Encrypted Messaging Tools for Pretty Good Privacy

In this day and age, with government spying, multi-nationals poised to take over, and hacker spies trying to get your blueprints, it pays to stay safe! Here is a selection of messaging encryption tools. Wickr is the best for ease of use because key management is fully automatic, messages self-destruct, and it offers perfect-forward-secrecy style messaging, with new keys for each message sent. For the more old-school types, it's worth looking at PGP, which started off as "Pretty Good Privacy" and has always had a good reputation. Later OpenPGP came along, from the world of open source. The trick with PGP is delivering your key to people somehow: say in the sig of your email, or linked from a third-party server using a short link.

The hard part with PGP is sending your public keys around the place. If you want to make it easy, log it with the PGP Global Directory. Then you can easily tell people that your public key can be looked up by its ID, 6F1D0462 (to send an email to my tom@funk.co.nz address on my laptop), without ever having prior contact with me. Handy for whistleblower journo types. Good for signing files and so forth. Or whack it on your website like I did below.

  • Wickr Top Secret Messenger is easiest to use, free, and most secure in many ways
    • Free here https://wickr.com/ for Android, Blackberry, iPhone, Mac, PC, Linux
    • Messages self destruct and are sent with new keys every time
    • Even if the keys for one message are “brute forced”, this only exposes that one message
  • S/MIME is likely to become the successor to OpenPGP
  • OpenPGP and GPG named tools allow you to encrypt and sign files and emails
  • Use an https-everywhere browser plugin
    • These will ping the site to check if it has a secure version available and switch to it
  • Install Tor Browser
  • Use a VPN
    • Hides your metadata from collection
    • Makes it impossible for eavesdroppers to see if you are even using Wickr, PGP, Tor etc.
    • Encrypts your entire internet connection and tunnels it out to another place on the net

What's the difference between S/MIME and OpenPGP?

This post from a cryptographer called Thomas Pornin puts it very nicely:

Summary: S/MIME and PGP both provide "secure emailing" but use distinct encodings, formats, user tools, and key distribution models.

S/MIME builds over MIME and CMS. MIME is a standard way of putting arbitrary data into emails, with a "type" (an explicit indication of what the data is supposed to mean) and gazillions of encoding rules and other interoperability details. CMS means "Cryptographic Message Syntax": it is a binary format for encrypting and signing data. CMS relies on X.509 certificates for public key distribution. X.509 was designed to support top-down hierarchical PKI: a small number of "root certification authorities" issue (i.e. sign) certificates for many users (or possibly intermediate CA); a user certificate contains his name (in an email context, his email address) and his public key, and is signed by a CA. Someone wanting to send an email to Bob will use Bob's certificate to get his public key (needed to encrypt the email, so that only Bob will be able to read it); verifying the signature on Bob's certificate is a way to make sure that the binding is genuine, i.e. this is really Bob's public key, not someone else's public key.

PGP is actually an implementation of the OpenPGP standard (historically, OpenPGP was defined as a way to standardise what the pre-existing PGP software did, but there now are other implementations, in particular the free open-source GnuPG). OpenPGP defines its own encryption methods (similar in functionality to CMS) and encoding formats, in particular an encoding layer called "ASCII Armor" which allows binary data to travel unscathed in emails (but you can also mix MIME and OpenPGP). For public key distribution, OpenPGP relies on Web of Trust: you can view that as a decentralised PKI where everybody is a potential CA. The security foundation of WoT is redundancy: you can trust a public key because it has been signed by many people (the idea being that an attacker "cannot fool everybody for a long time").

Theoretically, in an enterprise context, WoT does not work well; the X.509 hierarchical PKI is more appropriate, because it can be made to match the decisional structure of the envisioned companies, whereas WoT relies on employees making their own security policy decisions.

In practice, although most emailing software already implements S/MIME (even Outlook Express has implemented S/MIME for about a decade), the certificate enrolment process is complex with interactions with external entities, and requires some manual interventions. OpenPGP support usually requires adding a plugin, but that plugin comes with all that is needed to manage keys. The Web of Trust is not really used: people exchange their public keys and ensure binding over another medium (e.g. spelling out the "key fingerprint" -- a hash value of the key -- over the phone). Then people keep a copy of the public keys of the people they usually exchange emails with (in the PGP "keyring"), which ensures appropriate security and no hassle. When I need to exchange secure emails with customers, I use PGP that way.

OpenPGP is also used, as a signature format, for other non-email tasks, such as digitally signing software packages in some Linux distributions (at least Debian and Ubuntu do that).
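The "key fingerprint" mentioned above, and the short ID like 6F1D0462 used elsewhere on this page, are both derived from the public key packet itself. The following is an added example, not code from the page, from GnuPG or from Thomas Pornin: it builds a version-4 RSA Public-Key packet body from constructed (not real, and far too small to be secure) key material, computes the v4 fingerprint the way RFC 4880 section 12.2 defines it, derives the long and short key IDs from it, parses the packet back, and shows how to compare a fingerprint read out over the phone against the one on the local keyring. The function names and the sample values are this example's own assumptions.

```python
import hashlib
import struct

# Constructed sample key material for demonstration only: this is NOT a real
# key, and a modulus this small would never be used in practice.
SAMPLE_N = 0xC5A1F3E9B7D2A4F16E8C3B5D9A7F2E4C1B3D5F7A9C2E4B6D8F1A3C5E7B9D2F4B
SAMPLE_E = 65537
SAMPLE_CREATED = 1452000000  # constructed key creation time (seconds since the epoch)


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: a 2-byte big-endian bit count
    followed by the big-endian magnitude with no leading zero bytes."""
    bit_len = value.bit_length()
    return struct.pack(">H", bit_len) + value.to_bytes((bit_len + 7) // 8, "big")


def build_v4_rsa_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a version-4 Public-Key packet for RSA (RFC 4880 section 5.5.2):
    version byte 4, 4-byte creation time, algorithm id 1 (RSA), MPI n, MPI e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def parse_v4_rsa_public_key_body(body: bytes) -> tuple:
    """Inverse of build_v4_rsa_public_key_body; rejects anything unexpected."""
    if len(body) < 6 or body[0] != 4:
        raise ValueError("not a version-4 public key packet body")
    created = struct.unpack(">I", body[1:5])[0]
    if body[5] != 1:
        raise ValueError("only RSA (algorithm 1) is handled in this example")

    def read_mpi(pos: int):
        bits = struct.unpack(">H", body[pos:pos + 2])[0]
        nbytes = (bits + 7) // 8
        raw = body[pos + 2:pos + 2 + nbytes]
        if len(raw) != nbytes:
            raise ValueError("truncated MPI")
        return int.from_bytes(raw, "big"), pos + 2 + nbytes

    n, pos = read_mpi(6)
    e, pos = read_mpi(pos)
    if pos != len(body):
        raise ValueError("trailing bytes after the key material")
    return n, e, created


def fingerprint_v4(body: bytes) -> str:
    """V4 fingerprint (RFC 4880 section 12.2): SHA-1 over 0x99, the 2-byte body
    length, and the body. 0x99 is the old-format packet header byte for tag 6
    (Public-Key) with a two-octet length field."""
    framed = b"\x99" + struct.pack(">H", len(body)) + body
    return hashlib.sha1(framed).hexdigest().upper()


def key_id(fpr: str) -> str:
    """Long key ID: the low 64 bits (last 16 hex digits) of the fingerprint."""
    return fpr[-16:]


def short_key_id(fpr: str) -> str:
    """Short key ID, the 8-digit form like '6F1D0462': the low 32 bits."""
    return fpr[-8:]


def pretty_fingerprint(fpr: str) -> str:
    """Group the 40 hex digits in blocks of four, as key managers display them."""
    return " ".join(fpr[i:i + 4] for i in range(0, len(fpr), 4))


def fingerprints_match(spoken: str, local: str) -> bool:
    """Compare a fingerprint read out over the phone with the one on the local
    keyring. Both must be full 40-digit fingerprints: a short or long key ID
    is only a suffix of the fingerprint and is rejected here on purpose."""
    a = spoken.replace(" ", "").upper()
    b = local.replace(" ", "").upper()
    if len(a) != 40 or len(b) != 40:
        return False
    return a == b


if __name__ == "__main__":
    body = build_v4_rsa_public_key_body(SAMPLE_N, SAMPLE_E, SAMPLE_CREATED)
    fpr = fingerprint_v4(body)
    print("fingerprint :", pretty_fingerprint(fpr))
    print("long key ID :", key_id(fpr))
    print("short key ID:", short_key_id(fpr))
    print("round trip  :", parse_v4_rsa_public_key_body(body) == (SAMPLE_N, SAMPLE_E, SAMPLE_CREATED))
```

Because the creation time is hashed along with the key material, the same RSA modulus imported with a different creation timestamp yields a different fingerprint and a different key ID. When someone spells a fingerprint out over the phone, compare all forty digits rather than only the eight-digit short ID, since the short ID is just the tail of the fingerprint.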

Tomachi Corp's Public Key 6F1D0462

Tom Atkinson <tom@funk.co.nz>

You can use this key to encrypt and secure our messages with OpenPGP software on your computer after importing the public key into your local OpenPGP Key-Manager.

Download Tomachi Public Key (6F1D0462)

Comment: GPGTools - https://gpgtools.org
Comment: Tomachi 13inch Comment
How Safe Is Your Email? Gmail Transport Encryption by Country

Google has published data from 47,354 domains that it exchanges email with, showing what fraction of the traffic is protected from the view of packet sniffers in transit with TLS encryption. I filtered and crunched the data in Excel into this pivot table to show summaries per top-level domain (TLD), broken down by traffic region. It's an interesting snapshot of the state of the internet at this particular juncture in our history. Ecommerce started in 1996 with the first public release by Netscape of SSL v3, yet here we are in 2016 and some emails are still being sent in the clear. This is fast changing though with the revelations of Edward Snowden. Formats available: Excel working file with raw data; PNG image; 2-page PDF; Google Sheets.

Image Version

[Image: Email Encryption by Country 2016]

Attribution CC BY Creative Commons License

The XLSX file, Image, and Google Doc on this page (How Safe Is Your Email? Gmail Transport Encryption by Country) are released free of charge.

This license lets others distribute, remix, tweak, and build upon the work, even commercially, as long as they credit Tomachi Corporation for the original creation.

License Deed | Legal Code