Slashdot Mirror


Ciphire, A Transparent, Easy PGP Alternative

mixter writes "Hi. I'd like to point your attention to Ciphire, a fully free and soon-to-be-audited-OpenSource 'Global PKI' project I've been working on for the last three years. As the first three or four thousand geeks started using Ciphire and seem happy, with some tech articles written, I guess the /. community might find this interesting, too. Ciphire hopes to have solved the problems that prevented PGP from a broader deployment, with even higher security standards - as already confirmed by crypto experts Housley & Ferguson. More useful information, e.g. in Wired or in the Nerd^H^H^H^Hexperts FAQ."

29 of 345 comments

  1. GPG? by Anonymous Coward · · Score: 5, Insightful

    What's wrong with the GNU Privacy Guard?

    1. Re:GPG? by digitalchinky · · Score: 4, Insightful

      Absolutely nothing. Ciphire might be 'the good guys' but how can you tell? Sure, they are 'going' to release their code, but what's in it right now?

    2. Re:GPG? by Jsprat23 · · Score: 3, Informative

      "Getting GPG to work on windows requires Cygwin, which is a pain in the ass. If it doesn't work *transparently* on Windows, there'll never be a critical mass of people using it."

      This is patently untrue. I downloaded the windows binaries from gnupg.org and followed the directions on enigmail.mozdev.org and had my dad encrypting email in about 15 mins. No cygwin required.

      The biggest problem we encountered was his windows clock wasn't sync'd to a time server, and I had to wait to import his key because it had been created in "the future".

  2. yeah right... by lordkuri · · Score: 4, Insightful

    Ciphire hopes to have solved the problems that prevented PGP from a broader deployment

    so how exactly are you getting it installed and turned on by default in Outlook and Outlook Express?

    tell me I'm wrong if you want, but that's the only way you'll get Jane and Joe 6pack to use it.

    1. Re:yeah right... by dq5+studios · · Score: 5, Funny

      so how exactly are you getting it installed and turned on by default in Outlook and Outlook Express?

      A new e-mail worm?

    2. Re:yeah right... by anaradad · · Score: 3, Interesting

      Of course it matters. Outlook is the "approved" mail client at my work and throughout the business and educational world. If this program isn't installed by the Exchange admin or desktop support, it won't be used. Even if I wanted to use it at work, I couldn't.

    3. Re:yeah right... by WebCrapper · · Score: 4, Informative

      It's actually pretty simple. I figured it out just reading the "automatically" but I'll break it down for you. Directly from their website:

      "The Ciphire Mail client resides on the user's computer between the email client and the email server, intercepting, encrypting, decrypting, signing, and authenticating email communication. During normal operation, all operations are performed in the background, making it very easy to use even for non-technical users."

      I shouldn't have to explain it any further than that here on Slashdot. That's in the first paragraph of the Technical Explanation of how it works. Later on it lists:

      "The Ciphire Mail client consists of three parts: the core client, a graphical configuration interface, and mail connector modules (redirector). Supported email protocols include SMTP, POP3, and IMAP4. The STARTTLS and direct SSL/TLS variants of these protocols are supported as well."

      For anyone that didn't get the gist - it basically redirects your mail to its own "server process" sitting on your computer then sends it out to the normal SMTP server. This is using the same technology that the current Mail virus scanners use (Think Symantec), not new technology, just used in a different way.

      On the reverse end, the "server" checks the mail and hands it to the email client making everything secure in between.

      Pretty simple way of getting Jane and Jon Doe with OE to use it if you ask me. Granted, it needs to be installed by Admin on proper machines, but that shouldn't be too much of an issue for any company that would like to secure their email - especially if you explain and show your network admins that email is USUALLY a plain text security nightmare.

  3. Why not just use enigmail with Thunderbird? by FyRE666 · · Score: 3, Insightful

    The main problem this project will encounter will be gaining momentum. PGP already has a huge userbase and infrastructure. It's not that difficult to use for anyone technically minded, and you can already buy "idiot proof" versions to plug into Outlook (I believe). For anyone using Thunderbird, the enigmail plugin offers PGP for free, which works great.

    Maybe I'm missing something?

    1. Re:Why not just use enigmail with Thunderbird? by NoMoreNicksLeft · · Score: 4, Insightful

      I agree, but I wish enigmail would be included in thunderbird by default. The thunderbird/firefox philosophy is to include only the essentials, right? Anything else should be a plugin/extension. Well, for email, I would think that pgp is an essential, and they need to consider it such.

  4. Useless... by gst · · Score: 5, Insightful

    And what are the advantages? We already have the OpenPGP standard which is implemented by GnuPG and PGP. People who prefer free software are able to use GnuPG which is licensed under the GPL. If someone prefers commercial software he can use PGP - it even comes with a nice GUI if you use it on Windows. So let's look at your product: Non-free, no source code, not standards compliant, binaries only available for a limited number of platforms. So - in your posting you say "OpenSource" - on the webpage you write that you may publish the source in the future, but that it will only be free for non-commercial users. This is NOT OpenSource - see http://www.opensource.org/docs/definition.php for the definition of what OpenSource means. Anyway, are there ANY advantages why I should even bother to download your product? Ah - don't mind - I just noticed that there aren't any LinuxPPC binaries, so I can't use it.

    1. Re:Useless... by TedCheshireAcad · · Score: 3, Insightful

      PGP is a known secure cryptosystem. Fact of the matter, there is no need for new cryptosystems. We already have PGP, RSA, and Rijndael. All are known secure to the limits of computability. What work really needs to be done is protocol analysis.

    2. Re:Useless... by gst · · Score: 3, Insightful

      RFC 2440 and RFC 3156 look pretty much like an IETF standard to me. See http://www.ietf.org/html.charters/openpgp-charter.html for further information.

      As for the GNUPG point. As a user I really don't care how the source code looks as long as it works. Further, GNUPG seems more or less secure to me - there weren't that many security advisories yet.

      And if you don't want it you can use PGP - there's a freeware version of it too.

      So WHAT are the advantages of Ciphire?

    3. Re:Useless... by khrtt · · Score: 4, Insightful

      1. There is no such thing as a "known secure cryptosystem". "Thought to be secure" is not the same thing, as people have proven many times over.

      2. PGP is not a cryptosystem - it's an application program. "Cryptosystem" means algorithm. It's the same thing as "cipher", essentially.

    4. Re:Useless... by justins · · Score: 3, Informative

      First off, tell me. Which standards does PGP [or SSH and SSL for that matter] follow?

      http://www.ietf.org/rfc/rfc2440.txt
      --
      Now before I get modded down, I beg to remind whoever might read this that what I am saying is FACT. - bogaboga

    5. Re:Useless... by justins · · Score: 4, Insightful

      Oh, so as I understand it RFC2440 was written and THEN PGP v1 was written?

      Thanks for history v2.0

      Huh? You asked a question, I answered it.

      I certainly don't think RFC2440 is any less valid or useful for having been created after a successful implementation was created. That's how standards ought to be created. Standards created before the implementations, or in conjunction, are more likely to suck.

      The comparison with PGP and GPG is illustrative of why this new toy will not be leading to any new standards. No open source, no peer review, no new needs being addressed, no new ground being broken. Who gives a shit?
      --
      Now before I get modded down, I beg to remind whoever might read this that what I am saying is FACT. - bogaboga

    6. Re:Useless... by mark*workfire · · Score: 5, Insightful

      PGP is a known secure cryptosystem. Fact of the matter, there is no need for new cryptosystems.

      Well, I guess all that needs to be invented has been invented. We already have an operating system majority (Windows). There's already a major chip vendor (Intel). Antec makes the best cases, so let's just tell all the others to stop.

      Maybe, just maybe, a little mind opening is needed here? Perhaps there's something about (Cipher) that can be used in PGP, or vice versa. Slashdot is full of 'competition is a good thing' type quotes, and I'd say it applies here.

  5. not really excited by l3v1 · · Score: 3, Insightful

    I mean, get lost, telling us this is better than GPG won't make us run and start using this stuff. Easier to use for joesixpacks? You mean taking GPG-key-control out of their hands and doing it in the background with some mail application? No thanks. I know GPG, I trust GPG, I use it with many OSes and with many different applications, very easily, for both signing and encrypting. As many thousands of other people do. So you'd better think of some really better arguments there, than in those linked articles.

    --
    I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.

  6. How is it free or open source? by art6217 · · Score: 5, Informative

    From their pages: "Ciphire Mail will always be free for private users, non-profit organizations, educational institutions, and the press".

  7. I'll stick to GPG and SSH protocols, thank you. by Spicerun · · Score: 5, Interesting

    Gee, why I'm not enthralled with Ciphire protocols:

    1) Another 'works perfectly program with WinXp, WinXX, etc.' that claims it will also support Linux/xBSD with no catches....where have I heard that one before?

    2) Another Certificates laden protocol in the footsteps of SSL. (ie - you can have security if you pay us the megabucks for that 3 month term Certificate, but ignore those Certificates easily faked, etc.) I wish SSL would die instead of being a Certificate money making machine.

    3) Another program that promises it will do everything SSH already does without the certificates....just buy a certificate to make Ciphire work.

  8. Not OpenPGP Compliant and no Good reason by Equinox11 · · Score: 5, Insightful

    I think this product would have been great if they would have made it OpenPGP compliant, and have a method of signing your keys for a particular email address (verify email address, send a web link, click on link and you're done). If they would have implemented all the automatic sender email matching, automatic decryption, automatic signing, etc. with the current (OpenPGP) standards it would be great.. You would already have a compatible userbase & everything. But as of now I have to support two standards, S/MIME and OpenPGP, when communicating with people.. Why would I want to recommend to a less technical friend a 3rd one? I'll just set them up with Thunderbird/Mozilla and Enigmail (http://enigmail.mozdev.org). If you haven't looked at enigmail check it out.. I'm very impressed with it, and it works fine under Windows too.

  9. Re:Methodology for open sourcing it by Daniel+Ellard · · Score: 3, Insightful

    This is a common problem for protocol-oriented tools of this type, at least if I correctly guess what they're thinking...

    Such tools are useful iff their interface is rigidly defined. If it starts diverging into a dozen things that look similar but aren't entirely compatible, nobody will use any of them. If, on the other hand, the system is reasonably good at the start, the probability of major forks is reduced. So sometimes it's useful to keep such projects "closed" until it's stable and complete.

    At least, I have heard such arguments made in the past. The other alternative is that the code is such an embarrassing mess that they don't want anyone to see it -- I've heard that argument made as well (heck, I've got code I plan to release someday myself, as soon as I get around to adequately commenting it...).

    --
    Disclaimer: I work for a company, but I don't speak for them.

  10. Re:a better question by DrSkwid · · Score: 4, Insightful

    ever heard the expression "secure by default"

    encrypted email stands out from unencrypted email

    If the bulk of email was encrypted then it is harder to determine that which is encrypted for a reason and that which isn't. This adds value to the use of encryption.

    I don't really need to ssh between servers on my LAN or run my vnc sessions through an ssh tunnel or use scp when I could use Samba but I do, partly because it means I am using best practices so when I am in a situation where it is desirable I am familiar with the operation and am familiar with the tools I will need and not be sat there saying "bugger, I forgot to select 'use secure connection'".

    I don't really need to lock my car every time I walk 10 yards from it to the cashpoint but I do because it is best practice.

    --
    There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter

  11. Transparent? Easy? by Kickasso · · Score: 3, Insightful

    Fuggedaboutit. There's a central server with an account for each user. There's a new GUI mail client (!) There's no compatibility with existing formats like S-MIME or PGP/GPG. Thanks, but no thanks.

  12. -----BEGIN PGP MESSAGE----- by Anne_Nonymous · · Score: 3, Funny


  13. free as in "free beer"? by g2ek · · Score: 5, Informative

    2. LICENSE GRANT

    (a) Subject to all of the terms and conditions set forth in this Agreement, Licensor grants to Licensee a non-exclusive, personal, non-transferable, non-sublicensable right, during the term of this Agreement, to use the Software, and the Services solely for Licensee's own Personal Use and in accordance with the applicable documentation and instructions made available by Licensor.

    (b) In no event shall Licensee distribute, display, or otherwise make available to any third party, the Software (including any copy, portion, extract, or derivative thereof).

    (c) Licensee shall not, and shall not assist, enable or otherwise permit or allow any third party to, (i) alter, adapt, modify, translate, create derivative works of, (ii) except to the extent expressly permitted by mandatory applicable law notwithstanding an agreement to the contrary, decompile, disassemble or otherwise reverse engineer or attempt to derive the source code of, or any technical data, know-how, trade secrets, processes, techniques, specifications, protocols, Key and data-formats, methods, algorithms, interfaces, ideas, solutions, structures or other information embedded or used in, (iii) rent, lend, loan, lease, sell, distribute or sublicense, or (iv) remove, alter or obscure any proprietary or restrictive notices affixed to or contained in, the Software or any copy, portion, extract or derivative thereof. In addition, Licensee shall not provide, disclose or otherwise make available the Software or any copy, portion, extract or derivative thereof, or permit use of any of the foregoing by or for the benefit of any third party (including, without limitation, on a hosting, service-bureau, time-sharing or subscription service basis).

    (d) The Software is licensed as a single product package and Licensee shall not, and shall not assist, enable or otherwise permit or allow any third party to, separate the Software, or use any component parts thereof other than as part of the Software as and in the form provided by Licensor.

    (e) Licensee shall not use the Software other than in connection with the Key-Data and the Services provided by Licensor under this Agreement.

    https://www.ciphirebeta.com/about/eula.html

  14. Re:a better question by Aeiri · · Score: 3, Funny

    Exactly. I don't have to lock my screen every time I move 3 feet to go to the bathroom and the only people in the house are incompetent and have never even heard of Linux before, with doors that are locked and bolted and 3 inch windows, and on top of that, use this alias to start X:

    alias x="startx -- -nolisten tcp & disown; clear; logout"

    So that they can't CTRL+ALT+F1 or CTRL+ALT+Backspace into a logged in tty.

    It's just... wait.. now that I think of it that is a little overkill...

  15. Centralized directories are bad ! by louarnkoz · · Score: 5, Insightful

    If you look at the little pictures "how it works" on the ciphire site, it appears that before sending a mail to Bob, Alice retrieves Bob's certificate from the ciphire central server. Really? And that is private e-mail? They must be kidding!

    What do you think will happen if someone, say in the name of the war on drugs, wants to interfere? Presto, they can convince the central server to yank Bob's key from the directory and replace it by one of their choosing. Some privacy!
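One client-side mitigation for exactly this substitution risk, as an added example that is not Ciphire's code or anything posted in the thread: pin the fingerprint the directory first served for a recipient (trust on first use) and refuse to send when a later lookup returns a different key. The sample keys, the email address and the simulated directory are constructed for the demonstration.

```python
# Added example: trust-on-first-use pinning of directory-served keys.
# A client that keeps its own record of the key it first saw for Bob
# can detect when a central directory later hands back a different one.
import hashlib
import json

# Constructed placeholder keys; a real client would see certificates.
BOB_KEY_V1 = b"-----CONSTRUCTED KEY----- bob-key-1"
BOB_KEY_V2 = b"-----CONSTRUCTED KEY----- bob-key-2"   # the substituted key


def fingerprint(key_bytes: bytes) -> str:
    """SHA-256 of the served key; SHA-256 is one hash the thread names."""
    return hashlib.sha256(key_bytes).hexdigest()


class PinStore:
    """Per-recipient record of the fingerprint first seen for that address."""

    def __init__(self) -> None:
        self._pins: dict[str, str] = {}

    def check(self, email: str, served_key: bytes) -> str:
        fp = fingerprint(served_key)
        pinned = self._pins.get(email)
        if pinned is None:
            self._pins[email] = fp     # first contact: remember this key
            return "pinned"
        if pinned == fp:
            return "match"             # directory returned the key we trust
        return "changed"               # different key: do not encrypt to it

    def dump(self) -> str:
        """Serialised pins; a real client would persist these on disk."""
        return json.dumps(self._pins, sort_keys=True)


def simulate() -> list[str]:
    """Three lookups against a constructed directory that gets tampered with."""
    directory = {"bob@example.invalid": BOB_KEY_V1}   # constructed server
    store = PinStore()
    results = [store.check("bob@example.invalid", directory["bob@example.invalid"])]
    results.append(store.check("bob@example.invalid", directory["bob@example.invalid"]))
    directory["bob@example.invalid"] = BOB_KEY_V2     # key yanked and replaced
    results.append(store.check("bob@example.invalid", directory["bob@example.invalid"]))
    return results


if __name__ == "__main__":
    for status in simulate():
        print(status)
```

Pinning does not stop a directory from lying on the very first lookup; it only makes a later substitution visible to the client, which is why the first contact still needs an out-of-band fingerprint check.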

  16. I'm also worried about.... by TVC15 · · Score: 5, Insightful

    8. PRIVACY Licensee hereby expressly agrees and acknowledges that Licensor may collect, store, disclose to third parties and otherwise use and process (collectively "Process") Personal Data in connection with the Services, this Agreement and Licensee's use of the Software, and Licensee hereby authorizes Licensor (including its officers, directors, employees and agents and its suppliers and licensors) to Process Personal Data to the extent reasonably required or useful in connection with the provision of the Services and/or the execution of this Agreement, and in compliance with Licensor's current privacy policy as shown on Licensor's website (www.ciphire.com).

    what's that about?

  17. Re:Careful: not very secure, not very trustworthy by A+Naughty+Moose · · Score: 3, Informative

    I hope it's not a homegrown hash;

    Well, according to their cryptographic functions page, they are using SHA-256 and Whirlpool-512 hashing.