Yes, I agree with you, but what I was saying is that if you have enough resources you can often get around encryption and also it doesn't mean that we should make eavesdroppers work easier by not encrypting.
Actually the hes right, if you have 50 billion dollars to spend there are other methods to eavesdrop you, like installing microphones and cameras in your place.
But encryption makes it much more expensive for government to eavesdrop on all it's citizens and vice-versa not using encryption in all of your communications makes it very easy for powerful entities (corporations, governments etc.) to monitor you.
When I tell people that webmail is insecure by design (with the exception when you're using it for your own domain name) they usually are surprised by it.
Not yet, I think it should get through few new versions, look how it will behave in real life, fix possible fundamental problems if found and then submit to IETF.
Actually for these purposes it will be best to switch to a system which is simple and where encryption can not be switched off, this way once you've installed that system to your friend you tell them that they can contact you only through that system and so there are chances that they will start using that system to communicate with other people.
Actually standard encryption is very difficult to use for most not IT people.
I've tried to solve it in ResoMail, it only requires you to install the soft (ResoMail client) and to know your e-mail address and activation key, it's like an one time password which allow your public key to be automatically signed by domain owner key. Everything is done under the hood, client automatically sends public key to the server, server sends it to domain owner, domain owner daemon automatically signs it and sends it back to server and server sends it back to client.
Now it's in beta stage, you can request a free domain name install the server and play with it.
And I think it's easy to combat this Truecrypt vulnerability (and I think it's not only the Truecrypt vulnerable) by wiping the memory before shutdown.
Actually encryption is not only about encryption, but also about authentication and if all files in OS would have been signed, there would have been a lot less corrupted files.
I think that for static pages it's possible to implement something like page signing, so that it will be possible to download those pages without encryption and still be sure that pages are authentic. For example if you're downloading a page from site A, but it's signed with signature of site B then it's a problem.
I want to point out that in Russia books already are napsterized, they have a lot of pirate libraries most popular is http://lib.rus.ec/ (which is often DDosed, by copyright owners) also there is official e-book store http://litres.ru/ which sells almost all new science fiction and fantasy books for a reasonable price (most of the time less than paper book)
Slashdot Mirror
What about a p2p software, which will be free and run on your computer?
Yes, I agree with you, but what I was saying is that if you have enough resources you can often get around encryption and also it doesn't mean that we should make eavesdroppers work easier by not encrypting.
Actually the hes right, if you have 50 billion dollars to spend there are other methods to eavesdrop you, like installing microphones and cameras in your place.
But encryption makes it much more expensive for government to eavesdrop on all it's citizens and vice-versa not using encryption in all of your communications makes it very easy for powerful entities (corporations, governments etc.) to monitor you.
When I tell people that webmail is insecure by design (with the exception when you're using it for your own domain name) they usually are surprised by it.
Not yet, I think it should get through few new versions, look how it will behave in real life, fix possible fundamental problems if found and then submit to IETF.
Switch to an alternative system, don't use e-mail - it's outdated :-)
Actually for these purposes it will be best to switch to a system which is simple and where encryption can not be switched off, this way once you've installed that system to your friend you tell them that they can contact you only through that system and so there are chances that they will start using that system to communicate with other people.
Actually standard encryption is very difficult to use for most not IT people.
I've tried to solve it in ResoMail, it only requires you to install the soft (ResoMail client) and to know your e-mail address and activation key, it's like an one time password which allow your public key to be automatically signed by domain owner key. Everything is done under the hood, client automatically sends public key to the server, server sends it to domain owner, domain owner daemon automatically signs it and sends it back to server and server sends it back to client.
Now it's in beta stage, you can request a free domain name install the server and play with it.
You can start by using a system where encryption is by default and cannot be turned off. I know at least one such system :-)
I've developed an alternative to e-mail which is secure by design. You can check it at http://resomail.com/
Article says it's based on Eclipse and that you can still have your standard Eclipse with it.
How? Game consoles don't have private keys.
And I think it's easy to combat this Truecrypt vulnerability (and I think it's not only the Truecrypt vulnerable) by wiping the memory before shutdown.
By the way, ResoMail allows you secure hosting, which will prevent your keys being compromised if server is compromised.
Actually encryption is not only about encryption, but also about authentication and if all files in OS would have been signed, there would have been a lot less corrupted files.
ResoMail has automated key exchange, it's lot better than currently existing products and is completely transparent to end user.
I think that for static pages it's possible to implement something like page signing, so that it will be possible to download those pages without encryption and still be sure that pages are authentic. For example if you're downloading a page from site A, but it's signed with signature of site B then it's a problem.
I think there should be used a technical solution to not allow somebody to use someone else's e-mail address.
What advise you'll give to ResoMail?
Do you read a lot of Russian books, or there are sources of English books in fb2 format?
Current e-mail is a joke, ResoMail in short time will replace current e-mail :)
I think SSL has a too complicated installation procedure on most platforms.
I want to point out that in Russia books already are napsterized, they have a lot of pirate libraries most popular is http://lib.rus.ec/ (which is often DDosed, by copyright owners) also there is official e-book store http://litres.ru/ which sells almost all new science fiction and fantasy books for a reasonable price (most of the time less than paper book)
Why do you think that only government can do it?
For most people night charging will be acceptable.