On Wed, Jul 06, 2016 at 09:22:52AM -0400, Steve Furlong wrote:
> For anything I want to keep secure, I use encryption. I had been relying on encrypted email -- GPG on my end, usually a PGP mail client plugin on the other end. I'm getting away from that because certain email correspondents who are not me seem to have trouble with even the relatively easy-to-use plugins. E.g., one normally technically savvy guy kept sending me signed rather than encrypted messages containing very sensitive material, and another guy could not manage to send me an encrypted message that I could decrypt.

Run your own server, preferably at home. Provide a web frontend. Have those people with whom you need secure communication sign up for a fancy new email account on your server. Only send email to their email account on your server. If it's really, really important, block their email account from sending email outside your server - they can still download attachments, but they can't "make an easy mistake" since they have to be intentional. If you provide POP or IMAP access, only allow encrypted access. If your contacts use the web interface, and you -really- want "security" (to the level you are confident in your own server, at least), then issue your own Certificate Authority and server Certificate, and meet your contacts in person, manually installing your server certificate into their browser certificate directory! NEVER trust ANY external Certificate Authority for any server or communications that is highly sensitive! Feel el1te!!!

> Lately I've been using non-email communications if I want to keep it private.

If it's on a phone or fax, or in front of a Samsung TV, or near any land line phone that's been certified by your national telecommunications authority, or in a public WiFi cafe which is likely bugged, or near any mobile phones that are switched on, or .... etc ... then assume your conversation is property of your national government and most likely the "five eyes" (USA, Australia, New Zealand, UK, Germany).

> A variant of a "send a message to this website's administrator" page, transmitted over SSL, is good enough for my purposes. It's not encrypted on my server and the response page is not encrypted on the recipient's computer, but at least it is (or should be) safe from casual snooping along the way.

> None of the above is meant to be the definitive answer to private communications or to worries about snooping. So far as I know it works well enough for my expected threats. Suggestions for improvement are welcome.

Use a chat application which provides PFS / perfect forward secrecy, and allows transfer of files - that's another approach. There are plenty more.
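The "issue your own Certificate Authority and server Certificate" step in the reply above is easy to get subtly wrong (no SAN, a CA key left world-readable, a chain that was never actually verified). The script below is an added example written for this page, not code from either poster: it builds a private CA with the stock `openssl` CLI, issues a server certificate for the home mail host, and then checks two things a practitioner cares about: that the certificate validates against the private CA, and that it does *not* validate against the system's public trust store, which is exactly the property that makes the in-person installation of `ca.crt` into each contact's browser necessary. The hostname `mail.home.example`, the working directory and the CA name are placeholders.

```sh
#!/bin/sh
# Added example (not from the original thread): a minimal private CA for a
# self-hosted mail web frontend, using only the openssl command-line tool.
# Placeholder values: WORKDIR, SERVER_NAME and the CA's common name.
set -eu

WORKDIR="${WORKDIR:-./private-ca-demo}"          # scratch directory (assumption)
SERVER_NAME="${SERVER_NAME:-mail.home.example}"  # placeholder hostname

# make_ca DIR: self-signed CA key + certificate. ca.crt is the file you carry
# to your contacts and install into their browser trust store by hand;
# ca.key never leaves the server and is readable only by its owner.
make_ca() {
  dir="$1"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:3072 -nodes -sha256 -days 3650 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "/CN=Home Mail Private CA" >/dev/null 2>&1
  chmod 600 "$dir/ca.key"
}

# issue_server_cert DIR NAME: server key + CSR, signed by the private CA.
# A subjectAltName is mandatory: browsers ignore the CN for hostname checks,
# and basicConstraints=CA:FALSE stops the leaf from being misused as a CA.
issue_server_cert() {
  dir="$1"; name="$2"
  openssl req -new -newkey rsa:3072 -nodes -sha256 \
    -keyout "$dir/server.key" -out "$dir/server.csr" \
    -subj "/CN=$name" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
    "$name" > "$dir/server.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$dir/server.ext" \
    -out "$dir/server.crt" >/dev/null 2>&1
  chmod 600 "$dir/server.key"
}

# verify_chain DIR: succeeds only if server.crt chains to our own ca.crt.
verify_chain() {
  openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# rejects_without_our_ca DIR: succeeds if the public trust store does NOT
# accept server.crt. That is the intended state: nobody but the contacts
# who installed ca.crt in person should be able to validate this server.
rejects_without_our_ca() {
  if openssl verify "$1/server.crt" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# san_of DIR: print the certificate's SAN entry, e.g. "DNS:mail.home.example".
san_of() {
  openssl x509 -in "$1/server.crt" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' '
}

make_ca "$WORKDIR"
issue_server_cert "$WORKDIR" "$SERVER_NAME"
verify_chain "$WORKDIR" && echo "server.crt chains to the private CA ($(san_of "$WORKDIR"))"
rejects_without_our_ca "$WORKDIR" && echo "server.crt is (correctly) untrusted by the system store"
```

The `rejects_without_our_ca` check is the useful one to keep in a deployment script: if it ever starts passing, a certificate for your mail host has become valid under some public CA, which is the situation the reply's "NEVER trust ANY external Certificate Authority" rule is meant to rule out.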