Domain: ciphirebeta.com
Stories and comments across the archive that link to ciphirebeta.com.
Comments · 6
-
The point is transparent key exchange
I think what most threads that ask "why not use GPG/PGP/Enigmail/etc" are not seeing is that the problem the Ciphire people are trying to fix is that of key exchange, not actual encryption/decryption.
Currently, that I know of, no email encryption plugin/system like the ones mentioned here make it completely transparent for users to fetch other people's public keys and use them to encrypt mail. Usually you have to first get someone's public key, either from them or by checking a server (like MIT PGP repository, etc) that does not necessarily do any kind of verification. So I could get a key for "foo@bar.com" even if I don't own that address. Then there can be multiple keys for foo@bar.com and you have to physically check with the recipient for the right fingerprint. And in any case I can only choose to encrypt email that is being sent to people of whom I know I have their correct keys.
The whole point of Ciphire is that it will try to encrypt if possible without the user having to worry about any of that. And yes, they are a centralized CA, but you don't actually have to completly trust them either. Check their technical intro page for a summary of their nifty hash fingerprinting mechanism for verifying certificate integrity.
And as some people have pointed out, you don't have to install a plugin, it works by using TCP hooks (not a server process either). So ideally more and more people (including non-techies) could just install it and forget, and eventually more and more email will start being sent encrypted (as more users register).
The only downside is, it breaks webmail. -
Beware of snakeoilFrom ciphirebeta '... Once the code is stable and we've had independent code audits, we'll publish the source code. We're releasing a security product, and we believe - along with legions of other security aware developers - that transparency is key to trust building
...'This is the bit I dont like. Read the from the master himself, Philip Zimmermann - the one who was under 3 year investigation by US customs. Reading through Phils articles, I came across Beware of Snake Oil. It makes for good reading when evaluating if the product is worth the effort.
My question is if you cant read the source (massive assumption given few know how to write and implement encryption) how do you know if the code is implemented correctly?
-
Re:Careful: not very secure, not very trustworthy
I hope its not homegrown hash;
Well, according to their cryptographic functions page, they are using SHA-256 and Whirlpool-512 hashing. -
Re:Why?
I'm not going to claim any knowledge of cryptography, but their website is claiming quite a few modifications to existing stuff. If they get it to mesh together and avoid the few drawbacks that regular crypto algorithms have, this could be considered a new technology.
That wasn't my major point though. I actually meant more along the lines of "Try what they show before claiming it's bad" . -
This product is NOT open source.
Some lying slimeball is exploiting the
/. crowd to get some free publicity for his shitty commercial product.
So go ahead, tell this guy what you think.
-Fatty -
Re:How is it free or open source?
Read the https://www.ciphirebeta.com/about/facts.html stupid.