Sunday, 15 March 2015

Secure PGP for Webmail – Making your communications private

What people don't realise is that all email communication is public. It is all sent via the SMTP protocol and is always in plain text. Everything is readable just by picking the message off the wire. It is never private by default. These days all email is scanned by email servers and, in the case of Google, scanned to provide you with advertisements to pay for your 'free' email.

The impact of the revelations by Edward Snowden, The Guardian and other newspapers has been to make people think about how they use online services. Many people have also been looking at how they can have a degree of privacy in communication. Whether privacy is desirable, wanted or required is a different political and social question.

If you decide to start using PGP (Pretty Good Privacy) to encrypt your mail and provide yourself with more privacy, you will find there are a number of programs out there to help you. In addition, the official release of the open-source PGP includes a plugin to add capabilities to Microsoft Outlook. However, right now many people find the functionality of Gmail, outlook.com (formerly Hotmail), Yahoo etc comes under the category of 'good enough'. Add-ins can also be a bit fiddly to set up and use within an email program.

To deal with that you can use a Chrome browser extension called Mailvelope. Mailvelope offers encryption within a webmail program like Gmail. You can create a private/public key pair and then publish the public key to a key server such as the MIT keyserver, or publish it through a Onename account.

As a quick reminder, the private key is always secret and is what provides the security. For this reason private keys need to be kept securely. The public key can always be shared with people who want to send you encrypted communications.

Tuesday, 3 March 2015

CitizenFour and Privacy

Channel 4 screened the documentary Citizenfour in recent days. It would be over-simplistic to describe it as the Edward Snowden documentary although to a certain extent it is. Basically the documentary takes place mostly in Snowden's bedroom in a hotel in Hong Kong as you see the story of him revealing the NSA / GCHQ spying programme bit by bit. Underlying it all is how the keyword 'terrorism' has become an excuse for making us all suspects. I am always particularly disturbed by the well-worn statement that 'if you have nothing to hide you have nothing to fear'. This is of course simply ridiculous because I am sure the people who think that would not like government CCTV in their homes monitoring them 24/7 if they have 'nothing to hide'.

However the rather interesting bit, away from the threats governments pose to civil liberty, is the use of encryption to send messages between Snowden and the journalists. Every so often you would see a burst of data onscreen. I have long been in favour of all email being encrypted and the use of encryption being considered 'normal'. Some months ago I created a public key so that people can send me encrypted email. I publish the key at onename.com; my address is https://onename.com/ponsaelius

Onename acts as both a place to publish your public key and a place to assert a digital identity, using some of your social networks as digital proof of your identity and, in this case, a place to put your Bitcoin address. The idea is simple: if you want to send me encrypted files or email, just use my public key as the encryption key. When I receive the data, only my private key, kept secret by me, can decrypt the information.

Everyone can create a private/public key pair. Download a copy of the GNU Privacy Guard from https://www.gnupg.org/

Versions for Linux, Windows and Mac exist. All you do is run the program and create a key pair. Publish your public key to anyone who wants it, or use Onename. To encrypt a message, just get someone's public key and encrypt your text or document with the software.
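The workflow above carried through end to end, as an added shell example rather than anything from the original post: a recipient generates a key pair, publishes only the public half, and a sender holding nothing but that public key encrypts a message that only the recipient's private key can open. It assumes GnuPG 2.x is installed as gpg; the names, addresses and message text are constructed sample values.

```shell
#!/bin/sh
# Added example (not code from the original post): a GnuPG round trip
# between two separate keyrings, mirroring the workflow described above.
# Assumes gpg (GnuPG 2.x) is on PATH; the names, addresses and message
# text are constructed sample values.
set -eu

pgp_roundtrip() {
    if ! command -v gpg >/dev/null 2>&1; then
        echo "skipped: gpg not installed"; return 0
    fi
    work=$(mktemp -d)
    alice="$work/alice"; bob="$work/bob"       # two independent keyrings
    mkdir -m 700 "$alice" "$bob"

    # 1. Alice (the recipient) generates her key pair unattended.
    #    A real key would be protected by a passphrase.
    cat > "$work/params" <<'EOF'
Key-Type: RSA
Key-Length: 2048
Name-Real: Alice Example
Name-Email: alice@example.com
Expire-Date: 0
%no-protection
%commit
EOF
    gpg --homedir "$alice" --batch --quiet --gen-key "$work/params" 2>/dev/null

    # 2. Alice publishes only her public key: this armored text is what
    #    goes on a key server or an identity page such as Onename.
    gpg --homedir "$alice" --armor --export alice@example.com > "$work/alice.pub.asc"

    # 3. Bob (the sender) imports it and encrypts a message to Alice.
    gpg --homedir "$bob" --batch --quiet --import "$work/alice.pub.asc" 2>/dev/null
    printf 'Meet at the usual place.\n' > "$work/msg.txt"
    gpg --homedir "$bob" --batch --quiet --trust-model always --armor \
        --recipient alice@example.com --output "$work/msg.asc" --encrypt "$work/msg.txt"

    # 4. Bob's keyring holds only the public key, so even he cannot read
    #    the ciphertext he produced; only Alice's private key can.
    if gpg --homedir "$bob" --batch --quiet --decrypt "$work/msg.asc" >/dev/null 2>&1; then
        echo "unexpected: sender could decrypt"; return 1
    fi
    plain=$(gpg --homedir "$alice" --batch --quiet --decrypt "$work/msg.asc" 2>/dev/null)
    gpgconf --homedir "$alice" --kill gpg-agent 2>/dev/null || true
    gpgconf --homedir "$bob" --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    if [ "$plain" = "Meet at the usual place." ]; then echo ok; else echo "mismatch"; return 1; fi
}
```

Run it as `pgp_roundtrip`; it prints `ok` when the recipient's private key recovers the exact plaintext and the sender's public-key-only keyring cannot.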

'What about terrorism?' I hear the scream. The security services won't be able to read your email. If they really suspect me of doing something they can use the good old-fashioned method: convince a judge to issue a warrant for a private key. Just the same as getting access to any other private property.