TechSoup.org The place for nonprofits, charities, and libraries

How do you secure your communications?

  • Has anyone ever used encryption (be it PGP or some other type)? If so, what was your experience? If not, what security measures do you have in place to secure your communications (email or instant messages)?

    If you want to learn more about security, TechSoup's new article, Four Tools for Private Communication, offers some easy (and more advanced) tips, tricks, and tools.
  • Since email was not designed from the beginning for security, it isn't really a "seamless" process to integrate encryption onto it. I have not recommended PGP, S/MIME, or any other types of encryption for email for "non-techie" users, since it's very cumbersome to set up and use. I use GPG myself on rare occasion, though I also have used the free email certificates from IpsCA and Thawte:

    IpsCA: http://certs.ipsca.com/Products/SMIME.asp

    Thawte: http://www.thawte.com/secure-email/personal-email-certificates/index.html
  • Hushmail is a PGP-based webmail system, but as mirrorshades points out, email was not exactly designed to be secure. PGP, and its opensource offshoots, are rather secure, having been used successfully to plan the WTP protest in Seattle in 1999. Encryption is typically too balky for most users though.

    Karl
  • Try PGP 8. The process for installing and getting it set up is very easy for a beginner. I've walked many newbies to encryption through the process using PGP 8 (and previous versions, as well, except for v7), and no one really has an issue with installing 8 or getting it running, especially if they are running Outlook, Outlook Express, Eudora, or The Bat.

    Yes, I know PGP 9 is the "current" version. I have it on the laptop, use it for a few features, but do not like it for a variety of reasons.

    For security of email, you cannot beat PGP 8, especially if you have it set up to force you to sign each email before it is sent. Yes, it requires an additional step that takes a few seconds (my passphrase is over 30 characters and takes about four seconds to accurately type it in), but you KNOW the email has been digitally-signed and stamped. If the recipient changes anything in that email, forwards it to someone else, trying to say you said what the other person changed the email to read, guess what? You have absolute proof of what you sent, especially if you keep a copy of the message, or, better yet, send yourself a CC (or be sneaky, like me, and send yourself a BCC).

    With digital certificates, the problem comes in that once printed, there's no way to verify the message. If printed in its entirety, with the PGP hash at the bottom of the message, you can literally type the message into a plain text editor, matching up the line breaks, and verify the authenticity of the hash. If so much as one space or one character is changed or deleted, the PGP verification will show it is a BAD signature, that the message has been altered. You cannot do that with a digital certificate.

    I use PGP to sign each and every email I send, and to specific people, every email I send to them is encrypted.

    Using the keys we use, based on a lot of scientific theory, as well as current (and estimated development of new computer processors) the current estimate to crack a message I sign with one of my keys is well over 100 years from today. Sure, in 20 years it may be down to about 30 years.

    No matter what, you cannot outwit science with argument. A lot of people say, "If the NSA really wants to, it can crack the file." Well, not true. That's been shown, publicly, many times, and the government said that 9/11 happened because the NSA, FBI, and others could not crack PGP encryption. That's great testimony for a product!

    Can they do it now? No.

    To crack it, you first have to have several key things. Using brute force to crack the encryption -- using all the computing power the NSA has, pushing it all at one file, the NSA may crack a file in 20 years or so. I will be an old man in 20 years (or so). Heck, I will be able to pull a Ronnie Reagan and say, "I can't remember."

    How much is going to be of value in 20 years? That depends on what you have stored in the encrypted file.

    For PGP, there is a free (for personal use), and a more-equipped version. For most people, the free one will work. If you are using it in a business environment, download the trial version (get PGP 8, which is still available for download and purchase), try it out for 30 days, sign up for the PGP-users list at www.cryptorights.org/lists/pgp-users/, and begin using it like a pro very quickly.

    Dave
    Dave J. (Scoop0901) Awake In America, Inc. ----- My opinions are just that: mine. They do not represent those of my dog, my cat, my coffee (or the mug), or any organization. For $20/50 words, I will write opinions you can claim as yours. Payable in Plutonian Tsungima only.
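
Added example (not part of the original posts, and not PGP's own code): retyping a printed clear-signed message, as the post above describes, depends on how OpenPGP canonicalizes cleartext-signed text before hashing (RFC 4880, section 7.1). This Python code covers only that text-handling step on a constructed sample; a real signature hash also covers signature packet fields, and verification needs the signer's public key.

```python
import hashlib

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"

# Constructed sample. The signature body is a placeholder, not real data.
SAMPLE = (
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "Hash: SHA256\n"
    "\n"
    "Board meeting moved to Tuesday.\n"
    "- -- Dave\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "\n"
    "(placeholder)\n"
    "-----END PGP SIGNATURE-----\n"
)


def extract_signed_text(armored: str) -> str:
    """Return the signed text of a clear-signed message, dash-escaping undone."""
    lines = armored.replace("\r\n", "\n").split("\n")
    i = lines.index(BEGIN_MSG) + 1
    # Armor headers such as "Hash: SHA256" run until the first empty line.
    while lines[i].strip():
        i += 1
    end = lines.index(BEGIN_SIG)
    body = lines[i + 1:end]
    # Lines that began with "-" were prefixed with "- " when the message was armored.
    return "\n".join(ln[2:] if ln.startswith("- ") else ln for ln in body)


def canonicalize(text: str) -> bytes:
    """Canonical form that is hashed: CRLF line endings, no trailing spaces or tabs."""
    lines = text.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    # The line ending just before the signature armor is not part of the signed text.
    if lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(ln.rstrip(" \t") for ln in lines).encode("utf-8")


def text_digest(text: str) -> str:
    """SHA-256 over the canonical text only (signature packet fields omitted)."""
    return hashlib.sha256(canonicalize(text)).hexdigest()


def same_signed_text(a: str, b: str) -> bool:
    """True when two copies of a message canonicalize to the same signed bytes."""
    return text_digest(a) == text_digest(b)


if __name__ == "__main__":
    original = extract_signed_text(SAMPLE)
    retyped = "Board meeting moved to Tuesday.  \r\n-- Dave\r\n"  # other editor, CRLF
    altered = "Board meeting moved to Thursday.\n-- Dave"
    print("retyped matches:", same_signed_text(original, retyped))
    print("altered matches:", same_signed_text(original, altered))
```

For an actual check, the retyped block, including its signature armor, goes through `gpg --verify` with the signer's public key in the keyring.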
  • I use Thunderbird, GPG, and Enigmail to secure my email. It all integrates together quite nicely. There is a nice how-to here: http://bitsecurity.org/gpg_mail.html
  • I definitely concur with mirrorshades - integrating the disparate pieces of an inherently insecure email system is not for the faint of heart. My experience as a system administrator, privacy advocate, [former] user of PGP, and as application developer who needed to *easily* sign and secure my email, in addition to access and manage hundreds of passwords from multiple locations and platforms, led me to create and adopt the VaultletSuite for my daily use.

    SHAMELESS SELF PROMOTION REMOVED, SEE POSTING BELOW

    Cheers!

    Rick
  • Hi Rick.

    While we appreciate your offering of free products for non-profits, we do ask that vendors avoid self-promotion in the forums (even if it is on-topic for the thread).

    You are welcome to provide your company's information to the TechFinder project via this link: http://www.techsoup.org/techfinder/techsoup/index.cfm

    Thanks for understanding.

    - Your friendly neighborhood moderator
  • I could have used an assumed identity to post my comment about the VaultletSuite (above), but did not, because I never was much for astroturfing. Instead, I was up front about who I am and what my relationship is with the software.

    I have followed the moderator's advice and have provided my company's information to the TechFinder project using the URL provided, and have removed the [bulk of the] shameless self promotion.

    I hope that following your advice enables VaultletSoft to support your good work with our good work, and for free!

    Cheers,

    Rick

    --
    R. P. Ruiz
    President, VaultletSoft Inc.
    My blog & bio: https://www.vaultletsoft.com/privacy/blog/?page_id=2

  • Hi Rick --

    Thanks for your follow-up. It is very much appreciated!
  • I'm neither a security expert nor a privacy advocate, but I've lived with one long enough to be familiar with some of the issues associated with attempting to get encryption into mainstream use.

    I wanted for years to make PGP work, but I ended up calling upon my live-in help desk so often that I (I mean "we") decided that it simply wasn't worth the hassle. I was excited when I heard about Hushmail and how easy it was to use, but ended up not using it due to the way they manage(d) private keys and the fact that it was an Applet; it just didn't feel like a "real" application.

    Finally, after many moons of not doing anything I'm now using VaultletMail. While the VaultletSuite has a couple of other nifty utilities, I end up spending almost all of my time w/ the VaultletMail client.

    Here are a few things I really like about it:

    1) It allows me to make one simple, yet important system configuration decision based upon which I prioritize more: control or simplicity. If you're into managing your own private keys, for example, then you choose the "Control" option. If you just want it to work w/o any "where's your encrypted private key?" kind of hassle, then you choose the "Simplicity" option and it takes care of that for you.

    2) I can go almost anywhere and access my VaultletMail since I carry my encrypted archives w/ me on my flash drive. This is important because I *have* to use Windows at work, while I prefer to use OS X at home; it's nice to be able to use the same program no matter where I am.

    3) The version I use is free. It's good enough that I don't need to pay for their "bonus functionality" service, which appears to be more oriented towards business users.

    4) Installing the VaultletSuite and creating an account is a piece of cake, even for somebody like me, your typical, mild-mannered computer user.

    Igone
  • I looked at Vaultlet, igone and r.p.ruiz, and sadly, it seems Vaultlet is comparing itself to PGP in earlier versions, such as PGP v.5 or v.6.

    I will not offer any comment on PGP v.7, as not even PGP's original developer, Phil Zimmermann, would make a statement of PGP v.7 -- saying it was free of backdoors or gateways for NSA, CIA, or other alphabet soup agencies to sneak in and monitor a user's actions. In fact, Phil left NAI, Inc., which owned the rights to PGP during the PGP v.7 days.

    Since PGP v.8, though, the process for installing, using, and kicking PGP has become much simpler. In fact, PGP v.9 has been made so easy to "install and forget about it" that all the people I encouraged to try it, people who were looking for a solution, were surprised how simple it is.

    To install it, the process is much like any other program. Click the icon, select your installation directory, and choose your email client(s). You let PGP know if you have existing keys or if you are a new user. If you're a new user, it pops up a screen to create a new key, then automatically uploads the key to keyservers.

    After a restart, PGP v.9 automatically monitors specific ports on your computer, checking for incoming and outgoing email. It scans and monitors for signatures in email and documents, then verifies the signings on the documents or email automatically, and adds a message if the signature is valid or not.

    Most everyone who uses PGP v.9 stays with it. There are very few people -- and I've talked with more than 400 people about it now about just this specific version -- and only a handful have not opted to keep it and/or use it. Then again, these people are not using any other product now, either. They "don't really see the need" for encryption, validation, and other features in PGP.

    I've played with Vaultlet on one machine and a laptop. It didn't do anything that PGP and the Enigmail and GPG combination can't do. In fact, there are things that it cannot do that PGP and the Enigmail and GPG combination can do.

    First, to use it, you must allow Java to run. "Requires Java Runtime v1.4.2++" -- from https://www.vaultletsoft.com/products/index.html

    Only uses 2048-bit RSA public key. RSA is old. Yes, it hasn't been cracked, and yes, a 2048-bit key is strong, but I prefer the newer Diffie/Hellman, but I also like stronger keys. By default, until a year or so ago, the "default" size for any key in any encryption tool, such as PGP, GPG, etc., was 1024. That's fine, but why stay with something everyone else uses?

    In today's society, it should be the norm, but sadly, it isn't. Yet.

    If you're looking at encryption, you should look for strength. As I said, RSA is good, solid, and hasn't been cracked. But DH/DSA is newer, stronger, and RSA is referred to as "legacy," just like Windows98 and Windows2000 are referred to as "legacy" operating systems.

    For my keys, the weakest key that I use is 2048, but that's my "default" public key I use for signing all my "standard" email. When it comes to sensitive documents, or anything where I am discussing something or negotiating terms, I sign with a key that is not stored in a keyserver, with very limited permissions, and has very strong restrictions.

    Vaultlet's site also gave me concern when I first read it when it launched, and still does, to this day.

    If you visit the site at https://www.vaultletsoft.com/, you will see a menu at the top. One item in that menu is "About Us" and leads you to a new page, which should give information about the company, such as where it's based, specific details about the corporation, and who is behind the company. Instead, it is a Question and Answer page, featuring a re-phrased quote from Phil Zimmermann ("Who said that every message must be a postcard?"). There's nothing on that page that would convince me this is a sound product, backed by people who are serious about encryption, involved with a corporation of reputable standing.

    Using Java raised my red flags. I don't allow anything Java-based to run without permission. Paranoid? Not really. But let's say that I've only had one virus hit any computer I've ever used in over 25 years of using computers. That happened in a work environment, back in the early 90s, on a machine that was used by three people. Someone brought in a floppy from home and the employer was too cheap to install anti-virus software. But allowing anything java to run, freely, unchecked, also presents far too many possible malicious issues. For more information, although from a less-than-clearly written source, check out Java Security Basics. So, in essence, someone running a site, telling me to use this Java-based encryption suite, and that I must trust them with potentially confidential or worse, very sensitive and/or personal or corporate information, but provides absolutely no information about who they are, at a very minimum, is a major red flag for me.

    Next, the site pushes "vanishing" email. Sure, that sounds "cute," and yes, a couple of similar sites use this same concept, but what's the use, especially in business? If you're Martha Stewart, sure, you may have wanted to use this before your investor gave you some close-to-the-chest info, but other than that, you do not want vanishing email. Well, maybe you do. Take a look at Apple and the "restating" of options. Vanishing email where questionable ethics come into play may be cool. In a professional, ethical environment, especially in a non-profit environment where transparency should be the rule, this is not the answer. In fact, it's the antithesis of what one should ever consider.

    If you're a terrorist, this is exactly what you want. After Osama bin Laden sends you the message, he gets the confirmation receipt you read the message. Your message magically vanishes after you read it, per his option to have that happen when he created the message, and there's no proof of anything. Yep, this sounds exactly like what ethical business people want to use in their offices for the conduct of business.

    To carry encrypted files, passwords, or "encrypted drives," even ones where you decide the size, such as five megs or two gigs -- is all possible in PGP, as well. As I said, in PGP v8 and PGP v9 (the current version), this is all very simple, and has been since PGP 8. In fact, PGP 6.5 and the various hacks of it, including PGP6.5.8(ckt) had terrific implementations and were feature-rich. In terms of usability, many people new to encryption could learn to use it with very little practice. Sure, you may have had to read just a little to understand a few terms and concepts, but past that, it was fairly straightforward. That's when the graphical user interface (GUI) was strongly becoming integrated into the product.

    In today's PGP, though, everything is drag-and-drop when you must use the GUI. Most things, as I said, are done like anything else in Windows (and I believe Mac, but since I don't have one, I can't say authoritatively, but rely on what I hear), it's a simple right-click and you're done.

    Disclaimer: Aside from being a long-time user of PGP, and a publicly-known PGP user for about five years or so, I have no ties or affiliations with PGP. I also receive no funding, compensation, or gratuities from PGP or any other company involved in security and/or encryption. I firmly believe in the principles that private information should remain private, and am willing to help anyone clearly understand the issues, pro and con, of security, encryption, and such.
    Dave J. (Scoop0901) Awake In America, Inc. ----- My opinions are just that: mine. They do not represent those of my dog, my cat, my coffee (or the mug), or any organization. For $20/50 words, I will write opinions you can claim as yours. Payable in Plutonian Tsungima only.
  • Greetings Dave J, et al:

    Pardon the length of this reply, but Dave covers so much ground that a proper response is in order.

    I can see from the length of your response and the content of your first 6 paragraphs that you really like PGP. If it works for you and the people that you evangelize it to, that's fine. Good on everybody!

    As to what the VaultletSuite does or doesn't do, there's no point in whipping out our... product feature comparison charts and starting a discussion along the lines of "my favorite tool is better than yours because it's _____, and yours is not". Such approaches are doomed to become flame wars which tend to generate more heat than light. Life's too short for that.

    If the VaultletSuite doesn't do what you need, or think it should do, that's fine, then don't use it: that's what diversity in competition is all about, allowing everybody to find what best suits their needs.

    Concerning the requirement of Java 1.4.2, research shows that approximately 88% of computer users already have this or better installed on their computers. For those that don't, that's not too onerous a requirement to use the VaultletSuite for free, especially considering that Java's available for free too, to everybody. To take your argument about the problems with requiring Java a bit further: any and all software has minimum requirements. The fictitious "WidgetWarehouse" package requires "libFoo" (v293.59) on Linux, msfc.dll (v3.59.38a.31) on Windows, and "resource/WubbaWubba7" on OS X. So what?

    On the other hand, to say that the VaultletSuite doesn't do anything novel or desirable appears to be prejudiced by your commitment to PGP. Either you need to take a closer look at the VaultletSuite, or I need to document its features better. Perhaps the reality of your misperception lies somewhere between these two extremes...

    I can, however, say unequivocally that the VaultletSuite does a number of things that other security solutions, such as PGP/GPG, Enigmail, Hushmail, and Ciphire don't do, otherwise, I wouldn't have spent so much time, on my dime, developing it.

    Here's a quick and thoroughly non-exhaustive list of some of the innovative functionality that the VaultletSuite offers its users:

    1) VaultletMail DropBox: *anybody* in the world can send you a point-to-point encrypted message to your VaultletMail account, without they themselves having to do anything other than click once to compose, and one click to send.

    2) VaultletMail SpecialDelivery allows any VaultletMail account holder to send encrypted, and possibly ephemeral (expiring) communications to anyone in the world at their plaintext, insecure email account. What's more, the recipients of these SpecialDelivery messages may respond to their sender in an equally secure manner. Disclaimer: while VaultletMail SpecialDelivery is still a beta service, it's definitely worth taking a look at, and it works today.

    3) The VaultletSuite offers a sociological solution to something that is fundamental to bridging the gap between security enthusiasts, such as yourself, and their circle of family, friends and colleagues who either don't or can't share their ardor for the minutiae involved in security analysis: the VaultletSuite system allows each user to make an informed decision as to what they value more: control or simplicity. This can also be paraphrased amongst security professionals as the choice between convenience and security. These concepts tend to occupy opposite ends of the solutions spectrum. What's so profound about this choice? Now two distinctly different worlds can simply and securely communicate using the same system. This one decision affects where a user's keys are stored, the kind of prompts and choices that the system presents its users, among other more subtle system configuration options.

    4) The VaultletSuite requires zero knowledge of cryptography in order to install, upgrade or use on a daily basis. There are no integration issues to deal with at all either, due to the fact that it's a complete end-to-end solution. This was a design decision I made in order to reduce the friction, or hesitancy, inherent in adopting new software into non-technophiles' lifestyles.

    Concerning your comments about key strengths and encryption algorithms used, you should know that in designing this system I have followed the recommendations, principles and best practices laid out by "Ferguson's and Schneier's" Practical Cryptography, in addition to NIST's recommendations for FIPS 140-2 compliance and certification.

    While you criticize the VS algorithm choices and state that you would like to have stronger keys, your desire to have them isn't backed up by any kind of empirical evidence that trumps the expertise I cited above. So while you may want to use stronger keys, the VS isn't going to provide them to its users until there is consensus within the cryptography and security community to do so. In fact, it's important to point out, that modern crypto is strong enough that most people who want your information won't bother trying to break the encryption scheme because it's not worth their time. Instead they'll take some kind of "physical or mental persuasion device" and apply it to the owner of the encrypted information (which is the weakest link in the chain). So your comment about "ultra large keys" is basically moot.

    Your comment about a lack of information presented in our "About Us" is well taken. In fact, I've just updated the website, providing more information about myself, my professional qualifications and affiliations, in addition to numerous ways to find and contact me. Thank you for pointing that out. Here's the updated page.

    Your comments about Java are misleading, and don't address the real issue at hand: whose code should you trust to run on your computer? The VaultletSuite is an application, just like any other binary that you choose to download, install, and run on your computer. Java applications run with exactly the same rights (to do good or evil) as any other program that you choose to install or that come installed on your computer, no more, no less. Further, they're cryptographically signed by me with a certificate issued by Thawte. The binary's cryptographic signatures are also verified at run time by the Java Web Start environment, further ensuring the integrity of the files I publish. What's more, the integrity of the installation binaries is also verifiable, as I publish cryptographic hashes of each file's contents.

    If we remove the distraction provided by your use of the word "Java", we can now deal with the larger underlying issue of trust: how do we decide whom to trust with our valuable information? Personally, when dealing with issues of security, I prefer to know that the code is auditable, in addition to knowing the provenance of the pieces/parts it contains. The sourcecode for the high level crypto wrapper code I wrote for the Bouncy Castle lightweight crypto API is available via the GPL, and the Bouncy Castle crypto API is Open Source too. So, no worries there. Additionally, skeptics and security professionals may review the sourcecode to the VaultletSuite client. Our sourcecode license is modeled after PGP's license, so there should be no worries there either.

    Your criticisms about "vanishing" mail appear to mimic the "if you've got nothing to hide, then why do you worry about somebody invading your privacy?" arguments that anti-crypto and/or anti-privacy provocateurs use on a regular basis. Are you asserting that a permanent record of everything we ever say via email should be kept for posterity? I should hope not. Look, I'll be honest with you here: I decided to add this feature to version 0.7.0 of the VaultletSuite on a lark, because I was fed up with so much "Cover Your _ss" (CYA) email that I was seeing in corporate and governmental emails. I was tired of people going to great lengths in the emails to not have an opinion about anything, lest it come back to haunt them later.

    So I thought, "wouldn't it be nice to be able to encourage frank and honest discussions by allowing the sender of the message to put propagation and time limits on their opinions?" Now here's the funny part: people who see this in action get it immediately. And these people aren't terrorists, inside traders or option dating flaunters. They're just your average cubicle Joes who like to be able to speak off the record occasionally. There are a number of other scenarios in which the VaultletSuite's HalfLife and ScopeControlled messages would serve a useful purpose, but I'll leave that as an exercise for the reader. That's an exercise above and beyond having to slog through Dave's and my posts ;-)

    Now, having said that, I do take umbrage with your assertion that "If you're a terrorist, this is exactly what you want. " Without responding in kind (which I'll admit is my extremely human impulse) I'll simply state that this kind of argumentation is counter productive. If you don't like the VaultletSuite or the functionality, for whatever reason, that's your prerogative. But please don't demonize something you don't fully understand. No one here is served by that kind of language or reasoning.

    To summarize my philosophy on problems (in general), their multiple possible solutions, and the providers of those solutions: for people with similar, yet not exactly the same, problems, let them choose whichever tool suits them best. And let the solution providers cherish not their chosen tools, rather let them be proud of their capacity to create and wield the tools necessary to provide their solutions.

    Peace,

    Rick
  • I have to apologize for being slow to reply. I've been busy on several projects which required a lot of attention, and well, a reply simply had to wait.

    { del }
    Delete? Y / N

    I deleted the message I had composed, as looking over my reply, which was addressing each point you raised was actually turning into a testosterone match, and I will not get involved in such nonsense.

    You raise the point that you developed the product, that it was on your "dime," and that you have faith in it. That is the summary of it all. If you said anything other than that, it wouldn't be your product.

    Past that, I have nothing to add except what I have stated above, all of which I stand by without alteration.
    Dave J. (Scoop0901) Awake In America, Inc. ----- My opinions are just that: mine. They do not represent those of my dog, my cat, my coffee (or the mug), or any organization. For $20/50 words, I will write opinions you can claim as yours. Payable in Plutonian Tsungima only.
  • Greetings all!

    This is a response to what appears to be a cross posted comment that appears on another page. I gather from Scoop0901's posts above that the author is rather fond of PGP. Good on him (and you too) if that's your tool of choice.

    The VaultletSuite, now called VaultletSuite 2 Go, continues to evolve and improve. It is now a completely portable app that you can install on your USB drive and use anywhere (Windows, OS X, Linux, etc).

    Instead of asking you the reader to slog through a mini-flame war about the pros and cons of PGP and the VaultletSuite 2 Go, I think that the simplest thing you can do is install it in less than a minute and give it a try to see if it works for you. If you're an individual or an NGO it's free to use, no strings attached. You could even give PGP a try and see for yourself which of the two best meets your needs.

    Wishing everyone peace and prosperity,

    Rick

    --

    R. P. Ruiz
    President, VaultletSoft Inc.
    Your bytes are your business, our business is keeping it that way.

    Send me a secure VaultletMail message anytime, anywhere: https://production.vaultletsoft.com/dropbox?to=r.p.ruiz