[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Confidant Mail

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Confidant Mail
From: Mike Ingle <mike@xxxxxxxxxxxxxxxxx>
Date: Tue, 03 Feb 2015 11:33:24 -0800
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 03 Feb 2015 14:33:36 -0500
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Thunderbird 2.0.0.22 (Windows/20090605)

On 2/3/2015 10:31 AM, Kevin wrote:

On 2/3/2015 12:33 PM, krishna e bera wrote:

On 15-02-02 09:57 PM, Mike Ingle wrote:

http://www.confidantmail.org
Mike Ingle <mike@xxxxxxxxxxxxxxxxx>
d2b89e6f95e72e26e0c917d02d1847dfecfcd0c2

I am curious why someone delivering security and privacy software does
not have HTTPS on their webserver.  Also what is that string after your
email address for?

That string looks like a key

That string is indeed a key. The format is Name <email> keyid

and you can search for either the name or the keyid to find someone'skey. If you search for the keyidyou know you have the right key. If you search for the name, you have toverify the keyid somehow.

I don't have HTTPS because there is nothing secret on the site, andbecause I don't place much trust in it.The keyid in the announce posting has signed the code signing key, andthe code signing key has signed

all the binaries, so you can validate the code integrity.

On 2/3/2015 9:26 AM, Steve Weis wrote:

Why are the Confident Mail PGP key, binaries, and signatures are allserved over http?
Skimming over the code, it lacks any documentation or tests. I seeblocks of commented-out code scattered through the files. I also see alot of potentially unsafe input being concatenated together and usedthroughout the code.
I recommend that you warn people not to use this software for anythingreal yet. It needs a lot of work.

The commented-out code is mostly debug output and some test drivers.There was another separate test driverwhich is not part of the release. I left that in for now in case I needto test something; it will be removed eventually.The code has been tested quite a bit on Windows and Linux, including Torand I2P.

The program is written in Python, which is an interpreted language withcounted strings, so concatenatingstrings is not a dangerous operation. There are functions to validatethe blocks using regular expressions.

There is also an option to open untrusted messages text-only.

The security is done using GPG, not in the Python code. The client alsodoes not accept incoming connections.It's already being used to exchange large files and works fine. Yes itis beta software, but it is already more

secure than most conventional email.

MacOS binary package is close to working.

Mike Ingle <mike@xxxxxxxxxxxxxxxxx>d2b89e6f95e72e26e0c917d02d1847dfecfcd0c2



--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] Confidant Mail
  - From: Zenaan Harkness

Prev by Author: [tor-talk] New Tor-based private mail system: Confidant Mail
Next by Author: Re: [tor-talk] "Confidant Mail"
Previous by thread: [tor-talk] Checksum Post
Next by thread: Re: [tor-talk] Confidant Mail
Index(es):
- Author
- Thread