Crypto So Easy My Mother Uses It


Raven by tuchodi

If you’ve been around the blog for a while, you know that I’m a big fan of the use of encryption for the sake of privacy.  I’ve ranted about PGP and S/MIME, tried to break steganography and complained about the privacy issues I face as a Gmail user.  This post is to let you know about a tool for securing your communication that is so simple to use, my mother uses it on a daily basis.  This tool is TextSecure from Open Whisper Systems.  Go install it right now.

It used to be that encrypting your communications required installing and learning a strong, user-proof tool like GnuPG or some random IM client with an OTR plugin.  Now that apps are the unit of software and users routinely install apps, it is a trivial thing to tell someone to install a new app.  It’s so easy that I’m only allowing two excuses for not securing your everyday instant messaging with TextSecure:

  1. You don’t use an Android smartphone or
  2. You don’t communicate with anyone over any sort of instant messaging.

That’s all.  Other excuses are invalid.  (When the iOS version is available even fewer of you will have a valid excuse.)  Now go install it.

(more…)

What The x.509 Is Wrong With Gmail?

Elephants Family

Image by Benh LIEU SONG

You don’t often stop to think about x.509 and the Public Key Infrastructure
(PKI) that authenticates our Internet connections. Allow me to explain why you
should.

Transport Layer Security (TLS) uses x.509 certificates to authenticate
connections. In your every-day use of the Internet, this means that you get a
certificate from a server when you connect over HTTPS (for example.) This
certificate is the only reasonable means you have to verify the identity of a
server.

Why does this matter? I’m glad you asked.

(more…)

Target: Gmail


Image by bloggingberlin

Your e-mail account is probably the most valuable online account you control.
The security of most of your other accounts depends on the security of your
e-mail account. (Think I’m wrong? Have you ever recovered a lost password?)
For this reason, it is worth considering how best to protect it.

I use Gmail for my personal e-mail. In this article, I’m going to discuss the
benefits and costs of letting Google manage my e-mail. Then I will focus on
how those benefits and costs affect the security of my personal communications.

(more…)

Keeping E-mail Private (Revisited)

Image via http://www.flickr.com/photos/esparta/


About a year ago, I wrote a post titled “Keeping E-mail Private”.  Thinking back over the last five months, my advice seems woefully inadequate.  To give the matter of private communications a more proper treatment, I’m going to write a series of articles on the topic of the security of communications systems.  I’m going to expand the scope beyond e-mail, though I’ll have to be picky so I’m not writing until the next century.  In this first article, I’ll be discussing threat modeling.  Later articles will delve into threats of insecure protocols, trusted third parties and more.  Where possible, I’ll also discuss mitigation strategies so you don’t have to feel that the sky is falling (unless you want to.)

Threat modeling is a tool which allows us to decide which trade-offs we can make.  Sometimes we will give up security for the sake of convenience, and at other times we will give up convenience for the sake of better security.

(more…)

Encrypting Your Messages With OpenPGP.js


Terrible mashup of OpenPGP.js logo and source code by the author (because
nothing says “Where’s the source?” like a bad logo.)

Last time I wrote, I showed you how to use Braintree.js to encrypt form values.
I even built a contact form to do it. It occurred to me that there might be a
better technology for encrypting contact form data. (There is.) Of course,
I’m not the first person to have this idea.

(more…)