Recently there was a conference for activists interested in security issues - obviously something that any activist should be interested in. Notes from the gathering are being compiled along with previous documents into a printed booklet for activists which is expected to be distributed next year.
In the meantime I've been doing a little additional research on solutions specific to securing email communication...
In the meantime I've been doing a little additional research on solutions specific to securing email communication...
Emails and passwords used by activists are vunerable to snooping from both the state and from private investigation. Even seemingly unimportant information gathered from emails can help build a profile on a person and their associates. Personal information might provide your enemies with leverage to turn somebody you know into a grass or make it easier to place an infiltrator in a position of trust.
What most people do not realise is that by default, the vast majority of email and even passwords are sent over the internet in plain text that can be rmonitored by anyone. Sit down at a computer in a library, college or internet cafe and anyone else on that network can easily read the emails you send and receive, not to mention steal your password. There are several ways to avoid this depending on how you access your mail.
Most activists tend to use web based mail these days so we'll start with those.
If you look in the address bar on your web browser you will see that most addresses start with the letters http:// but sometimes you will see https://. The 's' indicates that the connection is using SSL, a secure encrypted link between your browser and the web server. Most browsers also display a locked padlock symbol somewhere to provide a visual confirmation that the connection is secure. When you are viewing webpages over a SSL connection (such as on Indymedia), the data being transfered is no longer in plain text and can not be read by people attempting to monitor you. This protection also applies to information you submit in web forms, such as usernames and passwords when checking webmail.
In other words, the most basic and essential thing to do to secure your email is use SSL connections if you use webmail. For example, if you use riseup webmail you should go to
https://mail.riseup.net rather than http://mail.riseup.net
We should now breifly look at the use of POP and SMTP for those not using webmail. If you don't know what these are, don't worry, they are two of the most common protocols used for downloading and uploading messages using an email client installed on your own computer. Examples of email clients include Outlook, Eudora, Pegasus and Thunderbird. Again, the problem you need to be aware of is that these protocols are by default not secure and all emails and passwords are sent as plain text. You need to configure your account settings within your email client to use a secure authenticated connection such as SSL. It's beyond the scope of this article to explain how but the help function of your client plus the help pages for your email provider will provide specifics.
It's obviously essential to use SSL (or similar) to protect your email password. However, when you send an email it will still travel over the internet in plain text as SSL only protects the connection between your computer and the server. To protect the contents of the email for the entire trip it will need to be encrypted so that only the intended recipient can read it.
You may have heard of PGP ( http://en.wikipedia.org/wiki/Pretty_Good_Privacy), a computer program that encrypts (scrambles) and decrypts (unscrambles) documents and emails. The initials stand for pretty good privacy and like it says, it's pretty good! Some people claim that the worlds most powerful computers could use brute force to break the encryption in a mater of just a few hundred of years while other put the time required at longer than the age of the universe. Of course, computers get faster all the time so either way the time frame might eventually be reduced to within a human lifetime but even so, it's likely that by the time anyone broke the encryption the content would no longer be valuable. ( http://axion.physics.ubc.ca/pgp-attack.html)
I will not go into detail how PGP works as there is plenty of information about it on the web. More important is how to use it. The trouble with PGP has traditionally been that people not to confident using computers have been unable to use it effectively. However, over the years it has become much easier to use as it has been provided with a simply graphical point and click interface and also intergrated into email clients. Once installed and configured correctly, it's now a simple mater of click decrypt or encrypt plus typing your passphrase.
There is the saying that a little knowledge is a dangerous thing and that is certainly true of encyrption technology. PGP uses Public Key Cryptography and it is vunerable to what is known as a man in the middle attack. This vunerability exists only during the exchange of public keys required to initiate exchange of encrypted messages. Again, it is beyond the scope of this article to describe the attack and you can easily look up the information elsewhere. The important thing is that if these keys can not be exchanged in person then it is vital to confirm that the keys have not been substituted on route. This is done by comparing the keys 'fingerprint' by reading them out on the phone etc.
Finally. They say misery likes company and so, ironicaly, does privacy. The more people who routinely encrypt their communications the more secure everyone becomes. If you were the only one using encryption then it might draw attention to you and anyone you communicate with. If you only use encryption for 'dodgy' emails then this might also attract attention. Once you have the software installed and configured it makes sence to use it whenever possible regardless of the contents of the email.
Further reading:
http://en.wikipedia.org/wiki/E-mail_privacy
http://en.wikipedia.org/wiki/Email_Encryption
http://en.wikipedia.org/wiki/Pretty_Good_Privacy
http://www.andrebacard.com/pgp.html
http://en.wikipedia.org/wiki/GNU_Privacy_Guard
Software
http://www.pgpi.org
http://www.gnupg.org/ (also known as gpg, open source version of pgp)
http://www.gpg4win.org/ (gpg installer for windows)
http://macgpg.sourceforge.net/ (Mac OSX port of GnuPG)
What most people do not realise is that by default, the vast majority of email and even passwords are sent over the internet in plain text that can be rmonitored by anyone. Sit down at a computer in a library, college or internet cafe and anyone else on that network can easily read the emails you send and receive, not to mention steal your password. There are several ways to avoid this depending on how you access your mail.
Most activists tend to use web based mail these days so we'll start with those.
If you look in the address bar on your web browser you will see that most addresses start with the letters http:// but sometimes you will see https://. The 's' indicates that the connection is using SSL, a secure encrypted link between your browser and the web server. Most browsers also display a locked padlock symbol somewhere to provide a visual confirmation that the connection is secure. When you are viewing webpages over a SSL connection (such as on Indymedia), the data being transfered is no longer in plain text and can not be read by people attempting to monitor you. This protection also applies to information you submit in web forms, such as usernames and passwords when checking webmail.
In other words, the most basic and essential thing to do to secure your email is use SSL connections if you use webmail. For example, if you use riseup webmail you should go to
https://mail.riseup.net rather than http://mail.riseup.net We should now breifly look at the use of POP and SMTP for those not using webmail. If you don't know what these are, don't worry, they are two of the most common protocols used for downloading and uploading messages using an email client installed on your own computer. Examples of email clients include Outlook, Eudora, Pegasus and Thunderbird. Again, the problem you need to be aware of is that these protocols are by default not secure and all emails and passwords are sent as plain text. You need to configure your account settings within your email client to use a secure authenticated connection such as SSL. It's beyond the scope of this article to explain how but the help function of your client plus the help pages for your email provider will provide specifics.
It's obviously essential to use SSL (or similar) to protect your email password. However, when you send an email it will still travel over the internet in plain text as SSL only protects the connection between your computer and the server. To protect the contents of the email for the entire trip it will need to be encrypted so that only the intended recipient can read it.
You may have heard of PGP (
http://en.wikipedia.org/wiki/Pretty_Good_Privacy), a computer program that encrypts (scrambles) and decrypts (unscrambles) documents and emails. The initials stand for pretty good privacy and like it says, it's pretty good! Some people claim that the worlds most powerful computers could use brute force to break the encryption in a mater of just a few hundred of years while other put the time required at longer than the age of the universe. Of course, computers get faster all the time so either way the time frame might eventually be reduced to within a human lifetime but even so, it's likely that by the time anyone broke the encryption the content would no longer be valuable. ( http://axion.physics.ubc.ca/pgp-attack.html) I will not go into detail how PGP works as there is plenty of information about it on the web. More important is how to use it. The trouble with PGP has traditionally been that people not to confident using computers have been unable to use it effectively. However, over the years it has become much easier to use as it has been provided with a simply graphical point and click interface and also intergrated into email clients. Once installed and configured correctly, it's now a simple mater of click decrypt or encrypt plus typing your passphrase.
There is the saying that a little knowledge is a dangerous thing and that is certainly true of encyrption technology. PGP uses Public Key Cryptography and it is vunerable to what is known as a man in the middle attack. This vunerability exists only during the exchange of public keys required to initiate exchange of encrypted messages. Again, it is beyond the scope of this article to describe the attack and you can easily look up the information elsewhere. The important thing is that if these keys can not be exchanged in person then it is vital to confirm that the keys have not been substituted on route. This is done by comparing the keys 'fingerprint' by reading them out on the phone etc.
Finally. They say misery likes company and so, ironicaly, does privacy. The more people who routinely encrypt their communications the more secure everyone becomes. If you were the only one using encryption then it might draw attention to you and anyone you communicate with. If you only use encryption for 'dodgy' emails then this might also attract attention. Once you have the software installed and configured it makes sence to use it whenever possible regardless of the contents of the email.
Further reading:
http://en.wikipedia.org/wiki/E-mail_privacy http://en.wikipedia.org/wiki/Email_Encryption http://en.wikipedia.org/wiki/Pretty_Good_Privacy http://www.andrebacard.com/pgp.html http://en.wikipedia.org/wiki/GNU_Privacy_Guard Software
http://www.pgpi.org http://www.gnupg.org/ (also known as gpg, open source version of pgp) http://www.gpg4win.org/ (gpg installer for windows) http://macgpg.sourceforge.net/ (Mac OSX port of GnuPG)
Comments
Display the following comment