[liberationtech] The security and ethics of mapping in repressive environments
Jacob Appelbaum
jacob at appelbaum.net
Tue Feb 8 23:49:44 PST 2011
On 02/08/2011 11:40 PM, Jonah Silas Sheridan wrote:
> I'm no Jacob, nor do I play one on TV (or even on YouTube!)... But as a
> former NPO IT guy mayhaps I can point you in the right direction.
Ha!
>
> AFAIK, if you want to send encrypted mail using GMail, your best (read
> cheapest) bet is to connect to Gmail using Thunderbird, and use GPG and
> TBird's enigmail plugin. I have set this up numerous times, and although
> not trivial it is not massively difficult either. Using OSS, it can be
> installed on most any major OS including OSX, Windows and *nix. This is
> adequate for an individual, but not great if you want to set up email
> encryption for a large network.
>
I totally agree. The new Mac OS X packages are actually really great.
Nothing is a substitute for an hour of reading about theory though...
> You can find Enigmail downloads and a Quick Start guide here:
> http://enigmail.mozdev.or/home/index.php.html
>
> You can also opt for the PGP alternative. It is a more robust suite of
> tools, but proprietary so you have to buy them from Symantec. It can
> work on many email clients, and only on Windows or OSX. It has some
> enterprise type key management features if deploying in a whole
> office/department/etc.
>
> See more here: http://www.symantec.com/business/desktop-email
>
> Once upon a time there was a quest to build a Firefox plugin
> (FireGPG:http://getfiregpg.org/) that would operate similarly to
> Enigmail for using Gmail on the web, but it has been discontinued. Until
> someone picks that up, or more likely unless Google decides to support
> and develop it, that is a non-option.
Moxie owned FireGPG really nicely:
http://www.securityfocus.com/archive/1/497547
It seems prudent to avoid it.
>
> For web-based Gmail, your best bet is to type your message offline,
> encrypt and copy and paste. PGP has some nice GUI tools for that. GPG
> would leave you on the command line to perform the encryption.
This is of course a total pain but that's the trade-off. If you don't
trust Google for privacy, confidentiality, and integrity - at least with
GPG you'll be able to have some idea when those things violated.
> I will leave it to another time to discuss security authorities and key
> creation. Following the basic instructions is secure enough for most...
>
I suggest using 2048 (or up) RSA keys - one subkey for signing, one
subkey for encryption.
> That at least can get you started, I hope. I will await Jacob's reply,
> wherein he points out the numerous things I misunderstood and/or didn't
> know. ;-)
>
You've got it. It's why I like working with you - you've really got it.
All the best,
Jacob
More information about the liberationtech
mailing list