Encrypted Messaging Tools for Pretty Good Privacy

In this day and age, with governments spying, multinationals poised to take over, and hackers after your blueprints, it pays to stay safe! Here is a selection of messaging encryption tools. Wickr is the easiest to use because key management is fully automatic; it offers self-destructing messages and forward secrecy, deriving fresh keys for each message so that compromising one message's key exposes only that message. (Self-destruction is enforced by the app on the recipient's device, not by the cryptography; a recipient who screenshots a message still keeps it.) For the more old-school types, it's worth looking at PGP, which started off as "Pretty Good Privacy" and has always had a good reputation. Its formats were later standardised by the IETF as OpenPGP (RFC 4880), with GnuPG (GPG) as the best-known open-source implementation. The trick with PGP is delivering your public key to people somehow: in the signature of your email, or linked from a third-party server using a short link. Bear in mind that none of those channels proves the key is yours; whoever receives it should confirm the full key fingerprint with you over a second channel, such as a phone call.

The hard part with PGP is getting your public key out to people. If you want to make it easy, register it with the PGP Global Directory. Then you can tell people that my public key is the one with ID 6F1D0462 (the key I use for tom@funk.co.nz on my laptop), and they can fetch it without ever having had prior contact with me. Handy for whistleblower journo types, and good for signing files and so forth. One caveat: 6F1D0462 is a short (32-bit) key ID, and short IDs can be deliberately collided, so anyone who fetches the key should compare its full 40-hex-digit fingerprint against one obtained from me directly before trusting it. Or whack it on your website like I did below.
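
To make the fingerprint point concrete, here is an added example (my own code for this page, not part of PGP, GnuPG or any other tool) that builds a constructed OpenPGP version 4 RSA public-key packet, derives its fingerprint, long key ID and short key ID the way RFC 4880 section 12.2 specifies, and ASCII-armors it with the CRC24 trailer that appears as the "=EQ84"-style line at the bottom of a key block. The modulus, exponent and creation time are made-up test values, and the armor is a minimal single-packet block; a real export carries user ID, signature and subkey packets after the first one.

```python
"""Added example: OpenPGP v4 fingerprint, key IDs and ASCII armor (RFC 4880).
The key material below is constructed for illustration and is NOT a real key."""
import base64
import hashlib
import struct

# Constructed stand-in for a 2048-bit RSA modulus (top bit forced to 1 so the MPI
# bit length is exactly 2048). The fingerprint only hashes bytes; it does not care
# whether this is a valid modulus.
FAKE_MODULUS = bytes([0xC1]) + bytes((i * 37 + 11) % 256 for i in range(1, 256))
FAKE_EXPONENT = (65537).to_bytes(3, "big")
FAKE_CREATED = 1451606400  # 2016-01-01T00:00:00Z
CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB  # RFC 4880 6.1

def mpi(value: bytes) -> bytes:
    """OpenPGP MPI (RFC 4880 3.2): two-byte bit length, then minimal big-endian bytes."""
    value = value.lstrip(b"\x00")
    bit_len = (len(value) - 1) * 8 + value[0].bit_length() if value else 0
    return struct.pack(">H", bit_len) + value

def public_key_packet_body(modulus: bytes, exponent: bytes, created: int) -> bytes:
    """V4 public-key packet body for RSA (algorithm 1), RFC 4880 5.5.2:
    version, creation time, algorithm, MPI(n), MPI(e)."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(modulus) + mpi(exponent)

def full_packet(body: bytes) -> bytes:
    """Old-format header for tag 6 with a two-octet length (0x99), then the body."""
    return b"\x99" + struct.pack(">H", len(body)) + body

def fingerprint(body: bytes) -> str:
    """V4 fingerprint (RFC 4880 12.2): SHA-1 over 0x99 || 2-octet length || body."""
    if len(body) > 0xFFFF:
        raise ValueError("packet body too long for a two-octet length")
    return hashlib.sha1(full_packet(body)).hexdigest().upper()

def long_key_id(fp: str) -> str:
    return fp[-16:]  # low 64 bits of the fingerprint

def short_key_id(fp: str) -> str:
    return fp[-8:]  # low 32 bits, the "6F1D0462" style; trivially collidable

def crc24(data: bytes) -> int:
    """CRC carried in the '=XXXX' armor trailer. Detects transmission damage only;
    it is not a MAC and offers no protection against deliberate tampering."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def armor(packet: bytes, comment: str) -> str:
    b64 = base64.b64encode(packet).decode()
    trailer = "=" + base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", f"Comment: {comment}", ""]
                     + [b64[i:i + 64] for i in range(0, len(b64), 64)]
                     + [trailer, "-----END PGP PUBLIC KEY BLOCK-----"])

def dearmor(text: str) -> bytes:
    """Strip the armor, verify the CRC24 and return the raw packet bytes."""
    lines = text.strip().splitlines()
    if lines[0] != "-----BEGIN PGP PUBLIC KEY BLOCK-----" or lines[-1] != "-----END PGP PUBLIC KEY BLOCK-----":
        raise ValueError("not an armored public key block")
    inner = lines[1:-1]
    data_lines = inner[inner.index("") + 1:]  # armor headers end at the first blank line
    if not data_lines or not data_lines[-1].startswith("="):
        raise ValueError("missing CRC24 trailer")
    data = base64.b64decode("".join(data_lines[:-1]))
    if crc24(data) != int.from_bytes(base64.b64decode(data_lines[-1][1:]), "big"):
        raise ValueError("CRC24 mismatch: block damaged in transit")
    return data

def armor_is_intact(text: str) -> bool:
    try:
        return dearmor(text) is not None
    except ValueError:
        return False

def fingerprint_from_armor(text: str) -> str:
    """Fingerprint of the first (primary key) packet in an armored block."""
    packet = dearmor(text)
    if packet[0] != 0x99:
        raise ValueError("expected an old-format tag-6 packet with a two-octet length")
    (length,) = struct.unpack(">H", packet[1:3])
    if len(packet) < 3 + length:
        raise ValueError("truncated packet")
    return fingerprint(packet[3:3 + length])

if __name__ == "__main__":
    body = public_key_packet_body(FAKE_MODULUS, FAKE_EXPONENT, FAKE_CREATED)
    fp = fingerprint(body)
    block = armor(full_packet(body), "constructed test key, not a real one")
    print(block)
    print("fingerprint:", fp, "| long ID:", long_key_id(fp), "| short ID:", short_key_id(fp))
    assert fingerprint_from_armor(block) == fp
```

The point to take away is the ratio: a short ID is 8 hex digits out of the 40 in the fingerprint, and the CRC24 trailer only catches corruption in transit. Neither identifies a key securely; only the full fingerprint, compared over a channel the sender controls, does.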

  • Wickr Top Secret Messenger is the easiest to use and free, and of the tools listed here it has the most protection built in by default (automatic keys, forward secrecy, expiring messages)
    • Free here https://wickr.com/ for Android, BlackBerry, iPhone, Mac, PC, Linux
    • Messages self-destruct and are sent with new keys every time
    • Even if the keys for one message are "brute forced", this exposes only that one message
  • S/MIME is the other widely deployed secure-email standard; it is an alternative to OpenPGP (built into most mail clients) rather than a successor to it. The comparison below explains the difference.
  • OpenPGP implementations such as GPG (GnuPG) let you encrypt and sign files and emails
  • Use the HTTPS Everywhere browser plugin
    • It carries a list of sites known to support HTTPS and rewrites your requests to those sites so the encrypted version is used
  • Install Tor Browser
  • Use a VPN
    • Hides your metadata (which sites and servers you talk to) from your local network and ISP; the VPN provider can still see it, so you are moving trust rather than removing it
    • Stops eavesdroppers on your local network or at your ISP from seeing whether you are even using Wickr, PGP, Tor etc.
    • Encrypts all of your internet traffic and tunnels it out to another place on the net

What's the difference between S/MIME and OpenPGP?

This answer from the cryptographer Thomas Pornin puts it very nicely:

Summary: S/MIME and PGP both provide "secure emailing" but use distinct encodings, formats, user tools, and key distribution models.


S/MIME builds over MIME and CMS. MIME is a standard way of putting arbitrary data into emails, with a "type" (an explicit indication of what the data is supposed to mean) and gazillions of encoding rules and other interoperability details. CMS means "Cryptographic Message Syntax": it is a binary format for encrypting and signing data. CMS relies on X.509 certificates for public key distribution. X.509 was designed to support top-down hierarchical PKI: a small number of "root certification authorities" issue (i.e. sign) certificates for many users (or possibly intermediate CA); a user certificate contains his name (in an email context, his email address) and his public key, and is signed by a CA. Someone wanting to send an email to Bob will use Bob's certificate to get his public key (needed to encrypt the email, so that only Bob will be able to read it); verifying the signature on Bob's certificate is a way to make sure that the binding is genuine, i.e. this is really Bob's public key, not someone else's public key.

PGP is actually an implementation of the OpenPGP standard (historically, OpenPGP was defined as a way to standardise what the pre-existing PGP software did, but there now are other implementations, in particular the free opensource GnuPG). OpenPGP defines its own encryption methods (similar in functionality to CMS) and encoding formats, in particular an encoding layer called "ASCII Armor" which allows binary data to travel unscathed in emails (but you can also mix MIME and OpenPGP). For public key distribution, OpenPGP relies on Web of Trust: you can view that as a decentralised PKI where everybody is a potential CA. The security foundation of WoT is redundancy: you can trust a public key because it has been signed by many people (the idea being that an attacker "cannot fool everybody for a long time").

Theoretically, in an enterprise context, WoT does not work well; the X.509 hierarchical PKI is more appropriate, because it can be made to match the decisional structure of the envisioned companies, whereas WoT relies on employees making their own security policy decisions.

In practice, although most emailing software already implements S/MIME (even Outlook Express has implemented S/MIME for about a decade), the certificate enrolment process is complex with interactions with external entities, and requires some manual interventions. OpenPGP support usually requires adding a plugin, but that plugin comes with all that is needed to manage keys. The Web of Trust is not really used: people exchange their public keys and ensure binding over another medium (e.g. spelling out the "key fingerprint" -- a hash value of the key -- over the phone). Then people keep a copy of the public keys of the people they usually exchange emails with (in the PGP "keyring"), which ensures appropriate security and no hassle. When I need to exchange secure emails with customers, I use PGP that way.

OpenPGP is also used, as a signature format, for other non-email tasks, such as digitally signing software packages in some Linux distributions (at least Debian and Ubuntu do that).

Tomachi Corp's Public Key 6F1D0462

Tom Atkinson <tom@funk.co.nz>

Import this public key into the OpenPGP key manager on your computer and you can encrypt messages to me and verify files and emails I have signed. Before you rely on it, compare the key's full fingerprint with one you have obtained from me over another channel; the short ID above identifies the key but does not authenticate it.

Download Tomachi Public Key (6F1D0462)

-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: GPGTools - https://gpgtools.org
Comment: Tomachi 13inch Comment
[base64-encoded key data omitted]
=EQ84
-----END PGP PUBLIC KEY BLOCK-----

How Safe Is Your Email? Gmail Transport Encryption by Country

Google has published data on 47,354 domains that it exchanges email with, showing what fraction of that traffic is protected in transit with TLS encryption, i.e. hidden from packet sniffers on the wire between mail servers. I filtered and crunched the data in Excel into this pivot table to show summaries per top-level domain (TLD), broken down by traffic region. It's an interesting snapshot of the state of the internet at this particular juncture in our history. Netscape released SSL 3.0 in 1996 and e-commerce grew up on it, yet here we are in 2016 and some email is still being sent in the clear. This is changing fast, though, since the revelations of Edward Snowden. Two caveats when reading the numbers: transport encryption protects mail from eavesdroppers between the two servers, not from the providers at either end (only end-to-end encryption such as OpenPGP or S/MIME does that), and most server-to-server TLS is opportunistic STARTTLS, which an active attacker on the path can strip unless the sending server insists on TLS. Formats available: Excel working file with raw data; PNG image; 2-page PDF; Google Sheets.
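
To see what "protected in transit" turns on in practice, here is an added example (my own code for this page, not Google's or any other tool) that inspects a receiving mail server's EHLO reply for the STARTTLS keyword, the capability that decides whether the sending server can encrypt the hop at all, and flags the known failure mode where a middlebox on the path blanks the keyword out. The EHLO replies are constructed transcripts with placeholder host names, not captures from real servers.

```python
"""Added example: decide from an SMTP EHLO reply whether a receiving mail server
offers STARTTLS, i.e. whether mail to it can be encrypted in transit at all.
The replies below are constructed transcripts; the host names are placeholders."""
import re

# Constructed EHLO replies (CRLF line endings, as on the wire).
EHLO_WITH_STARTTLS = (
    "250-mx.example.test at your service\r\n"
    "250-SIZE 35882577\r\n"
    "250-8BITMIME\r\n"
    "250-STARTTLS\r\n"
    "250 SMTPUTF8\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    "250-mx.legacy.example.test\r\n"
    "250-SIZE 10240000\r\n"
    "250 8BITMIME\r\n"
)
# A middlebox on the path can suppress encryption by overwriting the keyword in
# place so the line length stays the same; an all-X keyword is the tell-tale.
EHLO_STRIPPED = (
    "250-mx.example.test at your service\r\n"
    "250-SIZE 35882577\r\n"
    "250-XXXXXXXX\r\n"
    "250 8BITMIME\r\n"
)

def parse_ehlo(reply: str) -> set:
    """Return the set of extension keywords (upper-case) from a 250 EHLO reply.
    The first line is the server greeting, not an extension (RFC 5321 4.1.1.1)."""
    keywords, last_seen = set(), False
    lines = [l for l in reply.split("\r\n") if l]
    for idx, line in enumerate(lines):
        m = re.fullmatch(r"(\d{3})([ -])(.*)", line)
        if not m or last_seen:
            raise ValueError(f"malformed EHLO reply line: {line!r}")
        code, sep, text = int(m.group(1)), m.group(2), m.group(3)
        if code != 250:
            raise ValueError(f"EHLO failed with code {code}")
        last_seen = sep == " "  # a space after the code marks the final line
        if idx > 0:
            keywords.add(text.split(" ", 1)[0].upper())
    if not last_seen:
        raise ValueError("EHLO reply was cut off before its final line")
    return keywords

def offers_starttls(reply: str) -> bool:
    return "STARTTLS" in parse_ehlo(reply)

def looks_stripped(reply: str) -> bool:
    """Heuristic for a STARTTLS advertisement that was blanked out in transit."""
    return any(re.fullmatch(r"X{4,}", k) for k in parse_ehlo(reply))

def transit_verdict(reply: str) -> str:
    if offers_starttls(reply):
        return "STARTTLS offered: the hop can be encrypted, but only opportunistically unless the sender enforces TLS"
    if looks_stripped(reply):
        return "STARTTLS apparently stripped by a middlebox: mail will fall back to cleartext"
    return "no STARTTLS: mail to this server travels in the clear"

if __name__ == "__main__":
    for name, reply in [("with", EHLO_WITH_STARTTLS), ("without", EHLO_WITHOUT_STARTTLS), ("stripped", EHLO_STRIPPED)]:
        print(f"{name:8} -> {transit_verdict(reply)}")
```

Feeding a live server's reply into the same parser (after connecting on port 25 and sending EHLO yourself) tells you which side of Google's statistic a given domain falls on; the stripped case is why a sender that only encrypts when the keyword happens to be present can still end up sending in the clear.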

Image Version

Email Encryption by Country 2016

 Attribution CC BY Creative Commons License

The XLSX file, Image, and Google Doc on this page (How Safe Is Your Email? Gmail Transport Encryption by Country) are released free of charge.

This license lets others distribute, remix, tweak, and build upon your work, even commercially, as long as they credit Tomachi Corporation for the original creation.

License Deed | Legal Code