Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] The security and ethics of mapping in repressive environments

Jacob Appelbaum jacob at appelbaum.net
Tue Feb 8 23:49:44 PST 2011


On 02/08/2011 11:40 PM, Jonah Silas Sheridan wrote:
> I'm no Jacob, nor do I play one on TV (or even on YouTube!)... But as a
> former NPO IT guy mayhaps I can point you in the right direction.

Ha!

> 
> AFAIK, if you want to send encrypted mail using GMail, your best (read
> cheapest) bet is to connect to Gmail using Thunderbird, and use GPG and
> TBird's enigmail plugin. I have set this up numerous times, and although
> not trivial it is not massively difficult either. Using OSS, it can be
> installed on most any major OS including OSX, Windows and *nix. This is
> adequate for an individual, but not great if you want to set up email
> encryption for a large network.
> 

I totally agree. The new Mac OS X packages are actually really great.
Nothing is a substitute for an hour of reading about theory though...

> You can find Enigmail downloads and a Quick Start guide here:
> http://enigmail.mozdev.or/home/index.php.html
> 
> You can also opt for the PGP alternative. It is a more robust suite of
> tools, but proprietary so you have to buy them from Symantec. It can
> work on many email clients, and only on Windows or OSX. It has some
> enterprise type key management features if deploying in a whole
> office/department/etc.
> 
> See more here: http://www.symantec.com/business/desktop-email
> 
> Once upon a time there was a quest to build a Firefox plugin
> (FireGPG:http://getfiregpg.org/) that would operate similarly to
> Enigmail for using Gmail on the web, but it has been discontinued. Until
> someone picks that up, or more likely unless Google decides to support
> and develop it, that is a non-option.

Moxie owned FireGPG really nicely:
http://www.securityfocus.com/archive/1/497547

It seems prudent to avoid it.

> 
> For web-based Gmail, your best bet is to type your message offline,
> encrypt and copy and paste. PGP has some nice GUI tools for that. GPG
> would leave you on the command line to perform the encryption.

This is of course a total pain but that's the trade-off. If you don't
trust Google for privacy, confidentiality, and integrity - at least with
GPG you'll be able to have some idea when those things violated.

> I will leave it to another time to discuss security authorities and key
> creation. Following the basic instructions is secure enough for most...
> 

I suggest using 2048 (or up) RSA keys - one subkey for signing, one
subkey for encryption.

> That at least can get you started, I hope. I will await Jacob's reply,
> wherein he points out the numerous things I misunderstood and/or didn't
> know. ;-)
> 

You've got it. It's why I like working with you - you've really got it.

All the best,
Jacob



More information about the liberationtech mailing list