[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Tor-compatible secure email systems

To: or-talk@xxxxxxxxxxxxx
Subject: Re: Tor-compatible secure email systems
From: Jacob Appelbaum <jacob@xxxxxxxxxxxxx>
Date: Thu, 12 Oct 2006 18:19:56 -0700
Delivered-to: archiver@seul.org
Delivered-to: or-talk-outgoing@seul.org
Delivered-to: or-talk@seul.org
Delivery-date: Thu, 12 Oct 2006 21:21:02 -0400
In-reply-to: <4ef5fec60610121800l5713a848q8f881b5f811f36a6@mail.gmail.com>
References: <1158061483.11637.270719949@webmail.messagingengine.com> <4506A613.10003@owca.info> <60523.75.7.46.219.1158066823.squirrel@mail.memcpy.com> <450796A6.5000807@owca.info> <49270.75.7.46.219.1158149578.squirrel@mail.memcpy.com> <45087C19.5070306@ml1.net> <1158699826.23141.271333277@webmail.messagingengine.com> <451081B4.30104@gmail.com> <4510FF3D.4080109@ml1.net> <1160700347.494.273221408@webmail.messagingengine.com> <4ef5fec60610121800l5713a848q8f881b5f811f36a6@mail.gmail.com>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx
User-agent: Thunderbird 1.5.0.7 (Macintosh/20060909)

coderman wrote:
> On 10/12/06, Total Privacy <nosnoops@xxxxxxxxxxx> wrote:
>> ...
>> Using PGP or similar to make an encrypted file (txt or word or
>> something).
>> Then attach it to an ordinary webmail upload function, to send it over to
>> the recipient that alreday are informed of my public key (and who´s key I
>> have). All this whitout any need for Thunderbird or anything in computer.
> 
> something like freenigma?
> http://www.freenigma.com/
> 
> you have to trust them with your keys, but at least provides some
> protection for the scenario you describe.
> 

Why would you trust the freenigma people with your secret keys?

This article by Ben Laurie sorta sums it up nicely:
"Oh dear. So freenigma can decrypt my mails (and anyone else they care
to give the session key to). What’s more, it looks like they have your
private key, too, so they can impersonate you.

They don’t say how you decrypt, but I presume the story will be
described with the same disingenuousness: no, you don’t send your
encrypted mail to the server, just send us the encrypted session key and
we’ll decrypt that for you. How comforting. Not."

http://www.links.org/?p=130 (google cache:
http://72.14.253.104/search?q=cache:33Eoh50ZCQ8J:www.links.org/%3Fp%3D130+http://www.links.org/%3Fp%3D130&hl=en&gl=us&ct=clnk&cd=1&client=safari
)

It would be ideal to use something like this when it's available:
http://www.shmoo.com/soc/gpgreasemonkey.html

Regards,
Jacob

References:
- Re: Tor-compatible secure email systems
  - From: Total Privacy
- Re: Tor-compatible secure email systems
  - From: coderman

Prev by Author: Fwd: end-to-end encryption? SSL? GnuPG?
Next by Author: "Practical onion hacking: finding the real address of Tor clients"
Previous by thread: Re: Tor-compatible secure email systems
Next by thread: Re: Tor-compatible secure email systems
Index(es):
- Author
- Thread