topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Thursday March 28, 2024, 6:00 pm
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Poll

Q1: Do you know what PGP is? (no fair cheating and googling it if you don't know) Q2: Do you always use it?

A1: Yes, I know what it is.
29 (50.9%)
A1: No, I do not know what it is.
3 (5.3%)
A2: Yes, I always use it (or an alternative).
0 (0%)
A2: No, I do not use it.
19 (33.3%)
A2: I only use it (or an alternative) sometimes.
6 (10.5%)

Total Members Voted: 33

Last post Author Topic: *Email privacy and security survey*  (Read 18059 times)

app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 5,884
    • View Profile
    • Donate to Member
*Email privacy and security survey*
« on: August 16, 2013, 11:36 AM »
After a number of recent discussions about email privacy and security, I decided to ask this question here and elsewhere, as I am curious as to the responses among DC members and the general public.

Edvard

  • Coding Snacks Author
  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 3,017
    • View Profile
    • Donate to Member
Re: *Email privacy and security survey*
« Reply #1 on: August 16, 2013, 11:55 AM »
Yes, I know what it is, and I also know the Gnu version, GPG, and about the OpenPGP standard.
Do I use it for email?  No.  Why, if I was whining so loudly about my beloved Lavabit shutting down?
Because 1- I just don't go emailing around sensitive information that would require it.  I'm not that important and neither are my email messages to friends and family.  My primary concern was to prevent "casual hacking" which might reveal passwords or other information I had stored in email (not smart, I know, and I started using POP3 instead of IMAP after someone apparently brute-forced my password to start sending out spam.  *sigh* Different story.)
2- I would have to teach my brothers, mother, grandmother, cousins and aunts/uncles and friends all about how to use it and why they can't read emails from me unless they did.  No thanks.

In my post about Lavabit shutting down, I described my very simple reason for using an email service that was encrypted, and it was about simple prevention of "casual hacking" which might reveal passwords or other information I had stored in email (not smart, I know, and I started using POP3 instead of IMAP and erasing messages from the server after someone apparently brute-forced my password to start sending out spam.  *sigh* Different story.)

Anyways, I do use GPG to encrypt my password vault, does that count?

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,857
    • View Profile
    • Donate to Member
Re: *Email privacy and security survey*
« Reply #2 on: August 16, 2013, 12:04 PM »
Like Edvard, I'm up on it, have GPG installed, but only rarely use it for much the same reasons he gave.
 8)

rgdot

  • Supporting Member
  • Joined in 2009
  • **
  • Posts: 2,192
    • View Profile
    • Donate to Member
Re: *Email privacy and security survey*
« Reply #3 on: August 16, 2013, 12:08 PM »
Same as above.
I use encryption locally (via TrueCrypt) more than any other form.

Jibz

  • Developer
  • Joined in 2005
  • ***
  • Posts: 1,187
    • View Profile
    • Donate to Member
Re: *Email privacy and security survey*
« Reply #4 on: August 16, 2013, 12:25 PM »
I know what it is, but I am not using it. The problem I see with GPG/PGP for e-mail is that, unless you are mailing somebody involved in linux development, chances are they don't have anything installed that can check/decrypt it. This sums it up nicely:

http://xkcd.com/1181/

A polished solution for this should have been part of thunderbird for a decade instead of relying on clunky plugins or obscure tools if it should have had any chance.

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,646
    • View Profile
    • Donate to Member
Re: *Email privacy and security survey*
« Reply #5 on: August 16, 2013, 01:57 PM »
I know what it is, but I am not using it.

+1 - Because all encrypted communications do is draw unnecessary attention to your activities, and regardless of what you use it's not going to stop an elite focused (governmental...) attack. So the bulk of it strikes me as a waste of (cycle) time.

app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 5,884
    • View Profile
    • Donate to Member
Re: *Email privacy and security survey*
« Reply #6 on: August 16, 2013, 02:07 PM »
I know what it is, but I am not using it.

+1 - Because all encrypted communications do is draw unnecessary attention to your activities, and regardless of what you use it's not going to stop an elite focused (governmental...) attack. So the bulk of it strikes me as a waste of (cycle) time.

I don't think it would be a waste of time if one were a business and it was used for securely transferring password information between you and a client, but in the case of businesses that deal with common people that don't have any clue what PGP or an alternative is, or don't have what they need to use it installed, then it certainly makes things much more difficult to transfer that type of information securely (which is a problem I am facing right now, and to which I have not found a free easy moron-proof cross-platform solution)

skwire

  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 5,286
    • View Profile
    • Donate to Member
Re: *Email privacy and security survey*
« Reply #7 on: August 16, 2013, 02:13 PM »
Like others, I'm very familiar with what PGP/GPG is, have it installed, but rarely use it.

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,646
    • View Profile
    • Donate to Member
Re: *Email privacy and security survey*
« Reply #8 on: August 16, 2013, 03:52 PM »
I know what it is, but I am not using it.

+1 - Because all encrypted communications do is draw unnecessary attention to your activities, and regardless of what you use it's not going to stop an elite focused (governmental...) attack. So the bulk of it strikes me as a waste of (cycle) time.

I don't think it would be a waste of time if one were a business and it was used for securely transferring password information between you and a client, but in the case of businesses that deal with common people that don't have any clue what PGP or an alternative is, or don't have what they need to use it installed, then it certainly makes things much more difficult to transfer that type of information securely (which is a problem I am facing right now, and to which I have not found a free easy moron-proof cross-platform solution)

I'm in favor of the single use ephemeral "reset" password scheme.

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,186
    • View Profile
    • Donate to Member
Re: *Email privacy and security survey*
« Reply #9 on: August 16, 2013, 03:58 PM »
I'm in favor of the single use ephemeral "reset" password scheme.

What is this?

Vurbal

  • Supporting Member
  • Joined in 2012
  • **
  • Posts: 653
  • Mostly harmless
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: *Email privacy and security survey*
« Reply #10 on: August 16, 2013, 04:33 PM »
I use Thunderbird and have Enigmail installed and configured. However there aren't too many circumstances when it's actually useful. Only 2 people I communicate with via email use it themselves.

One of them always signs his emails - not surprising since he also wrote and administered the first public PGP keyserver. I don't encrypt emails I send to him, but I do sign them.

The other is Mike Masnick. I've started encrypting all my messages to him just because I figure he's pissed the NSA off so much they probably read his email on general principle. I'm not sending anything I expect them to care about, but that's sort of the point. If there's even an outside chance they will waste resources cracking the encryption it seems like the responsible thing to do.
I learned to say the pledge of allegiance
Before they beat me bloody down at the station
They haven't got a word out of me since
I got a billion years probation
- The MC5

Follow the path of the unsafe, independent thinker. Expose your ideas to the danger of controversy. Speak your mind and fear less the label of ''crackpot'' than the stigma of conformity.
- Thomas J. Watson, Sr

It's not rocket surgery.
- Me


I recommend reading through my Bio before responding to any of my posts. It could save both of us a lot of time and frustration.

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,646
    • View Profile
    • Donate to Member
Re: *Email privacy and security survey*
« Reply #11 on: August 16, 2013, 06:54 PM »
I'm in favor of the single use ephemeral "reset" password scheme.
What is this?

A really bad (rushed...) description of something we've all seen many times?

Most sites if you click the lost password link send a reset password link to the accounts Email address that typically expires in 24 hours or less and allows the user to change their password to something that isn't lost.

I've done a variation on that for clients (in a pinch) if I know they are sitting there waiting/trying to login. I log into the server, set their account to require a pw change on next login, and then Email the password to where ever they would like because it ain't gonna be any good in less than 60 seconds anyhow.

I really don't think there is a truly secure way of sending passwords. You can try encrypting it sure...but then what do you do with the encryption key (Infinite loop anybody?)?? So it's really just best to minimize the exposure window by keeping the timeline as tight as possible.

app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 5,884
    • View Profile
    • Donate to Member
Re: *Email privacy and security survey*
« Reply #12 on: August 16, 2013, 07:58 PM »
I've done a variation on that for clients (in a pinch) if I know they are sitting there waiting/trying to login. I log into the server, set their account to require a pw change on next login, and then Email the password to where ever they would like because it ain't gonna be any good in less than 60 seconds anyhow.

My situation is slightly different, in that I need Grandma Dum-Dum to be able to send the info to me, not the other way around. And if after receiving the info, I go and change her passwords on her (because she sent them insecurely), and she can't log into her cpanel or ftp, she is going to panic and think I have hijacked her website instead of securing it for her. I'd like to be able to have her give the info to me securely, use it to complete the job she hired me for, then suggest she change the passwords when the job is done. If at that point she doesn't take my advice, at least with it being me that has the password info, with my knowing I won't do anything harmful with it (if I can't trust myself, then who can I trust?), I won't have to worry as much.

I really don't think there is a truly secure way of sending passwords. You can try encrypting it sure...but then what do you do with the encryption key (Infinite loop anybody?)??

Bingo! Now you fully understand my problem.  :(

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,288
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
Re: *Email privacy and security survey*
« Reply #13 on: August 16, 2013, 08:27 PM »
I really don't think there is a truly secure way of sending passwords. You can try encrypting it sure...but then what do you do with the encryption key (Infinite loop anybody?)??

Go scuba diving in an underwater cave with a grease pencil and board to write on. Oh, and a good memory as you don't can't do this twice. Erase the board after you're done then set charges and blow up the cave after you leave - NOT before you leave! Important point there - AFTER! Not before! ;) ;D
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 5,884
    • View Profile
    • Donate to Member
Re: *Email privacy and security survey*
« Reply #14 on: August 16, 2013, 09:37 PM »
I really don't think there is a truly secure way of sending passwords. You can try encrypting it sure...but then what do you do with the encryption key (Infinite loop anybody?)??

Go scuba diving in an underwater cave with a grease pencil and board to write on. Oh, and a good memory as you don't can't do this twice. Erase the board after you're done then set charges and blow up the cave after you leave - NOT before you leave! Important point there - AFTER! Not before! ;) ;D

Never underestimate the intelligence of dolphins. I am pretty sure they would hack your website, if given the chance...and your password.

laughing-dolphin.gif
He's laughing because he knows it's true!

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,288
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
Re: *Email privacy and security survey*
« Reply #15 on: August 16, 2013, 10:10 PM »
Never underestimate the intelligence of dolphins. I am pretty sure they would hack your website, if given the chance...and your password.

Insidious creatures, they are! I don't know why we tolerate alien invaders, even if they're supposed to be "observers" or whatever. And same goes for white mice... Grrrr...  :mad:
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,186
    • View Profile
    • Donate to Member
Re: *Email privacy and security survey*
« Reply #16 on: August 16, 2013, 10:10 PM »
My situation is slightly different, in that I need Grandma Dum-Dum to be able to send the info to me, not the other way around. And if after receiving the info, I go and change her passwords on her (because she sent them insecurely), and she can't log into her cpanel or ftp, she is going to panic and think I have hijacked her website instead of securing it for her. I'd like to be able to have her give the info to me securely, use it to complete the job she hired me for, then suggest she change the passwords when the job is done. If at that point she doesn't take my advice, at least with it being me that has the password info, with my knowing I won't do anything harmful with it (if I can't trust myself, then who can I trust?), I won't have to worry as much.

Why can't they create a new user for you?  That's what I do in those cases.  And if she knows how to use cpanel, then that's not that big of a deal to do.  Same for wordpress.

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,288
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
Re: *Email privacy and security survey*
« Reply #17 on: August 16, 2013, 10:18 PM »
Why can't they create a new user for you?  That's what I do in those cases.  And if she knows how to use cpanel, then that's not that big of a deal to do.  Same for wordpress.

Because:

...Dum-Dum...

I'm currently using Plesk, but if CPanel is remotely similar now (haven't used it in over 10 years), then asking a mere mortal to sift through it is akin to demanding a kindergarten class invade Pluto. Just finding functionality in Plesk is a daunting task. Using it? Oh god...

Wordpress is organized much better, though still could present a problem for a lot of people.
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

4wd

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 5,641
    • View Profile
    • Donate to Member
Re: *Email privacy and security survey*
« Reply #18 on: August 16, 2013, 11:23 PM »
Been aware of PGP since its earliest incarnation on the Amiga, used it sporadically but that was before I switched over to x86 hardware.

A polished solution for this should have been part of thunderbird for a decade instead of relying on clunky plugins or obscure tools if it should have had any chance.

I can't tell you how long it's been there but Thunderbird->Write->Options->Encrypt Message

2013-08-17 14_18_57-.png

You just need a SSL Certificate, (which are free), and the recipient needs to use digitally signed email, (so you have the recipient key to encrypt with).

Very easy.

Jibz

  • Developer
  • Joined in 2005
  • ***
  • Posts: 1,187
    • View Profile
    • Donate to Member
Re: *Email privacy and security survey*
« Reply #19 on: August 17, 2013, 03:55 AM »
A polished solution for this should have been part of thunderbird for a decade instead of relying on clunky plugins or obscure tools if it should have had any chance.

I can't tell you how long it's been there but Thunderbird->Write->Options->Encrypt Message

That's S/MIME as far as I can tell, which is actually supported by many e-mail clients. To get PGP support I think you still need to install both Enigmail and GnuPG.

And the problem of not many people having support for PGP extends to the trust model. In theory the web of trust is a great idea, but in practice it's probably easier to trust certificates from a CA than self-signed PGP keys that nobody has verified :-\.

cyberdiva

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,041
    • View Profile
    • Donate to Member
Re: *Email privacy and security survey*
« Reply #20 on: August 17, 2013, 09:20 AM »
Yes, I know what it is, and no, I don't use it.  I rarely if ever have anything in my email worth hiding from the world.  Also, almost no one I write to uses it or wants to be bothered. 

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,288
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
Re: *Email privacy and security survey*
« Reply #21 on: August 17, 2013, 09:52 AM »
Also, almost no one I write to uses it or wants to be bothered. 

And my guess there is because it's too darn hard to get working and email is broken anyways. :P
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

Vurbal

  • Supporting Member
  • Joined in 2012
  • **
  • Posts: 653
  • Mostly harmless
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: *Email privacy and security survey*
« Reply #22 on: August 17, 2013, 11:06 AM »
There are a couple big problems the way I see it, and they're not specific to email. The first is simplicity and useability. For ordinary people something like PGP is obviously way too complicated - not because it's actually that hard but because it has the appearance of difficulty. Honestly, though, even something relatively simple like just going to Comodo and getting a free SSL certificate is just as intimidating.

I consider myself something of an expert on this particular subject. Most complex software is well within the grasp of most people but people like me who are good at both understanding and explaining it are few and far between. I don't know what the answer to that one is besides just keep doing what I do.

The other side of the problem is the solution providers. As someone has already noted, self signed security like PGP can be hard to trust but third party providers are inherently risky as well. Even if they're trustworthy, they represent single points of vulnerability which can impact everybody everywhere. A web of trust is the only solution to both problems but it needs to involve the industry players as well.

At the end of the day it probably comes down to mindset. Even if you don't give a rat's ass about anybody else, the less secure everybody else's systems are, the more vulnerable yours is. It needs to start by picking off the low hanging fruit by establishing some kind of reasonable baseline.

There are a lot of things I think go into that, but the first one is this. At least when it comes to getting the message out to the masses, we need to stop talking about security and start talking about privacy. Mention security and most people will tune you out before you start the next sentence. Say privacy - especially right now - and you've got people's attention. They neither want nor need to know the big picture. They just need to know how to do their part to protect themselves so we can focus on taking the next step.
I learned to say the pledge of allegiance
Before they beat me bloody down at the station
They haven't got a word out of me since
I got a billion years probation
- The MC5

Follow the path of the unsafe, independent thinker. Expose your ideas to the danger of controversy. Speak your mind and fear less the label of ''crackpot'' than the stigma of conformity.
- Thomas J. Watson, Sr

It's not rocket surgery.
- Me


I recommend reading through my Bio before responding to any of my posts. It could save both of us a lot of time and frustration.

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,288
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
Re: *Email privacy and security survey*
« Reply #23 on: August 17, 2013, 11:32 AM »
The other side of the problem is the solution providers. As someone has already noted, self signed security like PGP can be hard to trust but third party providers are inherently risky as well. Even if they're trustworthy, they represent single points of vulnerability which can impact everybody everywhere. A web of trust is the only solution to both problems but it needs to involve the industry players as well.

And that's EXACTLY why I'm hopeful for Bitmessage to sort its problems and enter the arena of strong encryption that we can trust.

There are a couple big problems the way I see it, and they're not specific to email. The first is simplicity and useability. For ordinary people something like PGP is obviously way too complicated - not because it's actually that hard but because it has the appearance of difficulty. Honestly, though, even something relatively simple like just going to Comodo and getting a free SSL certificate is just as intimidating.

This is the biggest problem right now.

While I *could* get it working for *ME*... doesn't mean jack if other people aren't on board.

The barrier is a function of difficulty, tech savviness, broad adoption, and willingness to use it. And willingness is a function of "how damn long will this take me to get it running, and who can I use it with?" Blah blah, etc. etc.

I've had a bitch of a time trying to get other people to use Jitsi with me. So far I've got 1 (one) friend to use Jitsi with me. And half the time we end up on Skype. Jitsi is great, but it ain't prime time yet. :(

Then there's email... hopeless. It's just total dog s4!+.
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

Vurbal

  • Supporting Member
  • Joined in 2012
  • **
  • Posts: 653
  • Mostly harmless
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: *Email privacy and security survey*
« Reply #24 on: August 17, 2013, 01:49 PM »
The other side of the problem is the solution providers. As someone has already noted, self signed security like PGP can be hard to trust but third party providers are inherently risky as well. Even if they're trustworthy, they represent single points of vulnerability which can impact everybody everywhere. A web of trust is the only solution to both problems but it needs to involve the industry players as well.

And that's EXACTLY why I'm hopeful for Bitmessage to sort its problems and enter the arena of strong encryption that we can trust.
 

That's exactly what I'm talking about.  :Thmbsup:  Services like that are also important because if/when they become successful there's another piece of the roadmap for developing other services.

I also think the more small to medium size players we have trying to gain a foothold in the enterprise market, the more we'll see business models catering to both individuals and business. A company like Comodo benefits most from expanding the market and stimulating competition. A company like Verisign or Microsoft benefits most from controlling the market and maintaining the status quo.

This is the biggest problem right now.

While I *could* get it working for *ME*... doesn't mean jack if other people aren't on board.

The barrier is a function of difficulty, tech savviness, broad adoption, and willingness to use it. And willingness is a function of "how damn long will this take me to get it running, and who can I use it with?" Blah blah, etc. etc.

I've had a bitch of a time trying to get other people to use Jitsi with me. So far I've got 1 (one) friend to use Jitsi with me. And half the time we end up on Skype. Jitsi is great, but it ain't prime time yet. :(

Yep. And that's where people like me fit into the picture. Without users who are at least reasonably competent how can developers get useful feedback? There's just too much trial and error on both sides which can only be solved if they meet in the middle. Lots of developers are already there waiting. The public, on the other hand, needs some herding.

Then there's email... hopeless. It's just total dog s4!+.

It's not just email either. To paraphrase one of my favorite (made up) Einstein quotes, we cannot solve our problems using the same thinking that created them.

Email, passwords, and even independent security authorities are obsolete. They're modeled on outdated corporate processes and technical limitations that no longer apply. Building replacements requires a completely different perspective based on current needs and technology. It's sort of like the transition from horseless carriages to cars.
I learned to say the pledge of allegiance
Before they beat me bloody down at the station
They haven't got a word out of me since
I got a billion years probation
- The MC5

Follow the path of the unsafe, independent thinker. Expose your ideas to the danger of controversy. Speak your mind and fear less the label of ''crackpot'' than the stigma of conformity.
- Thomas J. Watson, Sr

It's not rocket surgery.
- Me


I recommend reading through my Bio before responding to any of my posts. It could save both of us a lot of time and frustration.