by mike-cardwell 4947 days ago
Nobody knows who runs the Tor Mail service. This is good because nobody can order them to give up information about you. However, it's also bad because you've no idea if it's being run by responsible people, a government agency, WikiLeaks, or just a few nosy kids. You should still definitely use PGP encryption if you're using it.

Shouldn't you always be using PGP anyway? It's not like you should trust someone like Hushmail either.
Speaking of, has a replacement for FireGPG (an awesome Firefox PGP plugin from some years ago) ever cropped up? It was so idiot-proof it was beautiful, and had the project not closed down, I probably would have rallied friends and family to use it.
The problem is that it was not reasonably secure. As I understand the complaint, you can't integrate PGP into an extensible, skinnable interface securely. There's no Firefox or OS support for making that kind of thing doable. You'd want to have some sort of OS and app support for being able to encrypt a message in a widget on a GUI layer above the browser and then transferring it in, so that PGP and Firefox never come into direct contact. Qubes OS has a rough mechanism for keeping different security-level apps separated, and identified via a colored window border. I wonder if something similar to this is the correct solution.
I don't think that the problem was that Firefox or the OS weren't secure enough. AFAIK the problem was that FireGPG worked inline with the original page, and thus a hostile JS on the page could intercept the plaintext.

I think something like the "It's all text!"[1] addon with a GPG-enabled editor should be reasonably secure.

[1] https://addons.mozilla.org/en-US/firefox/addon/its-all-text/

It may be more secure than accidentally messing up because you were cut/pasting into a text box. A 0-day on Firefox could extract your key, which is bad. So could a keylogger + ftp that was installed via a 0-day on Firefox if you were using an external application.
Actually this was just released!

http://www.mailvelope.com/

Related - Does anyone know of a good tutorial out there for setting up PGP?
What mail client are you using?

If you're using Thunderbird or mutt, it's really easy and there are several tutorials out there that will be helpful.

If you're using webmail (particularly Gmail), it's easy to do badly, and I'm not aware of a way to do it properly (short of manually encrypting everything and copy/pasting it).

Setting up the keys, though, is really easy on Linux: http://www.enigmail.net/documentation/gpgsetup.php#generate