In this day and age, with government spying, multinationals poised to take over, and hacker spies trying to get your blueprints, it pays to stay safe! Here is a selection of messaging encryption tools. Wickr is the best for ease of use because key management is fully automatic; it also offers self-destructing messages (best effort only: nothing stops a recipient screenshotting or photographing a message before it expires) and perfect-forward-secrecy style messaging that uses a fresh key for every message sent. For the more old-school types, it's worth looking at PGP, which started off as "Pretty Good Privacy" and has always had a good reputation. OpenPGP is the open standard (RFC 4880) that was later written down from it, and GnuPG (GPG) is the free open-source implementation most of the tools below are built on. The trick with PGP is getting your public key to people somehow: in the sig of your email, on a third-party keyserver, or linked from your site with a short link.
The hard part with PGP is getting your public key to people. If you want to make it easy, register it with the PGP Global Directory. Then you can tell people that your public key can be fetched by key ID 6F1D0462 (the key for my firstname.lastname@example.org address on my laptop), without ever having prior contact with me. Handy for whistleblower journo types, and good for signing files and so forth. Or whack it on your website like I did below. One caveat: an 8-hex-digit ID like that is a "short key ID", only 32 bits, and keys that collide with a given short ID are cheap to generate, so whoever fetches a key by short ID should compare its full 40-hex-digit fingerprint with you over another channel (phone, in person) before trusting it.
- Wickr Top Secret Messenger is the easiest to use, free, and the most secure of these in several respects
  - Free from https://wickr.com/ for Android, BlackBerry, iPhone, Mac, PC and Linux
  - Messages self-destruct, and each message is encrypted under a fresh key
  - Even if the key for one message is "brute forced", only that one message is exposed (forward secrecy)
- S/MIME is the other widely deployed email encryption standard; it is a parallel to OpenPGP rather than its successor (see the comparison below)
  - Support for it is built into the BlackBerry operating system: http://support.blackberry.com/kb/articleDetail?ArticleNumber=000025677
- OpenPGP tools (GnuPG, usually called GPG, and the front ends built on it) let you encrypt and sign files and emails
  - For Mac OS, https://gpgtools.org/ is an OpenPGP suite that plugs into Apple Mail and also installs the GnuPG binary that Thunderbird's Enigmail add-on relies on
  - For Windows: https://www.gpg4win.org/
  - For Gmail and other webmail, the Mailvelope browser extension makes it easy: https://www.mailvelope.com/
  - For Android, OpenKeychain: Easy PGP: https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain
  - For iOS, iPGMail on the App Store: https://itunes.apple.com/app/ipgmail/id430780873?mt=8
  - For BlackBerry OS, try these paid apps:
    - http://securemobile.me/pricing/ Looks nice
    - https://appworld.blackberry.com/webstore/content/47148895/?lang=en It's on BlackBerry App World, $3.59
    - http://www.atomichelix.com/bbpgp/index.html Looks outdated
- Use the HTTPS Everywhere browser plugin
  - It ships a ruleset of sites known to support HTTPS and rewrites your requests to the secure version, so you don't silently fall back to plain HTTP
- Install Tor Browser
  - Lets you browse the web anonymously without a VPN
  - Access hidden sites (.onion services)
- Use a VPN
  - Hides your traffic metadata from your local network and ISP
  - Eavesdroppers on your connection see only the VPN tunnel, not whether you are using Wickr, PGP, Tor etc.; the VPN provider itself, however, can see everything you send through it
  - Encrypts all your internet traffic and tunnels it out to the provider's exit point elsewhere on the net
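The Wickr bullets above describe a per-message key ratchet: every message gets its own key, and recovering one key exposes only that message. Here is an added example of that construction in Python; it is not Wickr's code or protocol. It assumes a generic HMAC-SHA256 "chain key to message key" ratchet (the construction Signal also uses) and a toy SHA-256 counter-mode keystream so that it runs with only the standard library; the keystream is not a substitute for a real AEAD, and the messages and root key are constructed.

```python
"""Added example (not Wickr's code or protocol): a symmetric key ratchet
that gives every message its own key. HMAC-SHA256 chain, toy SHA-256
counter-mode keystream; standard library only, illustration only."""
import hashlib
import hmac


def kdf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def ratchet_step(chain_key: bytes):
    """Derive (message_key, next_chain_key). HMAC is one-way, so holding
    next_chain_key does not let you recover chain_key or message_key."""
    return kdf(chain_key, b"message"), kdf(chain_key, b"chain")


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with SHA-256(key || counter) blocks."""
    stream = b"".join(
        hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        for i in range((len(data) + 31) // 32)
    )
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_stream(root_key: bytes, plaintexts):
    """Sender: one fresh message key per message; the chain key it came
    from is overwritten immediately, so the sender keeps no past keys."""
    chain, out = root_key, []
    for i, pt in enumerate(plaintexts):
        mk, chain = ratchet_step(chain)
        out.append((i, keystream_xor(mk, pt)))
    return out


def decrypt_stream(root_key: bytes, ciphertexts):
    """Receiver: walks the same chain (in-order delivery assumed here;
    a real implementation caches keys for out-of-order messages)."""
    chain, out = root_key, []
    for _, ct in ciphertexts:
        mk, chain = ratchet_step(chain)
        out.append(keystream_xor(mk, ct))
    return out


def chain_key_at(root_key: bytes, index: int) -> bytes:
    """The chain key in force just before message `index` is sent."""
    chain = root_key
    for _ in range(index):
        _, chain = ratchet_step(chain)
    return chain


def message_key_at(root_key: bytes, index: int) -> bytes:
    return ratchet_step(chain_key_at(root_key, index))[0]


def attacker_with_message_key(mk: bytes, ciphertexts):
    """Attacker who brute-forced or stole ONE message key and tries it on
    every ciphertext: only the matching message comes out as plaintext."""
    return [keystream_xor(mk, ct) for _, ct in ciphertexts]


def attacker_with_chain_key(chain: bytes, ciphertexts, start: int):
    """Attacker who stole the chain key at step `start`: reads that message
    and every later one, but the chain cannot be run backwards, so the
    messages before `start` stay sealed (forward secrecy)."""
    recovered = {}
    for i, ct in ciphertexts:
        if i < start:
            continue
        mk, chain = ratchet_step(chain)
        recovered[i] = keystream_xor(mk, ct)
    return recovered


if __name__ == "__main__":
    root = bytes(range(32))                     # constructed shared secret
    msgs = [b"meet at 9", b"bring the blueprints", b"this self-destructs"]
    cts = encrypt_stream(root, msgs)
    assert decrypt_stream(root, cts) == msgs
    leaked = attacker_with_message_key(message_key_at(root, 1), cts)
    print([p == m for p, m in zip(leaked, msgs)])             # [False, True, False]
    print(sorted(attacker_with_chain_key(chain_key_at(root, 1), cts, 1)))  # [1, 2]
```

The point to take away is the asymmetry: a stolen message key unlocks exactly one message, and a stolen chain key unlocks the future but never the past, which is why the client must actually delete old chain keys rather than keep them around.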
What's the difference between S/MIME and OpenPGP?
This post from a cryptographer called Thomas Pornin puts it very nicely:
Summary: S/MIME and PGP both provide "secure emailing" but use distinct encodings, formats, user tools, and key distribution models.
S/MIME builds over MIME and CMS. MIME is a standard way of putting arbitrary data into emails, with a "type" (an explicit indication of what the data is supposed to mean) and gazillions of encoding rules and other interoperability details. CMS means "Cryptographic Message Syntax": it is a binary format for encrypting and signing data. CMS relies on X.509 certificates for public key distribution. X.509 was designed to support top-down hierarchical PKI: a small number of "root certification authorities" issue (i.e. sign) certificates for many users (or possibly intermediate CA); a user certificate contains his name (in an email context, his email address) and his public key, and is signed by a CA. Someone wanting to send an email to Bob will use Bob's certificate to get his public key (needed to encrypt the email, so that only Bob will be able to read it); verifying the signature on Bob's certificate is a way to make sure that the binding is genuine, i.e. this is really Bob's public key, not someone else's public key.
PGP is actually an implementation of the OpenPGP standard (historically, OpenPGP was defined as a way to standardise what the pre-existing PGP software did, but there now are other implementations, in particular the free open-source GnuPG). OpenPGP defines its own encryption methods (similar in functionality to CMS) and encoding formats, in particular an encoding layer called "ASCII Armor" which allows binary data to travel unscathed in emails (but you can also mix MIME and OpenPGP). For public key distribution, OpenPGP relies on Web of Trust: you can view that as a decentralised PKI where everybody is a potential CA. The security foundation of WoT is redundancy: you can trust a public key because it has been signed by many people (the idea being that an attacker "cannot fool everybody for a long time").
Theoretically, in an enterprise context, WoT does not work well; the X.509 hierarchical PKI is more appropriate, because it can be made to match the decisional structure of the envisioned companies, whereas WoT relies on employees making their own security policy decisions.
In practice, although most emailing software already implements S/MIME (even Outlook Express has implemented S/MIME for about one decade), the certificate enrolment process is complex, with interactions with external entities, and requires some manual interventions. OpenPGP support usually requires adding a plugin, but that plugin comes with all that is needed to manage keys. The Web of Trust is not really used: people exchange their public keys and ensure binding over another medium (e.g. spelling out the "key fingerprint" -- a hash value of the key -- over the phone). Then people keep a copy of the public keys of the people they usually exchange emails with (in the PGP "keyring"), which ensures appropriate security and no hassle. When I need to exchange secure emails with customers, I use PGP that way.
OpenPGP is also used, as a signature format, for other non-email tasks, such as digitally signing software packages in some Linux distributions (at least Debian and Ubuntu do that).
Tom Atkinson <email@example.com>
You can use this key to encrypt messages to me with OpenPGP software on your computer after importing the public key into your local OpenPGP key manager. Once imported, check that the key's fingerprint ends in 6F1D0462 and, better still, confirm the full fingerprint with me over another channel before relying on it.
Download Tomachi Public Key (6F1D0462)
-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: GPGTools - https://gpgtools.org
Comment: Tomachi 13inch Comment
-----END PGP PUBLIC KEY BLOCK-----
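The key block above is OpenPGP "ASCII Armor" around a binary public-key packet, and the ID 6F1D0462 handed out earlier is just the last 8 hex digits of that packet's fingerprint. The following is an added example, not the author's tooling or GnuPG code, that builds a minimal v4 RSA public-key packet, armors it, parses it back and derives the fingerprint, long key ID and short key ID, following RFC 4880 (packet headers sec. 4.2, public-key packet sec. 5.5.2, fingerprint sec. 12.2, armor and CRC-24 sec. 6). It uses only the standard library. The modulus is a tiny constructed value, not a usable key, and the `demo()` wrapper is just the example's own entry point.

```python
"""Added example (not the page author's tooling or GnuPG): OpenPGP v4
public-key packet, ASCII armor, CRC-24, fingerprint and key IDs per
RFC 4880. The RSA modulus used by demo() is constructed and tiny."""
import base64
import hashlib
import struct

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB


def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 6.1: catches transit damage, not tampering."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def mpi(value: int) -> bytes:
    """Multi-precision integer: 2-byte bit count, then big-endian magnitude."""
    size = (value.bit_length() + 7) // 8
    return struct.pack(">H", value.bit_length()) + value.to_bytes(size, "big")


def public_key_body(n: int, e: int, created: int) -> bytes:
    # version 4, creation time, algorithm 1 (RSA), then the public MPIs n and e
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def wrap_packet(tag: int, body: bytes) -> bytes:
    """Old-format packet header with a 2-byte length. For tag 6 the header
    byte is 0x99, the same byte the fingerprint hash starts with."""
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body


def fingerprint(body: bytes) -> str:
    """v4 fingerprint = SHA-1(0x99 || 2-byte length || key packet body)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def key_ids(fp: str):
    """Long key ID = low 64 bits of the fingerprint, short key ID = low 32 bits.
    A short ID such as 6F1D0462 is therefore only 32 bits and is not unique."""
    return fp[-16:], fp[-8:]


def armor(packet: bytes, kind: str = "PGP PUBLIC KEY BLOCK") -> str:
    b64 = base64.b64encode(packet).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc_line = "=" + base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN {kind}-----", "Comment: constructed example", ""]
                     + lines + [crc_line, f"-----END {kind}-----"]) + "\n"


def dearmor(text: str) -> bytes:
    lines = text.strip().splitlines()
    if not (lines[0].startswith("-----BEGIN ") and lines[-1].startswith("-----END ")):
        raise ValueError("not an armored block")
    body = lines[1:-1]
    if "" in body:                      # armor headers end at the first blank line
        body = body[body.index("") + 1:]
    if not body or not body[-1].startswith("="):
        raise ValueError("missing CRC-24 line")
    data = base64.b64decode("".join(body[:-1]))
    if crc24(data) != int.from_bytes(base64.b64decode(body[-1][1:]), "big"):
        raise ValueError("CRC-24 mismatch: block was corrupted in transit")
    return data


def parse_public_key(packet: bytes) -> dict:
    """Parse one old-format tag-6 packet holding a v4 RSA key (all this handles)."""
    head = packet[0]
    if (head & 0xC0) != 0x80 or ((head >> 2) & 0x0F) != 6 or (head & 3) != 1:
        raise ValueError("expected an old-format public-key packet with 2-byte length")
    (length,) = struct.unpack(">H", packet[1:3])
    body = packet[3:3 + length]
    if len(body) != length or body[0] != 4 or body[5] != 1:
        raise ValueError("truncated packet, or not a v4 RSA key")
    created = struct.unpack(">I", body[1:5])[0]
    pos, values = 6, []
    for _ in range(2):                                   # n, then e
        bits = struct.unpack(">H", body[pos:pos + 2])[0]
        size = (bits + 7) // 8
        values.append(int.from_bytes(body[pos + 2:pos + 2 + size], "big"))
        pos += 2 + size
    return {"created": created, "n": values[0], "e": values[1], "fingerprint": fingerprint(body)}


def demo():
    """Round trip on a constructed, non-usable key; returns what the test checks."""
    n, e, created = 0xC0FFEE123456789ABCDEF00BADF00D1337, 65537, 1400000000
    armored = armor(wrap_packet(6, public_key_body(n, e, created)))
    info = parse_public_key(dearmor(armored))
    long_id, short_id = key_ids(info["fingerprint"])
    return armored, info, long_id, short_id


if __name__ == "__main__":
    armored, info, long_id, short_id = demo()
    print(armored)
    print("fingerprint", info["fingerprint"], "long", long_id, "short", short_id)
```

The CRC-24 line at the end of an armored block only detects corruption in transit; it is not a signature, so a mangled or substituted block can be regenerated with a valid checksum by anyone. What actually binds a key to a person is comparing the full fingerprint (`gpg --fingerprint` on an imported key) over a second channel, which is why handing out only the short ID is convenient for lookup but not sufficient for trust.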