[liberationtech] In defense of client-side encryption
Kyle Maxwell
kylem at xwell.org
Sun Aug 11 11:27:13 PDT 2013
Side note: please don't use LibTech as a marketing tool. Occasional
mentions are good, but I feel like you're flagging it a little too
much and too often. Just a friendly note. :)
On Sun, Aug 11, 2013 at 1:10 PM, Francisco Ruiz <ruiz at iit.edu> wrote:
> Twice again, privacy has taken a hit across the land. Lavabit and Silent
> Mail are gone, and to quote Phil Zimmermann, “the writing is on the wall”
> for any other encrypted email provider located in US territory. This is sure
> to be repeated for servers located in Europe and other countries. Is this
> the end of encrypted email?
>
> It might well be the end of encrypted email _servers_, at least for a while,
> but not of encrypted email itself. I’ve posted this a few times here, but
> let me repeat it: you only get real security if the encryption is handled
> completely client-side. Then you don’t rely on a server that can be shut
> down. You can use any mail system, web-based or otherwise. They’d have to
> shut down every mail provider and every text provider in order to shut you
> down. This is what PGP was when it started. We need to go back to that.
>
> And yes, client-side today might mean JavaScript. What’s so wrong with that?
> Sure, it is easy to intercept and modify, but it is also transparent and
> easy to check. If the user is willing to check a hash of the source code,
> JavaScript isn’t any less tamper-proof than compiled code. And who even gets
> to look at compiled code these days (especially if it resides in a server)?
>
> This is one of the reasons why I am developing PassLok. Thanks to feedback
> from members of this forum, the security provided by PassLok is stronger
> than ever, but you don’t have to believe me. Download it from its source at
> https://passlok.site44.com (once you have it once, you have it forever),
> look at it, run it, test it. Get its SHA256 hash from its help page and
> check it. If you’re as paranoid as I am, you can watch me reading that hash
> (with some nice background music to make tampering with it more difficult),
> in this YouTube video: https://www.youtube.com/watch?v=VHR_w0FCkC0
>
> There’s no legal action that can shut down PassLok because it consists of
> pure code, and pure code is speech, protected from government interference
> under the 1st amendment to the US Constitution.
>
> If you don’t think this is enough, let us all know. Let’s come up with a
> solution. Meanwhile, I appreciate any suggestions on how to make PassLok
> more secure and easier to use.
>
>
> --
> Francisco Ruiz
> Associate Professor
> MMAE department
> Illinois Institute of Technology
>
> PL13lok=WsH3zTgZn8V3hnIqjdbfPus+5YF5n+LBRPuH9USMMp8izPv+hsLoZKv+jaCFMapJFfiA11Q9yJU1K1Wo0TbjXK/=PL13lok
>
> get the PassLok privacy app at: http://passlok.com
>
> --
> Liberationtech is a public list whose archives are searchable on Google.
> Violations of list guidelines will get you moderated:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe,
> change to digest, or change password by emailing moderator at
> companys at stanford.edu.
--
@kylemaxwell