Slashdot Mirror


Two Years After Snowden Leaks, Encryption Tools Are Gaining Users

Patrick O'Neill writes: It's not just DuckDuckGo — since the first Snowden articles were published in June 2013, the global public has increasingly adopted privacy tools that use technology like strong encryption to protect themselves from eavesdroppers as they surf the Web and use their phones. The Tor network has doubled in size, Tails has tripled in users, PGP has double the daily adoption rate, Off The Record messaging is more popular than ever before, and SecureDrop is used in some of the world's top newsrooms.

20 of 69 comments

  1. TrueCrypt by Anonymous Coward · · Score: 4, Interesting

    ...and not a word about TrueCrypt? Is there any commonly used alternative, or do people just not care?

  2. Re:Really? by Anonymous Coward · · Score: 2, Funny

    Encryption causes heart disease and high cholesterol.

  3. Re:Secure Skype Replacement? by Hadlock · · Score: 2

    In theory you could run a Mumble server on a private VPS. When I did it I used a VPS of the most minimal specs I could purchase at the time (1 CPU, 1 GB RAM, Linux) for about $7/month. I ran a Mumble server for a community of about 3000 users for a couple of years and we would have 200 concurrent users with no latency issues. Voice and chat go over TLS. Mumble does not offer video chat, however.

    --
    moox. for a new generation.
  4. Re:Secure Skype Replacement? by Anonymous Coward · · Score: 2, Interesting

    Telegraph is already being targeted by LE, some users in UK and AU using it for terrorism-related purposes had their messages found. It was probably just poor opsec but Telegraph has had some serious problems before and that was with them using very industry standard methodology when it comes to encryption, they also have an over reliance on Qt from what I've seen in their code. I recommend Tox and its associated clients, the clients are rubbish UI-wise (unless you like CLI/ncurses with Toxic) but tox-core and its crypto library, NaCl, appear to be solid. Keep in mind that the encryption used is not as mature as most industry standards. It basically relies on NaCl crypto_box which is curve25519xsalsa20poly1305, Tox uses Opus for audio and VP8 for video, fixed bitrates. Video is basically unusable due to bitrates but audio manages to work OK but probably not for geographical areas you would want such high security. Tox's main problem is usability, not just in clients but the protocol too. There is no true multi-device support, no persistent groups, no "offline messaging" (some might call that a feature though) and these are artefacts of the protocol design.

  5. "PGP has double the adoption rate...." by Anonymous Coward · · Score: 2, Insightful

    Sadly, it could have 10 times the adoption rate, and to an excellent approximation, it would still be true that nobody uses it.

  6. Slashdot's privacy tools are terrible by turp182 · · Score: 2

    I don't want to live in a world where terrible user experience is an effective weapon to keep information private!

    --
    BlameBillCosby.com
  7. Re:Secure Skype Replacement? by SuricouRaven · · Score: 2

    I use OTR or Retroshare for text-only IM and messaging, but neither does voice - it's been a 'coming soon' feature on Retroshare for a very long time.

  8. DNS Record public encryption key by ealbers · · Score: 2

    I don't know why we don't change the DNS records to include a public key for every record.
    Then every site would be able to add a public key for everyone to communicate with it.
    Just add it to the existing zone record response

    1. Re:DNS Record public encryption key by Anonymous Coward · · Score: 3, Interesting

      Because that would create an obvious way to poison the DNS records so that a site would become unreachable. Something very easy for a government to do. It would make everything in China and Russia immediately lower to their knees. It would eventually happen in other places but would just take longer.

    2. Re:DNS Record public encryption key by WuphonsReach · · Score: 2

      That requires DNSSEC and DANE to be effective. There's momentum for both, but neither will hit mainstream until Google's Chrome forces it.

      Ultimately, I expect a mix of pinned-certificates, DNSSEC/DANE, and cloud-based reputation for certificates (is everyone else seeing the same certificate?).

      Key management is hard -- really hard. It's the weak link of modern encryption.

      --
      Wolde you bothe eate your cake, and have your cake?
  9. Re: Secure Skype Replacement? by Anonymous Coward · · Score: 2, Interesting

    Look, I'll put it in very simple and very straightforward terms: there is no secure communications anymore if you intend "secure from the government". There is none, and there will be none. Because the moment someone develops it, they get a visit from law enforcement who will tell them in no uncertain terms to keep a backdoor open for them or else... No elses, really. You have to comply. And you will. So get over it, there is and there will never be anything secure from the government.

  10. I see nothing by houghi · · Score: 3, Interesting

    I believe that something serious is being done as soon as I start seeing gpg signatures in emails. To me that is the first step. Not so much the encoding and that nobody can read it, but that I am sure that the mail from my bank is from my bank.

    Because not only will that show me that they are doing something about it. It will show me that they are serious. It will also show others and will make other people start using it.

    That way I can send an email from my address, sign it and it will be official. There are obviously several ways of doing this.

    --
    Don't fight for your country, if your country does not fight for you.
  11. Government Obstructionism by Greyfox · · Score: 2

    We're, what, about four decades on now and you can't even get a mail client with the tools integrated out of the box. The laws on the books effectively prevent it. Until that changes, there'll be no progress made on that front. Maybe in this climate, a few candidates running on a pro-privacy platform would be viable, but I doubt it'd get enough traction to make a difference.

    While we're on the subject though, what the fuck is up with mail client interfaces getting worse and worse? The UNIX text-based clients provide far better interfaces than any graphical client I've ever used, and they're currently falling into disrepair. Hell, I don't think anyone's actually touched the VM code in about half a decade, and it has the best threading and thread-handling options I've ever seen in any mail client. Kill-by-thread from any message in the thread makes keeping those useless IT notifications from the company a snap. It also had pretty decent integration with GPG, even if you did have to add it in yourself. Paired with the MIT remembrance agent, it did a great job of reminding you what you did to fix a problem six months ago when the exact same problem cropped up. I've never seen functionality like that in any other mail client.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  12. Re: Secure Skype Replacement? by Anonymous Coward · · Score: 3, Insightful

    That argument only works if you are a "person of interest". For 99.9999% of people, the point is to avoid mass surveillance, not targeted surveillance. Yes, if the government targets YOU, you are fucked. But that is not the threat model that applies to almost everyone, and it remains highly useful to frustrate the mass surveillance state.

  13. Re:The vast majority still don't care by dcollins117 · · Score: 3, Interesting

    Because no one else would need to use weapons-grade encryption.

    True, I don't need to use encryption everywhere, but I do just because I can. It amuses me that if anyone wants to snoop on my communications that they see the digital equivalent of an upraised middle finger, and not my plaintext.

    I also enjoy the fantasy of someone spending an inordinate amount of resources to decrypt my emails only to discover that all I'm doing is sending LOLcat photos to my friends.

  14. Re:Veracrypt by MyFirstNameIsPaul · · Score: 3, Interesting

    Schneier has some interesting points in this blog post.

    --

    I once took an excursion to Reddit, and later HN. Unlimited up/down voting sucks when dealing with a hive-mind.

  15. Re: Secure Skype Replacement? by Steve+B · · Score: 2

    That's the whole point of making good communication security as close to universal as possible.

    --
    /. If the government wants us to respect the law, it should set a better example.
  16. For beginners... by robot5x · · Score: 2

    I'd like to send a link to my friends introducing them to some encryption tools that they can readily use, and maybe some good write-up on why it's important - any tips? Thanks.

    --
    Hej! Nasi tu byli!
  17. Re:Secure Skype Replacement? by TheRealLifeboy · · Score: 2

    Tox & Venom

  18. Re:Secure Skype Replacement? by fibbooo · · Score: 2

    Am I missing something, or are you all meaning `Telegram' when writing `Telegraph'? (I understand they use some self-created cryptography (security-wise not the best idea).)

    NaCl is also used by Threema (my messenger of choice), btw.