If you’ve been around the blog for a while, you know that I’m a big fan of the use of encryption for the sake of privacy. I’ve ranted about PGP and S/MIME, tried to break steganography and complained about the privacy issues I face as a Gmail user. This post is to let you know about a tool for securing your communication that is so simple to use, my mother uses it on a daily basis. This tool is TextSecure from Open Whisper Systems. Go install it right now.
It used to be that encrypting your communications required installing and learning a strong, user-proof tool like GnuPG or some random IM client with an OTR plugin. Now that apps are the unit of software and users routinely install apps, it is a trivial thing to tell someone to install a new app. It’s so easy that I’m only allowing two excuses for not securing your everyday instant messaging with TextSecure:
You don’t use an Android smartphone or
You don’t communicate with anyone over any sort of instant messaging.
That’s all. Other excuses are invalid. (When the iOS version is available even fewer of you will have a valid excuse.) Now go install it.
You don’t often stop to think about x.509 and the Public Key Infrastructure (PKI) that authenticates our Internet connections. Allow me to explain why you should.
Transport Layer Security (TLS) uses x.509 certificates to authenticate connections. In your every-day use of the Internet, this means that you get a certificate from a server when you connect over HTTPS (for example.) This certificate is the only reasonable means you have to verify the identity of a server.
Your e-mail account is probably the most valuable online account you control.
The security of most of your other accounts depends on the security of your
e-mail account. (Think I’m wrong? Have you ever recovered a lost password?)
For this reason, it is worth considering how best to protect it.
I use Gmail for my personal e-mail. In this article, I’m going to discuss the
benefits and costs of letting Google manage my e-mail. Then I will focus on
how those benefits and costs affect the security of my personal communications.
About a year ago, I wrote a post titled “Keeping E-mail Private“. Thinking back over the last five months, my advice seems woefully inadequate. To give the matter of private communications a more proper treatment, I’m going to write a series of articles on the topic of the security of communications systems. I’m going to expand the scope beyond e-mail, though I’ll have to be picky so I’m not writing until the next century. In this first article, I’ll be discussing threat modeling. Later articles will delve into threats of insecure protocols, trusted third-parties and more. Where possible, I’ll also discuss mitigation strategies so you don’t have to feel that the sky is falling (unless you want to.)
Threat modeling is a tool which allows us to decide which trade-offs we can make. Some times we will give up security for the sake of convenience and others we will give up convenience for the sake of better security.
Think back to the web of fifteen years ago. Most of the web sites of the time consisted of a few pages of content along with a contact page (and maybe even a guestbook.) Most often that contact page was backed by a script that mailed the results to a fixed e-mail address. Is anyone willing to admit to using formmail.pl? In the least, we can admit that we didn’t move data around in the most secure way.