
This time on the show, Encrypt all the things! We're continuing our discussion on OpenPGP and Keyservers! Then, connecting social media and Chat through IRC! Plus, secure Google Docs tricks. All that and more, this time on Hak5!


OpenPGP and Key Servers

Last week we did a quick start on using OpenPGP email encryption with webmail like Gmail. This week I'd like to touch on some details we skimmed past as well as discuss some usability concerns.

It is important to note that the security is in the message, not the transport. Best practice is to assume monitoring: essentially every node your message passes through is a potential man-in-the-middle.

That said, as long as Alice and Bob keep their private keys secure, the integrity and security of the message remain intact. Anyone with Alice's public key can send her encrypted emails only she can read; the same goes for Bob.

As web apps and services dominate the Internet, OpenPGP proves one adequate way to maintain ownership of content. The Mailvelope Chrome extension achieves this with as little headache as possible, integrating with several popular webmail providers.

The core of Mailvelope is OpenPGP.js, an open source OpenPGP library written in JavaScript that can be used by any HTML5-compliant device.

There are several implementations of OpenPGP - a good example is GNU Privacy Guard, sometimes called GnuPG or GPG.

Basically they all follow the OpenPGP standard, RFC 4880, so it doesn't matter if I'm using Mailvelope on Chrome with Gmail and you're using Thunderbird with Enigmail and GPG.

That's the beauty of email and OpenPGP: nobody owns it, it's open and free, anyone can use it, and it's secure, like, military grade crypto secure. This is a massive departure from the likes of Facebook and Twitter, who own your content, run a closed system and keep your content in plaintext. And, if CISPA passes, freely and anonymously give it up to the Government.

So, we can all agree PGP is great, but for it to be widely used it has to be easy. While Mailvelope and the likes of OpenPGP.js have gone to great lengths to make it easier, there's still the issue of exchanging public keys. Thankfully this can be made easier using keyservers.

Keyservers are used to distribute cryptographic keys, typically public keys for use with an asymmetric-key encryption system like OpenPGP. One of the oldest keyservers on the web is hosted by MIT. The premise is simple: you submit your ASCII-armored key and others can search for it by name or email. (ASCII-armored is just a term for binary-to-text encoding. It's what PGP uses for keys and ciphertext, since the body of an email really isn't made for binary data.) Another popular PGP keyserver is the PGP Global Directory.
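To make the ASCII armor format concrete, here is an added example (not from the show notes, Mailvelope or OpenPGP.js) that builds and parses an armor block as laid out in RFC 4880 section 6, including its CRC-24 line. The function names and the sample payload are constructed for illustration; note that the CRC only catches accidental corruption in transit, while authenticity still depends on OpenPGP signatures and on verifying the key's fingerprint.

```javascript
// CRC-24 from RFC 4880 section 6.1 (init 0xB704CE, polynomial 0x1864CFB).
function crc24(bytes) {
  let crc = 0xB704CE;
  for (const b of bytes) {
    crc ^= b << 16;
    for (let i = 0; i < 8; i++) {
      crc <<= 1;
      if (crc & 0x1000000) crc ^= 0x1864CFB;
    }
  }
  return crc & 0xFFFFFF;
}

// Wrap bytes in an armor block: base64 body in 64-char lines, then "=" + base64(CRC).
function armor(type, bytes) {
  const buf = Buffer.from(bytes);
  const body = (buf.toString('base64').match(/.{1,64}/g) || []).join('\n');
  const c = crc24(buf);
  const sum = Buffer.from([c >> 16, (c >> 8) & 0xFF, c & 0xFF]).toString('base64');
  return `-----BEGIN PGP ${type}-----\n\n${body}\n=${sum}\n-----END PGP ${type}-----\n`;
}

// Parse an armor block back to bytes; throws if the framing or checksum is wrong.
function dearmor(text) {
  const lines = text.split(/\r?\n/).map((l) => l.trimEnd());
  const begin = lines.findIndex((l) => /^-----BEGIN PGP [A-Z ]+-----$/.test(l));
  if (begin < 0) throw new Error('no armor header line');
  const type = lines[begin].slice(15, -5);
  const end = lines.indexOf(`-----END PGP ${type}-----`, begin);
  if (end < 0) throw new Error('no matching armor tail');
  const headers = {};
  let i = begin + 1; // optional "Key: value" armor headers run until a blank line
  for (; i < end && lines[i] !== ''; i++) {
    const m = /^([^:]+): (.*)$/.exec(lines[i]);
    if (!m) throw new Error('malformed armor header (or missing blank line)');
    headers[m[1]] = m[2];
  }
  const body = lines.slice(i + 1, end).filter((l) => l !== '');
  const sumLine = body.pop() || '';
  if (!/^=[A-Za-z0-9+/]{4}$/.test(sumLine)) throw new Error('missing CRC-24 line');
  const b64 = body.join('');
  if (!/^[A-Za-z0-9+/]*={0,2}$/.test(b64)) throw new Error('invalid base64 body');
  const data = Buffer.from(b64, 'base64');
  const want = Buffer.from(sumLine.slice(1), 'base64').readUIntBE(0, 3);
  if (crc24(data) !== want) throw new Error('CRC-24 mismatch');
  return { type, headers, data };
}
// Constructed payload (not a real key), armored for a round trip through dearmor().
const SAMPLE = armor('PUBLIC KEY BLOCK', Buffer.from('constructed bytes, not a real OpenPGP key'));
```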

Finally, a fun way to distribute your key is to make a QR, or Quick Reference, code or Data Matrix. I like the generator at invx.com. I also find it convenient to link to the keyserver listing in my email signature.

Turn your IRC client into a chat client

Use Bitlbee in your favorite IRC client to connect to chat programs!

  • apt-get install bitlbee

  • In XChat, connect to your favorite network, then join with /server localhost. The bitlbee server is running on your computer and online.
  • Type help for all of the commands.
  • To add your accounts: account add msn (or twitter, etc) handle password.
  • Type account on.
  • Add new people with add 0 snubs@twitter.com
  • To chat, use Hak5Darren: Hello!
  • /away sets you to away. /away Food sets your away status to whatever is closest for your chat clients.
  • Use help to do other things, like learn how to create channels, delete accounts, and change your screenname.


4 Comments

  • Nice show!

    I've used bitlbee for a while now, and really like it. There are other features like, if you send a reply to someone on the root channel (&bitlbee), the conversation will happen there, and not on a specific channel (I like it more than having one channel for each person I’m speaking to).

    You can also append or prepend text to nicks depending on which network they are on, so you can have gtalk_darren and msn_darren, for example. (But for that you need to edit the conf file yourself; it’s buried somewhere on the bitlbee wiki how to do it the right way, I believe.)

    I use it for facebook chat as well!

    Anyway, really great show guys :)

    • I forgot to mention, there are some public bitlbee servers, but I’m not sure if they’re secure. Maybe you guys could take a look at some of those :)

      I use it set up on autologin on irssi, so I just need to open it and it logs me in everywhere :)

  • I’m using bitlbee in conjunction with znc.
    Everything runs on my root server. The setup is like this:

    weechat => znc => bitlbee

    With this setup I have IRC, Twitter and all other messenger protocols (XMPP, ICQ etc.)

  • tatramaco 11 months ago

    I am a little sceptical. We are letting a Chrome (owned by Google) extension create/store our private key? I bet it is synced to the Google cloud or a 3rd party server so you can use it on multiple machines that have the extension installed? I may be a little paranoid but I don’t want my private key in the cloud, especially if I don’t own it…..