/netplus/ - Networks and Plus

Install the seahorse package, for Debian/Trisquel/Ubuntu/Mint/etc. users

sudo apt-get install seahorse

After filling in your name and email and choosing you key length (you don't have to use 4096 but why not right) the program will appear to do nothing for a while, that's normal it's just working in the background to generate your key, depending on your key length and the processing power of your computer this can take a loooong time, 30m+ even so don't worry, it is working.

Distribute you public key so that people can use it to encrypt messages to you and verify things you sign using you new key. Additionally you may wish to upload you public key to public key server, this allows you to instead distribute the much shorter “fingerprint” or id of your public key and people can then search for your key on the public key server and verify the full key returned against the fingerprint you gave them.

Import someone else's public key so that you can verify their signed messages and send them encrypted messages.

Verify a message from someone who's key you have imported.

Sign a message so that other people can verify that you are the one who wrote it

Encrypt a message using someone's public key so that only that person can decrypt it

Encrypt a message for someone and sign it with your key so that they can verify it came from your

Encrypt and decrypt files from with nautilus

I'd recommend against the use of PGP.

First of all, metadata and DPI:

>https://gist.github.com/grugq/03167bed45e774551155

>Unfortunately, even PGP encrypted email leaves comms metadata exposed, this includes: […]

>http://secushare.org/PGP

>Thanks to its easily detectable OpenPGP Message Format it is an easy exercise for any manufacturer of Deep Packet Inspection

>using the –hidden-recipient flag you can tell PGP to, at least, hide who you are talking to. Hardly anyone does that

Subject is never encrypted.

>https://gist.github.com/grugq/03167bed45e774551155

>For example, "Subject: Your cocaine has shipped!" is a total email security failure.

* No Forward Secrecy.

>https://en.wikipedia.org/wiki/Forward_secrecy

* In the worst case scenario, all your mail can be decrypted and anyone can fake your identity and you can't deny emails encrypted with the same key are yours.

>https://twitter.com/thegrugq/status/618106748147101696

>That PGP key. Fortunately it is protected by a pass phrase. Less fortunately, it is protected by Pozzi’s pass phrase

Anyone can revoke your key too.

>https://pgp.mit.edu/pks/lookup?op=vindex&search=0x775964D270C2F02F

↓

*Mistakes are forever

Your mistake is stored forever on a keyserver, unless Hitler comes from hell riding a dinosaur and destroys the MIT (and any other keyserver)

Only PGP Global directory provides a remedy

>https://en.wikipedia.org/wiki/Key_server_%28cryptographic%29#Problems_with_keyservers

>accumulation of old fossil public keys that never go away, a form of "keyserver plaque". Another problem is that anyone can upload a bogus public key to the keyserver, bearing the name of a person who in fact does not own that key. The keyserver had no way to check to see if the key was legitimate.

>To solve these problems, PGP Corp developed a new generation of key server, called the PGP Global Directory. This keyserver sent an email confirmation request to the putative key owner, asking that person to confirm that the key in question is theirs. If they confirm it, the PGP Global Directory accepts the key. This can be renewed periodically, still anyone can download a public key from the PGP Global Directory and upload it to pgp.mit.edu or any other keyserver, thus defying any control of the owner on his/her own keys.

The "Web of trust" concept is bogus.

>https://lists.torproject.org/pipermail/tor-talk/2013-September/030235.html

>Why the Web of Trust Sucks

>>217

>Pond

>>>Pond is forward secure, asynchronous messaging for the discerning. Pond messages are asynchronous, but are not a record; they expire automatically a week after they are received.

May I suggest to give a look at onionmail

Clearnet site: onionmail.info

Hidden site: louhlbgyupgktsw7.onion

It's free software and you can download it from their site. It's a federation of servers. Like XMPP, each one can talk to each other, and the whole subnet can talk to other Tor or clearnet email providers.

Note that the site hosts just a list of public hidden node, that are running the real servers

>https://archive.is/http://www.hacker10.com/internet-anonymity/onionmail-an-anonymous-mail-server-running-on-tor/

May I underline something in "Rulez" page you can look at browsing one of the actual servers i.e.

>http://wc2eyfmw7wrwomf4.onion/rulez.html

or

>http://ndo2plzaruzxk6sb.onion/rulez.html

or

>http://ridotnp5m5lp22gw.onion/rulez.html

and so on, pick one

>

>[2.0] Sending emails

>

>(1) Mail messages are saved only in the recipient's server and encrypted

>with multiple asymmetric keys.

>

>Communicating with the server

>

>To communicate with the server it's sufficient to send a message to

>server@<xyz>.onion (Where <xyz> is identical to your address after "@").

(then there's a list of IRC-alike commands to create your own spam list and so on)

>[5.0] Create your OnionMail address

>

>1) Get your public PGP key and copy the ASCII armor.

>2) Send a message to the server (server@address.onion) with subject:

> NEWUSER username

> Where username is your user name and the address part before "@".

> Paste the public key into the body of the message.

>[9.0] User configuration.

>

>To read and configure the parameters of your account, send a message to the

>server with subject the word "SETTINGS".

but what sounds very close to Pond and seems interesting to me is

>(3) Messages, either read or not, are deleted automatically from the

>server after a few days of their reception.

Also, in the article cited above

>OnionMail server saves messages and it automatically erases them after reading or if they have not been picked up by the user in a period of days, using the wipe command (Linux) to make forensic recovery impossible.

So, as far as I've understood, it's a Pond-ish service that forces users to issue their intra-service PGP keys (in order to store your mail asymmetrically encrypted and regardless of the fact that you're using OpenPGP in your mails) and it deletes periodically scrubs your mail folders.

>An OnionMail email inbox is encrypted with RSA/AES asymmetric encryption keys and user passwords, data is then hashed and scattered around multiple OnionMail servers in the network, if a server is seized no meaningful information or metadata can be obtained. Another security feature is the ability to remotely nuke a server’s digital certificate, this is useful if an administrator loses physical access to the server, OnionMail checks the legitimacy of digital certificates in the network and servers not using a valid one will be disconnected.

Is this perfection? Why I don't see this service advertised everywhere?