Google'es End-to-End - cypherpunks - lists.cpunks.org

newer
Cellphone Operator Reveals Scale...

Google'es End-to-End

older
"a skilled backdoor-writer can...

rysiek

3 Jun 2014 3 Jun '14

9:53 p.m.

Hi there, not sure what to think about this one: http://googleonlinesecurity.blogspot.com/2014/06/making-end-to-end-encryptio... Technical specs: https://code.google.com/p/end-to-end/ -- Pozdr rysiek

Attachments:

signature.asc (application/pgp-signature — 316 bytes)

Reply

Sign in to reply online Use email software

Show replies by date

tpb-crypto＠laposte.net

3 Jun 3 Jun

10:19 p.m.

Message du 03/06/14 23:57 De : "rysiek"

Hi there,

not sure what to think about this one: http://googleonlinesecurity.blogspot.com/2014/06/making-end-to-end-encryptio...

Technical specs: https://code.google.com/p/end-to-end/

If you want to land on a watch-list and maybe no-fly list, you just install it in your Chrome. Because as far as we can tell Google is in bed with the NSA and so the proprietary browser may just flag you to the system and done you are, or may forward all your messages in the clear. Who knows? Which is worst? That's why there is not foocking way to trust proprietary software. Companies are forced to act like criminals on behalf of the government. There is no loyalty, respect, ethics, honesty or even business which the US government won't try to trample upon. If one wants to go crypto, he goes all the way with OpenBSD, Tails, Kali, Gentoo, Firefox, Midori or even old and good Lynx, but not Chrome. lol

Reply

Sign in to reply online Use email software

rysiek

10:24 p.m.

OHAI, Dnia środa, 4 czerwca 2014 00:19:43 piszesz:

...
not sure what to think about this one: http://googleonlinesecurity.blogspot.com/2014/06/making-end-to-end-encrypt ion-easier-to.html

Technical specs: https://code.google.com/p/end-to-end/

If you want to land on a watch-list and maybe no-fly list, you just install it in your Chrome. Because as far as we can tell Google is in bed with the NSA and so the proprietary browser may just flag you to the system and done you are, or may forward all your messages in the clear. Who knows? Which is worst?

That's why there is not foocking way to trust proprietary software. Companies are forced to act like criminals on behalf of the government. There is no loyalty, respect, ethics, honesty or even business which the US government won't try to trample upon.

If one wants to go crypto, he goes all the way with OpenBSD, Tails, Kali, Gentoo, Firefox, Midori or even old and good Lynx, but not Chrome.

lol

A heck with it, why not -- I'll play the Google's advocate here. So, the extension itself will be FLOSS, as I understand, so the extension itself will be audit-able (inb4 openssl, truecrypt). And as I understand it *will* be installable in Chromium too. Is that an acceptable combination? With such an assumption ("use Chromium, Luke!"), does End-to-End seem to make sense? Or are there other problems we need to look into and be wary of? -- Pozdr rysiek

Reply

Sign in to reply online Use email software

tpb-crypto＠laposte.net

10:42 p.m.

Message du 04/06/14 00:29 De : "rysiek"

OHAI,

Dnia środa, 4 czerwca 2014 00:19:43 piszesz:

...
...
not sure what to think about this one: http://googleonlinesecurity.blogspot.com/2014/06/making-end-to-end-encrypt ion-easier-to.html

Technical specs: https://code.google.com/p/end-to-end/

If you want to land on a watch-list and maybe no-fly list, you just install it in your Chrome. Because as far as we can tell Google is in bed with the NSA and so the proprietary browser may just flag you to the system and done you are, or may forward all your messages in the clear. Who knows? Which is worst?

That's why there is not foocking way to trust proprietary software. Companies are forced to act like criminals on behalf of the government. There is no loyalty, respect, ethics, honesty or even business which the US government won't try to trample upon.

If one wants to go crypto, he goes all the way with OpenBSD, Tails, Kali, Gentoo, Firefox, Midori or even old and good Lynx, but not Chrome.

lol

A heck with it, why not -- I'll play the Google's advocate here.

So, the extension itself will be FLOSS, as I understand, so the extension itself will be audit-able (inb4 openssl, truecrypt). And as I understand it *will* be installable in Chromium too.

Is that an acceptable combination? With such an assumption ("use Chromium, Luke!"), does End-to-End seem to make sense? Or are there other problems we need to look into and be wary of?

With chromium, End-to-End can start looking respectable. But even then Chromium is cranked by a much smaller team than Firefox and surely suffers from the same problems OpenSSL has faced for most of its existence.

Reply

Sign in to reply online Use email software

James Murphy

11:55 p.m.

On 6/3/2014 18:42, tpb-crypto@laposte.net wrote:

...
Message du 04/06/14 00:29 De : "rysiek"

OHAI,

Dnia środa, 4 czerwca 2014 00:19:43 piszesz:

...
...
not sure what to think about this one: http://googleonlinesecurity.blogspot.com/2014/06/making-end-to-end-encrypt ion-easier-to.html

Technical specs: https://code.google.com/p/end-to-end/

If you want to land on a watch-list and maybe no-fly list, you just install it in your Chrome. Because as far as we can tell Google is in bed with the NSA and so the proprietary browser may just flag you to the system and done you are, or may forward all your messages in the clear. Who knows? Which is worst?

That's why there is not foocking way to trust proprietary software. Companies are forced to act like criminals on behalf of the government. There is no loyalty, respect, ethics, honesty or even business which the US government won't try to trample upon.

If one wants to go crypto, he goes all the way with OpenBSD, Tails, Kali, Gentoo, Firefox, Midori or even old and good Lynx, but not Chrome.

lol

A heck with it, why not -- I'll play the Google's advocate here.

So, the extension itself will be FLOSS, as I understand, so the extension itself will be audit-able (inb4 openssl, truecrypt). And as I understand it *will* be installable in Chromium too.

Is that an acceptable combination? With such an assumption ("use Chromium, Luke!"), does End-to-End seem to make sense? Or are there other problems we need to look into and be wary of?

With chromium, End-to-End can start looking respectable. But even then Chromium is cranked by a much smaller team than Firefox and surely suffers from the same problems OpenSSL has faced for most of its existence.

I went ahead and tried it out. One click to make a key and it integrates into gmail. It's not going to replace PGP for anyone who already has a key pair, but making end-to-end encryption one-click-easy is a shoe in the door for getting the public to start caring about its own privacy (and hence ours).

Reply

Sign in to reply online Use email software

rysiek

4 Jun 4 Jun

12:08 a.m.

Dnia wtorek, 3 czerwca 2014 19:55:16 James Murphy pisze:

...
...
Message du 04/06/14 00:29 De : "rysiek"

OHAI,

Dnia środa, 4 czerwca 2014 00:19:43 piszesz:

...
...
not sure what to think about this one: http://googleonlinesecurity.blogspot.com/2014/06/making-end-to-end-encr ypt ion-easier-to.html

Technical specs: https://code.google.com/p/end-to-end/

If you want to land on a watch-list and maybe no-fly list, you just install it in your Chrome. Because as far as we can tell Google is in bed with the NSA and so the proprietary browser may just flag you to the system and done you are, or may forward all your messages in the clear. Who knows? Which is worst?

That's why there is not foocking way to trust proprietary software. Companies are forced to act like criminals on behalf of the government. There is no loyalty, respect, ethics, honesty or even business which the US government won't try to trample upon.

If one wants to go crypto, he goes all the way with OpenBSD, Tails, Kali, Gentoo, Firefox, Midori or even old and good Lynx, but not Chrome.

lol

A heck with it, why not -- I'll play the Google's advocate here.

So, the extension itself will be FLOSS, as I understand, so the extension itself will be audit-able (inb4 openssl, truecrypt). And as I understand it *will* be installable in Chromium too.

Is that an acceptable combination? With such an assumption ("use Chromium, Luke!"), does End-to-End seem to make sense? Or are there other problems we need to look into and be wary of?

With chromium, End-to-End can start looking respectable. But even then Chromium is cranked by a much smaller team than Firefox and surely suffers from the same problems OpenSSL has faced for most of its existence. I went ahead and tried it out. One click to make a key and it integrates into gmail. It's not going to replace PGP for anyone who already has a key pair, but making end-to-end encryption one-click-easy is a shoe in

On 6/3/2014 18:42, tpb-crypto@laposte.net wrote: the door for getting the public to start caring about its own privacy (and hence ours).

Okay, but how does that play with other PGP users? For example, will I be able to verify your signature with my "old" GPG? -- Pozdr rysiek

Reply

Sign in to reply online Use email software

James Murphy

1:06 a.m.

On 6/3/2014 20:08, rysiek wrote:

Dnia wtorek, 3 czerwca 2014 19:55:16 James Murphy pisze:

...
...
...
Message du 04/06/14 00:29 De : "rysiek"

OHAI,

Dnia środa, 4 czerwca 2014 00:19:43 piszesz:

...
...
not sure what to think about this one: http://googleonlinesecurity.blogspot.com/2014/06/making-end-to-end-encr ypt ion-easier-to.html

Technical specs: https://code.google.com/p/end-to-end/

If you want to land on a watch-list and maybe no-fly list, you just install it in your Chrome. Because as far as we can tell Google is in bed with the NSA and so the proprietary browser may just flag you to the system and done you are, or may forward all your messages in the clear. Who knows? Which is worst?

That's why there is not foocking way to trust proprietary software. Companies are forced to act like criminals on behalf of the government. There is no loyalty, respect, ethics, honesty or even business which the US government won't try to trample upon.

If one wants to go crypto, he goes all the way with OpenBSD, Tails, Kali, Gentoo, Firefox, Midori or even old and good Lynx, but not Chrome.

lol

A heck with it, why not -- I'll play the Google's advocate here.

So, the extension itself will be FLOSS, as I understand, so the extension itself will be audit-able (inb4 openssl, truecrypt). And as I understand it *will* be installable in Chromium too.

Is that an acceptable combination? With such an assumption ("use Chromium, Luke!"), does End-to-End seem to make sense? Or are there other problems we need to look into and be wary of?

With chromium, End-to-End can start looking respectable. But even then Chromium is cranked by a much smaller team than Firefox and surely suffers from the same problems OpenSSL has faced for most of its existence. I went ahead and tried it out. One click to make a key and it integrates into gmail. It's not going to replace PGP for anyone who already has a key pair, but making end-to-end encryption one-click-easy is a shoe in

On 6/3/2014 18:42, tpb-crypto@laposte.net wrote: the door for getting the public to start caring about its own privacy (and hence ours).

Okay, but how does that play with other PGP users? For example, will I be able to verify your signature with my "old" GPG?

It imported my ascii armored RSA public key just fine. Upon testing, it correctly sent a signed and encrypted message to my RSA key's associated email. I was not able to verify the signature though since gpg doesn't support elliptic curve keys (I wonder why not). Presumably (hopefully) gpg will be adding EC support in the future and this will no longer be an issue.

Reply

Sign in to reply online Use email software

The Doctor

2:10 a.m.

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 06/03/2014 06:06 PM, James Murphy wrote:

email. I was not able to verify the signature though since gpg doesn't support elliptic curve keys (I wonder why not). Presumably (hopefully) gpg will be adding EC support in the future and this will no longer be an issue.

I did a little looking around, and found the following: http://www.mail-archive.com/gnupg-users@gnupg.org/msg20573.html Supposedly it was merged into the v2 source tree a few years ago: https://code.google.com/p/gnupg-ecc/ It seems that at least some of the development builds incorporate ECC in --expert mode. I just tried it on my standard install (GnuPG v2.0.22 (64-bit)) on a new user, and saw no signs of ECC support. This says that it's in the v2.1.x source tree, which is probably why I don't have it: https://superuser.com/questions/623090/how-can-i-use-gnupg-with-ecdsa-keys What release of GnuPG do you normally use? - -- The Doctor [412/724/301/703] [ZS] Developer, Project Byzantium: http://project-byzantium.org/ PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1 WWW: https://drwho.virtadpt.net/ "I'd rather remove the thymus gland from a gerbil." --Alton Brown -----BEGIN PGP SIGNATURE----- Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCgAGBQJTjn/6AAoJED1np1pUQ8RkLvAQAJLIqcBtnki8SgfJZcLklJNL fj9kg/zdFfM7g8sIol1Vr6l4JCrc4VGcV7tdy1ItFJ0Hg4cGB8a865CLomobCi6M fSQIYIHijF50d0J81o4R4wULtLESjmkE7mnET244s8Go7Jt+cCLJa8S7LzMqiQTf nl0vC4N5HQfQwaKbmuCIcO76X+ADnaCyS3DrrTjQCScpLX0cUmBNi5EsyhBkG+hP 9QTwWOohCrES1KXeZ162gl43grBTakn3D99sLYCkSMeNsAe+k12eBWvokXlOPM2k Rlag5HxvbTZ25EnTsYhLCB18DVTGLt5Kuto0lLlThhYVD5FVjCu76nmZHqo9K9/Q d58aNEYn6ZX4N4IHu0/oqZOQlSEjpfW8+1uNQ8JtE1LobBrVjoMlzPuEYUbixB6E AYjtFHQjHrEpH1nO2viodC7+flXXZMxBon59evaMCB6U3pI2bNNr5YbOYEdcAPGV thlzoQvquPvm82qUFRsqC9de/NP55zApRMynGoGZoeOMD5r3Z7vu3C5MgJ14jQiZ 7W0KV7Mp4Xbp0Z/7j7g3W9BF3a+I+kOAn/vu6L2Sv6ryKfPznDq+y9F4wGnkwO15 5DNpKQuxn54iERSWMDTQnVazplf3zWD7PicMiSwvLW5a9lT1aQQ3LBiQbKyRXV7/ yq+uqBACWNwfTxloniy2 =O+n5 -----END PGP SIGNATURE-----

Reply

Sign in to reply online Use email software

James Murphy

1:57 p.m.

On 6/3/2014 22:10, The Doctor wrote:

On 06/03/2014 06:06 PM, James Murphy wrote:

...
email. I was not able to verify the signature though since gpg doesn't support elliptic curve keys (I wonder why not). Presumably (hopefully) gpg will be adding EC support in the future and this will no longer be an issue.

I did a little looking around, and found the following:

http://www.mail-archive.com/gnupg-users@gnupg.org/msg20573.html

Supposedly it was merged into the v2 source tree a few years ago:

https://code.google.com/p/gnupg-ecc/

It seems that at least some of the development builds incorporate ECC in --expert mode. I just tried it on my standard install (GnuPG v2.0.22 (64-bit)) on a new user, and saw no signs of ECC support. This says that it's in the v2.1.x source tree, which is probably why I don't have it:

https://superuser.com/questions/623090/how-can-i-use-gnupg-with-ecdsa-keys

What release of GnuPG do you normally use?

On this machine I'm using gpg (GnuPG) 2.0.22 (Gpg4win 2.2.1) libgcrypt 1.5.3 I never noticed the two '?'s in the supported algos before. Supported algorithms: Pubkey: RSA, ELG, DSA, ?, ? Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256 Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 Compression: Uncompressed, ZIP, ZLIB, BZIP2 Perhaps they are ECDSA and ECDH. In any case gpg --expert --gen-key doesn't give the option for elliptic curve keys. I guess this is a developer branch only feature for now.

Reply

Sign in to reply online Use email software

The Doctor

5 Jun 5 Jun

1:07 a.m.

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 06/04/2014 06:57 AM, James Murphy wrote:

I never noticed the two '?'s in the supported algos before.

An interesting observation.

Supported algorithms: Pubkey: RSA, ELG, DSA, ?, ?

Here's what I have in the same place: Pubkey: RSA, ELG, DSA, ECC, ? A little nosing around reveals this: http://lists.gnupg.org/pipermail/gnupg-devel/2014-January/028147.html So, the two question marks should be 'ECC' and 'ECC'.

Perhaps they are ECDSA and ECDH. In any case gpg --expert --gen-key doesn't give the option for elliptic curve keys. I guess this is a developer branch only feature for now.

Mine does not support it, either, and the existing documentation is that is is a development branch (v2.1.x) only option. - -- The Doctor [412/724/301/703] [ZS] Developer, Project Byzantium: http://project-byzantium.org/ PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1 WWW: https://drwho.virtadpt.net/ "The little boat flipped over." --The Plague, _Hackers_ -----BEGIN PGP SIGNATURE----- Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCgAGBQJTj8LuAAoJED1np1pUQ8RkSHsP/Rjnhuwtm83Zamoc2c8VPYD8 58UKOMKBGLkd3s2HevsH0VSi0eA9kXDivxsQVDQzHunpKYGdx1yTlSbl+Unm3uLd YWL6zv1F7ze4zO1hlj9RUozDG8IifR2VWeGxv1JL8s/Qz/GMSd6yJuBtvXQwi3s9 TGdIzB4VHcYwZIXk4KlgJAbntCdGaAroevY6eCC404MsQ4TmVf3fFmGfdWVo2CyL pOlrn/1EF8ZCj2X0vh8iKuq8kEqe9cQSJNBG8ABpPBeqt372fBZ10i4GPFQbw3LX 4ooLaUN7evYMsgu1umJ7XcXPdqviBl5CkiiaVb7M9BZMiqAh8Kg5hNW7fq+FGc0K 1DOSImKlDj6I/FSm2Z5tKY5NXYqr7fdUkJGAOnTpiKY/GQJznz9MRBDaHPNyvDqn uO9d7n495DV+UFDnI0LbxdE/MlDgYirFMzGDy+EzJWr44zNUaK0hr4VzBK++iTgk K57gUMAPCAUCpLBGuKOhqrnD6TeNh4RarH90LzLVOtKxoQsP6Rrg6pg/uzjUh/+m Y74gnu4qmGCMfgS7EJIFboYgR3tGz6Qub4Hx4PmGGf+S3kV+3Tbc0XtwSMNf9Bn0 Bt5aMHpw/+UJT9tvSgXzd5iWL1J27M3oMRmDamk1WyyVSdlqLF3ZohOqcqX+KBa/ lFCOtFoIX1Xe2zkvCFcN =u/Zd -----END PGP SIGNATURE-----

Reply

Sign in to reply online Use email software

Juan

1:22 a.m.

On Wed, 04 Jun 2014 18:07:58 -0700 The Doctor wrote:

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512

On 06/04/2014 06:57 AM, James Murphy wrote:

...
I never noticed the two '?'s in the supported algos before.

An interesting observation.

...
Supported algorithms: Pubkey: RSA, ELG, DSA, ?, ?

Here's what I have in the same place:

Pubkey: RSA, ELG, DSA, ECC, ?

mine says : RSA, ELG, NSA, DSA, ECC, ?

Reply

Sign in to reply online Use email software

The Doctor

1:46 a.m.

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 06/04/2014 06:22 PM, Juan wrote:

mine says : RSA, ELG, NSA, DSA, ECC, ?

Hey! What was that? <turns and looks around...> - -- The Doctor [412/724/301/703] [ZS] Developer, Project Byzantium: http://project-byzantium.org/ PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1 WWW: https://drwho.virtadpt.net/ "The little boat flipped over." --The Plague, _Hackers_ -----BEGIN PGP SIGNATURE----- Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCgAGBQJTj8veAAoJED1np1pUQ8Rk8ZIP/0f5W/4FtIwdhMooNquHnapq +gHNn/K59dLnKpp8ndmEEhrTkuZNU9P4rNd/S6ElPjOVzMK5K7AnIb4O9MkYWdJe XqLtjOa95u4sB5jyOZeWGl9uCY8kZceT6NbPK3d57dW9uNYS2bBljxYiGZDn5jnN 8dZoQr4bG3rsmk7KQBtuqA+acw9ciWktrFlxPqXrUJ8sObaotPIfwWouEwKu+Nd/ WzdOt5gJyZAPsH89eFyUunZU+9Qinx0DM4otaUe6O9vd4TTnh0nlCAmNANul8EIe kquvvh0HS+9U//gdqCHWc0YrSUVebHZ6kQKRLtSnnp3lziG+AFhJbFmJPheQ4+Jx 0DJdGQrS7teSKgxCwZ+UkLfQ5Pyb31ZMVyWfoKyzATLAKGNZie4gnpekG3a5mO9e txMTxKrtxOmRX6QrlVNlL2kOr7wST1xxEZQ1lupIQe61xpHHVJWmL/ezgDQwx4j9 aOxcgrt1s4T1zHT88En2CklxT3Nxvv92DA1FXj8gky17o3gi85A/H8MEM0kCmhSk ysOsxIx+dNfhL6QRh1Y38LnXD+DUwB1y3wAANw13unPKRvu0pRa23Pg529AwC1UX P90K/P2FW1H1/zktL+XPg7y27xjlqUNa8bGNggxyyYhgy6Qaav4B7xwlZzvCZpF9 lrLVRn0CRiamhYUl6Rzb =PiE8 -----END PGP SIGNATURE-----

Reply

Sign in to reply online Use email software

tpb-crypto＠laposte.net

4 Jun 4 Jun

1:01 a.m.

Message du 04/06/14 02:01 De : "James Murphy"

On 6/3/2014 18:42, tpb-crypto@laposte.net wrote:

...
...
Message du 04/06/14 00:29 De : "rysiek"

OHAI,

Dnia środa, 4 czerwca 2014 00:19:43 piszesz:

...
...
not sure what to think about this one: http://googleonlinesecurity.blogspot.com/2014/06/making-end-to-end-encrypt ion-easier-to.html

Technical specs: https://code.google.com/p/end-to-end/

If you want to land on a watch-list and maybe no-fly list, you just install it in your Chrome. Because as far as we can tell Google is in bed with the NSA and so the proprietary browser may just flag you to the system and done you are, or may forward all your messages in the clear. Who knows? Which is worst?

That's why there is not foocking way to trust proprietary software. Companies are forced to act like criminals on behalf of the government. There is no loyalty, respect, ethics, honesty or even business which the US government won't try to trample upon.

If one wants to go crypto, he goes all the way with OpenBSD, Tails, Kali, Gentoo, Firefox, Midori or even old and good Lynx, but not Chrome.

lol

A heck with it, why not -- I'll play the Google's advocate here.

So, the extension itself will be FLOSS, as I understand, so the extension itself will be audit-able (inb4 openssl, truecrypt). And as I understand it *will* be installable in Chromium too.

Is that an acceptable combination? With such an assumption ("use Chromium, Luke!"), does End-to-End seem to make sense? Or are there other problems we need to look into and be wary of?

With chromium, End-to-End can start looking respectable. But even then Chromium is cranked by a much smaller team than Firefox and surely suffers from the same problems OpenSSL has faced for most of its existence.

I went ahead and tried it out. One click to make a key and it integrates into gmail. It's not going to replace PGP for anyone who already has a key pair, but making end-to-end encryption one-click-easy is a shoe in the door for getting the public to start caring about its own privacy (and hence ours).

I find the combination of gmail and chromium while thinking in privacy a risible solution. But hey, it may help grandma think about protecting herself, ok. False sense of security is the best we can hope at this point. That's sad, man.

Reply

Sign in to reply online Use email software

Travis Biehn

2:43 a.m.

You forgot Quark, bro. http://goto.ucsd.edu/quark/ :( When will verified / managed code OSes be usable? On Tue, Jun 3, 2014 at 6:19 PM, wrote:

...
Message du 03/06/14 23:57 De : "rysiek"

Hi there,

not sure what to think about this one:

http://googleonlinesecurity.blogspot.com/2014/06/making-end-to-end-encryptio...

...
Technical specs: https://code.google.com/p/end-to-end/

If you want to land on a watch-list and maybe no-fly list, you just install it in your Chrome. Because as far as we can tell Google is in bed with the NSA and so the proprietary browser may just flag you to the system and done you are, or may forward all your messages in the clear. Who knows? Which is worst?

That's why there is not foocking way to trust proprietary software. Companies are forced to act like criminals on behalf of the government. There is no loyalty, respect, ethics, honesty or even business which the US government won't try to trample upon.

If one wants to go crypto, he goes all the way with OpenBSD, Tails, Kali, Gentoo, Firefox, Midori or even old and good Lynx, but not Chrome.

lol

-- Twitter https://twitter.com/tbiehn | LinkedIn http://www.linkedin.com/in/travisbiehn | GitHub http://github.com/tbiehn | TravisBiehn.com http://www.travisbiehn.com | Google Plus https://plus.google.com/+TravisBiehn

Reply

Sign in to reply online Use email software

Alfie John

5 Jun 5 Jun

2:48 a.m.

On Wed, Jun 4, 2014, at 10:19 AM, tpb-crypto@laposte.net wrote:

If you want to land on a watch-list and maybe no-fly list, you just install it in your Chrome. Because as far as we can tell Google is in bed with the NSA and so the proprietary browser may just flag you to the system and done you are, or may forward all your messages in the clear. Who knows? Which is worst?

That's why there is not foocking way to trust proprietary software. Companies are forced to act like criminals on behalf of the government. There is no loyalty, respect, ethics, honesty or even business which the US government won't try to trample upon.

Someone's already submitted a bug report: https://code.google.com/p/end-to-end/issues/detail?id=9 Alfie -- Alfie John alfiej@fastmail.fm

Reply

Sign in to reply online Use email software

Black Fox

2:37 p.m.

On Thu, Jun 5, 2014 at 4:48 AM, Alfie John wrote:

On Wed, Jun 4, 2014, at 10:19 AM, tpb-crypto@laposte.net wrote:

...
That's why there is not foocking way to trust proprietary software. Companies are forced to act like criminals on behalf of the government. There is no loyalty, respect, ethics, honesty or even business which the US government won't try to trample upon.

Someone's already submitted a bug report:

https://code.google.com/p/end-to-end/issues/detail?id=9

Cute, but the threat model of the submitter seem unclear to me, in what is it different here from gpg binaries provided by a linux distribution package ? If even only one person have access to the packaging keys and is of american nationality he can receive a National Security Letter and would have to comply (Rubber hose is obviously working too if they want to risk it). Using quantum insert they don't even need to change the packages for everyone, only you. Updates for any software executing with access to your private data are dangerous. I don't see why this subject is present in the issue tracker of an extension... it's a lot more general issue (Except for the fact that Google bashing is cool today).

Reply

Sign in to reply online Use email software

Eric Mill

6 Jun 6 Jun

12:34 a.m.

On Thu, Jun 5, 2014 at 10:37 AM, Black Fox wrote:

On Thu, Jun 5, 2014 at 4:48 AM, Alfie John wrote:

...
On Wed, Jun 4, 2014, at 10:19 AM, tpb-crypto@laposte.net wrote:

...
That's why there is not foocking way to trust proprietary software. Companies are forced to act like criminals on behalf of the government. There is no loyalty, respect, ethics, honesty or even business which

the

...
...
US government won't try to trample upon.

Someone's already submitted a bug report:

https://code.google.com/p/end-to-end/issues/detail?id=9

Cute, but the threat model of the submitter seem unclear to me, in what is it different here from gpg binaries provided by a linux distribution package ?

If even only one person have access to the packaging keys and is of american nationality he can receive a National Security Letter and would have to comply (Rubber hose is obviously working too if they want to risk it). Using quantum insert they don't even need to change the packages for everyone, only you.

Updates for any software executing with access to your private data are dangerous.

I don't see why this subject is present in the issue tracker of an extension... it's a lot more general issue (Except for the fact that Google bashing is cool today).

This seems like a good project, that will move PGP usability and standards forward. It's also a big deal for Google to throw its support to the project, since it is in direct tension with the business model Gmail is built on (scanning your emails). The auto-update feature is a big deal that will have to get wrestled with openly as this moves further. Perhaps they'll work out a separate update policy for it, who knows. But it'll also have applications outside of a place in the Chrome Web Store. For example, hopefully much of this work (especially the JS crypto work) will also turn out to be reusable in Firefox. -- konklone.com | @konklone https://twitter.com/konklone

Reply

Sign in to reply online Use email software

tpb-crypto＠laposte.net

5 Jun 5 Jun

10:41 p.m.

Message du 05/06/14 04:54 De : "Alfie John"

On Wed, Jun 4, 2014, at 10:19 AM, tpb-crypto@laposte.net wrote:

...
If you want to land on a watch-list and maybe no-fly list, you just install it in your Chrome. Because as far as we can tell Google is in bed with the NSA and so the proprietary browser may just flag you to the system and done you are, or may forward all your messages in the clear. Who knows? Which is worst?

That's why there is not foocking way to trust proprietary software. Companies are forced to act like criminals on behalf of the government. There is no loyalty, respect, ethics, honesty or even business which the US government won't try to trample upon.

Someone's already submitted a bug report:

https://code.google.com/p/end-to-end/issues/detail?id=9

It is interesting to note how this guy brushed the issue aside while clearly not addressing the concern at all, but make-believing it is addressed:

#5 evn@google.com Yes, we treat this concern very seriously. I closed it because we aren't auto-updating any extensions (there's no CRX we are shipping that could be auto-updated).

Yeah, they aren't auto-updating extensions, but this doesn't concern other extensions, this concerns the core of the browser itself. These reactions plus the way we see this "innovation" pushed in the specialized media already is a sure indicator that the backdoor is in place already to trap the fools. Run this thing and get all your messages stored in the clear, in an obscure datacenter, forever.

Reply

Sign in to reply online Use email software

Eric Mill

6 Jun 6 Jun

12:34 a.m.

This seems like a good project, that will move PGP usability and standards forward. It's also a big deal for Google to throw its support to the project, since it is in direct tension with the business model Gmail is built on (scanning your emails). The auto-update feature is a big deal that will have to get wrestled with openly as this moves further. Perhaps they'll work out a separate update policy for it, who knows. But it'll also have applications outside of a place in the Chrome Web Store. For example, hopefully much of this work (especially the JS crypto work) will also turn out to be reusable in Firefox. On Thu, Jun 5, 2014 at 6:41 PM, wrote:

...
Message du 05/06/14 04:54 De : "Alfie John"

...
If you want to land on a watch-list and maybe no-fly list, you just install it in your Chrome. Because as far as we can tell Google is in bed with the NSA and so the proprietary browser may just flag you to the system and done you are, or may forward all your messages in the clear. Who knows? Which is worst?

That's why there is not foocking way to trust proprietary software. Companies are forced to act like criminals on behalf of the government. There is no loyalty, respect, ethics, honesty or even business which

On Wed, Jun 4, 2014, at 10:19 AM, tpb-crypto@laposte.net wrote: the

...
US government won't try to trample upon.

Someone's already submitted a bug report:

https://code.google.com/p/end-to-end/issues/detail?id=9

It is interesting to note how this guy brushed the issue aside while clearly not addressing the concern at all, but make-believing it is addressed:

...
#5 evn@google.com Yes, we treat this concern very seriously. I closed it because we aren't auto-updating any extensions (there's no CRX we are shipping that could be auto-updated).

Yeah, they aren't auto-updating extensions, but this doesn't concern other extensions, this concerns the core of the browser itself.

These reactions plus the way we see this "innovation" pushed in the specialized media already is a sure indicator that the backdoor is in place already to trap the fools.

Run this thing and get all your messages stored in the clear, in an obscure datacenter, forever.

-- konklone.com | @konklone https://twitter.com/konklone

Reply

Sign in to reply online Use email software

Fabio Pietrosanti (naif)

5 Jun 5 Jun

4:05 a.m.

Il 6/3/14, 11:53 PM, rysiek ha scritto:

Hi there,

not sure what to think about this one:

http://googleonlinesecurity.blogspot.com/2014/06/making-end-to-end-encryptio...

Technical specs: https://code.google.com/p/end-to-end/

It's very bad that they reimplemented a new PGP stack in JS when there is a multi-stakeholder community effort with OpenPGP.js www.openpgpjs.org Look their comments about it: https://news.ycombinator.com/item?id=7843297 "Not a stupid question at all. We actually considered this option, but OpenPGP.js looked pretty bad back then. Security-wise the library wasn't in good shape. One of our cryptographers would "classify [OpenPGP.js] as trash. It has been audited recently, but the result doesn't look very good either" I think that Google should make a turn-back and switch to using OpenPGP.js, that's a modular, secure, widely compatible and performant PGP stack library in javascript, with heavy improvements done in the last 9 months, thanks to multiple developers working on it for different projects. I reported such issue here: https://code.google.com/p/end-to-end/issues/detail?id=3 -- Fabio Pietrosanti (naif) HERMES - Center for Transparency and Digital Human Rights http://logioshermes.org - http://globaleaks.org - http://tor2web.org

Reply

Sign in to reply online Use email software

3758

Age (days ago)

3761

Last active (days ago)

Download

19 comments

10 participants

tags

participants (10)

Alfie John
Black Fox
Eric Mill
Fabio Pietrosanti (naif)
James Murphy
Juan
rysiek
The Doctor
tpb-crypto＠laposte.net
Travis Biehn