Silk Road forums
Discussion => Security => Topic started by: flipside on May 27, 2012, 09:57 pm
-
We have been looking into various new ways for newbies to easily use GPG to communicate with us. 'Privacybox.de' is one good option 'if' used correctly, but with no STMP, it's a 'one-way street'. (A GOOD thing, if intended to be used as such).
However, after looking more into Countermail (although at first glance it seems to be a just another possible Hushmail clone) it seems you can have them delete your private key from their server and have it stored on your own computer instead:
http://securitynirvana.blogspot.de/2012/05/countermail-protecting-your-privacy.html
My question is this (for anyone who might have experience using it). After downloading the private key from CM (and having it deleted from their server) does the user then still have to have the GPG software installed and running on their computer after choosing this option?
Or does Countermail simply allow you to use their 'built-in' GPG, allowing the user to then simply keep their private key stored on their computer, and then Countermail points at it does the rest? Kind of like PB does (only slightly different)?
If so, this would be a (possible) good "2-way" option I believe, no? And I "kind of" like their (optional) USB stick option as well, allowing only the one with access to the flash drive to access that specific email account. If it's anything like the technology I think it might be, this kind of 'dongle' protection has been proven pretty effective. (Just try finding a recent "working" torrent of Cubase, fx.).
Additionally, since their servers are based in Sweden, does any have any idea how International Treaty's might apply in this situation vs. Hushmail? Have their been any similar incidents with Countermail? None I can find.
Thanks all! :)
Peace
The Flipside Crew
-
My question is this (for anyone who might have experience using it). After downloading the private key from CM (and having it deleted from their server) does the user then still have to have the GPG software installed and running on their computer after choosing this option? Or does Countermail simply allow you to use their 'built-in' GPG, allowing the user to then simply keep their private key stored on their computer, and then Countermail points at it does the rest? Kind of like PB does (only slightly different)?
I don't know how Countermail does it, but consider that if you use software run by Countermail, at some point in the decryption process you would have to hand your private key over to them. There's no other way their software could decrypt the messages. That doesn't make sense for you from a security standpoint. You might as well leave the key on their servers.
There's a reason why Fastmail won't implement PGP in the web interface[1]. It just isn't safe, and Hushmail is proof of that. The only secure way to use PGP is to keep the private key and software on your own computer.
If Countermail is serious about security, then deleting the private key from their servers would necessitate that you run your own PGP software.
Additionally, since their servers are based in Sweden, does any have any idea how International Treaty's might apply in this situation vs. Hushmail? Have their been any similar incidents with Countermail? None I can find.
The Swedish government is probably less susceptible to outside influences than the Canadian government is susceptible to American influence, if that's what you mean, but considering that PGP isn't that hard to learn, leaving your security in the hands of Countermail (or any third party) means that you're accepting a big risk for a little convenience.
[1] https://fastmail.fm/help/overview_security.html
"Providing secure end-to-end encryption via webmail is impossible. There are basically two options, both flawed."
-
I agree acidrock. And that was my my primary concern from the start.
From my research so far, it seems indeed although you are able to (if you trust them to) delete your assigned private key from their server, and then create your own, CM then (unfortunately) uses Java to access your new private key on your computer/flashdrive, ect. This 'mozdev' leaves A LOT to be desired. But still seems FAR safer than Hush in this respect, and a better option for those new to GPG needing a webmail interface from an offshore GPG email provider.
A very respected and reliable SR member (wishing to remain anonymous) has contacted us privately and mentioned words to this effect:
You can audit the script. And he/she had someone he/she trusts do just that, and they felt it was ok.
https://countermail.com/?p=keyfile
So the script 'can' be peer-reviewed. I'd be curious if others have or would like to do this?
It seems in general CM do not intend to be an Hush-clone, and we "may" consider accepting emails thru them after more research, with perhaps a few workarounds.
Fx, another alternative 'might' be (please correct me if I'm wrong) to generate our own private key(s) which we could give to newbies to use with CM, which they could then simply store on their laptop/flashdrive without having to install GPG software on their computer. With each email being encrypted to unique CM email addresses.
"If" this is possible (or even safe to do) I'd imagine as long as each customers individual emails were transmitted safely to us first our Privacybox, could this maybe just 'might' be a possibility?
It's been a long day. So any thoughts would be appreciated.
Additionally, I found this floating around the internetz regarding Swedish laws and email providers, but have not yet been able to verify it. Sounds promising though.
-------
"Swedish law does not allow government agencies to force email providers to comply. Not even through court order. Telecom-companies (internet, phone and so on) may be forced to comply and spy on their customers but email-providers are not included. The only thing a government agency may do to Countermail is to seize the data of a particular user. But the only thing the agency would have in cleartext are the times/dates and address of undeleted mails sent and received…the email bodies and attachments would all be encrypted even if sent to somebody who does not support PGP-encryption (like Hotmail, Gmail). That is the major difference towards services like Hushmail – and also that Countermail does not log any IP-addresses. Ever. In addition to that, a deleted email is permanently deleted in Countermail whereas in most other services it is retained for a while (for instance in Hushmail it is retained a month and IP’s are logged for 30 months)."
-----------
So yeah...? No? Maybe? Let's just get high instead? ;)
-
Additionally, I feel if it is possible for Privacybox.de to allow anyone to upload a public GPG key and have the Tor-protected message be auto-encrypted, then forwarded (or mixmastered) to any destination one may choose, this 'should' be easy to implement using the PM system here as well, no?
Allowing vendors and buyers alike the option to upload a public key so ALL pm's are GPG encrypted and (optionally) forwarded off-site (and off the SR server entirely) before being decrypted. This would be a nice option. If it works for them...????
Additionally, it would be nice if SR could take it even 'one step further' and implement a system similar to CM (allowing any new user/member to simply generate and store a private key in a text file on their computer/flash drive). This would allow all users (new and old) to basically use the PM system to "auto-encrypt" PM's using GPG "both-ways" (without any private keys being stored on the SR server (which could then again have the option of being forwarded by the recipient/vendor).
Obviously, if Java "were" required to access members private keys, the script could be easily peer-rewied, and I think most of us would trust a similar system implemented by SR vs. pretty much "anyone" else.
But a non-java option or some other way to possibly dual-encrypt private keys (or something along those lines) before being (temporarily) uploaded then immediately deleted even? I have think I have seen something similar as an option with a mixmastering service, but am far from an expert. Would something like this it even be possible?
DPR? Mods? Geeks? Any chance of this happening?
If other websites can offer these options I see absolutely no reason why SR shouldn't be able to implement something similar, essentially turning the existing PM system into an (optional) auto-GPG encrypted messsaging/email forwarding system?
I'm also assuming projects like the German Privacy Foundation aren't receiving anywhere near the massive amounts of commi$$ion that SR is. I "personally" can't think of any reason why either of these options couldn't be implemented, but PLEASE...
Correct me if I am wrong?
If this were "doable", I'm pretty certain it would be the "ultimate" firewall from the feds. If all communications were GPG encrypted, they would NEVER even bother with SR! Seriously! Think about it!
A Tor-hidden server, using GPG to auto-encrypt and forward all messages/shipping details, ect, with NO private keys stored on the server? Leaving the option for vendors to take things a step further and re-mail again from the address they may choose upload to SR as well?
If this kind of of security were implemented it would NOT be worth their time. Period. At least in the foreseeable future. And as long as the servers can stay 'hidden' of course. Something getting harder to do with each passing day. But still...
Am I completely wrong? I don't 'think' so? Correct me if I'm wrong, but other 'well less-funded' sites are offering these services for FREE! So.....
Any thoughts?
Peace
TFC
(You may now feel free to give us more negative karma. Thank you very much for your ridiculousness)
-
From my research so far, it seems indeed although you are able to (if you trust them to) delete your assigned private key from their server, and then create your own, CM then (unfortunately) uses Java to access your new private key on your computer/flashdrive, ect. This 'mozdev' leaves A LOT to be desired. But still seems FAR safer than Hush in this respect
Actually, this is exactly how Hushmail does it. From the Fastmail web site, this is the second "flawed" option.
Use javascript/java to encrypt email on the users browser
In theory because the javascript/java has to run on the user's browser, the user could look at the code to see it's secure, but the reality is that no-one would really ever do that, and there's nothing stopping someone sending a javascript/java program that sends the encrypted email back to the server, as well as the encryption key, so the server can decrypt it.
Famously Hushmail, which allows you to use both of these options, recently admitted that the US government compelled them to turn over the unencrypted emails of a number of users.
You don't want to use any JS/Java from a third party.
A very respected and reliable SR member (wishing to remain anonymous) has contacted us privately and mentioned words to this effect:
You can audit the script. And he/she had someone he/she trusts do just that, and they felt it was ok.
https://countermail.com/?p=keyfile
So the script 'can' be peer-reviewed. I'd be curious if others have or would like to do this?
The problem with this is that you have to audit the code *every time*, because they could modify the code at will. In fact, that's how Hushmail does it. They don't normally send code that steals the passwords to people's keys (stored on Hushmail servers). They only do that when they get a Canadian court order.
It would be easier (and safer) to manage the PGP stuff on your own computer.
Fx, another alternative 'might' be (please correct me if I'm wrong) to generate our own private key(s) which we could give to newbies to use with CM, which they could then simply store on their laptop/flashdrive without having to install GPG software on their computer. With each email being encrypted to unique CM email addresses.
"If" this is possible (or even safe to do) I'd imagine as long as each customers individual emails were transmitted safely to us first our Privacybox, could this maybe just 'might' be a possibility?
I don't follow. You need a program that follows the PGP protocol and knows what to do with the private key.
-
Well acidrock. I completely agree.
Which I guess is why I posted the other post after the one you are quoting. Re: SR implementing these things
"Turn-key GPG" IS s possibility. It's being done and offered for FREE on other sites. And as I mentioned, I think we ALL would trust SR to impelment such a system vs. ANY other "third-party".
"At least" the first option , similar to Privacybox, should be be more than easily implemented. Meaning that, by simply uploading a public key (and an optional email address) to the SR server, EVERY single PM a vendor gets will be "auto-encrypted" using GPG and forwarded wherever they may choose, if they choose. And they 'should' choose.
The second option I agree is 'up in the air'. But I think if it were an optional feature which those that "trust" SR/DPR chose to use, it would only serve to further enhance the security of the entire community.
Or call me crazy. I am. Whateverz... ;)
Peace
-
I've already mentioned adding in Mixmastering.
What I mean by "Turn-key" is allowing any member/vendor to upload their public key and (optional) email allowing every (Tor-protected) PM to be auto-encrypted using GPG before being sent to the intended recipient, either via PM or being forwarded (and mixmastered?) to any (hidden) email one might choose, at least "one-way". Similar to "Privacybox.de". We were forced to remove our contact email entirely for this very reason due to unsolicited, unencrypted emails potentially compromisng customer safety due to programs like NarusInsight, ect.:
https://en.wikipedia.org/wiki/NarusInsight
At least that way every new member has the option to use GPG to encrypt their shipping details, ect to a vendor, even if they don't fully get GPG yet. As a vendor ourselves, we would prefer ALL messages be encrypted using GPG, and that is how we have ALWAYS done business before setting up shop here on the Road.
The security of the SR-PM and ordering system here leaves a lot to be desired, imo.
And in the opinion of more than a few of our customers as well. ;)
Peace
-
PrivacyBox is a service run by the German Privacy Foundation. It allows you to setup a drop-box of sorts, into which people can drop (i.e. paste) messages intended for you. These messages can be encrypted with a PGP public key that you supply. The message is sent through an anonymous remailer, so there is no way for the recipient to know who sent the message, unless the sender explicitly includes some identifying information inside the message.
Minor correction: ;)
GPF's Privacybox service allows you to simply forward your messages if you choose, but the choice to remail/cypherpunk/mixmaster them after that is up to the recipient. Although it does remove all email and IP info from the headers, making the sender anonymous in that regard.
It is their 'other' service, [awxcnx.de]:
Tor-hidden service: http://a5ec6f6zcxtudtch.onion/mm-anon-email.htm
...that allows anyone to send an anonymous, mixmastered email. Although this service is NOT "auto-encrypted" whatsoever, and simply allows anyone to send an anonymous, mixmastered email. So it is VERY important to 'pre-encrypt' your message before sending via this method. Which quite honestly can take DAYS at times to arrive. With this 'easy-to-use', online, service at least. But it does indeed make your messages untraceable.
And are indeed both run by the German Privacy Foundation. And both great services.
Peace :)