>>> Encrypted communications app Signal is mulling an exit from the UK
>>> market in response to a new law threatening its core operational
model,
>>> while E2EE email service provider Tutanota is taking the opposite
>>> approach, pledging to stay and help the British protect their
>>> communications from government scrutiny.
>

>
>> Instead of an encryption service, use PGP.
>
>> http://www.rossde.com/

>Excellent advice. Unfortunately, for the vast majority of the public,
this
>advice is about as acceptable as a glass full of castor oil.

>Stainless Steel Rat

I agree SS Rat.
Even before you get to the PGP stage, you'd be battling for the
majority to
string two cognitive sentences together, let alone accept that PGP
might be the way to go.

At 70 years of age I've given up expecting any of my family, associates
or
friends to use it. I find the dumbing down of communication very
depressing.

Just to demonstrate this further, examine a bit closer some of the
famous UAP researchers.
A lot of them expect whistleblowers to contact them either through a
very unsecure website, or
their site never ever supplies their public key !
One even thought Facebook was an acceptable idea.
I've tried to explain to one in particular, that writing in the clear,
destroys any attempt
at privacy and anonymity for both the sender and receiver.
Therefore why would a whistleblower with 1st hand evidence consider
making contact.

Cheers
Fred

Nomen Nescio <nobody@dizum.com> wrote:

> Therefore why would a whistleblower with 1st hand evidence consider
> making contact.

Make contact through a nym account with your PGP key added
to the message and ask for an encrypted conversation in
case they are interested in some confidential information.

OmniMix is your friend!

On Sat, 16 Mar 2024, Anonymous wrote:

> Nomen Nescio <nobody@dizum.com> wrote:
>
>> Therefore why would a whistleblower with 1st hand evidence consider
>> making contact.
>
> Make contact through a nym account with your PGP key added
> to the message and ask for an encrypted conversation in
> case they are interested in some confidential information.
>
> OmniMix is your friend!
>
>

Btw, isn't omnimix windows only?

On Sat 16 Mar 2024 1:58 pm, Anonymous wrote:
> and ask for an encrypted conversation

Good luck with asking a nice normal citizen
to twist their brain with pgp.

<root@127.0.0.1> wrote:

> Get yourself a sharpie and scribble on the wall of a pisser if you think people take anon communication seriously.

Am I anyone's nanny? No, not my business.

I only need to care about my own privacy
and am glad to have appropriate tools,
which don't require the goodwill of others.

On Sat, 16 Mar 2024 12:31:40 +0000, Anonymous wrote:

>On Sat 16 Mar 2024 1:58 pm, Anonymous wrote:
>> and ask for an encrypted conversation
>
>Good luck with asking a nice normal citizen
>to twist their brain with pgp.

We're talking about reporters and investigators, for
whom confidentiality in communication is mandatory.
So it's their duty to know about ciphering methods.

D <nospam@example.net> wrote:
>Btw, isn't omnimix windows only?
It works very well in Linux Wine.
https://danner-net.de/omom/tutorinstall.htm
https://danner-net.de/omom/tutor_install_14.png

On Sat, 16 Mar 2024 10:58:13 +0000 (UTC), Anonymous <nobody@remailer.paranoici.org> wrote:
>Nomen Nescio <nobody@dizum.com> wrote:
>> Therefore why would a whistleblower with 1st hand evidence consider
>> making contact.
>
>Make contact through a nym account with your PGP key added
>to the message and ask for an encrypted conversation in
>case they are interested in some confidential information.
>OmniMix is your friend!

big plus ones (one plus its own shadow) . . . as a casual user, omnimix
has made it easy to use remailers with tor (i use tor browser for this)
for posting to unmoderated usenet newsgroups; omnimix is most essential
and should appear at or very near the top of everyone's anon links list

On Sat, 16 Mar 2024 13:23:18 +0100, in article
<595bd00d-8c1b-4aa7-56b6-c305c0a21940@example.net> D
<nospam@example.net> wrote:

>
>
>On Sat, 16 Mar 2024, Anonymous wrote:
>
>> Nomen Nescio <nobody@dizum.com> wrote:
>>
>>> Therefore why would a whistleblower with 1st hand evidence consider
>>> making contact.
>>
>> Make contact through a nym account with your PGP key added
>> to the message and ask for an encrypted conversation in
>> case they are interested in some confidential information.
>>
>> OmniMix is your friend!
>>
>>
>
>Btw, isn't omnimix windows only?

But it's a server you can access from throughout your network, and with
its .onion addresses even from abroad.

On Sat 16 Mar 2024 6:17 pm, Nomen Nescio wrote:
> So it's their duty to know about ciphering methods.
Sir, yes Sir.

Nomen Nescio <nobody@dizum.com> writes:

>>>> Encrypted communications app Signal is mulling an exit from the UK
>>>> market in response to a new law threatening its core operational
>model,
>>>> while E2EE email service provider Tutanota is taking the opposite
>>>> approach, pledging to stay and help the British protect their
>>>> communications from government scrutiny.
>>

>>
>>> Instead of an encryption service, use PGP.

Traffic analysis.

--
A host is a host from coast to coast...............wb8foz@panix.com
& no one will talk to a host that's close..........................
Unless the host (that isn't close).........................pob 1433
is busy, hung or dead....................................20915-1433

On 2024-03-21, David Lesher <wb8foz@panix.com> wrote:
> Nomen Nescio <nobody@dizum.com> writes:
>
>>>>> Encrypted communications app Signal is mulling an exit from the UK
>>>>> market in response to a new law threatening its core operational
>>model,
>>>>> while E2EE email service provider Tutanota is taking the opposite
>>>>> approach, pledging to stay and help the British protect their
>>>>> communications from government scrutiny.
>>>
>
>>>
>>>> Instead of an encryption service, use PGP.
>
> Traffic analysis.

Ane exactly what information will that give you other than that you are
communicating with a certain IP address? And what is wrong with a VPN to
hide even that? And the question was why use an encrytion service when
you can encrypt using PGP and if you want to hide who your talking to,
use an external VPN. To let someone else encrypt your stuff for you
seems to me to be the hight of folly. You want to hide your stuff, so
you give it to someone else in clear text. For all you know, Tutanota
is an arm of the government (I am not saying it is, but do you have
proof it is not?)
>

On Thu, 21 Mar 2024, William Unruh wrote:

> On 2024-03-21, David Lesher <wb8foz@panix.com> wrote:
>> Nomen Nescio <nobody@dizum.com> writes:
>>
>>>>>> Encrypted communications app Signal is mulling an exit from the UK
>>>>>> market in response to a new law threatening its core operational
>>> model,
>>>>>> while E2EE email service provider Tutanota is taking the opposite
>>>>>> approach, pledging to stay and help the British protect their
>>>>>> communications from government scrutiny.
>>>>
>>
>>>>
>>>>> Instead of an encryption service, use PGP.
>>
>> Traffic analysis.
>
> Ane exactly what information will that give you other than that you are
> communicating with a certain IP address? And what is wrong with a VPN to
> hide even that? And the question was why use an encrytion service when
> you can encrypt using PGP and if you want to hide who your talking to,
> use an external VPN. To let someone else encrypt your stuff for you
> seems to me to be the hight of folly. You want to hide your stuff, so
> you give it to someone else in clear text. For all you know, Tutanota
> is an arm of the government (I am not saying it is, but do you have
> proof it is not?)
>>
>

I think you can safely ignore the Nomen-guy. He seems to be some kind of
paid marketing guy for tutanota.

Personally I completely share your position. Tuta could be compromised
without any of its users ever knowing, so much better and safer to "roll
your own" or use truly decentralized services.

If you're in europe it would of course be better to rely on a service
that's not in europe, that would add some paper work in case the
government is after you.

William Unruh <unruh@invalid.ca> wrote:
>On 2024-03-21, David Lesher <wb8foz@panix.com> wrote:
>> Nomen Nescio <nobody@dizum.com> writes:
>>
>>>>>> Encrypted communications app Signal is mulling an exit from the UK
>>>>>> market in response to a new law threatening its core operational
>>>model,
>>>>>> while E2EE email service provider Tutanota is taking the opposite
>>>>>> approach, pledging to stay and help the British protect their
>>>>>> communications from government scrutiny.
>>>>
>>
>>>>
>>>>> Instead of an encryption service, use PGP.
>>
>> Traffic analysis.
>
>Ane exactly what information will that give you other than that you are
>communicating with a certain IP address?

Which easily can be resolved. The metadata around an encrypted channel
tells volumes!

Ex-NSA Director Michael Hayden once told us:
"We Kill People Based on Metadata"

> And what is wrong with a VPN to hide even that?

Short answer: You don't hide it from the VPN. Better to use Tor and
remailers instead of having to trust anyone.

On 2024-03-21, D <nospam@example.net> wrote:
>
>
> On Thu, 21 Mar 2024, William Unruh wrote:
>
>> On 2024-03-21, David Lesher <wb8foz@panix.com> wrote:
>>> Nomen Nescio <nobody@dizum.com> writes:
>>>
>>>>>>> Encrypted communications app Signal is mulling an exit from the UK
>>>>>>> market in response to a new law threatening its core operational
>>>> model,
>>>>>>> while E2EE email service provider Tutanota is taking the opposite
>>>>>>> approach, pledging to stay and help the British protect their
>>>>>>> communications from government scrutiny.
>>>>>
>>>
>>>>>
>>>>>> Instead of an encryption service, use PGP.
>>>
>>> Traffic analysis.
>>
>> Ane exactly what information will that give you other than that you are
>> communicating with a certain IP address? And what is wrong with a VPN to
>> hide even that? And the question was why use an encrytion service when
>> you can encrypt using PGP and if you want to hide who your talking to,
>> use an external VPN. To let someone else encrypt your stuff for you
>> seems to me to be the hight of folly. You want to hide your stuff, so
>> you give it to someone else in clear text. For all you know, Tutanota
>> is an arm of the government (I am not saying it is, but do you have
>> proof it is not?)
>>>
>>
>
> I think you can safely ignore the Nomen-guy. He seems to be some kind of
> paid marketing guy for tutanota.
>
> Personally I completely share your position. Tuta could be compromised
> without any of its users ever knowing, so much better and safer to "roll
> your own" or use truly decentralized services.

Of course the problem with rolling your own is that 99% of the computer
user have vey little idea about cryptography or about "rolling you r
own" "Use PGP" is of very little help since it needs to be made
automatic and needs to have a "phonebook" containing people you might
want to communicate with and their public keys. Plus you have to make
sure to keep your own private keys secret. There are so many ways of
messing up and making the system insecure, depite using the best tools.
That is of course what companies presumably like Tutanota provide.
Unfortunaely with a huge potential security hole. The balance between
security and ease of use (both of which are crucial) is delicate. Oepn
source is a bare minimum ( so you can check up on their claims, or at
least have others check up on their claims).
Also you have to make sure that the people you communicate with also
have the software, and use it. encrytion is useless if your recipient
replies to your missive by quoting it all in cleartext and then adding
their own reply.

>
> If you're in europe it would of course be better to rely on a service
> that's not in europe, that would add some paper work in case the
> government is after you.

William Unruh wrote:

> Of course the problem with rolling your own is that 99% of the
> computer user have vey little idea about cryptography or about
> "rolling you r own" "Use PGP" is of very little help since it needs
> to be made automatic and needs to have a "phonebook" containing
> people you might want to communicate with and their public keys. Plus
> you have to make sure to keep your own private keys secret. There are
> so many ways of messing up and making the system insecure, depite
> using the best tools. That is of course what companies presumably
> like Tutanota provide. Unfortunaely with a huge potential security
> hole. The balance between security and ease of use (both of which are
> crucial) is delicate. Oepn source is a bare minimum ( so you can
> check up on their claims, or at least have others check up on their
> claims). Also you have to make sure that the people you communicate
> with also have the software, and use it. encrytion is useless if
> your recipient replies to your missive by quoting it all in cleartext
> and then adding their own reply.

There is Mailvelope for Gmail and others, which is a browser based
plug-in and it has it's own key server. This should simplify the
process of using PGP for encrypted email and you don't have to sign-up
for tuta, proton.me etc.

https://mailvelope.com/

--
Regards
Stefan

In article <effbb18a0d042348c0725175ae8737fb@dizum.com>
Nomen Nescio <nobody@dizum.com> wrote:
>
> William Unruh <unruh@invalid.ca> wrote:
> >On 2024-03-21, David Lesher <wb8foz@panix.com> wrote:
> >> Nomen Nescio <nobody@dizum.com> writes:
> >>
> >>>>>> Encrypted communications app Signal is mulling an exit from the UK
> >>>>>> market in response to a new law threatening its core operational
> >>>model,
> >>>>>> while E2EE email service provider Tutanota is taking the opposite
> >>>>>> approach, pledging to stay and help the British protect their
> >>>>>> communications from government scrutiny.
> >>>>
> >>
> >>>>
> >>>>> Instead of an encryption service, use PGP.
> >>
> >> Traffic analysis.
> >
> >Ane exactly what information will that give you other than that you are
> >communicating with a certain IP address?
>
> Which easily can be resolved. The metadata around an encrypted channel
> tells volumes!
>
> Ex-NSA Director Michael Hayden once told us:
> "We Kill People Based on Metadata"
>
> > And what is wrong with a VPN to hide even that?
>
> Short answer: You don't hide it from the VPN. Better to use Tor and
> remailers instead of having to trust anyone.

"You can't hide it from the VPN" is more factual. Some VPNs are
DIA honeypots.

On Thu, 21 Mar 2024, William Unruh wrote:

> On 2024-03-21, D <nospam@example.net> wrote:
>>
>>
>> On Thu, 21 Mar 2024, William Unruh wrote:
>>
>>> On 2024-03-21, David Lesher <wb8foz@panix.com> wrote:
>>>> Nomen Nescio <nobody@dizum.com> writes:
>>>>
>>>>>>>> Encrypted communications app Signal is mulling an exit from the UK
>>>>>>>> market in response to a new law threatening its core operational
>>>>> model,
>>>>>>>> while E2EE email service provider Tutanota is taking the opposite
>>>>>>>> approach, pledging to stay and help the British protect their
>>>>>>>> communications from government scrutiny.
>>>>>>
>>>>
>>>>>>
>>>>>>> Instead of an encryption service, use PGP.
>>>>
>>>> Traffic analysis.
>>>
>>> Ane exactly what information will that give you other than that you are
>>> communicating with a certain IP address? And what is wrong with a VPN to
>>> hide even that? And the question was why use an encrytion service when
>>> you can encrypt using PGP and if you want to hide who your talking to,
>>> use an external VPN. To let someone else encrypt your stuff for you
>>> seems to me to be the hight of folly. You want to hide your stuff, so
>>> you give it to someone else in clear text. For all you know, Tutanota
>>> is an arm of the government (I am not saying it is, but do you have
>>> proof it is not?)
>>>>
>>>
>>
>> I think you can safely ignore the Nomen-guy. He seems to be some kind of
>> paid marketing guy for tutanota.
>>
>> Personally I completely share your position. Tuta could be compromised
>> without any of its users ever knowing, so much better and safer to "roll
>> your own" or use truly decentralized services.
>
> Of course the problem with rolling your own is that 99% of the computer
> user have vey little idea about cryptography or about "rolling you r
> own" "Use PGP" is of very little help since it needs to be made

Sorry, this is true. I was in the mindset of "solving the problem" as a
somewhat computer literate user.

What would you suggest as the best solution for the rest? Centralized
solutions will never work at scale, because they become natural targets
for the government.

So I believe decentralized or federated is the way to go. But I also think
that before any solution will happen, privacy has to be seen as something
valuable by the public.

As long as privacy is not seen as something valuable by the public, it
doesn't really matter what technologists do, since no one will use it.

There is this law of security with 100% security on one end of the scale,
and 100% usefulness on the other. It is impossible to combine the two, you
will always have a trade off between security and use.

> automatic and needs to have a "phonebook" containing people you might
> want to communicate with and their public keys. Plus you have to make
> sure to keep your own private keys secret. There are so many ways of
> messing up and making the system insecure, depite using the best tools.
> That is of course what companies presumably like Tutanota provide.
> Unfortunaely with a huge potential security hole. The balance between
> security and ease of use (both of which are crucial) is delicate. Oepn
> source is a bare minimum ( so you can check up on their claims, or at
> least have others check up on their claims).
> Also you have to make sure that the people you communicate with also
> have the software, and use it. encrytion is useless if your recipient
> replies to your missive by quoting it all in cleartext and then adding
> their own reply.
>
>>
>> If you're in europe it would of course be better to rely on a service
>> that's not in europe, that would add some paper work in case the
>> government is after you.
>

On Thu, 21 Mar 2024, Stefan Claas wrote:

> William Unruh wrote:
>
>> Of course the problem with rolling your own is that 99% of the
>> computer user have vey little idea about cryptography or about
>> "rolling you r own" "Use PGP" is of very little help since it needs
>> to be made automatic and needs to have a "phonebook" containing
>> people you might want to communicate with and their public keys. Plus
>> you have to make sure to keep your own private keys secret. There are
>> so many ways of messing up and making the system insecure, depite
>> using the best tools. That is of course what companies presumably
>> like Tutanota provide. Unfortunaely with a huge potential security
>> hole. The balance between security and ease of use (both of which are
>> crucial) is delicate. Oepn source is a bare minimum ( so you can
>> check up on their claims, or at least have others check up on their
>> claims). Also you have to make sure that the people you communicate
>> with also have the software, and use it. encrytion is useless if
>> your recipient replies to your missive by quoting it all in cleartext
>> and then adding their own reply.
>
> There is Mailvelope for Gmail and others, which is a browser based
> plug-in and it has it's own key server. This should simplify the
> process of using PGP for encrypted email and you don't have to sign-up
> for tuta, proton.me etc.
>
> https://mailvelope.com/

Doesn't that just trade tuta for mailvelope.com?

D wrote:

>
>
> On Thu, 21 Mar 2024, Stefan Claas wrote:
>
> > William Unruh wrote:
> >
> >> Of course the problem with rolling your own is that 99% of the
> >> computer user have vey little idea about cryptography or about
> >> "rolling you r own" "Use PGP" is of very little help since it needs
> >> to be made automatic and needs to have a "phonebook" containing
> >> people you might want to communicate with and their public keys.
> >> Plus you have to make sure to keep your own private keys secret.
> >> There are so many ways of messing up and making the system
> >> insecure, depite using the best tools. That is of course what
> >> companies presumably like Tutanota provide. Unfortunaely with a
> >> huge potential security hole. The balance between security and
> >> ease of use (both of which are crucial) is delicate. Oepn source
> >> is a bare minimum ( so you can check up on their claims, or at
> >> least have others check up on their claims). Also you have to make
> >> sure that the people you communicate with also have the software,
> >> and use it. encrytion is useless if your recipient replies to
> >> your missive by quoting it all in cleartext and then adding their
> >> own reply.
> >
> > There is Mailvelope for Gmail and others, which is a browser based
> > plug-in and it has it's own key server. This should simplify the
> > process of using PGP for encrypted email and you don't have to
> > sign-up for tuta, proton.me etc.
> >
> > https://mailvelope.com/
>
> Doesn't that just trade tuta for mailvelope.com?

Well, I would say no. People can keep their email account and do
not need to switch to tuta.com, for encrypted email. Mailvelope
is also older than tuta.com

--
Regards
Stefan

On Fri, 22 Mar 2024, Stefan Claas wrote:

> D wrote:
>
>>
>>
>> On Thu, 21 Mar 2024, Stefan Claas wrote:
>>
>>> William Unruh wrote:
>>>
>>>> Of course the problem with rolling your own is that 99% of the
>>>> computer user have vey little idea about cryptography or about
>>>> "rolling you r own" "Use PGP" is of very little help since it needs
>>>> to be made automatic and needs to have a "phonebook" containing
>>>> people you might want to communicate with and their public keys.
>>>> Plus you have to make sure to keep your own private keys secret.
>>>> There are so many ways of messing up and making the system
>>>> insecure, depite using the best tools. That is of course what
>>>> companies presumably like Tutanota provide. Unfortunaely with a
>>>> huge potential security hole. The balance between security and
>>>> ease of use (both of which are crucial) is delicate. Oepn source
>>>> is a bare minimum ( so you can check up on their claims, or at
>>>> least have others check up on their claims). Also you have to make
>>>> sure that the people you communicate with also have the software,
>>>> and use it. encrytion is useless if your recipient replies to
>>>> your missive by quoting it all in cleartext and then adding their
>>>> own reply.
>>>
>>> There is Mailvelope for Gmail and others, which is a browser based
>>> plug-in and it has it's own key server. This should simplify the
>>> process of using PGP for encrypted email and you don't have to
>>> sign-up for tuta, proton.me etc.
>>>
>>> https://mailvelope.com/
>>
>> Doesn't that just trade tuta for mailvelope.com?
>
> Well, I would say no. People can keep their email account and do
> not need to switch to tuta.com, for encrypted email. Mailvelope
> is also older than tuta.com
>
>
Sorry, what I meant is that does this not mean that someone could break
into mailvelop and send malicious updates to people who have the mailvelop
plugin?

D wrote:

>
>
> On Fri, 22 Mar 2024, Stefan Claas wrote:
>
> > D wrote:

> >>> https://mailvelope.com/
> >>
> >> Doesn't that just trade tuta for mailvelope.com?
> >
> > Well, I would say no. People can keep their email account and do
> > not need to switch to tuta.com, for encrypted email. Mailvelope
> > is also older than tuta.com
> >
> >
> Sorry, what I meant is that does this not mean that someone could
> break into mailvelop and send malicious updates to people who have
> the mailvelop plugin?

If they can break into Mailvelope Server, hosting the plug-in, than this
a problem. Same as with other security software.

But users can also switch to GnuPG as backend for Mailvelope.

Last but not least the software had an audit.

<https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/Mailvelope_Extensions/Mailvelope_Extensions_pdf.pdf?__blob=publicationFile&v=1>

--
Regards
Stefan

On 2024-03-23, D <nospam@example.net> wrote:
>
>
> On Fri, 22 Mar 2024, Stefan Claas wrote:
>
>> D wrote:
>>
>>>
>>>
>>> On Thu, 21 Mar 2024, Stefan Claas wrote:
>>>
>>>> William Unruh wrote:
>>>>
>>>>> Of course the problem with rolling your own is that 99% of the
>>>>> computer user have vey little idea about cryptography or about
>>>>> "rolling you r own" "Use PGP" is of very little help since it needs
>>>>> to be made automatic and needs to have a "phonebook" containing
>>>>> people you might want to communicate with and their public keys.
>>>>> Plus you have to make sure to keep your own private keys secret.
>>>>> There are so many ways of messing up and making the system
>>>>> insecure, depite using the best tools. That is of course what
>>>>> companies presumably like Tutanota provide. Unfortunaely with a
>>>>> huge potential security hole. The balance between security and
>>>>> ease of use (both of which are crucial) is delicate. Oepn source
>>>>> is a bare minimum ( so you can check up on their claims, or at
>>>>> least have others check up on their claims). Also you have to make
>>>>> sure that the people you communicate with also have the software,
>>>>> and use it. encrytion is useless if your recipient replies to
>>>>> your missive by quoting it all in cleartext and then adding their
>>>>> own reply.
>>>>
>>>> There is Mailvelope for Gmail and others, which is a browser based
>>>> plug-in and it has it's own key server. This should simplify the
>>>> process of using PGP for encrypted email and you don't have to
>>>> sign-up for tuta, proton.me etc.
>>>>
>>>> https://mailvelope.com/
>>>
>>> Doesn't that just trade tuta for mailvelope.com?
>>
>> Well, I would say no. People can keep their email account and do
>> not need to switch to tuta.com, for encrypted email. Mailvelope
>> is also older than tuta.com
>>
>>
> Sorry, what I meant is that does this not mean that someone could break
> into mailvelop and send malicious updates to people who have the mailvelop
> plugin?

It is opensource, which is a plus. It is javascript, which I suspect is
a minus (I am not at all sure how safe Javascript is). It is a plugin
into browsers (chrome or firefox), which again is a minus (how much does
it depend on the the security of the whole browser?)

mailvelope runs on your own machine and encrypts (using a javascript
version of OpenPGP) on you own machine. So the breaking would have to
occur on your own machine. Not sure what you mean by "malicious
updates". Updates of what? mailvelope? I think you would have to
initiate the download and the installation. I presume it does not
initiate and install its own updates.

On Sat, 23 Mar 2024, William Unruh wrote:

> On 2024-03-23, D <nospam@example.net> wrote:
>>
>>
>> On Fri, 22 Mar 2024, Stefan Claas wrote:
>>
>>> D wrote:
>>>
>>>>
>>>>
>>>> On Thu, 21 Mar 2024, Stefan Claas wrote:
>>>>
>>>>> William Unruh wrote:
>>>>>
>>>>>> Of course the problem with rolling your own is that 99% of the
>>>>>> computer user have vey little idea about cryptography or about
>>>>>> "rolling you r own" "Use PGP" is of very little help since it needs
>>>>>> to be made automatic and needs to have a "phonebook" containing
>>>>>> people you might want to communicate with and their public keys.
>>>>>> Plus you have to make sure to keep your own private keys secret.
>>>>>> There are so many ways of messing up and making the system
>>>>>> insecure, depite using the best tools. That is of course what
>>>>>> companies presumably like Tutanota provide. Unfortunaely with a
>>>>>> huge potential security hole. The balance between security and
>>>>>> ease of use (both of which are crucial) is delicate. Oepn source
>>>>>> is a bare minimum ( so you can check up on their claims, or at
>>>>>> least have others check up on their claims). Also you have to make
>>>>>> sure that the people you communicate with also have the software,
>>>>>> and use it. encrytion is useless if your recipient replies to
>>>>>> your missive by quoting it all in cleartext and then adding their
>>>>>> own reply.
>>>>>
>>>>> There is Mailvelope for Gmail and others, which is a browser based
>>>>> plug-in and it has it's own key server. This should simplify the
>>>>> process of using PGP for encrypted email and you don't have to
>>>>> sign-up for tuta, proton.me etc.
>>>>>
>>>>> https://mailvelope.com/
>>>>
>>>> Doesn't that just trade tuta for mailvelope.com?
>>>
>>> Well, I would say no. People can keep their email account and do
>>> not need to switch to tuta.com, for encrypted email. Mailvelope
>>> is also older than tuta.com
>>>
>>>
>> Sorry, what I meant is that does this not mean that someone could break
>> into mailvelop and send malicious updates to people who have the mailvelop
>> plugin?
>
> It is opensource, which is a plus. It is javascript, which I suspect is
> a minus (I am not at all sure how safe Javascript is). It is a plugin
> into browsers (chrome or firefox), which again is a minus (how much does
> it depend on the the security of the whole browser?)
>
> mailvelope runs on your own machine and encrypts (using a javascript
> version of OpenPGP) on you own machine. So the breaking would have to
> occur on your own machine. Not sure what you mean by "malicious
> updates". Updates of what? mailvelope? I think you would have to
> initiate the download and the installation. I presume it does not
> initiate and install its own updates.
>

Ahh... thank you that sheds more light on it, and yes, that's what I had
in mind, if mailvelop "pesters" people to upgrade, or even worse,
automatically upgrade. That would be an enormous risk in case they are
broken into.

On 2024-03-23, D <nospam@example.net> wrote:
>
>
> On Sat, 23 Mar 2024, William Unruh wrote:
>
>> On 2024-03-23, D <nospam@example.net> wrote:
>>>
>>>
>>> On Fri, 22 Mar 2024, Stefan Claas wrote:
>>>
>>>> D wrote:
>>>>
>>>>>
>>>>>
>>>>> On Thu, 21 Mar 2024, Stefan Claas wrote:
>>>>>
>>>>>> William Unruh wrote:
>>>>>>
>>>>>>> Of course the problem with rolling your own is that 99% of the
>>>>>>> computer user have vey little idea about cryptography or about
>>>>>>> "rolling you r own" "Use PGP" is of very little help since it needs
>>>>>>> to be made automatic and needs to have a "phonebook" containing
>>>>>>> people you might want to communicate with and their public keys.
>>>>>>> Plus you have to make sure to keep your own private keys secret.
>>>>>>> There are so many ways of messing up and making the system
>>>>>>> insecure, depite using the best tools. That is of course what
>>>>>>> companies presumably like Tutanota provide. Unfortunaely with a
>>>>>>> huge potential security hole. The balance between security and
>>>>>>> ease of use (both of which are crucial) is delicate. Oepn source
>>>>>>> is a bare minimum ( so you can check up on their claims, or at
>>>>>>> least have others check up on their claims). Also you have to make
>>>>>>> sure that the people you communicate with also have the software,
>>>>>>> and use it. encrytion is useless if your recipient replies to
>>>>>>> your missive by quoting it all in cleartext and then adding their
>>>>>>> own reply.
>>>>>>
>>>>>> There is Mailvelope for Gmail and others, which is a browser based
>>>>>> plug-in and it has it's own key server. This should simplify the
>>>>>> process of using PGP for encrypted email and you don't have to
>>>>>> sign-up for tuta, proton.me etc.
>>>>>>
>>>>>> https://mailvelope.com/
>>>>>
>>>>> Doesn't that just trade tuta for mailvelope.com?
>>>>
>>>> Well, I would say no. People can keep their email account and do
>>>> not need to switch to tuta.com, for encrypted email. Mailvelope
>>>> is also older than tuta.com
>>>>
>>>>
>>> Sorry, what I meant is that does this not mean that someone could break
>>> into mailvelop and send malicious updates to people who have the mailvelop
>>> plugin?
>>
>> It is opensource, which is a plus. It is javascript, which I suspect is
>> a minus (I am not at all sure how safe Javascript is). It is a plugin
>> into browsers (chrome or firefox), which again is a minus (how much does
>> it depend on the the security of the whole browser?)
>>
>> mailvelope runs on your own machine and encrypts (using a javascript
>> version of OpenPGP) on you own machine. So the breaking would have to
>> occur on your own machine. Not sure what you mean by "malicious
>> updates". Updates of what? mailvelope? I think you would have to
>> initiate the download and the installation. I presume it does not
>> initiate and install its own updates.
>>
>
> Ahh... thank you that sheds more light on it, and yes, that's what I had
> in mind, if mailvelop "pesters" people to upgrade, or even worse,
> automatically upgrade. That would be an enormous risk in case they are
> broken into.

Well, if they find a security bug, pestering them to upgrade is what
they should do. One would hope that if they were broken into, and a
security flaw introduced and then the cracker sent out requests to
upgrade, that they would quickly notice and take down the bad version.
The same is true of the kernel, which would be evenmore of a security
threat.