gmail usage

Zenaan Harkness zen at freedbms.net
Wed Jul 6 06:50:16 PDT 2016 

On Wed, Jul 06, 2016 at 09:22:52AM -0400, Steve Furlong wrote:
> For anything I want to keep secure, I use encryption. I had been relying on
> encrypted email -- GPG on my end, usually a PGP mail client plugin on the
> other end. I'm getting away from that because certain email correspondents
> who are not me seem to have trouble with even the relatively-easy-to-use
> plugins. eg, one normally technically savvy guy kept sending me signed
> rather than encrypted messages containing very sensitive material, and
> another guy could not manage to send me an encrypted message that I could
> decrypt.

Run your own server, preferably at home. Provide a web frontend. Have
those people who you need secure communication with sign up for a fancy
new email account, on your server.

Only send email to their email account on your server.

If it's really really important, block their email account from sending
email outside your server - they can still download attachments, but
they can't "make an easy mistake" since they have to be intentional.

If you provide POP or IMAP access, only allow encrypted access.

If your contacts use the web interface, and you -really- want "security"
(to the level you are confident in your own server at least), then issue
your own Certificate Authority and server Certificate, and meet your
contacts in person, manually installing your server certificate into
their browser certificate directory!

NEVER trust ANY external Certificate Authority for any server or
communications that is highly sensitive!

Feel el1te!!!


> Lately I've been using non-email communications if I want to keep it
> private.

If it's on a phone or fax, or in front of a Samsung TV, or near any land
line phone that's been certified by your national telecommunications
authority, or in a public WIFI cafe which is likely bugged, or near any
mobile phones that are switched on, or .... etc ... then assume your
conversation is property of your national government and most likely the
"five eyes" (USA, Australia, New Zealand, UK, Germany).


> A variant of a "send a message to this website's administrator"
> page, transmitted over SSL, is good enough for my purposes. It's not
> encrypted on my server and the response page is not encrypted on the
> recipient's computer, but at least it is (or should be) safe from casual
> snooping along the way.
> 
> None of the above is meant to be the definitive answer to private
> communications or to worries about snooping. So far as I know it works well
> enough for my expected threats. Suggestions for improvement are welcome.

Use a chat application which provides PFS/ perfect forward secrecy, and
allows transfer of files - that's another approach. There are plenty
more.

More information about the cypherpunks mailing list