Crypto Projects that Might not Suck
Hat tip to Steve Weis twitter account @sweis
https://github.com/sweis/crypto-might-not-suck/blob/master/README.md
End User Tool Summary
This is a quick summary of tools that are generally recommended for end users. See the Encryption Works guide for more information.
GPG: Email encryption
TextSecure: Encrypted SMS Messaging
RedPhone: Encrypted voice calls
OTR: Encrypted instant messaging
Tor: Protect from network surveillance
On Thu, Apr 09, 2015 at 11:59:29PM -0700, Seth wrote:
TextSecure: Encrypted SMS Messaging
RedPhone: Encrypted voice calls
i dispute phones can handle any crypto in the interest of its physical operator. those devices are not yours, having keys on someone else's device is the category "sucks". also consider the extreme malleability of the underlying "platform" better described as bugdoor-by-design.
--
otr fp: https://www.ctrlc.hu/~stef/otr.txt
TextSecure no longer supports SMS and the data channel requires installing bundles from Google, an NSA asset. Use SMSSecure, an SMS-only fork of TextSecure, also on FDroid store now whereas TextSecure was pulled from FDroid by the devs to maintain their Google-only distribution system.
On 10 April 2015 07:59:29 GMT+01:00, Seth <list@sysfu.com> wrote:
Hat tip to Steve Weis twitter account @sweis
https://github.com/sweis/crypto-might-not-suck/blob/master/README.md
End User Tool Summary
This is a quick summary of tools that are generally recommended for end
users. See the Encryption Works guide for more information.
GPG: Email encryption
TextSecure: Encrypted SMS Messaging
RedPhone: Encrypted voice calls
OTR: Encrypted instant messaging
Tor: Protect from network surveillance
-- Sent from my Android device with K-9 Mail. Please excuse my brevity.
On Friday, 10 April 2015 10:17:44 Cathal wrote:
Use SMSSecure, an SMS-only fork of TextSecure, also on FDroid store now whereas TextSecure was pulled from FDroid by the devs to maintain their Google-only distribution system.
Didn't know about SMSSecure, thanks!
--
Regards,
Michał "rysiek" Woźniak
Changing my GPG key :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147
On 04/10/2015 03:59 AM, Seth wrote:
https://github.com/sweis/crypto-might-not-suck/blob/master/README.md
*** When EFF launched the Secure Messaging Scoreboard, lynX and I were a bit pissed that they even mentioned proprietary solutions, so we made an alternate list:
http://libreplanet.org/wiki/GNU/consensus/Secure_Messaging_Scoreboard
== hk
--
 _ _     We are free to share code and we code to share freedom
(_X_)yne Foundation, Free Culture Foundry * https://www.dyne.org/donate/
On Fri, Apr 10, 2015 at 10:44:02AM -0300, hellekin wrote:
http://libreplanet.org/wiki/GNU/consensus/Secure_Messaging_Scoreboard
i'm not sure the "mostly working" category is well researched, grarpamp, what you say about goldbug in there? :) also other items in there seem dubious. some less. ;)
--
otr fp: https://www.ctrlc.hu/~stef/otr.txt
On Fri, Apr 10, 2015 at 10:13 AM, stef <s@ctrlc.hu> wrote:
On Fri, Apr 10, 2015 at 10:44:02AM -0300, hellekin wrote:
http://libreplanet.org/wiki/GNU/consensus/Secure_Messaging_Scoreboard
grarpamp, what you say about goldbug in there? :)
Serious reservations about goldbug ethics, thus goldbug itself. Do own research, start search: cypherpunks goldbug
On 4/11/15, grarpamp <grarpamp@gmail.com> wrote:
On Fri, Apr 10, 2015 at 10:13 AM, stef <s@ctrlc.hu> wrote:
On Fri, Apr 10, 2015 at 10:44:02AM -0300, hellekin wrote:
http://libreplanet.org/wiki/GNU/consensus/Secure_Messaging_Scoreboard
grarpamp, what you say about goldbug in there? :)
Serious reservations about goldbug ethics, thus goldbug itself. Do own research, start search: cypherpunks goldbug
Now that's an understatement :)

grarpamp, you did such good work exposing that bullshit, a link to the last thread is definitely in order:
https://www.mail-archive.com/cypherpunks@cpunks.org/msg05277.html

My favourite new term from that thread is rysiek's "bullshit bingo".

Ordinarily I'd have serious concerns about anyone who slaps together a list without any checking, but this appears to be an FSF wiki page.

So I've been an FSF member for years, and can log in at FSF proper, but cannot log in on the wiki page. I've emailed FSF to find out what's going on here... they definitely need a column for "important links" and some other disclaimer(s) like "this page is updated by volunteers, FSF takes NO responsibility for the veracity, validity or verily any verifying verbatim about any virulent item below"; or something.

Cheers
Zenaan
On 04/10/2015 04:41 PM, grarpamp wrote:
On Fri, Apr 10, 2015 at 10:13 AM, stef <s@ctrlc.hu> wrote:
On Fri, Apr 10, 2015 at 10:44:02AM -0300, hellekin wrote:
http://libreplanet.org/wiki/GNU/consensus/Secure_Messaging_Scoreboard
grarpamp, what you say about goldbug in there? :)
Serious reservations about goldbug ethics, thus goldbug itself. Do own research, start search: cypherpunks goldbug
I updated the page to reflect your position.
http://libreplanet.org/wiki/GNU/consensus/Secure_Messaging_Scoreboard#Demote...

As Zenaan suggested it, let me add that LibrePlanet is a public wiki and thus does not reflect the opinions of the FSF but rather of the people editing it. That can be you :)

Thank you for the review.
== hk
--
 _ _     We are free to share code and we code to share freedom
(_X_)yne Foundation, Free Culture Foundry * https://www.dyne.org/donate/
How does one go about getting on this list? I think Confidant Mail qualifies. It uses GPG end to end, and encrypts the metadata in transit.
On 4/10/2015 6:44 AM, hellekin wrote:
On 04/10/2015 03:59 AM, Seth wrote:
https://github.com/sweis/crypto-might-not-suck/blob/master/README.md
*** When EFF launched the Secure Messaging Scoreboard, lynX and I were a bit pissed that they even mentioned proprietary solutions, so we made an alternate list:
http://libreplanet.org/wiki/GNU/consensus/Secure_Messaging_Scoreboard
== hk
Metadata includes who speaks to who, which can only be hidden by obfuscation in a mixnet, public-message-boards that recipients pull randomly or fully from, or similar ways of removing means of connecting endpoints.
On 10 April 2015 20:08:04 GMT+01:00, Mike Ingle <mike@confidantmail.org> wrote:
How does one go about getting on this list? I think Confidant Mail qualifies. It uses GPG end to end, and encrypts the metadata in transit.
On 4/10/2015 6:44 AM, hellekin wrote:
On 04/10/2015 03:59 AM, Seth wrote:
https://github.com/sweis/crypto-might-not-suck/blob/master/README.md
*** When EFF launched the Secure Messaging Scoreboard, lynX and I were a bit pissed that they even mentioned proprietary solutions, so we made an alternate list:
http://libreplanet.org/wiki/GNU/consensus/Secure_Messaging_Scoreboard
== hk
-- Sent from my Android device with K-9 Mail. Please excuse my brevity.
My software goes through Tor hidden services (or exit node if necessary) and sets up a TLS session inside that. The From address of the mail only exists inside the encrypted envelope, which only the recipient can open. If someone had a global view of the Tor nodes, they might be able to track a particular message via timing, but going through Tor prevents mass surveillance by a passive observer.
Mike
On 4/10/2015 12:28 PM, Cathal (Phone) wrote:
Metadata includes who speaks to who, which can only be hidden by obfuscation in a mixnet, public-message-boards that recipients pull randomly or fully from, or similar ways of removing means of connecting endpoints.
On 10 April 2015 20:08:04 GMT+01:00, Mike Ingle <mike@confidantmail.org> wrote:
How does one go about getting on this list? I think Confidant Mail qualifies. It uses GPG end to end, and encrypts the metadata in transit.
On 4/10/2015 6:44 AM, hellekin wrote:
On 04/10/2015 03:59 AM, Seth wrote:
https://github.com/sweis/crypto-might-not-suck/blob/master/README.md
*** When EFF launched the Secure Messaging Scoreboard, lynX and I were a bit pissed that they even mentioned proprietary solutions, so we made an alternate list:
http://libreplanet.org/wiki/GNU/consensus/Secure_Messaging_Scoreboard
== hk
-- Sent from my Android device with K-9 Mail. Please excuse my brevity.
Ah apologies, I thought you meant it only obfuscated "internal" metadata, i.e. headers.
On 10 April 2015 21:43:51 GMT+01:00, Mike Ingle <mike@confidantmail.org> wrote:
My software goes through Tor hidden services (or exit node if necessary) and sets up a TLS session inside that. The From address of the mail only exists inside the encrypted envelope, which only the recipient can open. If someone had a global view of the Tor nodes, they might be able to track a particular message via timing, but going through Tor prevents mass surveillance by a passive observer.
Mike
On 4/10/2015 12:28 PM, Cathal (Phone) wrote:
Metadata includes who speaks to who, which can only be hidden by obfuscation in a mixnet, public-message-boards that recipients pull randomly or fully from, or similar ways of removing means of connecting endpoints.
On 10 April 2015 20:08:04 GMT+01:00, Mike Ingle <mike@confidantmail.org> wrote:
How does one go about getting on this list? I think Confidant Mail qualifies. It uses GPG end to end, and encrypts the metadata in transit.
On 4/10/2015 6:44 AM, hellekin wrote:
On 04/10/2015 03:59 AM, Seth wrote:
https://github.com/sweis/crypto-might-not-suck/blob/master/README.md
*** When EFF launched the Secure Messaging Scoreboard, lynX and I were a bit pissed that they even mentioned proprietary solutions, so we made an alternate list:
http://libreplanet.org/wiki/GNU/consensus/Secure_Messaging_Scoreboard
== hk
-- Sent from my Android device with K-9 Mail. Please excuse my brevity.
-- Sent from my Android device with K-9 Mail. Please excuse my brevity.
On Friday, 10 April 2015 12:08:04 Mike Ingle wrote:
How does one go about getting on this list? I think Confidant Mail qualifies. It uses GPG end to end, and encrypts the metadata in transit.
Also, Tox seems in order, too.
--
Regards,
Michał "rysiek" Woźniak
Changing my GPG key :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147
On Sat, Apr 11, 2015 at 03:31:17AM +0200, rysiek wrote:
On Friday, 10 April 2015 12:08:04 Mike Ingle wrote:
How does one go about getting on this list? I think Confidant Mail qualifies. It uses GPG end to end, and encrypts the metadata in transit.
Also, Tox seems in order, too.
are these claims verified?
--
otr fp: https://www.ctrlc.hu/~stef/otr.txt
On Saturday, 11 April 2015 11:39:42 you wrote:
Also, Tox seems in order, too.
are these claims verified?
By briefly looking at the code and not finding any obvious WTFs. Sadly, that's a lot more than most crypto snakeoil stuff can offer these days...

Obviously it would be great to have a proper audit of Tox's code, and to have the protocol properly defined, but as far as seven rules of snakeoil are concerned:
- it is free software
- doesn't run in the browser
- the user generates and exclusively owns the private encryption key
- does not use marketing-terminology like "cyber", "military-grade"

While the threat model isn't explicitly defined, I think it is pretty clear -- threat being eavesdropping on communication *in transit*; it does not provide anonymity, nor does it promise to do so. It implements forward secrecy, and by default does not save conversation logs.

Now:
- there are experimental versions for Android and Jolla (and possibly other smartphones); but hey, there are GnuPG and OTR clients for those platforms too;
- one might say that it neglects general sad state of host security pretty much in the same way as OTR or GnuPG do.

So, for a list of crypto projects that *MIGHT* not suck, I think it's worth a look and/or mention.
--
Regards,
Michał "rysiek" Woźniak
Changing my GPG key :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147
participants (8)
- Cathal (Phone)
- grarpamp
- hellekin
- Mike Ingle
- rysiek
- Seth
- stef
- Zenaan Harkness