Ask Slashdot: Cryptography in Mail software?
Bartmoss asks:
"Obviously, nobody will use encryption if two problems
occur: (a) your friends won't be able to read your mail
because they don't have crypto, and (b) your software
doesn't have crypto. I'm wondering - are there good HOWTO's
and info sites on how to plug encryption into leading mail
software for UNIX, Mac and Windows? What Windows-Software
supports PGP, and which can have PGP support added? Does
anybody have information on clients people could use for
crypted mails?"
Everyone in the GNU/Linux world
should be talking about GPG instead of PGP
GPG aka GnuPG aka GNU Privacy Guard
fully OpenPGP compatible
http://www.d.shuttle.de/isil/gnupg/
http://www.gnupg.org
there is even a wrapper for compatibility with
pgp 2.6
http://www.nessie.de/mroth/pgpgpg/
For those using Emacs for email, Mailcrypt
is an excellent tool for integrating PGP
support. Also, the original author, Pat LoPresti,
is a nice guy.
Develop your own provably secure encryption algorithm, and then whenever you want to send email to a friend, encrypt it 3 or 4 times over with different keys, zip it using InfoZip but change the extension to ".tgz" or ".tar.gz" (very important!), then uuencode it and encrypt the result. Now split the file up into a thousand chunks and intersperse them in an MPEG animation as spurious frames. Take note of which frames have the real data in them and split the numbers up into groups of 4 (this will be important later on). Now place the MPEG on a zip disk, mislabel it as "holiday pictures" (sneaky!) and place in a regular postal envelope. Finally, hire out a Brink's truck and 4 guards to drive the package to the intended recipient. Make each of the 4 guards memorize one group of the MPEG frames without telling them what it is.
VOILA! One secure email!
If you use Pine, there is a package called PGP4Pine which you can find at
freshmeat. It lets you use PGP seamlessly in Pine. I haven't personally had time to set it up but a bunch of my friends use it and recommend it.
Bah. Cryptography in Mail is a joke. It's something to play with, but really isn't all that useful in the real world. Let's face it, unless you're really dealing with really sensitive matters, the hassle involved with encryption isn't worth it, and all it really does is call attention to yourself. Think about it. If I was a government agent in charge of snooping through email don't you think that I would have a scanner similar to a virus detector looking for encrypted messages? The scanner may not be able to decrypt the messages, but it could flag and save the headers (including the addresses of the computers sending and receiving the encrypted mail) to a file so they could be investigated later by human field agents.
I really think you encryption supporters are really operating under a false sense of security. If the government really wants to get you, they will. End of story.
For MUA integration, see Mail User Agent Survey
You don't even need to delve into the source. Here is a sample muttrc which will redefine all the key bindings to their pine equivalents.
Insofar as unix is concerned, you simply cannot beat mutt (http://www.mutt.org/) for a pgp-aware mailer.
If you're currently using either pine or elm, you're doing yourself a serious disservice not looking at mutt. It's easier, more flexible, and more powerful than any of the alternatives.
PGP support is top-notch and native, for both v2 and v5 pgp. Highly recommended.
Around here, my friend with windows use Outlook and
PGP, and I use exmh and GnuPG, and they interoperate
great!
-Nick
Have a look at the international PGP home page. Good links here to the standard PGP packages for most platforms. Freshmeat is a good source for Linux specific things.
That's exactly the reason why we all should use encryption for _all_ of our messages.
if someone is green to pgp then by far the easiest and most foolproof way to get them up and running is via pgp's native mail client plugins for outlook, outlook express, and eudora.
my suggestion is eudora light 3.0.6, at www.eudora.com. intuitive interface (remember netscape mail three ugly panes from hell? phooey.) and simple.
then stop by www.pgpi.com to pick up your preferred pgp version. 6.0.2 freeware works fine for people in the us. you'll want 6.0.2i (the international version) if you want backward compatibility, though. the great 'client selection wizard' will get most people through.
once you get these two programs up and running exchanging encrypted e-mails is a snap. just click 'encrypt/decrypt' (or sign, or whatever) right in eudora.
good luck. i've always believed that as more and more people use pgp, the 'digital worth' of each pgp-encrypted message increases. please help as many people as possible to download, use, and support pgp. it helps us all.
www.pgpi.com
www.pgp.net
wwwkeys.pgp.net
What?? having 2 or more 160bit keyID/fingerprint?
0 0
160 bits means approx
14600000000000000000000000000000000000000000000
possible.
Another barrier to encryption is the use of virus sweepers; some sysadmins are now paranoid about mail viruses, and process all the mail through some filter that gives them a warm fuzzy feeling (and probably little else).
.. as a result, we've just been asked to remove both encrypters and decrypters from our systems.
These systems can't work with encrypted mail (obviously)
Makes you wonder whether the antiencryption spooks are behind the mail viruses, doesn't it?
Netscape doesn't support PGP encryption. There's been a lot of discussion over at the mozilla crypto newsgroup on the hows and whys. Basically, AOL/Netscape's interpretation of the stupid US cryptography export regulations prevents them from even exposing their API for cryptographic processing. Some folks at NAI volunteered to help out, which elicited some favorable noises on the part of Mozilla, but no visible action. They may be working on it behind the scenes however.
Netscape Messenger owns a huge share of the Internet email client market. The lack of PGP support is a substantial impediment to the widespread adoption of PGP as a standard for Windows email. I'm not too fond of NAI, but I'd like to see this particular product succeed, since it's in such widespread use on Unix.
"Even if you are on the right track, you'll get run over if you just sit there" - Will Rogers
I agree that everybody should use encryption all the time. The best analogy I've heard is to snail mail:
Encryption is an envelope. I notice that almost all snail mail is sent in envelopes instead of postcards.
I suspect that if most users inherently understood this analogy and the technology underneath, the desire for encryption would be much more widespread.