Archive for the ‘Privacy’ Category

Trusting Trusted CAs

2013-10-09

Like it or not, much of the trust on the Internet rests on Certificate Authorities (CAs).  Companies like Verisign, GoDaddy, and GeoTrust are in the trust business.  They will sell you cryptographic proof of ownership of your Internet assets (namely your domain name) that others can use to verify that when they visit your website they are actually visiting your website and not some lookalike website.  This is important, as you don’t want to give your bank login credentials to a lookalike web page that really isn’t your bank.

The trouble is, how do you know the CAs are doing their due diligence and not just issuing certificates to people who merely claim to own a particular domain name?  Well, I’m not sure we do know, as users.  Mozilla, like other browser vendors, has a policy for including CAs in its browser, but a quick look at the list of CAs that are already in Firefox shows that we as users probably can’t go behind and verify them all.

If I were a conspiracy theorist I would be looking real hard at what the Electronic Frontier Foundation (EFF) recently released about the NSA spying program.  According to their research (and that of the Guardian and others) the NSA is actively performing man-in-the-middle (MITM) attacks to get malware into computers.  This malware allows the NSA (and anyone else capable of accessing these infected computers) to circumvent protections put in place to keep information passed over the Internet secure.  To do these MITM attacks one would need to provide users with a valid SSL certificate if they happen to be visiting a site that is supposed to be secured.  The only way of doing this is to either obtain the SSL certificates from the real sites or to create their own and have them signed by a trusted CA.  With that in mind, I wonder which option is more probable?

It’s good to note that these types of attacks are not solely done by the NSA.  Gaining access to computers is a very profitable business and one that people other than governments can do.  It’s important to protect yourself against these attacks and be smart when surfing the Internet.  The end of the EFF story contains information on how to protect your computer (and yourself) and is a good read for everyone.

SFGate: If You Send To Gmail, You Have ‘No Legitimate Expectation Of Privacy’

2013-08-15

Not that this is really news, but if you hand your message to a third party for delivery you have no expectation of privacy.  Agree with it or not, that’s the way it is inside the United States.  This is why it is important for people to use end-to-end encryption (like GnuPG) to protect the contents of messages being sent through any email provider.  The same goes for using any instant messenger service, SMS, or telephone that uses a third-party provider.

This isn’t anything new, really.  Ever since the telegraph was invented people have encrypted messages before handing them to a third party for delivery.  The Enigma machine was actually developed as a business tool that was later used by the German military during World War II.  Businesses needed to protect their communications during transit across a third party.  Today there isn’t a person sending your message to a distant point but rather a computer system that can not only efficiently and accurately send your message across distant lands but can also make a copy of that message and share it with whomever its operator wishes.

While it has become easier for companies to share your messages with governments and third parties it has also become easier to protect your messages with encryption.  The question now is how to make this technology easier for people to use and, perhaps more importantly, make people care about securing their messages.  This last part is probably most important.

We’ve been kicking the ball down the field for a while.  When Google implemented TLS encryption for its Gmail service people raved about the security measure.  Sure, what they did was important as it prevented anyone watching the network traffic between the user and Google from seeing what was happening.  But that left Google having open access to the contents of the messages being sent.  This is the case for all email providers that use TLS encryption to secure the communications between users and their servers.  Now is the time to fill that gap.  How to do that easily is still up for debate.

The Police State: History repeats itself.

2013-08-01

If you’ve done any reading of 20th century European history then this story will seem familiar.  Back then there were places where you had to be careful about what you said to whom.  It could really be anything you said to any number of people including close friends, family members, and business associates.  Conversations, even out of context comments, could be used against you for any reason.  Trumped up charges or a violation of some old, obscure law could get you detained by the police or worse.

Here in the United States we had our constitution and, more importantly, the Bill of Rights to protect people from an over-reaching government.   We didn’t see first-hand what many Europeans did.  We felt protected based on a few words written down on paper.  We became complacent.

An article was shared with me earlier today.  The Guardian retells the story of police coming to someone’s home and interrogating the resident based on their Google searches and what they have viewed on the Internet.

Some might say “but after <fill in the event here> we have to do something so it won’t happen again”.  Sure, there are things that need to happen to help prevent such future activities but “doing something” isn’t a real solution.

Fear drives power and if there is power up for grabs then the scariest thing wins.  Detonate a bomb and you get fear.  Unfortunately talking about detonating a bomb usually generates more fear.  Many people will give up nearly everything just to have someone tell them that they are safe.  Right now privacy is what’s taking most of the hits and it’s easy to understand why.  It’s easy to control people, make a lot of money, and generally be able to “terrorize” anyone you don’t like when you have the keys to their thoughts.  Having access to people’s thoughts is even easier today than it was fifty years ago.  Today people talk via email, IM, and other digital means that generally go through a few centralized servers.  Get to the servers and you’ve got access to the thoughts and feelings of millions of people.  You now have leverage over almost anyone you wish.

Unless we want history to repeat itself we need to stand up to these types of actions.  It is not okay to go sifting through my Internet searches.  It is not okay to read my email.  It is not okay to come to my home and interrogate me and my family.  It’s time for this to stop.

Categories: Privacy

Tor and HTTPS

2013-07-17

An excellent description of how Tor and HTTPS can help protect your online privacy and secure your web communications.

Lawmakers of both parties voice doubts about NSA surveillance programs

2013-07-17 2 comments

I’m happy to read the Washington Post story discussing the House committee’s hearing on the NSA’s domestic spying programs.  It’s encouraging that both parties aren’t happy with the programs and that “…there are not enough votes in the House now to renew Section 215 [of the Patriot Act] when the law is revisited.”

Of course the wrong arguments were being made by Stewart Baker, the former NSA general counsel.  Using fear mongering techniques, Baker talked about the failures of the NSA prior to September 11th (which was an investigation failure and not an intelligence failure) and how the “hyped and distorted press reports orchestrated by Edward Snowden” were out to harm the intelligence agencies.  Baker should have been addressing the civil liberties that are being put at risk and the risks to the First and Fourth Amendments.

Needless to say, I’ll be following these hearings closely.

Categories: Privacy, Security

Privacy articles to read

2013-07-09 1 comment
Categories: Privacy

Secure GnuPG configuration

2013-07-09 3 comments

Someone recently asked what my gpg.conf file looks like since he hadn’t updated his in… years.  Okay, let’s take a look and I’ll try to explain what each setting is and why I feel it is important.  I’m not guaranteeing this as being complete and I welcome input from others.

keyserver-options auto-key-retrieve

This says that if a program needs a public key that is not in my keyring, it should automatically reach out to the keyserver (see below) and download it.

use-agent

This says to use the GPG agent. I cannot remember, right now, why this was a good idea. Perhaps it isn’t?

auto-key-locate cert pka ldap hkps://hkps.pool.sks-keyservers.net
keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options ca-cert-file=/etc/ssl/certs/sks-keyservers.netCA.pem
keyserver-options no-honor-keyserver-url
keyserver-options auto-key-retrieve

Almost the fun stuff there.  This is just setting up the keyserver that I wish to use (note the use of hkps instead of hkp).

default-preference-list AES AES192 AES256 TWOFISH SHA1 SHA224 SHA256 SHA384 SHA512 Uncompressed ZIP ZLIB BZIP2
personal-cipher-preferences AES256 TWOFISH AES192 AES
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
personal-compress-preferences BZIP2 ZLIB ZIP

Okay, the fun stuff. These are all the algorithms that I wish to use. If you set up your GPG key to advertise these then it will make it easier for others to use the most secure algorithms since they will already know what you can do. The first line just lists all the preferences. The second, third, and fourth lines actually provide the preferences in the order in which they are used. Note that my preferred cipher is AES with a 256-bit key and my preferred hash (digest) is SHA with a 512-bit digest.  There are other options available and a quick

gpg --help

should provide what options are available to you. For instance, my current installation says that its supported algorithms are:

Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

I’ve omitted 3DES, MD5, and SHA1 from my preferences due to their weaknesses but I could still use them according to my GnuPG software.

Again, this wasn’t meant to be a strict “thou must do this to be secure” but rather a “this is what I’m doing” sort of thing. I’d appreciate feedback!

Inadvertent data leakage from GnuPG

2013-07-01 10 comments

I was recently introduced to a privacy issue that arises when refreshing your OpenPGP keys using GnuPG.  When refreshing your public key ring from a public key server, GnuPG will generally use the OpenPGP HTTP Key Protocol (HKP) to synchronize keys.  The problem is that when you do refresh your keys using HKP, the identity of everyone that you maintain in your public key ring is sent across the Internet unencrypted.  This can allow anyone monitoring your network traffic to receive a complete list of the contacts with whom you may hope to use OpenPGP.

The fix is quite simple: in your gpg.conf file make sure that your keyserver entries include hkps:// instead of hkp://.  This will force GnuPG to wrap HKP in SSL to keep the key exchange private.
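A small checker for the two points made in this post and in the gpg.conf post above: keyserver entries that still use hkp://, and preference lists that name 3DES, MD5 or SHA1. This is an added example, not the author's code; the function name, finding codes and the keys.example.org host are made up for illustration, and treating a keyserver value with no scheme as HKP is an assumption about gpg's default.

```python
WEAK_ALGOS = {"3DES", "MD5", "SHA1"}  # the algorithms the post names as weak
PREF_OPTIONS = {"default-preference-list", "personal-cipher-preferences",
                "personal-digest-preferences"}

def audit_gpg_conf(text):
    """Return a list of (line_no, code, detail) findings for gpg.conf text."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        option, values = parts[0].lower(), parts[1:]
        if option in ("keyserver", "auto-key-locate"):
            for value in values:
                scheme, sep, _ = value.partition("://")
                # auto-key-locate also takes mechanism names (cert, pka, ldap), so
                # only URLs are checked there; a bare keyserver host is assumed HKP.
                cleartext = ((sep and scheme.lower() == "hkp")
                             or (not sep and option == "keyserver"))
                if cleartext:
                    findings.append((line_no, "CLEARTEXT_HKP", value))
        elif option in PREF_OPTIONS:
            for value in values:
                if value.upper() in WEAK_ALGOS:
                    findings.append((line_no, "WEAK_ALGO", f"{option} {value}"))
    return findings

# Keyserver and preference lines copied from the gpg.conf post above.
POSTED_CONF = """\
auto-key-locate cert pka ldap hkps://hkps.pool.sks-keyservers.net
keyserver hkps://hkps.pool.sks-keyservers.net
default-preference-list AES AES192 AES256 TWOFISH SHA1 SHA224 SHA256 SHA384 SHA512 Uncompressed ZIP ZLIB BZIP2
personal-cipher-preferences AES256 TWOFISH AES192 AES
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
"""

# Constructed "before" config with a hypothetical host, showing the leaky setup.
LEAKY_CONF = """\
# constructed sample
keyserver hkp://keys.example.org
keyserver keys.example.org
personal-digest-preferences SHA1 sha256
"""

if __name__ == "__main__":
    for name, conf in (("posted", POSTED_CONF), ("leaky", LEAKY_CONF)):
        for finding in audit_gpg_conf(conf):
            print(name, *finding)
```

Run over the posted lines it reports one finding, SHA1 in default-preference-list; the constructed config produces two cleartext-keyserver findings and one weak-digest finding.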

Happy encrypting!

Categories: Encryption, GnuPG, OpenPGP, Privacy

The Guardian: I’d pay more for tech products with greater privacy from surveillance

2013-06-26 2 comments

I thought this was a fantastic article.  It skims over the fact that if you aren’t paying for a service then you are probably the product being sold.  Google, Facebook, and many other companies make billions of dollars off of data about every one of their users.  It’s wrong to sell our privacy and it’s one of the reasons I’m not on Facebook, that I no longer use Google’s tools and apps, and why I look every day for more open source solutions that don’t lock me in to their service.

Categories: Privacy

Privacy Upgrade: Encrypted Internet browsing

2013-03-14

Many websites have both the traditional, unencrypted HTTP and the SSL or TLS-encrypted HTTPS addresses available to access their content.  Wikipedia is one good example of this functionality.  You can easily view Wikipedia using traditional HTTP protocol but if you wanted or needed a little more privacy the HTTPS address is available as well.  Unfortunately it is sometimes hard to know if a website has the encrypted feature or not unless you try.  And you might be in a hurry and forget to use the HTTPS version and then you’ve potentially sent sensitive information about yourself out onto the Internet unexpectedly.

There is an easier way, however, to use HTTPS whenever possible.  The Electronic Frontier Foundation (EFF) has released a plug-in for Firefox and Chrome that knows of almost all of the commonly used websites that are available over HTTPS and will dynamically redirect your web browser to use that encrypted channel without you having to remember.  The plug-in, known as HTTPS Everywhere, will convert any web address from HTTP to HTTPS whenever it knows that HTTPS is available.

Why is it important to encrypt your traffic whenever possible?  Simply put, you never know who might be listening to your connection.  If you are living in a country dominated by an oppressive government then your liberty or even your life might dictate that you need to obtain your information via encrypted means.  Other people might be more concerned with their private browsing getting into the hands of a corporation to be sold to the highest bidder to get more information on you into their files.  Others are just concerned with their privacy in general.  Whatever the reason, it’s a good idea to use encryption whenever possible.

It should be noted that HTTPS Everywhere doesn’t automatically encrypt all websites and users should still verify that the lock is showing in the browser address bar and that the certificate matches the site they are visiting.  That said, using encryption makes your Internet browsing safer and this tool makes it easier.

Categories: Privacy