OpenPGP and Key Servers
Last week we did a quick start on using OpenPGP email encryption with webmail like Gmail. This week I'd like to touch on some details we skimmed past as well as discuss some usability concerns.
It is important to note that the security is in the message, not the transport. Best practice is to assume monitoring. Essentially, every node your message passes through is a potential man-in-the-middle.
That said, as long as Alice and Bob keep their private keys secure, the integrity and security of the message is intact. Anyone with Alice's public key can send her encrypted emails only she can read - same goes for Bob.
As web apps and services dominate the Internet, OpenPGP proves one adequate way to maintain ownership of content. The Mailvelope Chrome extension achieves this with as little headache as possible, integrating with several popular webmail providers.
There are several implementations of OpenPGP - a good example is GNU Privacy Guard, sometimes called GnuPG or GPG.
Basically they all follow the OpenPGP standard, RFC 4880, so it doesn't matter if I'm using Mailvelope on Chrome with Gmail and you're using Thunderbird with Enigmail and GPG.
That's the beauty of email and OpenPGP - nobody owns it - it's open and free - anyone can use it and it's secure, like, military grade crypto secure. This is a massive departure from the likes of Facebook and Twitter, who own your content, run a closed system, keep your content in plaintext and, if CISPA passes, freely and anonymously give it up to the Government.
So, we can all agree PGP is great, but for it to be widely used it has to be easy. Mailvelope and the likes of OpenPGP.js have gone to great lengths to make it easier, but there's still the issue of exchanging public keys. Thankfully this can be made easier using keyservers.
Keyservers are used to distribute cryptographic keys, typically public keys for use with an asymmetric key encryption algorithm like OpenPGP. One of the oldest keyservers on the web is hosted by MIT. The premise is simple - you submit your ASCII-armored key and others can search for it by name or email. (ASCII-armored is just a term for binary-to-text encoding. It's what PGP uses for keys and ciphertext since the body of an email really isn't made for binary data.) Another popular PGP keyserver is the PGP Global Directory.
Finally, a fun way to distribute your key is to make a QR, or Quick Reference, code or Data Matrix. I like the generator at invx.com. I also find it convenient to link to the keyserver listing in my email signature.
Turn your IRC client into a chat client
Use Bitlbee in your favorite IRC client to connect to chat programs!
- apt-get install bitlbee
- In Xchat, connect on your favorite network, then join /server localhost. The bitlbee server is running on your computer and online.
- Type help for all of the commands.
- To add your accounts: account add msn (or twitter, etc) handle password.
- Type account on.
- Add new people with add 0 firstname.lastname@example.org
- To chat, use Hak5Darren: Hello!
- /away sets you to away. /away Food sets your away status to whatever is closest for your chat clients.
- Use help to do other things, like learn how to create channels, delete accounts, and change your screenname.