Slashdot Mirror


Encrypt and Sign Gmail messages with FireGPG

Linux.com (Same owners as Slashdot) has a story up about FireGPG and says "Gmail may be an excellent Web-based email application, but there is no easy way to use it with privacy tools like GnuPG. The FireGPG extension for Firefox is designed to solve this problem. It integrates nicely into Gmail's interface and allows you...

19 of 206 comments

  1. Re:And for the chat by stinerman · · Score: 4, Insightful

    Note that OTR is "better". From the OTR site:

    How is this different from the gaim-encryption plugin?
            The gaim-encryption plugin provides encryption and authentication, but not deniability or perfect forward secrecy. If an attacker or a virus gets access to your machine, all of your past gaim-encryption conversations are retroactively compromised. Further, since all of the messages are digitally signed, there is difficult-to-deny proof that you said what you did: not what we want for a supposedly private conversation!

  2. Re:Nerds with something to hide by fluch · · Score: 5, Insightful

    It is just that I don't want anybody to intrude on my privacy. Do you close the envelope of a regular snail-mail letter? If so, do YOU have something to hide??

  3. Point & Click Encryption? by RubberChainsaw · · Score: 3, Insightful

    This extension seems very cool, and I plan to try it out when I get home. When I first read the summary I thought to myself, "A firefox extension and gmail, how much simpler could it get!" But, unfortunately this is not point & click encryption. It requires an additional external program (GnuPG) to function. Even this small, relatively trivial step is too much for beginning to average computer users. Encrypted email is great and all, but I can only send it to other people with encryption-enabled email clients.

    Where is the it-just-works email encryption for dummies?

    --
    I welcome our new 99% overlords.
    1. Re:Point & Click Encryption? by Kadin2048 · · Score: 4, Insightful

      Where is the it-just-works email encryption for dummies?

      AFAICT, it doesn't exist. At least not outside of corporate environments. There are lots of companies that have their encryption set up so that it's transparent to non-technical employees, but it's a lot of work for the people who actually make it run. Lotus Notes, for instance, will do public-key cryptography, using company-wide keyservers -- although it's a proprietary algorithm, or was last time I checked. Once you have the infrastructure in place, the users don't have to think much about it, besides clicking 'encrypt and sign' on the emails they want secured.

      I've also heard that within Apple, they use Apple Mail with S/MIME to great effect ... but if you're just a regular user, getting that feature working is a real PITA. (Though admittedly, most of the trouble is because of the certificate authorities.)

      I think the problem with the free encryption tools is that they're still very much a 'hacker's product,' being designed by fairly advanced users, for other advanced users -- or at least, for users who don't have a problem installing extra software in order to communicate securely. This, IMO, is a mistake; in order for an encryption system to be useful, it has to be widely used. And that means getting it into the hands of people who might not even think, in advance, that they want it. There are lots of people who aren't going to go out and download/install encryption software, but if the feature was there, and working, all the time, they'd probably find themselves clicking the 'Encrypt' button quite a bit.

      There's no real reason why encryption can't be built in. It's just that it tends to get viewed as a peripheral, rather than core, feature, in everything except some corporate packages. However, I think that if it was incorporated more widely, it would quickly become a core feature; but getting over that 'chicken and egg' hump is hard.

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    2. Re:Point & Click Encryption? by AeroIllini · · Score: 2, Insightful

      It's not just that not all commonly used products include encryption, it's that there's no standard infrastructure for key exchange.

      In a standard GPG encryption scheme, each user creates a private key and a public key. Anyone who wishes to send them a message must request their public key in order to do the encryption, and then the private key is used to do the decryption. (Sometimes to save computation time the message is actually encrypted with a symmetrical key, and then the key--which is shorter than the message--is encrypted with the public key. But that's mainly an implementation detail, and the need for key exchange still stands.)

      However, if I'm reading my mail in Thunderbird on a personal SMTP server hosted on my own DSL connection, and I want to send an encrypted email to you at your GMail address, I first need to request your public key for encryption. As it stands, there is no standard method for my server, when I click the "encrypt" button, to submit a request to Google's server and then receive in response a public key for encryption. Currently only integrated solutions, such as Microsoft Exchange or Lotus, where all the email is being routed through a single server that can hand out keys, can have this approach.

      It would require either a call-and-response system, where Server A could send a specially formatted email to Server B which would then send another specially formatted email back to Server A containing the public key, or a registry lookup system, where each user would register their public key with a public keyserver which would act like a DNS, translating email addresses into public keys for systems that request them. Both types of systems have the requirement that everyone you send email to be able to use the same system. If I'm sending an email from my home SMTP server to your GMail account, either my SMTP server has to be able to communicate with GMail in a meaningful way, or both servers (mine and GMail's) need to be set up to talk to the same system of keyservers. I imagine a workable system would include both, just like TCP/IP and DNS.

      Only when such a system is used by the majority of email systems will encryption ever be universally available.

      --
      For security, the MD5 hash of this message and sig is 09f911029d74e35bd84156c5635688c0.
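
An added example, not part of the original thread: the hybrid scheme and registry lookup described in the comment above, in Ruby with the standard `openssl` library. The in-memory Hash stands in for a keyserver; the names `seal` and `open_sealed`, the example.org addresses, and the choice of RSA-OAEP with AES-256-GCM are assumptions of this example, not a description of GnuPG's message format.

```ruby
require 'openssl'

OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

# Sender side. `directory` is a stand-in for a keyserver: a Hash that maps
# an e-mail address to a PEM public key (hypothetical registry).
def seal(directory, to, message)
  pem = directory[to] or raise KeyError, "no public key registered for #{to}"
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  session_key = cipher.random_key   # fresh symmetric key for this message
  nonce = cipher.random_iv
  cipher.auth_data = to             # bind the ciphertext to the addressee
  body = cipher.update(message) + cipher.final
  # Only the 32-byte session key goes through the slow public-key operation.
  wrapped = OpenSSL::PKey::RSA.new(pem).public_encrypt(session_key, OAEP)
  { wrapped_key: wrapped, nonce: nonce, tag: cipher.auth_tag, body: body }
end

# Recipient side: unwrap the session key with the private key, then decrypt.
# Raises OpenSSL::Cipher::CipherError if body, tag or addressee was altered.
def open_sealed(private_key, to, sealed)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = private_key.private_decrypt(sealed[:wrapped_key], OAEP)
  cipher.iv = sealed[:nonce]
  cipher.auth_tag = sealed[:tag]
  cipher.auth_data = to
  cipher.update(sealed[:body]) + cipher.final
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data: one registered user, one unregistered.
  alice = OpenSSL::PKey::RSA.new(2048)
  directory = { 'alice@example.org' => alice.public_key.to_pem }
  sealed = seal(directory, 'alice@example.org', 'meet at noon')
  puts open_sealed(alice, 'alice@example.org', sealed)
  begin
    seal(directory, 'bob@example.org', 'hello')
  rescue KeyError => e
    puts "refused: #{e.message}"   # no key, so nothing is sent in the clear
  end
end
```

The lookup failing for an unregistered address is the gap the comment points at: without a shared directory the sender has no key to wrap the session key with, so the only safe behaviour is to refuse to send.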
  4. Re:Nerds with something to hide by kevin_conaway · · Score: 2, Insightful

    Do you close the envelope of a regular snail-mail letter? If so, do YOU have something to hide??

    I'm more concerned about the letter (or worse, a check) falling out.

  5. Re:Nerds with something to hide by toleraen · · Score: 5, Insightful

    I generally close the envelope of snail mail so the mail doesn't fall out.

    I use security envelopes to obscure the contents of my mail. You probably would want to use that as an analogy instead.

  6. Re:I wouldn't think google would like this by CreatureComfort · · Score: 4, Insightful


    So... you are saying that the NSA has the ability and desire to break every ElGamal 2048-bit length encrypted message it captures with Echelon? I've seen too much of government from the inside to think that any agency operates as well as the NSA FUD would have us believe. Especially when you realize it is far easier and cheaper to make your enemies believe you have super powers than it is to actually develop those super powers, completely in-house with no outside knowledge or help.

    --
    "Unheard of means only it's undreamed of yet,
    Impossible means not yet done." ~~ Julia Ecklar
  7. Re:Nerds with something to hide by Anonymous Coward · · Score: 5, Insightful

    So if you "always" sign your messages, then you can tell off anyone you want as long as you don't sign it. Brilliant!

  8. Re:Say 'no' to gaim-encryption, use OTR by 99BottlesOfBeerInMyF · · Score: 2, Insightful

    Particularly since having two mutually-incompatible encryption packages is a pretty crummy state of affairs; it just means that the few users who do use encryption, are going to be fragmented between incompatible systems.

    This is what standards are for. We need a standard for IM encryption, possibly as part of a larger encryption framework. I have no problem advocating a standard, which I think is a lot better idea than advocating a given program/library.

    If only some of the other IM clients would start building it in by default, rather than making it an optional addon, I think it would quickly gain traction as a de facto standard.

    OTR is licensed as GPL/LGPL. As such, I'm not sure a lot of major software makers will be all that keen about implementing it. Take a look at iChat or Yahoo Messenger. They're not going to open source their application just to add an encryption format that is still pretty rare and where there is not a lot of demand. This is one of those rare instances where a BSD licensed implementation would be a whole lot more likely to solidify the de-facto standard. Realistically, I doubt that the major players are going to go open source for their clients, and as such I doubt there will be adoption of OTR unless it is submitted as a real, well documented standard and/or a BSD reference implementation is made available. We're a lot more likely to see Microsoft or AOL take over this space with a proprietary encryption scheme, which will be reverse engineered and pseudo-supported on other platforms/clients simply because people will need to communicate with the majority.

  9. Useless if GMail accessed only via POP3 by macraig · · Score: 2, Insightful

    FireGPG is great, I suppose, but doesn't help those of us who only use GMail via POP3/SMTP, both to avoid advertising and have mail archives under our own direct control.

    In fact, FireGPG actually benefits Google and its advertising goals, since it only functions via Firefox and Google's ad-infested Web interface.

  10. Re:The Fascination with Encryption by canajin56 · · Score: 3, Insightful

    Here is why you don't do that: Because why wouldn't a terrorist leave corroborating evidence lying around proving it was all just a test to psych the government out, so they can be let go? While they are interviewing your "third parties" you are being beaten half to death, electrocuted, water boarded, and raped. IF, and it's a huge, colossally massive if, they ever EVER believe you that you were just kidding about bombing NY with a dirty bomb, they will testify that you cannot be released since after your brutal torture you probably are now a terrorist even though you weren't before. Plus you can't exactly be let go since the torture techniques are classified information and you might leak them. Just like Jose Padilla. First he HAD a dirty bomb, then he was building one, then he was thinking about it, then he knew somebody who was thinking about it, then nothing...but they have ruled he can NEVER face trial, and can NEVER be released. Their reasoning is their "interrogation techniques" have irreversibly damaged him mentally, so he's too unstable to stand trial. But these "interrogation techniques" are highly classified matters of national security, so he can never ever be allowed to talk to anybody in case he tells them what they did to him (especially not a lawyer). And that would be you. Now remember, he _WAS_ a citizen, and there was no evidence against him. Still tortured and given a life sentence without the possibility of a trial. What fucking chance do you think you have if there IS evidence against you? Well you might have white skin so you just may have some kind of chance.

    --
    ASCII stupid question, get a stupid ANSI
  11. Re:Nerds with something to hide by Critical+Facilities · · Score: 2, Insightful

    Methinks thou dost protest too much. In other words, you may want to calm down a bit, you're sounding a little anxious (or jealous?).

  12. Re:Nerds with something to hide by ndogg · · Score: 2, Insightful

    http://xkcd.com/c177.html

    As always, XKCD is so relevant, it's not even funny, except it is, and so are chair dancing on the heads of penguins.

    --
    // file: mice.h
    #include "frickin_lasers.h"
  13. Re:The Fascination with Encryption by MyOtherUIDis3digits · · Score: 5, Insightful

    Man, I miss the days when a post like that would have made me laugh and I would have called you a loon...

    --
    Ignore anything I said above, I actually agree with everything you believe - mod accordingly.
  14. Re:Nerds with something to hide by semiotec · · Score: 2, Insightful

    Then just write the address and add the stamp on the letter/cheque itself, don't bother with the envelope. You can save trees at the same time!

  15. Re:And for the chat by cayenne8 · · Score: 3, Insightful

    "Well in traditional crypto/signature schemes, having a provable relation between a specific message and specific sender is a desired attribute. While there are certainly situations where you would like to verify the identity of the person to which you are chatting (wife/girlfriend/boss/etc), it appears that is not one of the wanted 'features' of this encryption protocol. Forward and backward secrecy would certainly be something most would consider useful, however."

    Well, you want to make sure it IS from the person you think it is, but, that doesn't mean you have to know who the person IS in real life.

    It would be cool if these email plugins would help make it easy to register and use the nym servers. This way you could set up an email address on each end. PGP sigs can be used, but, there is plausible deniability as to who really is at each end of the email.

    Of course if you're really worried about traceability, then set up a nym account to send out on, but, on return messages...just have it post encrypted to one of many USENET groups. You then really have a disconnect 'cause there's no good way to monitor around the world who gets what messages of USENET.

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........
  16. Silly Rabbit by Propaganda13 · · Score: 2, Insightful

    They use programs to determine who is using high level encryption. Afterwards, they plant a keylogger with burst transmitter in your keyboard. By doing it that way, they don't have to spend any time decrypting. You can use any program or level of encryption you want and it won't do any good since you are compromised at a lower level.

  17. Re:The Fascination with Encryption by alexo · · Score: 2, Insightful

    Source?