Encrypt and Sign Gmail messages with FireGPG

Linux.com (Same owners as Slashdot) has a story up about FireGPG and says "Gmail may be an excellent Web-based email application, but there is no easy way to use it with privacy tools like GnuPG. The FireGPG extension for Firefox is designed to solve this problem. It integrates nicely into Gmail's interface and allows you...
Encrypt and sign Gmail messages with FireGPG

The Fascination with Encryption

[Ian McBeth (862517)]

For me, I just like to use it, to make people think I am doing something.
Keeps the snoops on their toes.

Re:The Fascination with Encryption

[Bromskloss (750445)]

For me, I just like to use it, to make people think I am doing something. Keeps the snoops on their toes.

I keep them on their toes by acting completely normal, having them looking for steganography.

Re:The Fascination with Encryption

[Bromskloss (750445)]

Well, have you found the hidden message in the parent post yet?

Re:The Fascination with Encryption

[u8i9o0 (1057154)]

I keep them on their toes by acting completely normal, having them looking for steganography.

Well, have you found the hidden message in the parent post yet?

Sorry, there is no hidden message.
1. You noted that you use encryption when acting normal.
2. However, you were posting on /. which has been established (quite conclusively) as abnormal behavior.
3. Since you were not "acting completely normal", it is obvious that you were not employing any encryption scheme.
4. :)
5. Profit!

Re:

[clem (5683)]

How about a hint -- does it have anything to do with that strange illegible text in your sig?

Re:

[UbuntuDupe (970646)]

Actually, I heard that one old prank was to send postcards back and forth between major cities with simple, but cryptic sounding statements. For example:

"The birds rise at sundown. Where are the minnows?"
"All is well, north of the river."

Supposedly, the government would see them and get suspicious, thinking they were coded messages.

I've also wondered: why doesn't someone test whether the government is reading emails? For example, have some guys plot an imaginary terrorist attack via unencrypted email and

Re:The Fascination with Encryption

[canajin56 (660655)]

Here is why you don't do that: Because why wouldn't a terrorist leave corroborating evidence lying around proving it was all just a test to psych the government out, so they can be let go? While they are interviewing your "third parties" you are being beaten half to death, electrocuted, water boarded, and raped. IF, and its a huge, colossally massive if, they ever EVER believe you that you were just kidding about bombing NY with a dirty bomb, they will testify that you cannot be released since after your brutal torture you probably are now a terrorist even through you weren't before. Plus you can't exactly be let go since the torture techniques are classified information and you might leak them. Just like Jose Padilla. First he HAD a dirty bomb, then he was building one, then he was thinking about it, then he knew somebody who was thinking about it, then nothing...but they have ruled he can NEVER face trial, and can NEVER be released. Their reasoning is their "interrogation techniques" have irreversibly damaged him mentally, so he's too unstable to stand trial. But these "interrogation techniques" are highly classified matters of national security, so he can never ever be allowed to talk to anybody in case he tells them what they did to him (especially not a lawyer). And that would be you. Now remember, he _WAS_ a citizen, and there was no evidence against him. Still tortured and given a life sentence without the possibility of a trial. What fucking chance do you think you have if there IS evidence against you? Well you might have white skin so you just may have some kind of chance.

Re:The Fascination with Encryption

[MyOtherUIDis3digits (926429)]

Man, I miss the days when a post like that would have made me laugh and I would have called you a loon...

Re:The Fascination with Encryption

[jimstapleton (999106)]

I only use one-time use pads when sending my emails. It keeps them busy and unable to decrypt the emails!

Re:The Fascination with Encryption

[Warg! The Orcs!! (957405)]

My wife uses one-time pads but I wouldn't send them in the mail.

And for the chat

[DrYak (748999)]

And if want PGP encryption for chat (Gmail's associated GTalk or any other protocol like MSN, etc.) there is Pidgin [slashdot.org] (formely Gaim) with plugins :

• Etiher Pidgin Encrypt [sourceforge.net] (formely Gaim Encryption)
• Or OTR [cypherpunks.ca]

Re:And for the chat

[stinerman (812158)]

Note that OTR is "better". From the OTR site:

How is this different from the gaim-encryption plugin?
        The gaim-encryption plugin provides encryption and authentication, but not deniability or perfect forward secrecy. If an attacker or a virus gets access to your machine, all of your past gaim-encryption conversations are retroactively compromised. Further, since all of the messages are digitally signed, there is difficult-to-deny proof that you said what you did: not what we want for a supposedly private conversation!

Re:

[Kjella (173770)]

No. You're thinking of `downloading` - one of the main things any source-forge style system is supposed to make difficult. Under NO circumstances should you offer a link which you click once to receive and executable. You MUST have to register with your email address and agree to terms and conditions and then try and find the executable - not the source, resource files, the forum etc - but the program you just signed up for the sole reason of downloading.

Well, that qualifies for a -1, troll since I've never

Re:And for the chat

[cayenne8 (626475)]

"Well in traditional crypto/signature schemes, having a provable relation between a specific message and specific sender is a desired attribute. While there are certainly situations where you would like to verify the identity of the person to which you are chatting (wife/girlfriend/boss/etc), it appears that is not one of the wanted 'features' of this encryption protocol. Forward and backward secrecy would certainly be something most would consider useful, however."

Well, you want to make sure it IS from the person you think it is, but, that doesn't mean you have to know who the person IS in real life.

It would be cool if these email plugins would help make it easy to register and use the nym [iusmentis.com] servers. This way you could set up an email address on each end. PGP sigs can be used, but, there is plausible denyability as to who really is at each end of the email.

Of course if you're really worried about tracability, then set up a nym account to send out on, but, on return messages...just have it post encrypted to one of many USENET groups. You then really have a disconnect 'cause there's no good way to monitor around the world who gets what messages of USENET.

Say 'no' to gaim-encryption, use OTR

[Kadin2048 (468275)]

OTR is miles better than the gaim-encryption/pidgin-encrypt. Honestly, I don't understand why they won't just kill it and move to OTR for good; it's a fundamentally better security model for something transient like instant messages.

Particularly since having two mutually-incompatible encryption packages is a pretty crummy state of affairs; it just means that the few users who do use encryption, are going to be fragmented between incompatible systems.

OTR probably has the greatest market penetration of any IM-encryption system, outside of corporate clients (Sametime, I think, uses encryption by default, although I don't think it's end-to-end, only client-server, because there they want the ability to intercept on the server), because it's built into the fairly popular OS X Adium [adiumx.com] client. So there's already quite a few users out there who have software that supports it. If only some of the other IM clients would start building it in by default, rather than making it an optional addon, I think it would quickly gain traction as a de facto standard. (And that would be a good thing, since it's a good system and open source.)

Re:

[99BottlesOfBeerInMyF (813746)]

Particularly since having two mutually-incompatible encryption packages is a pretty crummy state of affairs; it just means that the few users who do use encryption, are going to be fragmented between incompatible systems.

This is what standards are for. We need a standard for IM encryption, possibly as part of a larger encryption framework. I have no problem advocating a standard, which I think is a lot better idea than advocating a given program/library.

If only some of the other IM clients would start building it in by default, rather than making it an optional addon, I think it would quickly gain traction as a de facto standard.

OTR is licensed as GPL/LGPL. As such, I'm not sure a lot of major software makers will be all that keen about implementing it. Take a look at iChat or Yahoo Messenger. They're not going to open source their application just to add an encryption format that is still pret

I wouldn't think google would like this

[kentmartin (244833)]

I thought their business model worked on the idea that they could datamine all your email and (among other things) offer you targeted email based on the content therein... this'll screw with that idea...

"BUY jjhHDJEy6786ERLKLXhdfeprERIOUPewoenOIhgshgrgeyrew now for a low price on Ebay.co.uk"

Re:I wouldn't think google would like this

[morgan_greywolf (835522)]

Nah, they'll just start sending 'Soldier of Fortune Magazine'-type ads at you.

Re:

[blueZhift (652272)]

Interesting question, because datamining email to target ads is exactly what Google said they wanted to do when gmail got started. Since encrypted mail would make this impossible, I wonder if they'll take actions to stop the use of encryption tools with gmail. On the other hand, as it stands, unless they offer such tools themselves, I don't see most users encrypting their gmail anytime soon. So the losses may be acceptable to Google.

Re:I wouldn't think google would like this

[morgan_greywolf (835522)]

Gmail supports retrieval of mail via POP3 for free. So there's nothing to stop someone from using GPG and similar support already included in or available for a wide variety of e-mail clients such as Outlook, Thunderbird, Evolution, Eudora, etc.

Re:I wouldn't think google would like this

[CreatureComfort (741652)]

So... you are saying that the NSA has the ability and desire to break every ElGamel 2048-bit length encrypted message it captures with Echelon? I've seen too much of government from the inside to think that any agency operates as well as the NSA FUD would have us believe. Especially when you realize it is far easier and cheaper to make your enemies believe you have super powers than it is to actually develop those super powers, completely in-house with no outside knowledge or help.

Altered for slashdot

[LiquidCoooled (634315)]

-----BEGIN PGP MESSAGE-----
Version: GNUPG v0.4.0 (GNU/Linux)
Comment: Wonderful
ewurnfi3u834j9few4jf9oewfqvi7y&H*&HAwr8hw78er7hfw8 f7hh4839h47f7e
wf8943f89jw3r8j9fesajaejro5gvl;rhyklyfp[ult0h43jg8 394g84953jgf84
fnw98efj89324rtuerjgeiorgtjerilgtjireogniregunreng erniguiregt980
werj
-----END PGP MESSAGE-----

I have nothing more to add

Re:Altered for slashdot

[kypper (446750)]

You want me to do what with hot grits?

Does not this break GMAIL's business model?

[mi (197448)]

I thought, their ability to automatically parse the messages — so as to show users the relevant advertisements, was the reason, I am getting an unlimited mailbox with nice interface for free.

If all/most of my messages are encrypted, how will they know, what to peddle to me? Can't do much on Subjects alone... Or can they?

Re:Does not this break GMAIL's business model?

[$RANDOMLUSER (804576)]

If all/most of my messages are encrypted, how will they know, what to peddle to me?

Aluminum foil. Survival equipment. Wellbutrin.

Point & Click Encryption?

[RubberChainsaw (669667)]

This extension seems very cool, and I plan to try it out when I get home. When I first read the summary I thought to myself, "A firefox extension and gmail, how much simpler could it get!" But, unfortunately this is not point & click encryption. It requires an additional external program (GnuPG) to function. Even this small, relatively trivial step is too much for beginning to average computer users. Encrypted email is great and all, but I can only send it to other people with encryption-enabled email clients.

Where is the it-just-works email encrytion for dummies?

Re:

[LiquidCoooled (634315)]

When I want to totally encrypt an email I just plug in my DVORAK keyboard, put on a blindfold and type as usual.

Re:Point & Click Encryption?

[Kadin2048 (468275)]

Where is the it-just-works email encrytion for dummies?

AFAICT, it doesn't exist. At least not outside of corporate environments. There are lots of companies that have their encryption set up so that it's transparent to non-technical employees, but it's a lot of work for the people who actually make it run. Lotus Notes, for instance, will do public-key cryptography, using company-wide keyservers -- although it's a proprietary algorithm, or was last time I checked. Once you have the infrastructure in place, the users don't have to think much about it, besides clicking 'encrypt and sign' on the emails they want secured.

I've also heard that within Apple, they use Apple Mail with S/MIME to great effect ... but if you're just a regular user, getting that feature working is a real PITA. (Though admittedly, most of the trouble is because of the certificate authorities.)

I think the problem with the free encryption tools is that they're still very much a 'hacker's product,' being designed by fairly advanced users, for other advanced users -- or at least, for users who don't have a problem installing extra software in order to communicate securely. This, IMO, is a mistake; in order for an encryption system to be useful, it has to be widely used. And that means getting it into the hands of people who might not even think, in advance, that they want it. There are lots of people who aren't going to go out and download/install encryption software, but if the feature was there, and working, all the time, they'd probably find themselves clicking the 'Encrypt' button quite a bit.

There's no real reason why encryption can't be built in. It's just that it tends to get viewed as a peripheral, rather than core, feature, in everything except some corporate packages. However, I think that if it was incorporated more widely, it would quickly become a core feature; but getting over that 'chicken and egg' hump is hard.

GMail S/MIME plugin for firefox

[emj (15659)]

I've been using the S/MIME plugin for Firefox [jones.name]. and it's great. I'm not sure I like the way you have to apply for a certificate from Thawte, but it works and it's very painless.

This is not painless and easy, and IMHO S/MIME is alot nicer implemented than PGP signatures.

Re:

[Kadin2048 (468275)]

This is not painless and easy, and IMHO S/MIME is alot nicer implemented than PGP signatures.

S/MIME is oftentimes more slickly implemented, because it tends to get more use on the corporate side, but I think that it's unsuited for wide use because of its reliance on centralized certificate authorities. The whole certificate-based infrastructure isn't anything that most people want to have to deal with.

For 90% of all communications, what people want is an email (or IM, or whatever) version of PGPfone -- they

Only Gmail?

[Rob T Firefly (844560)]

While the site says only Gmail is supported, could this be made to work with other web apps? It'd be neat to have something like this for webmail on my own domains, forum-based messages, and so on.

Works with any textarea, by the way

[croddy (659025)]

This works with any textarea, by the way, not just GMail. Not sure why the summary doesn't mention that.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This works with any textarea, by the way, not just GMail. Not sure why the summary doesn't mention that.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: http://firegpg.tuxfamily.org/

iD8DBQFGZDU/WCKEX KsCq6IRAvAtAJ96BAdus/rVCXS+NxlEbMsDdNxTCgCfe+da
T yi/KWbgNLQUq/qssCj2YR4=
=Y2mA
-----END PGP SIGNATURE-----

Won't AJAX textboxes kill this?

[biftek (145375)]

I haven't used gmail that much, but I was under the impression that it saved drafts of what's in the composition textbox at intervals.

That data would be all cleartext wouldn't it? Seems a tad risky to me.

Re:

[X0563511 (793323)]

No, you can't reverse engineer it like that. PGP uses "trapdoor" functions that are mathematically infeasible to work in reverse. It's possible, but it will take several thousand years.

PGP/GPG - inherent legal problem?

[Cheesey (70139)]

I understand that in some countries, you are legally compelled to provide the keys to access files encrypted with PGP, GPG, etc. if the authorities demand access. If you refuse to produce a working key, or claim to be unable to do so, a judge is able to assume that you are deliberately hiding something.

Firstly, I wondered if anyone could confirm this? I have heard that it is the case for Britain at least, although I don't see how it can possibly be legally compatible with the presumption of innocence.

Secondly, I wanted to suggest that perhaps this is a reason not to use PGP, because PGP encrypted information can always be decrypted using the recipient's key - even many years after the message was originally sent. So law enforcement officers will be able to get old PGP-encrypted documents from your email account (probably even if you delete them, thanks to backup tapes). They'll then be able to force you to decrypt them, and if you don't, they can assume you are witholding the key because the files are full of terrorist plans or whatever.

I suggest that people should only use cryptosystems where the session keys are destroyed immediately after use, such as SSH and (possibly) some secure instant messaging services. Even if law enforcement officers use a wiretap to record everything sent by you over an SSH connection, and then seize your computers, they still can't recover the plaintext because the session keys have already been deleted. It's impossible for you, the suspect, to produce the keys, which should help your legal defense. Here's a way to chat securely by SSH [vanemery.com].. if you need to transfer files, you can use SFTP.

Re:Nerds with something to hide

[morgan_greywolf (835522)]

I don't understand this fascination with encryption. Why do people use it. Is it because you're hiding something illegal? It's kiddie porn isn't it? Be honest!

Nope. It's secret terrorist plots to overthrow the tyrannical American Government!

Oh, wait! I wasn't supposed to say that, was I?

Re:Nerds with something to hide

[daeg (828071)]

Clever. Hiding your kiddie porn encoded in anarchist rants! I'm onto you, buddy!

Re:Nerds with something to hide

[fluch (126140)]

It is just that I don't want anybody to intrude my privacy. Do you close the envelope of a regular snail-mail letter? If so, do YOU have something to hide??

Re:

[kevin_conaway (585204)]

Do you close the envelope of a regular snail-mail letter? If so, do YOU have something to hide??

I'm more concerned about the letter (or worse, a check) falling out.

Re:Nerds with something to hide

[toleraen (831634)]

I generally close the envelope of snail mail so the mail doesn't fall out.

I use security envelopes to obscure the contents of my mail. You probably would want to use that as an analogy instead.

Re:Nerds with something to hide

[ChrisMounce (1096567)]

Anonymous Coward is hoping to make a fortune on Patent #53892647956403765437856348756438756487563, "Method for tucking the flap inside the envelope".

Re:Nerds with something to hide

[joe_cot (1011355)]

I don't actually use it for encryption; I use it for verification.

Besides encryption, GPG also allows you to sign messages, ensuring that the message is indeed from you, and hasn't been modified after you've signed it. In the Ubuntu Community, this is important for a) verifying messages from developers are real, b) verifying that uploaded packages were created by trusted developers, c) verifying signatures (such as signing the code of conduct).

While FireGPG is useful, it's not so useful for signing messages; gmail auto-wordwraps messages after you send them, and FireGPG doesn't take that into account. Therefore, unless you wordwrap it yourself, gmail's going to add line breaks, and your signature will be invalid. When I need to sign messages, I either word wrap myself so that gmail doesn't, or send it through Thunderbird using Enigmail.

Re:

[XrayCharlie (932453)]

I use FireGPG along with It's All Text! [mozilla.org] plugin, which I can edit a textfield with an external editor such as Vim. Vim handles wordwrap for me. The only problem I have is that Gmail automatically makes links for URLs or email addresses, which breaks the signature.

Re:Nerds with something to hide

[SCHecklerX (229973)]

You are forgetting about authentication. Email is trivial to spoof. If you *always* sign your messages, then when some asshat, say, decides to send an explicitly detailed nastygram to your boss from 'you', it is easy to prove otherwise...

Or maybe from your secret lover, etc. You get the picture.

Re:Nerds with something to hide

[by Anonymous Coward]

So if you "always" sign your messages, then you can tell off anyone you want as long as you don't sign it. Brilliant!

Re:Nerds with something to hide

[iago-vL (760581)]

Or maybe from your secret lover, etc. You get the picture.

It's that Cathy, isn't it? She's always trying to break up Alice and Bob!

Re:Nerds with something to hide

[brunascle (994197)]

perhaps because i'd like to send an email from work to my GF with something like "hey wanna fuck tonight?" and i'm not particularly keen on the network guys reading that.

Your girlfriend called...

[xxxJonBoyxxx (565205)]

Hey, your girlfriend called. She said she couldn't read the garbled message you sent. However, I passed on your "wanna...tonight" message to her and she said "yes" but I don't think your name came up. So...if you don't mind, I'd like to get out a little early tonight...

 

Re:

[Rob T Firefly (844560)]

This is your boss. The network guys tell me you've just used the Company's network to write "hey wanna fuck tonight?" on a public website. You're fired.

Re:Or you can use an actual mail client

[Enoxice (993945)]

Psh, Lynx. Get with the times, man, everyone is using links2 (perhaps links2 -g if they want to be on the bleeding edge).