Orbifx's compendium

Private communication

Everyone must use privacy enhancing software. Admittedly developers should implement them by default.

| | | topics: computing | keywords: IM, email, otr, pgp, privacy
id: e7a5e3c3-3d9f-4d62-9834-3fefab538278

Why

Privacy is a human right, for a good reason. It's a necessary ingredient for healthy and simplified relationships and a protection from any entities which veer to oppressive attitudes. Predominantly that is your employer, the government and intelligence. But it can also be a peer of yours with better understanding of information and computer systems.

If you understand the above well, you will also understand that privacy is a necessity for legal citizens to maintain their autonomy and liberties. It is an essential buffer that protects the freedom that you have (hopefully) been enjoying.

The omen

But this freedom is at risk because of computer illiteracy. There is little understanding or at least appreciation of what it means to use internet services. From the basic internet access, to email service provider and finally to social networking services.

People which haven't had to earn the technology and freedoms they have access to, they may be desensitised to their worth. Like some wealthy offspring, which inherits assets without really appreciating what it means to build it, our rights are irresponsibly squandered.

One may argue that there is nothing to hide and therefore no reason to care if your information being shared or surveilled. There are two major issues with this point:

  1. When it comes to communication there are more likely others involved, so you may need to maintain the communication private for the sake of the other individual.
  2. It's neglecting the fact that it is the society that needs privacy. In numerous occurrences throughout history small groups of people oppressed the majority given enough power to do so. As intelligent beings we should learn from history and not let mistakes repeat again.

So even if one is convinced their self-interests are not harmed, the harm caused to society should be considered. Our communication culture is sleep-walking into a future where people no longer know how to have a private conversation or share information only with those they intend to.

You owe your family, your friends, your ancestors and descendants to preserve and protect those rights and if anything: make them even better.

The technical issue

There is only one fundamental issue with our communication: clear text.

I believe that for simplicity reasons, encryption wasn't implicitly included in our communication systems. As a results it has become a common to send a message in a way that anyone along the way can read it. There are multiple parties involved:

Email

Email is the most established form of communication. First a very simple introduction into how email works. The message written by the sender is delivered by going through at least one email provider.

 (A)              (B)                         (C)               (D)
sender --> sender's provider   -->   recipient's provider --> recipient

The email is transmitted by the sender's device to their email provider and left there. The email provider holds the message until the recipient's provider is found and can accept the message. Once the message is successfully transfered to the recipient's provider the sender's copy is deleted. The recipients provider copies the mail into the recipients inbox, where it waits until the recipient logs in to see it.

At least in the current convention, during transfer the message should be encrypted. Senders and recipients use encrypted channels to exchange the date. But whilst the message sits on any of the points A, B, C, D, it is clear-text. Anyone with access to those points can read it. What does this mean:

The above can read the whole inboxes of the devices they gain access to. Any email left (or kept without the knowledge of the user) on the server is accessible. Your friends are also compromised by this. Whatever they thought they were entrusting to you it is potentially shared with people not intended.

This is all avoidable!

Enter OpenPGP

Open Pretty Good Privacy (PGP) is an encryption system for protecting your emails (and other data). It encrypts emails before they are stored or send anywhere. The message is only decryptable by the intended recipient and maybe the author. It's an open standard which loosely means, the technology belongs to the public.

Keys & algorithms

There are two fundamental elements of encryption. Keys and algorithms. If you aren't interested on a technical level about encryption, you only need to know some basics about keys.

OpenPGP uses asymmetric encryption (public key cryptography). All you need to understand about that is that each person has two keys: a private and a public one. Their private key needs to remain safe and secret. The public one can be shared with anyone and anyhow. They can publish it on websites and on key-servers.

The public key can only be used to encrypt a message. One can not use the public key to decrypt even the message they just encrypted. The only key that can decrypt the message is the respective private key.

So as you may have figured the keys are generated in pairs (key-pairs). Each person generates a key pair and shares their public key with the world. The world can then encrypt emails for the person using their public and only the person can decrypt them using their private key.

Programs to use

To use OpenPGP, one needs a program which supports it. A quick list of Free Open Source email clients supporting OpenPGP:

For more look at https://en.wikipedia.org/wiki/Comparison_of_email_clients#General_features

Thunderbird is recommended for those who don't want to spend a lot of time figuring out how computers work. Claws is a more lean but in many cases more powerful client. I will cover configuring Thunderbird as it is more popular. But consider using Claws if you are feeling more adventurous.

Thunderbird

Install

In a simple list what you need to do is:

Download and install Thunderbird from Mozilla's website. Start it and go to Add-ons from the menu bar (the icon with the three bars). A new tab should open, named Add-ons Manager. In the search box search for "enigmail" and install the add-on which should turn up in the results.

Install the add-on and restart Thunderbird by clicking restart now, as it recommends. When it restarts, a dialogue window should appear along with Thunderbird's window: "Enigmail Setup Wizard".

  1. With start setup now click next.
  2. Confirm I prefer standard configuration is selected and click next.
  3. If you don't have GnuPG installed, the wizard at this stage will help you install it. Click Install GnuPG. GnuPG is a program that implements the OpenPGP standard. It is free and open source. For Windows it is called Gpg4Win. Just click next to everything on the setup for Gpg4Win.
  4. If you already have a key-pair it should appear on the list and you can use it. Otherwise, select I want to create a new key-pair for signing and encrypting my email and click next.
  5. Enter your passphrase and click next. The pass phrase is not used to encrypt messages. It is used to lock the keys. This is in case your computer gets stolen, as an extra layer of protection. The wizard explains all this on the current page.
  6. Key Creation will commence. It may take a few minutes, depending on your computer's speed. Once complete click create revocation certificate. This is a file which can be used to tell others that you want to invalidate the key-pair. This is in case your computer gets stolen, or you somehow lose control of the private key. Save this file somewhere safe. It will basically make the public key unusable.
  7. You can close the wizard now, you are done!

Encrypted messages

So what have you gained? You can now encrypt emails to others and receive encrypted emails. When you open the message Write window, to write a new message, there should be an enigmail bar now. The keylock icon toggles encryption. The pen icon toggles signing of messages. Signing a message doesn't encrypt it. It adds a unique signature on the message that confirms this message was written from you and has not been changed along the way.

Finally attach public key allows you to easily share your public key with others. Remember your recipient needs to have PGP setup too. You need their public key to send them encrypted messages and they need yours.

Publishing key on key server

An easier way to share your key is to upload it to a key server. That way, anyone wanting to contact you can automatically fetch your key, without having to do anything additional.

Go to menu > Enigmail > key management. Right click you key and click Upload public keys to server. Select one from the list (the default should do) and click ok. That is it.

Your friends & colleagues should do the same. That way Enigmail will automatically get their keys the first time you try to send them an encrypted message. Any keys you use will be stored locally on your computer. You won't have to get them again.

Share & enjoy

This is it! You know all that is necessary to have private conversation. You can learn more about this if you want, but what you now know is enough.

Persuade your friends to join you in private conversations. Avoid receiving unencrypted emails and at the very least, don't leave unencrypted ones on the mail server. Have fun!