Twice again, privacy has taken a hit across the land. Lavabit and Silent
Mail are gone, and to quote Phil Zimmermann, “the writing is on the wall”
for any other encrypted email provider located in US territory. This is
sure to be repeated for servers located in Europe and other countries. Is
this the end of encrypted email?

It might well be the end of encrypted email _servers_, at least for a
while, but not of encrypted email itself. I’ve posted this a few times
here, but let me repeat it: you only get real security if the encryption is
handled completely client-side. Then you don’t rely on a server that can be
shut down. You can use any mail system, web-based or otherwise. They’d have
to shut down every mail provider and every text provider in order to shut
you down. This is what PGP was when it started. We need to go back to that.

And yes, client-side today might mean JavaScript. What’s so wrong with
that? Sure, it is easy to intercept and modify, but it is also transparent
and easy to check. If the user is willing to check a hash of the source
code, JavaScript isn’t any less tamper-proof than compiled code. And who
even gets to look at compiled code these days (especially if it resides in
a server)?

This is one of the reasons why I am developing PassLok. Thanks to feedback
from members of this forum, the security provided by PassLok is stronger
than ever, but you don’t have to believe me. Download it from its source at
https://passlok.site44.com (once you have it once, you have it forever),
look at it, run it, test it. Get its SHA256 hash from its help page and
check it. If you’re as paranoid as I am, you can watch me reading that hash
(with some nice background music to make tampering with it more difficult),
in this YouTube video: https://www.youtube.com/watch?v=VHR_w0FCkC0

There’s no legal action that can shut down PassLok because it consists of
pure code, and pure code is speech, protected from government interference
under the 1st Amendment to the US Constitution.

If you don’t think this is enough, let us all know. Let’s come up with a
solution. Meanwhile, I appreciate any suggestions on how to make PassLok
more secure and easier to use.

-- 
Francisco Ruiz
Associate Professor
MMAE department
Illinois Institute of Technology

PL13lok=WsH3zTgZn8V3hnIqjdbfPus+5YF5n+LBRPuH9USMMp8izPv+hsLoZKv+jaCFMapJFfiA11Q9yJU1K1Wo0TbjXK/=PL13lok

get the PassLok privacy app at: http://passlok.com
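
The hash check described in the message above, as an added example for Node.js; it is not part of the original post and is not PassLok code. The function names and the sample page bytes are constructed for illustration, and the "published" value stands in for a hash copied from a help page or transcribed from a recording.

```javascript
// Added example: verify a locally saved copy of a single-file web app
// against a SHA-256 value obtained through a separate channel.
const crypto = require("crypto");

// Hex SHA-256 of the exact bytes given (normally the file as stored on disk).
function sha256Hex(bytes) {
  return crypto.createHash("sha256").update(bytes).digest("hex");
}

// A hash copied by hand or read aloud may arrive in groups, with colons,
// dashes or mixed case. Reduce it to 64 lowercase hex digits, or reject it
// so that a truncated value can never be accepted as a match.
function normalizePublishedHash(text) {
  const hex = text.replace(/[\s:\-]/g, "").toLowerCase();
  if (!/^[0-9a-f]{64}$/.test(hex)) {
    throw new Error("published value is not a complete SHA-256 hash");
  }
  return hex;
}

// True only when the bytes hash to the published value.
function verifyCopy(bytes, publishedText) {
  return sha256Hex(bytes) === normalizePublishedHash(publishedText);
}

// Constructed sample standing in for the downloaded page.
const SAMPLE_PAGE = Buffer.from(
  "<html><script>/* app */</script></html>\n", "utf8");

// Constructed "published" value: the sample's own hash, upper-cased and
// split into groups of four the way a person might transcribe it.
const SAMPLE_PUBLISHED =
  sha256Hex(SAMPLE_PAGE).toUpperCase().match(/.{4}/g).join(" ");

// The same page after a tool rewrote its line ending (LF to CRLF).
// Nothing visible changed, yet the bytes differ and the check fails.
const REWRITTEN_PAGE = Buffer.from(
  SAMPLE_PAGE.toString("utf8").replace("\n", "\r\n"), "utf8");

console.log("original copy :", verifyCopy(SAMPLE_PAGE, SAMPLE_PUBLISHED));
console.log("rewritten copy:", verifyCopy(REWRITTEN_PAGE, SAMPLE_PUBLISHED));
```

For a real file, pass the result of `fs.readFileSync(path)` as the bytes, and hash the file exactly as downloaded, since a browser's "save page" function may rewrite the markup before writing it to disk.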