secure enough that the contents won't fall out.

Re:Nerds with something to hide (5, Informative)

joe_cot (1011355) | more than 6 years ago | (#19382693)

I don't actually use it for encryption; I use it for verification.

Besides encryption, GPG also allows you to sign messages, ensuring that the message is indeed from you, and hasn't been modified after you've signed it. In the Ubuntu Community, this is important for a) verifying messages from developers are real, b) verifying that uploaded packages were created by trusted developers, c) verifying signatures (such as signing the code of conduct).

While FireGPG is useful, it's not so useful for signing messages; gmail auto-wordwraps messages after you send them, and FireGPG doesn't take that into account. Therefore, unless you wordwrap it yourself, gmail's going to add line breaks, and your signature will be invalid. When I need to sign messages, I either word wrap myself so that gmail doesn't, or send it through Thunderbird using Enigmail.

Re:Nerds with something to hide (3, Interesting)

XrayCharlie (932453) | more than 6 years ago | (#19383847)

I use FireGPG along with It's All Text! [mozilla.org] plugin, which I can edit a textfield with an external editor such as Vim. Vim handles wordwrap for me. The only problem I have is that Gmail automatically makes links for URLs or email addresses, which breaks the signature.

Re:Nerds with something to hide (5, Informative)

SCHecklerX (229973) | more than 6 years ago | (#19382783)

You are forgetting about authentication. Email is trivial to spoof. If you *always* sign your messages, then when some asshat, say, decides to send an explicitly detailed nastygram to your boss from 'you', it is easy to prove otherwise...

Or maybe from your secret lover, etc. You get the picture.

Re:Nerds with something to hide (5, Insightful)

Anonymous Coward | more than 6 years ago | (#19383005)

So if you "always" sign your messages, then you can tell off anyone you want as long as you don't sign it. Brilliant!

Re:Nerds with something to hide (5, Funny)

iago-vL (760581) | more than 6 years ago | (#19383721)

Or maybe from your secret lover, etc. You get the picture.

It's that Cathy, isn't it? She's always trying to break up Alice and Bob!

Re:Nerds with something to hide (0)

Anonymous Coward | more than 6 years ago | (#19383939)

Or maybe from your secret lover, etc. You get the picture.

Not yet. Which of my accounts did you send it to?

Re:Nerds with something to hide (1)

kie (30381) | more than 6 years ago | (#19382809)

It's not just about encrypting messages,

another use for this is for signing your messages
so that the receiver can be more certain that it was sent by you.

if you are using a local email client:
creating your keys and publishing them is as easy on linux as
$ gpg --gen-key
$ gpg --send-key XXXXXXXX

and don't forget a revocation key
$ gpg --output revoke.asc --gen-revoke XXXXXXXX

Re:Nerds with something to hide (4, Funny)

brunascle (994197) | more than 6 years ago | (#19382815)

perhaps because i'd like to send an email from work to my GF with something like "hey wanna fuck tonight?" and i'm not particularly keen on the network guys reading that.

Re:Nerds with something to hide (-1, Troll)

aussie_a (778472) | more than 6 years ago | (#19383063)

Perhaps you should be working at work, instead of planning sex? I'm sorry, but that's simply the most ridiculous reason I've seen for encrypting mail. People are certainly welcome to do it without being accused of peddling in child pornography (something the OP doesn't understand), but that's a ridiculous reason to encrypt it.

Your girlfriend called... (5, Funny)

xxxJonBoyxxx (565205) | more than 6 years ago | (#19383121)

Hey, your girlfriend called. She said she couldn't read the garbled message you sent. However, I passed on your "wanna...tonight" message to her and she said "yes" but I don't think your name came up. So...if you don't mind, I'd like to get out a little early tonight...

Re:Nerds with something to hide (3, Funny)

Rob T Firefly (844560) | more than 6 years ago | (#19383627)

This is your boss. The network guys tell me you've just used the Company's network to write "hey wanna fuck tonight?" on a public website. You're fired.

Re:Nerds with something to hide (0)

Anonymous Coward | more than 6 years ago | (#19382885)

A number of people have responded with the assertion that, more than encryption, signing is what they use GPG for. It begs the question of whether that might be a nice feature for google to include in gmail. Offer it as an option to sign all your emails. That shouldn't be a problem for the indexing aspect of their business that supports the free email since the message is still in clear text.

The Fascination with Encryption (5, Funny)

Ian McBeth (862517) | more than 6 years ago | (#19382535)

For me, I just like to use it, to make people think I am doing something.
Keeps the snoops on their toes.

Re:The Fascination with Encryption (5, Funny)

Bromskloss (750445) | more than 6 years ago | (#19382657)

For me, I just like to use it, to make people think I am doing something. Keeps the snoops on their toes.

I keep them on their toes by acting completely normal, having them looking for steganography.

Re:The Fascination with Encryption (2, Interesting)

UbuntuDupe (970646) | more than 6 years ago | (#19384071)

Actually, I heard that one old prank was to send postcards back and forth between major cities with simple, but cryptic sounding statements. For example:

"The birds rise at sundown. Where are the minnows?"
"All is well, north of the river."

Supposedly, the government would see them and get suspicious, thinking they were coded messages.

I've also wondered: why doesn't someone test whether the government is reading emails? For example, have some guys plot an imaginary terrorist attack via unencrypted email and see if they get questioned. Leave physical corroborating evidence in case they follow up. (Make sure to document with several third parties first, so you can prove it's an experiment.)

Re:The Fascination with Encryption (3, Funny)

jimstapleton (999106) | more than 6 years ago | (#19383039)

I only use one-time use pads when sending my emails. It keeps them busy and unable to decrypt the emails!

Re:The Fascination with Encryption (1)

Alzheimers (467217) | more than 6 years ago | (#19383171)

The only problem being is that with a carefully formed seed, they can make your encrypted message "Decrypt" into anything they want.

Re:The Fascination with Encryption (1)

ch-chuck (9622) | more than 6 years ago | (#19383105)

The old joke is about a scanner buff, his small town police department started scrambling their voice transmissions, using a simple frequency inversion scheme. Now he was really intrigued so he bought a descrambler to listen in. The first thing he heard on the scrambled channel was, "Yeah Lenny, make mine a ham and swiss on rye, no mayo. And don't forget the doughnuts".

And for the chat (4, Informative)

DrYak (748999) | more than 6 years ago | (#19382541)

And if you want PGP encryption for chat (Gmail's associated GTalk or any other protocol like MSN, etc.) there is Pidgin [slashdot.org] (formerly Gaim) with plugins:
  • Either Pidgin Encrypt [sourceforge.net] (formerly Gaim Encryption)
  • Or OTR [cypherpunks.ca]


Re:And for the chat (4, Insightful)

stinerman (812158) | more than 6 years ago | (#19382601)

Note that OTR is "better". From the OTR site:

How is this different from the gaim-encryption plugin?
        The gaim-encryption plugin provides encryption and authentication, but not deniability or perfect forward secrecy. If an attacker or a virus gets access to your machine, all of your past gaim-encryption conversations are retroactively compromised. Further, since all of the messages are digitally signed, there is difficult-to-deny proof that you said what you did: not what we want for a supposedly private conversation!

Re:And for the chat (0)

kestasjk (933987) | more than 6 years ago | (#19382971)

Deniability? Isn't this one of the main things encryption is supposed to make difficult?

Re:And for the chat (0)

Anonymous Coward | more than 6 years ago | (#19383109)

Well in traditional crypto/signature schemes, having a provable relation between a specific message and specific sender is a desired attribute. While there are certainly situations where you would like to verify the identity of the person to which you are chatting (wife/girlfriend/boss/etc), it appears that is not one of the wanted 'features' of this encryption protocol. Forward and backward secrecy would certainly be something most would consider useful, however.

Re:And for the chat (1)

I. C. Wiener (1108307) | more than 6 years ago | (#19383253)

Note however that pidgin-otr saves messages it receives through an OTR-secured channel in clear by default!

RON PAUL on the Daily Show tonight (0)

Anonymous Coward | more than 6 years ago | (#19383739)

Ah yes, Ron Paul. The right wing's answer to Ralph Nader. I sincerely hope he wins the Republican primary, because that'd make the Dems unbeatable in 2008. Even Kucinich would be a shoo-in against that weirdo.

The overprivileged adolescents who buy into libertarianism may fall for Mr. Paul's song and dance, true, but fortunately they can't vote.

Say 'no' to gaim-encryption, use OTR (4, Interesting)

Kadin2048 (468275) | more than 6 years ago | (#19382735)

OTR is miles better than the gaim-encryption/pidgin-encrypt. Honestly, I don't understand why they won't just kill it and move to OTR for good; it's a fundamentally better security model for something transient like instant messages.

Particularly since having two mutually-incompatible encryption packages is a pretty crummy state of affairs; it just means that the few users who do use encryption, are going to be fragmented between incompatible systems.

OTR probably has the greatest market penetration of any IM-encryption system, outside of corporate clients (Sametime, I think, uses encryption by default, although I don't think it's end-to-end, only client-server, because there they want the ability to intercept on the server), because it's built into the fairly popular OS X Adium [adiumx.com] client. So there's already quite a few users out there who have software that supports it. If only some of the other IM clients would start building it in by default, rather than making it an optional addon, I think it would quickly gain traction as a de facto standard. (And that would be a good thing, since it's a good system and open source.)

Re:Say 'no' to gaim-encryption, use OTR (2, Insightful)

99BottlesOfBeerInMyF (813746) | more than 6 years ago | (#19383349)

Particularly since having two mutually-incompatible encryption packages is a pretty crummy state of affairs; it just means that the few users who do use encryption, are going to be fragmented between incompatible systems.

This is what standards are for. We need a standard for IM encryption, possibly as part of a larger encryption framework. I have no problem advocating a standard, which I think is a lot better idea than advocating a given program/library.

If only some of the other IM clients would start building it in by default, rather than making it an optional addon, I think it would quickly gain traction as a de facto standard.

OTR is licensed as GPL/LGPL. As such, I'm not sure a lot of major software makers will be all that keen about implementing it. Take a look at iChat or Yahoo Messenger. They're not going to open source their application just to add an encryption format that is still pretty rare and where there is not a lot of demand. This is one of those rare instances where a BSD licensed implementation would be a whole lot more likely to solidify the de-facto standard. Realistically, I doubt that the major players are going to go open source for their clients, and as such I doubt there will be adoption of OTR unless it is submitted as a real, well documented standard and/or a BSD reference implementation is made available. We're a lot more likely to see Microsoft or AOL take over this space with a proprietary encryption scheme, which will be reverse engineered and pseudo-supported on other platforms/clients simply because people will need to communicate with the majority.

Re:Say 'no' to gaim-encryption, use OTR (1)

Alphager (957739) | more than 6 years ago | (#19383793)

OTR is licensed as GPL/LGPL. As such, I'm not sure a lot of major software makers will be all that keen about implementing it. Take a look at iChat or Yahoo Messenger. They're not going to open source their application just to add an encryption format that is still pretty rare and where there is not a lot of demand.

Which is why they use the LGPL, which allows usage without forcing openness.

I wouldn't think google would like this (5, Interesting)

kentmartin (244833) | more than 6 years ago | (#19382595)

I thought their business model worked on the idea that they could datamine all your email and (among other things) offer you targeted email based on the content therein... this'll screw with that idea...

"BUY jjhHDJEy6786ERLKLXhdfeprERIOUPewoenOIhgshgrgeyrew now for a low price on Ebay.co.uk"

Re:I wouldn't think google would like this (0, Troll)

mulvane (692631) | more than 6 years ago | (#19382629)

Google is in bed with NSA and has tools to decrypt all these emails on the fly. Might surprise you when you get child porn adverts when all your child porn email was encrypted too, I bet.

Re:I wouldn't think google would like this (4, Insightful)

CreatureComfort (741652) | more than 6 years ago | (#19382915)


So... you are saying that the NSA has the ability and desire to break every ElGamal 2048-bit length encrypted message it captures with Echelon? I've seen too much of government from the inside to think that any agency operates as well as the NSA FUD would have us believe. Especially when you realize it is far easier and cheaper to make your enemies believe you have super powers than it is to actually develop those super powers, completely in-house with no outside knowledge or help.

Re:I wouldn't think google would like this (1)

mulvane (692631) | more than 6 years ago | (#19382933)

Damn, I knew I forgot something in my post... Really need a comment type selector where one can choose "sarcasm" as a post category. :-)

Re:I wouldn't think google would like this (1)

Threni (635302) | more than 6 years ago | (#19384137)

> I've seen too much of government from the inside to think that any agency operates as well as the NSA FUD would have us believe.

You can read either of James Bamford's books about the NSA if you want to know how much money they get, and how powerful their computers are - Puzzle Palace and Body Of Secrets.

If you live in the US or a country aligned to the US they'll get your passwords and just soak up your encrypted emails as and when they see fit.

Re:I wouldn't think google would like this (2)

blueZhift (652272) | more than 6 years ago | (#19383219)

Interesting question, because datamining email to target ads is exactly what Google said they wanted to do when gmail got started. Since encrypted mail would make this impossible, I wonder if they'll take actions to stop the use of encryption tools with gmail. On the other hand, as it stands, unless they offer such tools themselves, I don't see most users encrypting their gmail anytime soon. So the losses may be acceptable to Google.

Re:I wouldn't think google would like this (3, Informative)

morgan_greywolf (835522) | more than 6 years ago | (#19384111)

Gmail supports retrieval of mail via POP3 for free. So there's nothing to stop someone from using GPG and similar support already included in or available for a wide variety of e-mail clients such as Outlook, Thunderbird, Evolution, Eudora, etc.

Altered for slashdot (5, Funny)

LiquidCoooled (634315) | more than 6 years ago | (#19382605)

-----BEGIN PGP MESSAGE-----
Version: GNUPG v0.4.0 (GNU/Linux)
Comment: Wonderful
ewurnfi3u834j9few4jf9oewfqvi7y&H*&HAwr8hw78er7hfw8 f7hh4839h47f7e
wf8943f89jw3r8j9fesajaejro5gvl;rhyklyfp[ult0h43jg8 394g84953jgf84
fnw98efj89324rtuerjgeiorgtjerilgtjireogniregunreng erniguiregt980
werj
-----END PGP MESSAGE-----

I have nothing more to add

Re:Altered for slashdot (1)

iago-vL (760581) | more than 6 years ago | (#19383983)

What? How dare you!? My mother was a saint!

But seriously, is it a bad thing that I can identify something as not being actual base64 the instant you look at it?

Does not this break GMAIL's business model? (3, Interesting)

mi (197448) | more than 6 years ago | (#19382655)

I thought, their ability to automatically parse the messages — so as to show users the relevant advertisements, was the reason, I am getting an unlimited mailbox with nice interface for free.

If all/most of my messages are encrypted, how will they know, what to peddle to me? Can't do much on Subjects alone... Or can they?

Re:Does not this break GMAIL's business model? (5, Funny)

$RANDOMLUSER (804576) | more than 6 years ago | (#19382709)

If all/most of my messages are encrypted, how will they know, what to peddle to me?

Aluminum foil. Survival equipment. Wellbutrin.

Re:Does not this break GMAIL's business model? (2, Funny)

Anonymous Coward | more than 6 years ago | (#19384263)

Aluminum foil.

You need tin foil to make the hats - mind control rays pass right through aluminum!!! Don't you ever wonder why everyone still talks about "tin foil" even though all you can buy on store shelves nowadays is aluminum? It's because They don't want you to notice the switch!!!

Survival equipment.

Sure, if you want a compass that's got the New World Order's tracking devices already installed. I make my own survival equipment.

Wellbutrin.

You see how well my encryption has kept me under your radar? Don't you feel foolish trying to sell me anti-depressants, when I'm in my MANIC phase right now!?! Ha ha ha!

Re:Does not this break GMAIL's business model? (0)

Anonymous Coward | more than 6 years ago | (#19382773)

show users the relevant advertisements, was the reason,

Show advertisements, among other things which generate revenue. However, even restricted to just the advertisement segment, I doubt the business model will be disrupted by showing slightly less relevant ads (which are merely based on associative data of the non-GPG'ed communications of your identified social network) to less than 1% of users who might possibly use GPG all the time.

Lesson? You are not the center of the universe, but float in a sea of fools.

Re:Does not this break GMAIL's business model? (1)

Ronin SpoilSpot (86591) | more than 6 years ago | (#19383307)

I read all my gmail accounts using POP/SMTP in a real mail program, so I don't see any advertising anyway. Won't make a difference. Except if they try to figure out trends by actually keeping statistics on the content of e-mails going through their system.
Hmm, maybe that's the reason I need to start using encryption.
That, and to annoy the NSA of course. /RS 'M-x spook'

Re:Does not this break GMAIL's business model? (1)

Threni (635302) | more than 6 years ago | (#19384163)

> I thought, their ability to automatically parse the messages -- so as to show users the relevant advertisements, was the reason, I
> am getting an unlimited mailbox with nice interface for free.

Yeah, just wait until Google discover some people are using the POP3 access to Gmail to access their Gmail via POP3...

Or you can use an actual mail client (1)

Magus2501 (899681) | more than 6 years ago | (#19382661)

I use the pop3 support in gmail and have Thunderbird handle everything (via enigmail extension). Also works with Kmail (which integrates spamassassin and clamav nicely). Besides, I usually use Konqueror or Lynx.

Re:Or you can use an actual mail client (4, Informative)

Enoxice (993945) | more than 6 years ago | (#19382799)

Psh, Lynx. Get with the times, man, everyone is using links2 (perhaps links2 -g if they want to be on the bleeding edge).

Re:Or you can use an actual mail client (1)

Magus2501 (899681) | more than 6 years ago | (#19382955)

I always considered the two equivalent, but it seems I was wrong. Thanks for the heads-up!

Signing has issues still (0)

Anonymous Coward | more than 6 years ago | (#19382697)

FireGPG still has issues with signed messages via GMail at the moment -- GMail's formatter likes to strip off or replace certain types of whitespace, regardless of if you're in plaintext or HTML mode; the authors know about it and there are several threads on their forums relating to this issue, but it doesn't look like there's an easy fix for it.
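
The failure described in this comment and in joe_cot's comment above (a signature that stops verifying once the mail service re-wraps the body) can be reproduced offline. This is an added example, not part of the thread or of FireGPG: it models the signed text as RFC 4880 section 7.1 defines it and uses a SHA-256 digest of that text as a stand-in for the signature check; the 72-column wrap width, the function names and the sample message are assumptions.

```python
import hashlib
import textwrap

# Assumption for this example: the webmail hard-wraps outgoing lines at 72
# columns. The page does not give Gmail's real width or algorithm.
TRANSPORT_WIDTH = 72


def canonical_text(body: str) -> bytes:
    """Model of the text an OpenPGP cleartext signature is computed over
    (RFC 4880 section 7.1): trailing spaces and tabs dropped from every line,
    line endings made CRLF, final line ending not included."""
    text = body.replace("\r\n", "\n").replace("\r", "\n")
    if text.endswith("\n"):
        text = text[:-1]
    lines = [line.rstrip(" \t") for line in text.split("\n")]
    return "\r\n".join(lines).encode("utf-8")


def text_digest(body: str) -> str:
    """Digest of the canonical text. If this changes between signing and
    verifying, the signature made over the original text no longer verifies."""
    return hashlib.sha256(canonical_text(body)).hexdigest()


def hard_wrap(body: str, width: int) -> str:
    """Break every line longer than `width` at word boundaries."""
    out = []
    for line in body.splitlines():
        line = line.rstrip(" \t")
        if len(line) <= width:
            out.append(line)
        else:
            out.extend(textwrap.wrap(line, width=width,
                                     break_long_words=False,
                                     break_on_hyphens=False))
    return "\n".join(out) + "\n"


def transport_rewrap(body: str) -> str:
    """Hypothetical model of what the mail service does after 'Send'."""
    return hard_wrap(body, TRANSPORT_WIDTH)


def prewrap_for_signing(body: str, width: int = TRANSPORT_WIDTH) -> str:
    """What the sender does BEFORE signing so the transport has nothing
    left to change."""
    return hard_wrap(body, width)


def survives_transport(signed_body: str) -> bool:
    """True if the text that was signed still hashes the same on arrival."""
    return text_digest(signed_body) == text_digest(transport_rewrap(signed_body))


# Constructed sample message: the third line is 115 characters long.
MESSAGE = (
    "Hi all,\n"
    "\n"
    "The package upload for this week's release is signed with my usual key,"
    " please check it before you sync the mirror.\n"
    "\n"
    "Thanks\n"
)

if __name__ == "__main__":
    print("signed as typed:      ", survives_transport(MESSAGE))
    print("pre-wrapped at 72:    ", survives_transport(prewrap_for_signing(MESSAGE)))
    print("pre-wrapped at 100:   ",
          survives_transport(prewrap_for_signing(MESSAGE, width=100)))
    # Trailing whitespace and CRLF/LF differences are absorbed by the
    # canonical form, so those edits alone do not break verification.
    print("trailing space/CRLF ok:",
          text_digest("a line \nb\n") == text_digest("a line\r\nb\r\n"))
```

Only changes at line ends are absorbed by the canonical form; an inserted line break or any change inside a line alters the signed text, which is why pre-wrapping at or below the transport's width is the workaround.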

Point & Click Encryption? (3, Insightful)

RubberChainsaw (669667) | more than 6 years ago | (#19382701)

This extension seems very cool, and I plan to try it out when I get home. When I first read the summary I thought to myself, "A firefox extension and gmail, how much simpler could it get!" But, unfortunately this is not point & click encryption. It requires an additional external program (GnuPG) to function. Even this small, relatively trivial step is too much for beginning to average computer users. Encrypted email is great and all, but I can only send it to other people with encryption-enabled email clients.

Where is the it-just-works email encryption for dummies?

Re:Point & Click Encryption? (3, Funny)

LiquidCoooled (634315) | more than 6 years ago | (#19382797)

When I want to totally encrypt an email I just plug in my DVORAK keyboard, put on a blindfold and type as usual.

Re:Point & Click Encryption? (1)

UbuntuDupe (970646) | more than 6 years ago | (#19382829)

Where is the it-just-works email encryption for dummies?

I don't know, but it seems really ... odd to me that:

1) Geeks really want such encryption to take off.
2) It shouldn't be that hard to implement.
3) Governments really, really, really don't want this to happen. (i.e. that everyone can effortlessly encrypt this well)

Is 3) or 1) working against 2)?

Re:Point & Click Encryption? (4, Insightful)

Kadin2048 (468275) | more than 6 years ago | (#19382927)

Where is the it-just-works email encryption for dummies?

AFAICT, it doesn't exist. At least not outside of corporate environments. There are lots of companies that have their encryption set up so that it's transparent to non-technical employees, but it's a lot of work for the people who actually make it run. Lotus Notes, for instance, will do public-key cryptography, using company-wide keyservers -- although it's a proprietary algorithm, or was last time I checked. Once you have the infrastructure in place, the users don't have to think much about it, besides clicking 'encrypt and sign' on the emails they want secured.

I've also heard that within Apple, they use Apple Mail with S/MIME to great effect ... but if you're just a regular user, getting that feature working is a real PITA. (Though admittedly, most of the trouble is because of the certificate authorities.)

I think the problem with the free encryption tools is that they're still very much a 'hacker's product,' being designed by fairly advanced users, for other advanced users -- or at least, for users who don't have a problem installing extra software in order to communicate securely. This, IMO, is a mistake; in order for an encryption system to be useful, it has to be widely used. And that means getting it into the hands of people who might not even think, in advance, that they want it. There are lots of people who aren't going to go out and download/install encryption software, but if the feature was there, and working, all the time, they'd probably find themselves clicking the 'Encrypt' button quite a bit.

There's no real reason why encryption can't be built in. It's just that it tends to get viewed as a peripheral, rather than core, feature, in everything except some corporate packages. However, I think that if it was incorporated more widely, it would quickly become a core feature; but getting over that 'chicken and egg' hump is hard.

Re:Point & Click Encryption? (1)

TheLink (130905) | more than 6 years ago | (#19383713)

The last I heard, the US Gov will have access to X bits of the Lotus Notes keys (some of the keys bits are taken and encrypted to the US Gov key), so that they get a significant help to cracking stuff if they need to. Something like it's 40bit crypto for the US Gov, and 64 bit crypto for everyone else (other than the intended recipients).

Re:Point & Click Encryption? (1)

grassy_knoll (412409) | more than 6 years ago | (#19383031)

Encrypted email is great and all, but I can only send it to other people with encryption-enabled email clients.

Where is the it-just-works email encryption for dummies?


Well, there's one problem. You'd have to have a consistent standard.

Also, how would you handle key exchange? For "it-just-works", you'd likely not even ask the user if they want to get a particular sender's public key, which makes a man in the middle attack very feasible ( because no one has ever spoofed email headers... ).

Where would one get a public key from a particular sender, anyhow? From the sender? A central repository? If the sender, how do you trust them if you've never met them? If a central repository you've still got the trust issue, but also who'd manage it?

For the "it just works" crowd, you'd also have to explain why encryption is necessary. The people I've tried that with usually respond with something like "I'm not a secret agent! LOLLZ" or some such.

Re:Point & Click Encryption? (1)

Threni (635302) | more than 6 years ago | (#19384221)

> It requires an additional external program (GnuPG) to function.

And you have to register somewhere to get it. That's after you've allowed Firefox to download the extension. Seamless.

I wonder if you can use mailinator.com email addresses...

Re:Point & Click Encryption? (1)

ThosLives (686517) | more than 6 years ago | (#19384269)

Where is the it-just-works email encryption for dummies?

I think it's the same as all true forms of message validation: delivery in person.

* grin *

There goes some of Slashdot's quality. (0, Troll)

Paperweight (865007) | more than 6 years ago | (#19382743)

Where are the editors? It looks like firehose-type blurbs are starting to make it to the front page...

Oh wait, it's CmdrTaco. Never mind.

javascript RSA cryptography demo (1)

brunascle (994197) | more than 6 years ago | (#19382775)

in my travels i came across this javascript-based RSA cryptography demo [stanford.edu]. if you want to use it, hit Generate, then send the first two numbers (Modulus and Public Exponent) to whoever you want to talk to. they have to do the same. you enter their modulus and exponent into another window to encrypt.

the code is BSD-licensed. i've been meaning to write a larger javascript app to hold your keys and everyone else's in a single window, and with a click of a button create a block of XML that you can copy+paste to a file to store the keys, but i haven't got around to it.

GMail S/MIME plugin for firefox (3, Informative)

emj (15659) | more than 6 years ago | (#19382819)

I've been using the S/MIME plugin for Firefox [jones.name], and it's great. I'm not sure I like the way you have to apply for a certificate from Thawte, but it works and it's very painless.

This is not painless and easy, and IMHO S/MIME is a lot nicer implemented than PGP signatures.

Re:GMail S/MIME plugin for firefox (2, Interesting)

Kadin2048 (468275) | more than 6 years ago | (#19383101)

> This is not painless and easy, and IMHO S/MIME is a lot nicer implemented than PGP signatures.

S/MIME is oftentimes more slickly implemented, because it tends to get more use on the corporate side, but I think that it's unsuited for wide use because of its reliance on centralized certificate authorities. The whole certificate-based infrastructure isn't anything that most people want to have to deal with.

For 90% of all communications, what people want is an email (or IM, or whatever) version of PGPfone -- they just want the data secured in transit, with the actual user authentication done via some side-channel (calling them up on the phone and exchanging key fingerprints, etc.).

If people have to get and install certificates, they're not going to use the system.

Re:GMail S/MIME plugin for firefox (1)

Lord Ender (156273) | more than 6 years ago | (#19383905)

One thing that is CERTAINLY true is that most email users have zero interest in maintaining a web of trust. That means PGP is right out.

S/MIME relies on people trusting third party certificate authorities and acquiring the certificates of other in order to send encrypted messages. This actually COULD work if the major email vendors agree to cooperate on some sort of certificate distribution method, and provide an easy way for people to get keypairs in the first place. This is at least possible.

Something with WEAK authentication, like PGPfone, is STILL going to require extra work on the end user's part, but does not depend on large companies cooperating. It's nice, but I just can't see this happening because, instead, it relies on an enormous group of non-technical people cooperating.

Email encryption will come eventually, but it will probably be in the form of S/MIME and be pushed by the likes of Google and Yahoo. There is no other way that is even remotely feasible.

Re:GMail S/MIME plugin for firefox (1)

emj (15659) | more than 6 years ago | (#19383103)

Perhaps I should explain a bit more: the GPG plugin has problems with GMail wordwrap, and with correctly verifying signatures of emails received by gmail.

But it works wonderfully to sign short messages, but nothing more complicated.

It took quite some time for the S/MIME extension to mature enough to be usable, so this may work in a couple of months..

Re:GMail S/MIME plugin for firefox (1)

gad_zuki! (70830) | more than 6 years ago | (#19383197)

s/mime is great and simple. This is what geeks should be pushing onto their friends not gpg. Most mail clients support it. The worst of it is that you need to make a cert. That requires some hand holding, but it sure beats endless hand-holding with gpg or old pgp installs.

Re:GMail S/MIME plugin for firefox (1)

Chandon Seldon (43083) | more than 6 years ago | (#19383575)

Does that plugin actually support signatures yet? Encryption is great and all, but has way less useful security properties without signatures.

Only Gmail? (2, Interesting)

Rob T Firefly (844560) | more than 6 years ago | (#19382853)

While the site says only Gmail is supported, could this be made to work with other web apps? It'd be neat to have something like this for webmail on my own domains, forum-based messages, and so on.

Works with any textarea, by the way (5, Informative)

croddy (659025) | more than 6 years ago | (#19382877)

This works with any textarea, by the way, not just GMail. Not sure why the summary doesn't mention that.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This works with any textarea, by the way, not just GMail. Not sure why the summary doesn't mention that.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: http://firegpg.tuxfamily.org/

iD8DBQFGZDU/WCKEX KsCq6IRAvAtAJ96BAdus/rVCXS+NxlEbMsDdNxTCgCfe+da
T yi/KWbgNLQUq/qssCj2YR4=
=Y2mA
-----END PGP SIGNATURE-----

Re:Works with any textarea, by the way (0)

Anonymous Coward | more than 6 years ago | (#19383045)

Verification successful. I had to get the key out of a key server first, though.

$ xclip -o | gpg
This works with any textarea, by the way, not just GMail. Not sure why the summary doesn't mention that.
gpg: Signature made Mon 04 Jun 2007 10:52:31 AM CDT using DSA key ID AB02ABA2
gpg: Good signature from "Christopher M. Roddy <croddy@emory.edu>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 20D1 D0F9 2301 92DF BB25 E5B6 5822 845C AB02 ABA2
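
The "Good signature" line followed by the "not certified" warning in the transcript above means the signature matches whichever key was fetched; tying that key to a person is the side-channel fingerprint comparison raised earlier in the thread. As an added example (not written by any poster and not part of FireGPG), this Python code parses gpg's machine-readable `--status-fd` output and accepts a signature only from a pinned full fingerprint. The status lines are constructed around the key ID and fingerprint quoted in the thread, and `check_signature` and the look-alike key are hypothetical.

```python
import re

# Constructed sample of `gpg --status-fd 1 --verify` output for the signed comment.
# Key ID and fingerprint are the ones quoted in the thread; other fields are made up.
THREAD_FPR = "20D1 D0F9 2301 92DF BB25 E5B6 5822 845C AB02 ABA2"
SAMPLE_STATUS = """\
[GNUPG:] GOODSIG 5822845CAB02ABA2 Christopher M. Roddy <croddy@emory.edu>
[GNUPG:] VALIDSIG 20D1D0F9230192DFBB25E5B65822845CAB02ABA2 2007-06-04 1180972351 0 3 0 17 2 01 20D1D0F9230192DFBB25E5B65822845CAB02ABA2
[GNUPG:] TRUST_UNDEFINED
"""
# Constructed look-alike: a different key whose short ID also ends in AB02ABA2.
LOOKALIKE_FPR = "0123456789ABCDEF0123456789ABCDEFAB02ABA2"
LOOKALIKE_STATUS = (SAMPLE_STATUS
                    .replace("20D1D0F9230192DFBB25E5B65822845CAB02ABA2", LOOKALIKE_FPR)
                    .replace("5822845CAB02ABA2", "89ABCDEFAB02ABA2"))

FAILURES = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def normalize_fpr(text):
    """Drop spaces so a fingerprint read out over the phone matches gpg's compact form."""
    return re.sub(r"\s+", "", text).upper()


def check_signature(status_text, pinned_fpr):
    """Return (verdict, detail) for a single-signature gpg status transcript."""
    pinned = normalize_fpr(pinned_fpr)
    if not re.fullmatch(r"[0-9A-F]{40}", pinned):
        raise ValueError("pin the full 40-hex-digit fingerprint, not a key ID")
    good, primary, trust = False, None, "no TRUST_ line"
    for line in status_text.splitlines():
        fields = line.split()[1:] if line.startswith("[GNUPG:] ") else []
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword in FAILURES:
            return ("reject", keyword)
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and args:
            # Field 10 is the primary key fingerprint; older output has only the first.
            primary = (args[9] if len(args) >= 10 else args[0]).upper()
        elif keyword.startswith("TRUST_"):
            trust = keyword
    if not (good and primary):
        return ("reject", "no valid signature reported")
    if primary != pinned:
        return ("reject", "signed by unpinned key " + primary)
    # The pin, not gpg's web-of-trust level, is what authenticates the signer here.
    return ("accept", trust)
```
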

Won't AJAX textboxes kill this? (5, Interesting)

biftek (145375) | more than 6 years ago | (#19383091)

I haven't used gmail that much, but I was under the impression that it saved drafts of what's in the composition textbox at intervals.

That data would be all cleartext wouldn't it? Seems a tad risky to me.

Re:Won't AJAX textboxes kill this? (1)

Jaqenn (996058) | more than 6 years ago | (#19383653)

Yikes. Not only that, but doesn't having a copy of enough original messages and the encrypted messages give enough data to reverse engineer your private key? (Forgive me if that's FUD, I have minimal encryption experience).

Re:Won't AJAX textboxes kill this? (0)

Anonymous Coward | more than 6 years ago | (#19383965)

For the first point....I think the GP is right on. Google could still get the autosaved plaintext if they wanted to. I'm sure they don't store every autosave for very long though, even their hardware couldn't keep up with that, so they'd have to be making a targeted effort, presumably at the government's behest. So I guess it depends on who you're trying to protect against with regard to that. With regard to the parent's point....well, maybe for incoming mail. For outgoing mail, it shouldn't be a problem. Think about it. You're encrypting outgoing mail with the recipient's public key. If it was possible to get the private key using the public key and arbitrary text then the whole idea of asymmetric encryption would be flawed. But for incoming mail, if google could get both the plaintext of a message and the encrypted version that someone sent to you, it would certainly help in deducing your private key. Again, this pretty much presumes the gub'mint is after you.

Re:Won't AJAX textboxes kill this? (2, Informative)

X0563511 (793323) | more than 6 years ago | (#19384215)

No, you can't reverse engineer it like that. PGP uses "trapdoor" functions that are mathematically infeasible to work in reverse. It's possible, but it will take several thousand years.

This is a good point (1)

CranberryKing (776846) | more than 6 years ago | (#19383897)

Google just does too darn much. One option might be to use it in 'basic HTML' view. Another is to compose your messages in a text editor then cut and paste (but quickly!) when you are ready to send.. :/

In Web 4.0 the browser will watch you through your monitor and shout ads at you when you are at your desk.

Re:Won't AJAX textboxes kill this? (1)

Lord Ender (156273) | more than 6 years ago | (#19383927)

While you are correct that end-to-end encryption is best, having ISP-to-end encryption is still a million times better than having no encryption at all.

Useless if GMail accessed only via POP3 (2, Insightful)

macraig (621737) | more than 6 years ago | (#19383359)

FireGPG is great, I suppose, but doesn't help those of us who only use GMail via POP3/SMTP, both to avoid advertising and have mail archives under our own direct control.

In fact, FireGPG actually benefits Google and its advertising goals, since it only functions via Firefox and Google's ad-infested Web interface.

Re:Useless if GMail accessed only via POP3 (1)

grege222 (995375) | more than 6 years ago | (#19383623)

That's because there are already so many tools out there to do that already. Depending on what client you are using, Thunderbird has Enigmail as its wrapper around gpg. Kmail also has built-in support. This is a great alternative for those who don't want to have to use POP3 to have a convenient way of using GPG.

Re:Useless if GMail accessed only via POP3 (1)

Krojack (575051) | more than 6 years ago | (#19383791)

You can install the Firefox plug-in "Customizegoogle" [customizegoogle.com] and block all those evil ads that sit on the right side and aren't even noticeable.

Re:Useless if GMail accessed only via POP3 (1)

macraig (621737) | more than 6 years ago | (#19384053)

You missed the other half of my point: only works with a browser and Google's Web site, doesn't work with POP3 use of GMail. I'd like to see a POP3 proxy version of the same thing, if that's even possible, for those of us who don't touch the GMail Web interface except for occasional management.

bizn4t3h (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#19383641)

an3 oTher party

PGP/GPG - inherent legal problem? (2, Interesting)

Cheesey (70139) | more than 6 years ago | (#19384159)

I understand that in some countries, you are legally compelled to provide the keys to access files encrypted with PGP, GPG, etc. if the authorities demand access. If you refuse to produce a working key, or claim to be unable to do so, a judge is able to assume that you are deliberately hiding something.

Firstly, I wondered if anyone could confirm this? I have heard that it is the case for Britain at least, although I don't see how it can possibly be legally compatible with the presumption of innocence.

Secondly, I wanted to suggest that perhaps this is a reason not to use PGP, because PGP encrypted information can always be decrypted using the recipient's key - even many years after the message was originally sent. So law enforcement officers will be able to get old PGP-encrypted documents from your email account (probably even if you delete them, thanks to backup tapes). They'll then be able to force you to decrypt them, and if you don't, they can assume you are withholding the key because the files are full of terrorist plans or whatever.

I suggest that people should only use cryptosystems where the session keys are destroyed immediately after use, such as SSH and (possibly) some secure instant messaging services. Even if law enforcement officers use a wiretap to record everything sent by you over an SSH connection, and then seize your computers, they still can't recover the plaintext because the session keys have already been deleted. It's impossible for you, the suspect, to produce the keys, which should help your legal defense. Here's a way to chat securely by SSH [vanemery.com]. If you need to transfer files, you can use SFTP.