Re: GPG tool for Windows Embedded Compact 7

2014-04-09 Thread dbhukta .
Hi,

Can you give the solution for a GPG tool which will run on Windows Embedded
Compact 7, or any binary file which will be compatible with Windows Embedded
Compact 7?

Looking forward to hearing from you.

Regards

D Bhukta
+918600096629




On Fri, Feb 21, 2014 at 1:29 AM, Alan Meekins alan.meek...@gmail.com wrote:

 Not all Windows Embedded OSes are built on top of CE! Look here for a
 listing of the products:
 https://www.microsoft.com/windowsembedded/en-us/downloads.aspx
 It sounds like you are likely using Windows Embedded Standard 7 (aka WES7,
 yuck what a mouthful!) which is just a rebranded version of normal old
 Windows 7. If this is the case it means anything that can run on Windows
 7 (big Windows) will run on WES7 with no modification. The caveat about
 Windows Embedded is that you have the flexibility to strip out just about
 any component of Windows so the most likely issues you will hit are around
 what you have removed from the image causing breaks in 3rd party software
 such as GnuPG. So in short we need to know the exact version of Windows you
 are running to really give accurate advice. CE is a different world which
 may require you to recompile the programs you wish to run depending on your
 exact scenario.

 Cheers,
 -Alan


 On Thu, Feb 20, 2014 at 9:01 AM, Andre Heinecke aheine...@intevation.de wrote:

 Hi,

 On Wednesday 19 February 2014 08:13:36 dbhukta . wrote:
  Let me know any version which is compatible for Windows embedded
 Compact 7
  to encrypt/decrypt  a text file at least.

 GnuPG has been ported to Windows CE 5.0 so it should / could work on Windows
 Embedded 7 (I guess it's untested) as this work was done in 2010 as part of a
 project and there has been little interest in Windows CE since.

 We still have some binaries lying around:

 http://files.kolab.org/local/windows-ce/gpg-snapshots/gpg_wince-dev-190111.zip

 Sources for that version:

 http://files.kolab.org/local/windows-ce/gpg-snapshots/gpg-ce-dev-190111-src.zip

 And a signed sha1sums file in:
 http://files.kolab.org/local/windows-ce/gpg-snapshots/

 Maybe it works, maybe not.
 Have fun

 --
 Andre Heinecke |  ++49-541-335083-262 |  http://www.intevation.de/
 Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B
 18998
 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

 ___
 Gnupg-users mailing list
 Gnupg-users@gnupg.org
 http://lists.gnupg.org/mailman/listinfo/gnupg-users





-- 
Regards,

Dinabandhu Bhukta
8600096629


Re: Heartbleed attack on Openssl

2014-04-09 Thread Sam Gleske
On Tue, Apr 8, 2014 at 11:01 PM, Felipe Vieira fmv1...@gmail.com wrote:

 Dear GNUPG community,
 I think a lot of unexperienced users would like to know more about the
 Heartbleed problem found on some of the openssl versions. I have two broad
 questions and two specific questions:
 1) Which type of clients have been compromised (consider an ordinary user)?
 2) Which common applications use openssl and are a potential target?

 2) Are firefox users compromised?
 3) Are RetroShare users compromised?
 Thanks in advance.


For the most part it is service providers who are affected by the bug.
There's a handy website to verbosely explain heartbleed.

http://heartbleed.com/

Affected services include HTTP, email servers (SMTP, POP and IMAP
protocols), chat servers (XMPP protocol), virtual private networks (SSL
VPNs), databases (e.g. mysql), and pretty much any service that uses
openssl TLS/SSL to secure transport of services if they're recently patched.

Security notices for popular server distros...
RHEL - https://access.redhat.com/site/solutions/781793
Ubuntu - http://www.ubuntu.com/usn/usn-2165-1/

CLIENT

There's not much you can do at this point.  Update your system packages and
that's about it.

SERVICE PROVIDER
Essentially you want to take the following steps if you're a service
provider.

1. Test for the vulnerability - http://pastebin.com/WmxzjkXJ it is also
prudent to search for the affected package versions across all services.
2. If vulnerable patch the OpenSSL version of public front end services
first.  Patch backend services after the front end is secure.
3. Reissue SSL private keys and certificates.  Since the leak exposes the
private key it is no longer pristine.

For the remaining more thorough steps of what to do see the
heartbleed.org website which has a nice set of instructions.


Re: Heartbleed attack on Openssl

2014-04-09 Thread Tristan Santore
On 09/04/14 14:17, Sam Gleske wrote:
 On Tue, Apr 8, 2014 at 11:01 PM, Felipe Vieira fmv1...@gmail.com wrote:

 Dear GNUPG community,
 I think a lot of unexperienced users would like to know more about
 the Heartbleed problem found on some of the openssl versions. I
 have two broad questions and two specific questions:
 1) Which type of clients have been compromised (consider an
 ordinary user)?
 2) Which common applications use openssl and are a potential target?

 2) Are firefox users compromised?
 3) Are RetroShare users compromised?
 Thanks in advance.


 For the most part it is service providers who are affected by the
 bug.  There's a handy website to verbosely explain heartbleed.

 http://heartbleed.com/

 Affected services include HTTP, email servers (SMTP, POP and IMAP
 protocols), chat servers (XMPP protocol), virtual private networks
 (SSL VPNs), databases (e.g. mysql), and pretty much any service that
 uses openssl TLS/SSL to secure transport of services if they're
 recently patched.

 Security notices for popular server distros...
 RHEL - https://access.redhat.com/site/solutions/781793
 Ubuntu - http://www.ubuntu.com/usn/usn-2165-1/

 CLIENT

 There's not much you can do at this point.  Update your system
 packages and that's about it.

 SERVICE PROVIDER
 Essentially you want to take the following steps if you're a service
 provider.

 1. Test for the vulnerability - http://pastebin.com/WmxzjkXJ it is
 also prudent to search for the affected package versions across all
 services.
 2. If vulnerable patch the OpenSSL version of public front end
 services first.  Patch backend services after the front end is secure.
 3. Reissue SSL private keys and certificates.  Since the leak exposes
 the private key it is no longer pristine.

 For the remaining more thorough steps of what to do see the
 heartbleed.org <http://heartbleed.org> website which has a nice set of
 instructions.


It is imperative you revoke old keys! Not just reissue!

Regards,
Tristan

-- 

Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
tristan.sant...@internexusconnect.net

Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)

For Fedora related issues, please email me at:
tsant...@fedoraproject.org



Re: Heartbleed attack on Openssl

2014-04-09 Thread Robert J. Hansen
 Dear GNUPG community,

That right there should be your first hint.  :)

This is a great email list to get informed opinions on GnuPG and the
OpenPGP RFCs, but this may not be a great place to get informed
commentary on OpenSSL.  It's a completely different software package run
by a completely different outfit.

You may get better answers if you ask on the OpenSSL mailing lists.  :)




It's 2014. Are we there yet?

2014-04-09 Thread Kapil Aggarwal
Folks,
I’m an ardent reader of this (and a few other) mailing lists, 
but usually stay quiet and in the background. However, in light of global 
events and paradigm shifts in the last few months, I’m tempted to speak up.

While I do use PGP/GPG, I have to admit that the usage has been 
minimal and sporadic over the last few years, with the usual suspects as 
reasons. But the biggest reason of course is “adoption” i.e. very few in my 
social/professional circle use it. Now, we all (probably, subconsciously?) 
know/acknowledge why that is, we are in 2014 after all. 

My personal belief is that the awareness for secure 
communications is starting to rise, not just for the niche users who are 
already using it/know how to use it, but for the “average Joe user” as well. My 
definition of the “average Joe user” btw is someone who:

-   Has at least one computing device, if not more
-   Is familiar with email
-   Is already using various online mediums
-   Has usually never thought about “secure communications” or maybe in an 
abstract fashion

Now, the barrier to entry of secured communications is high. I realize that. 
I’m sure a lot of you do as well. It’s not easy, it takes time, patience, a 
certain level of expertise and a tacit acknowledgement that they need to use it 
in the first place (probably the most important).

The “secure communications” paradigm of course spans a whole spectrum from “I 
don’t give a ” to “I’ll do anything to protect my communications, including 
giving away my first born”. I suspect the “average Joe user” in 2014 is 
slightly above the former, but way below the latter. Without going to the other 
end of the spectrum, what will make adoption of secure communications a bit 
more palatable to the “average Joe user”?

Let’s list a few arguments:

-   I don’t even know what I need. – Well, assuming they are starting to 
recognize the need, I suspect they will find out relatively easily as to what 
they need. With a few caveats of course. There’s way more FUD/noise/BS out 
there than the average person can decipher, so it’ll probably end as being 
word-of-mouth recommendations or such.
-   Even if I know what I need, getting it/installing it is hard. – It is. 
The setup/install needs to be simpler, i.e. as simple as installing an “app”. 
That is what the average Joe user is capable of.
-   WTF is a key pair/public key/private key/insert more arcane 
terminology… -  This IS a big problem. I may get it, you may get it, how does 
the average Joe user gain that understanding? The nomenclature needs to be, 
well, something that the average Joe user can understand as well. They 
understood SSL (well, for the most part).
-   … several more similar arguments.

Now, what will help drive this adoption more?

-   A better install experience?
-   A “dumbed down” (if you will) taxonomy that they can understand?
-   Simpler UIs? (without sacrificing secure functionality)
-   Better integration with existing systems?
-   Education? i.e. ongoing information dissemination that educates people 
on these things. Newsletters? How tos? Youtube videos (shudder)? And others.
-   Start hitting them on the head with a baseball bat? 

All thoughts are very much welcome and appreciated.

Kapil Aggarwal.




Re: It's 2014. Are we there yet?

2014-04-09 Thread Sam Gleske
On Wed, Apr 9, 2014 at 1:20 PM, Kapil Aggarwal ka...@hotmail.com wrote:

 -   I don’t even know what I need. – Well, assuming they are starting
 to recognize the need, I suspect they will find out relatively easily as to
 what they need. With a few caveats of course. There’s way more FUD/noise/BS
 out there than the average person can decipher, so it’ll probably end as
 being word-of-mouth recommendations or such.
 -   Even if I know what I need, getting it/installing it is hard. – It
 is. The setup/install needs to be simpler, i.e. as simple as installing an
 “app”. That is what the average Joe user is capable of.
 -   WTF is a key pair/public key/private key/insert more arcane
 terminology… -  This IS a big problem. I may get it, you may get it, how
 does the average Joe user gain that understanding? The nomenclature needs
 to be, well, something that the average Joe user can understand as well.
 They understood SSL (well, for the most part).
 -… several more similar arguments.

 Now, what will help drive this adoption more?

 -   A better install experience?
 -   A “dumbed down” (if you will) taxonomy that they can understand?
 -   Simpler UIs? (without sacrificing secure functionality)
 -   Better integration with existing systems?
 -   Education? i.e. ongoing information dissemination that educates
 people on these things. Newsletters? How tos? Youtube videos (shudder)? And
 others.
 -   Start hitting them on the head with a baseball bat? 


I've actually started talking to my family a lot about using it and getting
my parents to use GNUPG.  I think the biggest problem is too many paths
to accomplish what is needed.  There's so much software and so many
recommendations that you, as an expert explaining to your friends, need to
show them a single path and say, "This is how it is done."

I've written a document for my family and regularly link it on facebook
encouraging friends and family to use it.  Warning to PGP experts, the
terminology is dumbed down and the concepts are filtered so not everything
is technically correct but explained in a way that the user can
understand.  Also, it's a few pages of text and mostly screen shots.  I
tried making it fun somewhat so bear with the imagery.

http://www.pages.drexel.edu/~sag47/privacy_for_everyone.pdf

SAM


Re: It's 2014. Are we there yet?

2014-04-09 Thread Robert J. Hansen
 The “secure communications” paradigm of course spans a whole spectrum
 from “I don’t give a ” to “I’ll do anything to protect my
 communications, including giving away my first born”. I suspect the
 “average Joe user” in 2014 is slightly above the former, but way below
 the latter. Without going to the other end of the spectrum, what will
 make adoption of secure communications a bit more palatable to the
 “average Joe user”?

Every year or so this subject comes up, and my answers are unchanged
from last time: start by reading up on academic papers studying this
exact problem.  For a while John Clizbe and I kept a list of good
papers, but I have to confess I haven't been keeping up on the latest
literature.  Still, our last list is pretty good reading.

(These selections come from both John and me, but John is the one who
assembled them into proper cite format -- thanks, John.  For the
original message, see "Re: what is killing PKI?" on this mailing list,
posted on 24 Aug 2012.)

=

Gaw, S., Felten, E. W., and Fernandez-Kelly, P. 2006.
Secrecy, flagging, and paranoia: adoption criteria in encrypted email.
In Proceedings of the SIGCHI Conference on Human Factors in Computing
Systems (Montreal, Quebec, Canada, April 22 - 27, 2006).
R. Grinter, T. Rodden, P. Aoki, E. Cutrell, R. Jeffries, and
G. Olson, Eds. CHI '06. ACM, New York, NY, 591-600.
DOI= http://doi.acm.org/10.1145/1054972.1055069

Garfinkel, S. L., Margrave, D., Schiller, J. I., Nordlander, E.,
and Miller, R. C. 2005. How to make secure email easier to use.
In _Proceedings of the SIGCHI Conference on Human Factors in Computing
Systems_ (Portland, Oregon, USA, April 02 - 07, 2005).
CHI '05. ACM, New York, NY, 701-710.
DOI= http://doi.acm.org/10.1145/1054972.1055069

Alma Whitten and J.D. Tygar. Why Johnny Can’t Encrypt: A Usability
Evaluation of PGP 5.0. In Proceedings of the 8th USENIX Security
Symposium, Washington, DC, August 1999. http://bit.ly/OaEeTD

Steve Sheng, Levi Broderick, Colleen Alison Koranda, and Jeremy J.
Hyland. Why Johnny Still Can’t Encrypt: Evaluating the Usability of
Email Encryption Software. Poster session, 2006 Symposium On Usable
Privacy and Security, Pittsburgh, PA, July 2006.
http://cups.cs.cmu.edu/soups/2006/posters/sheng-poster_abstract.pdf



RE: It's 2014. Are we there yet?

2014-04-09 Thread Kapil Aggarwal
I have. I was hoping there has been at least a small rise in user perception
about secure communications and newer software platforms/delivery channels
that are beneficial.

-Original Message-
From: Gnupg-users [mailto:gnupg-users-boun...@gnupg.org] On Behalf Of Robert
J. Hansen
Sent: Wednesday, April 09, 2014 1:59 PM
To: gnupg-users@gnupg.org
Subject: Re: It's 2014. Are we there yet?

 The secure communications paradigm of course spans a whole spectrum 
 from I don't give a  to I'll do anything to protect my 
 communications, including giving away my first born. I suspect the 
 average Joe user in 2014 is slightly above the former, but way below 
 the latter. Without going to the other end of the spectrum, what will 
 make adoption of secure communications a bit more palatable to the 
 average Joe user?

Every year or so this subject comes up, and my answers are unchanged from
last time: start by reading up on academic papers studying this exact
problem.  For a while John Clizbe and I kept a list of good papers, but I
have to confess I haven't been keeping up on the latest literature.  Still,
our last list is pretty good reading.

(These selections come from both John and me, but John is the one who
assembled them into proper cite format -- thanks, John.  For the original
message, see "Re: what is killing PKI?" on this mailing list, posted on 24
Aug 2012.)

=

Gaw, S., Felten, E. W., and Fernandez-Kelly, P. 2006.
Secrecy, flagging, and paranoia: adoption criteria in encrypted email.
In Proceedings of the SIGCHI Conference on Human Factors in Computing
Systems (Montreal, Quebec, Canada, April 22 - 27, 2006).
R. Grinter, T. Rodden, P. Aoki, E. Cutrell, R. Jeffries, and G. Olson, Eds.
CHI '06. ACM, New York, NY, 591-600.
DOI= http://doi.acm.org/10.1145/1054972.1055069

Garfinkel, S. L., Margrave, D., Schiller, J. I., Nordlander, E., and Miller,
R. C. 2005. How to make secure email easier to use.
In _Proceedings of the SIGCHI Conference on Human Factors in Computing
Systems_ (Portland, Oregon, USA, April 02 - 07, 2005).
CHI '05. ACM, New York, NY, 701-710.
DOI= http://doi.acm.org/10.1145/1054972.1055069

Alma Whitten and J.D. Tygar. Why Johnny Can't Encrypt: A Usability
Evaluation of PGP 5.0. In Proceedings of the 8th USENIX Security Symposium,
Washington, DC, August 1999. http://bit.ly/OaEeTD

Steve Sheng, Levi Broderick, Colleen Alison Koranda, and Jeremy J.
Hyland. Why Johnny Still Can't Encrypt: Evaluating the Usability of Email
Encryption Software. Poster session, 2006 Symposium On Usable Privacy and
Security, Pittsburgh, PA, July 2006.
http://cups.cs.cmu.edu/soups/2006/posters/sheng-poster_abstract.pdf



Re: Heartbleed attack on Openssl / Pertinent? I say yes.

2014-04-09 Thread Christopher J. Walters

On 4/9/2014 2:08 PM, Robert J. Hansen wrote:

safe.  How would you protect your home and valuables then?  That is the
type of problem that Heartbleed is, and it IMO needs to be posted
EVERYWHERE, so that people can at least try to protect themselves.


Please re-read my message.  I never told him to post elsewhere or that
it was off-topic for this list.  I simply told him where he might get
better answers.  If I was still teaching at the university and a student
came by looking for help with calculus homework, my first response would
be, Well, you're in the Computer Science department; the Math
department is at the other end of this hallway.

And my second response would be, But maybe I can help you: let's see.

:)


Believe it or not, I did read your message.  I did not mean to accuse you of 
telling him to post elsewhere or that it was off-topic for the list.  I am 
sorry if you got that impression. I just feel that the issue is very important, 
and needs to be shouted from the roof tops, as the saying goes.


Again, my message was nothing personal against you.  I just thought I'd provide 
more information on the bug.


My message has not shown up on the list, yet.  Is the list moderated, or is it 
just an issue of a reply to a message showing up before the actual message does?




Re: Heartbleed attack on Openssl / Pertinent? I say yes.

2014-04-09 Thread Christopher J. Walters

On 4/9/2014 12:51 PM, Robert J. Hansen wrote:

Dear GNUPG community,


That right there should be your first hint.  :)

This is a great email list to get informed opinions on GnuPG and the
OpenPGP RFCs, but this may not be a great place to get informed
commentary on OpenSSL.  It's a completely different software package run
by a completely different outfit.

You may get better answers if you ask on the OpenSSL mailing lists.  :)


You're right in the respect that this list is only for GnuPG and OpenPGP RFC 
support.


However, the Heartbleed vulnerability is such a pervasive Internet security 
issue that everyone needs to be made aware of it, so that they may become 
educated on it.  In my experience, the majority of Internet users take for 
granted that their Internet banking, shopping, and all other secure uses of 
the Internet are, in fact, truly *secure*.  This vulnerability affects the 
entire SSL of the Internet (since the majority of clients and servers use 
OpenSSL) - that makes every site vulnerable to spoofing, and everyone who uses 
the Internet for any secure transactions vulnerable to identity theft.


This bug *should* have been reported across the whole Internet when it was 
discovered about 2 years ago, but even now, no one wants to talk or hear about 
it anywhere.


Imagine if ALL companies that produce locks, safes, and provide home security 
had a security problem that would allow anyone who knew about the problem to 
anonymously get keys (or even master keys) to any lock, and to override any 
home security system, and get the combination to any safe.  How would you 
protect your home and valuables then?  That is the type of problem that 
Heartbleed is, and it IMO needs to be posted EVERYWHERE, so that people can at 
least try to protect themselves.


Regards,
Chris



Re: It's 2014. Are we there yet?

2014-04-09 Thread Sam Gleske
On Wed, Apr 9, 2014 at 3:23 PM, Daniel Kahn Gillmor d...@fifthhorseman.net wrote:

 Hi Sam--

 [offlist for now, see why below]

 On 04/09/2014 01:29 PM, Sam Gleske wrote:
  I've written a document for my family and regularly link it on facebook
  encouraging friends and family to use it.  Warning to PGP experts, the
  terminology is dumbed down and the concepts are filtered so not
 everything
  is technically correct but explained in a way that the user can
  understand.  Also, it's a few pages of text and mostly screen shots.  I
  tried making it fun somewhat so bear with the imagery.
 
  http://www.pages.drexel.edu/~sag47/privacy_for_everyone.pdf

 I'm really glad to see popularization of these tools.  thank you for
 writing this up.  i also really like your tinfoil hat photograph :) But...

 i read your disclaimer above, but the document (sha1sum
 6dac22e5fa1095638149a537d6a3b641ad2dd551) has dangerously misleading
 directions.  I strongly recommend you take it down for now while we
 figure out what to do about it.

 I haven't reviewed the whole document yet, but page 15 is particularly
 troubling.  the problem is that you describe the concept of key
 validity, but associate it with key ownertrust.

 key validity is "does this key belong to a person whose name and e-mail
 are indicated in the User ID?"

 key ownertrust is "am i willing to rely on identity certifications made
 by the holder of this key?"

 These are entirely separate questions.  I may know for sure that my
 boss's key belongs to my boss, but i don't want her to be able to create
 a new key that appears to belong to my husband, certify it, and send me
 mail that would then appear to come from my husband.  Even worse, i
 wouldn't want my mail to my husband to be encrypted to this bogus key,
 because my boss could then read the contents of the mail.

 There are other problems with the text, including (from a quick skim,
 not exhaustive, ordered from trivial to security-critical):

  * page 17 is far too much information about a useless-at-best feature
 (see [0])

  * the document recommends the use of pgp.mit.edu instead of the
 standard pool.sks-keyservers.net

  * the document discourages the creation of revocation certificates

  * page 11 seems to assume that asking their key ID is sufficient to
 verify identity, though this is distinctly not the case [1].  this is
 seriously insecure.  I can send you a new OpenPGP key whose private half
 i control, but with your user ID and your keyID later if you need
 convincing. :/

 I recommend you read the riseup/debian OpenPGP best practices document
 [2] and the GnuPG DETAILS document and consider trying to align your
 document with the information and recommendations in those materials.

 I've left this message offlist for now, because i'm hoping you'll follow
 up on the message publicly and make it clear what your plan is with this
 document;  If you'd like, either you or i can post these concerns
 publicly, and we can have the discussion on-list.  But i think a quick
 note from you asking people not to rely on the current draft of that
 document while you revise it for clarity and correctness would be great.

 let me know what you think.  sorry to send you a lengthy critique, and i
 hope it doesn't discourage you from continuing to spread the word about
 encryption.  It's just important to avoid making recommendations that
 give people a sense of security that turns out to leave them vulnerable
 in hidden ways.

 All the best,

 --dkg

 [0] https://www.debian-administration.org/users/dkg/weblog/98
 [1] https://www.debian-administration.org/users/dkg/weblog/105
 [2] https://we.riseup.net/debian/openpgp-best-practices



I agree with your concerns.  In reality I only started using GPG a few
weeks ago which would explain my amateurish approach I suppose.  There is a
source document written in openoffice...

http://www.pages.drexel.edu/~sag47/privacy_for_everyone.odt

Also, I have created sha1 files... just append *.sha1 to the file name e.g.
http://www.pages.drexel.edu/~sag47/privacy_for_everyone.odt.sha1

For now I have removed the PDF since I have widely distributed the link to
the PDF so that people don't download it and receive misinformation.

The odt file remains.  I'm open to editing the document for clarity and
fact checking.  Once an acceptable revised copy is well received on the
list then I'll recreate a PDF and upload it again.

SAM
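
Added illustration, not part of the thread and not GnuPG's own code: a simplified Python model of the classic trust model, run on the boss/husband scenario from the quoted review, to show why key validity and ownertrust must be kept apart. Fingerprints, user IDs and function names are constructed placeholders, and certification-depth limits are ignored; the thresholds are GnuPG's defaults for --completes-needed (1) and --marginals-needed (3).

```python
"""Key validity vs. ownertrust in a simplified classic trust model."""
from dataclasses import dataclass, field

ULTIMATE, FULL, MARGINAL, NONE = "ultimate", "full", "marginal", "none"
COMPLETES_NEEDED = 1  # GnuPG default for --completes-needed
MARGINALS_NEEDED = 3  # GnuPG default for --marginals-needed


@dataclass
class Key:
    fingerprint: str                                 # constructed placeholder
    user_id: str
    certified_by: set = field(default_factory=set)   # fingerprints of certifiers


def compute_valid(keyring, ownertrust):
    """Return the fingerprints considered valid.

    Validity answers "does this key belong to the person in its user ID?".
    Ownertrust answers "do I rely on certifications made by this key?".
    A certification only counts if the certifier's key is itself valid AND
    carries enough ownertrust.
    """
    valid = {fpr for fpr, trust in ownertrust.items() if trust == ULTIMATE}
    changed = True
    while changed:  # iterate to a fixed point so chains are followed
        changed = False
        for key in keyring.values():
            if key.fingerprint in valid:
                continue
            full = marginal = 0
            for signer in key.certified_by:
                if signer not in valid:
                    continue  # certifications from non-valid keys count for nothing
                trust = ownertrust.get(signer, NONE)
                if trust in (ULTIMATE, FULL):
                    full += 1
                elif trust == MARGINAL:
                    marginal += 1
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                valid.add(key.fingerprint)
                changed = True
    return valid


def usable_keys_for(user_id, keyring, ownertrust):
    """Valid keys carrying this user ID, i.e. keys mail could be encrypted to."""
    valid = compute_valid(keyring, ownertrust)
    return sorted(k.fingerprint for k in keyring.values()
                  if k.user_id == user_id and k.fingerprint in valid)


HUSBAND = "Husband <husband@example.org>"  # constructed user ID


def build_keyring():
    """Constructed keyring: I certified my boss's and my husband's real keys;
    the boss created and certified a second key carrying my husband's user ID."""
    keys = [
        Key("FPR-ME", "Me <me@example.org>"),
        Key("FPR-BOSS", "Boss <boss@example.org>", {"FPR-ME"}),
        Key("FPR-HUSBAND", HUSBAND, {"FPR-ME"}),
        Key("FPR-BOGUS", HUSBAND, {"FPR-BOSS"}),
    ]
    return {k.fingerprint: k for k in keys}


if __name__ == "__main__":
    ring = build_keyring()
    cases = [
        ("boss valid, ownertrust unset", {"FPR-ME": ULTIMATE}),
        ("boss valid, ownertrust marginal", {"FPR-ME": ULTIMATE, "FPR-BOSS": MARGINAL}),
        ("validity mistaken for ownertrust (full)", {"FPR-ME": ULTIMATE, "FPR-BOSS": FULL}),
    ]
    for label, trust in cases:
        print(f"{label}: {usable_keys_for(HUSBAND, ring, trust)}")
```

Only the last case, where the boss's key was given full ownertrust because it is known to be hers, makes the second key valid for the husband's user ID.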


Re: Heartbleed attack on Openssl

2014-04-09 Thread Pete Stephenson
On Apr 10, 2014 12:22 AM, Felipe Vieira fmv1...@gmail.com wrote:

 So going back to the original question as I can see there is no
disagreement on its importance:
 1) What are the consequences to the ordinary user?
 All the news are lacking information on that. Can you point relevant
examples?

Any service using a vulnerable version of OpenSSL in the last two years
could have been silently attacked, with the attackers being able to gain
access to information stored in the server's memory.

The attacker might get memory containing empty sections, boring system
files, secret cryptographic keys (the compromise of which could, in some
cases, lead to user data being decrypted or a MITM being possible with no
warnings), user data, etc.

It's not clear if any bad guys knew about the bug prior to the announcement.
If they didn't and one patched any affected servers as soon as possible,
then the effects would be quite minimal. If they did know and exploited
things, or if one has not yet patched vulnerable systems, things could be
very bad.

In short: the consequences could be dire but there is no way of knowing for
certain what, if any, things have been compromised. It's probably best to
assume the worst.

 All I could gather is that the only major/well known server to be
compromised was Yahoo.

Yahoo fixed the issue shortly after the public announcement of the bug. It
is not clear if bad guys were able to compromise their systems before it
was fixed, but researchers were able to successfully probe various systems
at Yahoo prior to the fix, so one should assume bad guys could do the same.

 For example: Gmail and Dropbox and Hotmail seem to be immune to this. I
also found out that Mozilla/Firefox browser were also immune. If I would
persuade someone of this bug's importance, which other examples could I
give?

No service using an affected version of OpenSSL is immune. Some (like
Cloudflare) received advanced notice and patched their systems before the
public announcement, while others may have used other SSL libraries or
versions of OpenSSL that were not vulnerable.

 2) (specific question) Does Firefox use openssl to connect to some
servers while browsing?

No. Firefox is immune because it uses the NSS Crypto library.

The issue typically exists on and affects servers. A server using an
affected version of OpenSSL is vulnerable regardless of what browser
clients use.

 3) How about Ubuntu and other OSs? Do they use openssl to update
themselves? (as in apt-get update && apt-get upgrade).

Ubuntu and Debian use GnuPG to sign packages but updates typically take
place over unencrypted connections. The update mechanism is not affected by
this bug.

Cheers!
-Pete


Re: Heartbleed attack on Openssl

2014-04-09 Thread Felipe Vieira
So going back to the original question as I can see there is no
disagreement on its importance:
*1) What are the consequences to the ordinary user? *
All the news are lacking information on that. Can you point relevant
examples?
All I could gather is that the only major/well known server to be
compromised was Yahoo.
For example: Gmail and Dropbox and Hotmail seem to be immune to this. I also
found out that Mozilla/Firefox browser were also immune. If I would persuade
someone of this bug's importance, which other examples could I give?

2) (specific question) Does Firefox use openssl to connect to some servers
while browsing?

3) How about Ubuntu and other OSs? Do they use openssl to update
themselves? (as in apt-get update && apt-get upgrade).
Be as clear and basic as possible. In the context of "It's 2014. Are we
there yet?" thread, I would like more shocking/tangible examples to suggest
friends to start thinking of cryptography (and then we are back to gnupg).
Thanks again.


Re: Heartbleed attack on Openssl

2014-04-09 Thread Sam Gleske
On Wed, Apr 9, 2014 at 6:45 PM, Pete Stephenson p...@heypete.com wrote:

 On Apr 10, 2014 12:22 AM, Felipe Vieira fmv1...@gmail.com wrote:
 
  So going back to the original question as I can see there is no
 disagreement on its importance:
  1) What are the consequences to the ordinary user?
  All the news are lacking information on that. Can you point relevant
 examples?

 In short: the consequences could be dire but there is no way of knowing
 for certain what, if any, things have been compromised. It's probably best
 to assume the worst.


^ That.  Assume the worst because the vulnerability was there for two
years.  Not sure who you're having a hard time convincing but send them to
heartbleed.com.  The first three paragraphs are for high flying executives
whose business critical documents are at risk.

  For example: Gmail and Dropbox and Hotmail seem to be immune to this. I
 also found out that Mozilla/Firefox browser were also immune. If I would
 persuade someone of this bug's importance, which other examples could I
 give?

What type of person are you trying to persuade?  If you download any of the
vulnerability test scripts in the wild you'll notice that the 64k output is
truncated and the script simply states you're vulnerable.  Edit that
script so that it dumps the full 64k.  While you're at it put that script
in an infinite while loop and dump the output to a file on disk.  Then use
Firefox or chrome or whatever browser you want and log in to the service.
When you're done search the file for your credentials.  It doesn't matter
what browser you're using.

  2) (specific question) Does Firefox use openssl to connect to some
 servers while browsing?

 No. Firefox is immune because it uses the NSS Crypto library.

I have verified this claim.  (Firefox Version: 28.0+build2-0ubuntu0.12.04.1)

$ dpkg -L firefox | while read x;do [ -f "${x}" ] && (if ldd "${x}" 2>/dev/null | grep libssl >/dev/null;then echo "${x}";fi);done |
    while read x;do echo "${x}";ldd "${x}" 2>/dev/null | grep libssl;done
/usr/lib/firefox/components/libmozgnome.so
    libssl3.so => /usr/lib/x86_64-linux-gnu/libssl3.so (0x7ffd9d836000)
/usr/lib/firefox/components/libdbusservice.so
    libssl3.so => /usr/lib/x86_64-linux-gnu/libssl3.so (0x7f778ceda000)
/usr/lib/firefox/libxul.so
    libssl3.so => /usr/lib/x86_64-linux-gnu/libssl3.so (0x7f326e66)
/usr/lib/firefox/browser/components/libbrowsercomps.so
    libssl3.so => /usr/lib/x86_64-linux-gnu/libssl3.so (0x7fa4537f3000)
/usr/lib/firefox/plugin-container
    libssl3.so => /usr/lib/x86_64-linux-gnu/libssl3.so (0x7f0807de7000)

$ dpkg -S /usr/lib/x86_64-linux-gnu/libssl3.so
libnss3: /usr/lib/x86_64-linux-gnu/libssl3.so

If it was openssl then it would be linked to
/lib/x86_64-linux-gnu/libssl.so.1.0.0 which is a part of the libssl1.0.0
package which is a dependency of the openssl package.

 The issue typically exists on and affects servers. A server using an
 affected version of OpenSSL is vulnerable regardless of what browser
 clients use.

While it's true Firefox does not link openssl in binaries the vulnerability
allows an attacker to easily hijack sessions, steal usernames and
passwords, and steal the server private key during the SSL negotiation
phase.  See my comments above for how you can verify that.

  3) How about Ubuntu and other OSs? Do they use openssl to update
 themselves? (as in apt-get update && apt-get upgrade).

 Ubuntu and Debian use GnuPG to sign packages but updates typically take
 place over unencrypted connections. The update mechanism is not affected by
 this bug.

True.  $ grep -rH 'http:' /etc/apt/sources.list*

I'm not sure who you're trying to convince, Felipe, but HOPEFULLY you have
already handled this bug by patching and added rules to your intrusion
detection system for packets trying to attack SSL using this method (the
attack packets look very different from normal SSL communication).

Pete, forgive me breaking down your reply but I found it a good exercise in
attempting to verify your claims.

Environment
KUbuntu 12.04.4 LTS
Linux 3.8.0-37-generic x86_64

SAM
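
The intrusion-detection point in the message above, as an added example that is not part of the original post or of any IDS product: a Python check that flags TLS heartbeat records (RFC 6520) whose declared payload length cannot fit in the record that carries them. It assumes unencrypted heartbeat records in a captured byte stream; the sample records and the names record, iter_records, check_heartbeat and scan are constructed for this illustration.

```python
import struct

HEARTBEAT = 24      # TLS ContentType "heartbeat" (RFC 6520)
HB_HEADER = 3       # 1-byte message type + 2-byte payload_length
MIN_PADDING = 16    # RFC 6520 requires at least 16 bytes of padding


def record(content_type, fragment, version=0x0302):
    """Wrap a fragment in a 5-byte TLS record header (used for the samples)."""
    return struct.pack("!BHH", content_type, version, len(fragment)) + fragment


def iter_records(stream):
    """Yield (content_type, fragment) for every complete TLS record."""
    offset = 0
    while offset + 5 <= len(stream):
        content_type, _version, length = struct.unpack_from("!BHH", stream, offset)
        fragment = stream[offset + 5:offset + 5 + length]
        if len(fragment) < length:
            return  # truncated capture: stop rather than guess
        yield content_type, fragment
        offset += 5 + length


def check_heartbeat(fragment):
    """Return None for a well-formed heartbeat, else the reason it is not."""
    if len(fragment) < HB_HEADER:
        return "heartbeat record shorter than its 3-byte header"
    _msg_type, claimed = struct.unpack_from("!BH", fragment, 0)
    # Header + claimed payload + minimum padding must fit inside the record.
    # RFC 6520 says a message with a too-large payload_length is discarded.
    if HB_HEADER + claimed + MIN_PADDING > len(fragment):
        return "payload_length %d does not fit in a %d-byte record" % (
            claimed, len(fragment))
    return None


def scan(stream):
    """Return [(record_index, reason)] for malformed heartbeat records."""
    findings = []
    for index, (content_type, fragment) in enumerate(iter_records(stream)):
        if content_type == HEARTBEAT:
            reason = check_heartbeat(fragment)
            if reason:
                findings.append((index, reason))
    return findings


# Constructed samples: a 4-byte payload with 16 bytes of padding, and a
# record that declares 65535 payload bytes but carries none.
GOOD_HEARTBEAT = struct.pack("!BH", 1, 4) + b"ping" + b"\x00" * 16
BAD_HEARTBEAT = struct.pack("!BH", 1, 0xFFFF)
SAMPLE_STREAM = (record(22, b"\x00" * 4)             # handshake placeholder
                 + record(HEARTBEAT, GOOD_HEARTBEAT)
                 + record(HEARTBEAT, BAD_HEARTBEAT))

if __name__ == "__main__":
    for index, reason in scan(SAMPLE_STREAM):
        print("record %d: %s" % (index, reason))
```

Once a session is encrypted the heartbeat body is ciphertext, so this check only applies to heartbeat records seen in the clear.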


Re: Heartbleed attack on Openssl

2014-04-09 Thread Robert J. Hansen
 1) What are the consequences to the ordinary user?

None.  The ordinary user is such an easy target that as bad as this
attack is, I don't see it as making things any worse.

 All the news are lacking information on that. Can you point relevant
 examples?

Not yet.  Give it a few days: news reports will develop, Wikipedia will
be updated, and so on.

 2) (specific question) Does Firefox use openssl to connect to some
 servers while browsing?

https://www.google.com/search?q=does+firefox+use+openssl

No, it does not.  Nor does Chrome.

 3) How about Ubuntu and other OSs? Do they use openssl to update
 themselves? (as in apt-get update && apt-get upgrade).

Usually not.  Repositories are normally accessed via HTTP, not HTTPS.



Re: It's 2014. Are we there yet?

2014-04-09 Thread Sam Kuper
On 09/04/2014, Kapil Aggarwal ka...@hotmail.com wrote:
 Now, what will help drive this adoption more?

 All thoughts are very much welcome and appreciated.

One possible answer: https://www.mailpile.is/faq/

I haven't tried it myself, btw.



Re: Heartbleed attack on Openssl

2014-04-09 Thread Daniel Kahn Gillmor
On 04/09/2014 07:20 PM, Robert J. Hansen wrote:

 No, it does not.  Nor does Chrome.

Chromium (from which chrome is based) actually embeds a copy of openssl,
but doesn't use it for its TLS implementation, which is where the bug
would be triggered.  (i'm not sure why they do this embedding actually,
i haven't reviewed it).

 3) How about Ubuntu and other OSs? Do they use openssl to update
 themselves? (as in apt-get update && apt-get upgrade).
 
 Usually not.  Repositories are normally accessed via HTTP, not HTTPS.

even if they were accessed via https, this bug wouldn't have caused any
problem greater than a malicious attacker on the network being able to
see what packages you were downloading, and/or making you fetch an older
version of the repo you're looking at (or giving you "this repository
can't be authenticated" warnings).  This is the same situation you're in
when you download via HTTP, though, so it's not a big deal in this context.

Your software updates for apt and yum are secured by OpenPGP signatures
over the archives themselves, which are made (for responsible
repositories anyway) via secret keys that aren't exposed to the web
servers that host the archives.

--dkg





PGP/GPG does not work easily with web-mail.

2014-04-09 Thread One Jsim
PGP/GPG does not work easily with web-mail.

Most email, today, is read and written using the browser

POP or IMAP mail is a rarity

That is the problem

Some text/link on this problem?

José Simões


Re: Heartbleed attack on Openssl

2014-04-09 Thread Robert J. Hansen
 Chromium (from which chrome is based) actually embeds a copy of openssl,
 but doesn't use it for its TLS implementation, which is where the bug
 would be triggered.  (i'm not sure why they do this embedding actually,
 i haven't reviewed it).

I have heard that Chrome is migrating to OpenSSL instead of Mozilla's
NSS libraries; it's possible Chromium is a testbed.  Speculation on my
part, though.



Re: Heartbleed attack on Openssl

2014-04-09 Thread Felipe Vieira
Thanks everyone for the quick and complete feedback. New questions arose:

1) Firefox uses NSS instead of OpenSSL. Still it can communicate with an
OpenSSL based server (say X) and thus the browser's type is irrelevant. The
communication between browser and X could be eavesdropped. Is that correct?

2) If the first answer is yes, only the X service credentials/data could be
stolen or does that compromise the whole browser session (e.g.:
communication browser - service Y and browser - service Z)?


Re: PGP/GPG does not work easily with web-mail.

2014-04-09 Thread Leo Gaspard
On Wed, Apr 09, 2014 at 11:37:52PM +0100, One Jsim wrote:
 PGP/GPG does not work easily with web-mail.
 
 Most email, today, is read and written using the browser
 
 POP or IMAP mail is a rarity
 
 That is the problem
 
 Some text/link on this problem?
 
 José Simões

Well... I started to write a firefox addon, but never had enough time to finish
it. Perhaps later. If anyone wishes to get what I've done (that is, a js-ctype
binding of gpgme, along with tests AFAICR), I can try to locate the source code!

However, a major issue remains the encryption of HTML documents, which is,
AFAICT, not possible today (well, not automatically at least, as of course gpg
can be used to sign html files); and besides not obviously secure: what about
white-on-white text and such? I don't doubt there are fixes for such, and most
isn't even an issue; I just remember enigmail forbids it, so I guess there are
reasons.

Sorry for not helping you more,

Leo



Re: Heartbleed attack on Openssl

2014-04-09 Thread Robert J. Hansen
 Thanks everyone for the quick and complete feedback. New questions arose:

Again, you will have better luck asking on an OpenSSL mailing list.
There is no guarantee that anyone on this mailing list is an expert in
OpenSSL.

 The communication between browser and X could be eavesdropped. Is that
 correct?

Someone else could connect to X and use Heartbleed to scan the contents
of X's memory.  Anything sent to X could be considered compromisable for
so long as it's stored in X's RAM.




request for pgp encrypted messages for testing

2014-04-09 Thread Tim Prepscius
Hey there,

As I've said before, I'm working on a PGP based web mail program.
https://github.com/timprepscius/mv


The whole thing is GPL-Affero.  Copy, steal, add, reduce, as you wish.

Demonstration is here (which is often killed/reset/etc/so...):
http://pmx.mooo.com/

And some screenshots:
http://tinypic.com/r/2ljmj9i/8
http://tinypic.com/r/4vp7hu/8

Also, if anyone is interested in what the db looks like (without
actually setting it up for yourself)
http://pmx.mooo.com/mv/util/Dump

-


At this point I'm at 100% for testing signatures of messages (both
inline and pgp-mime).  (Prob actually 95% but not enough test cases
yet.)


I need more messages testing encryption.  I have found a few bugs in
openpgpjs concerning mime signing, and am dubious that it will
function perfectly with pgp-encryption.

If anyone here would like to help, please send an encrypted message to:
g...@pmx.mooo.com

g's public key is here:
http://pastebin.com/raw.php?i=RAi8cfjC

If you would like your message to be placed in a public repository of
these messages, please include that in the encrypted block.
Please send whatever you'd like, html/text/attachment/etc.

My email address is timprepsc...@gmail.com.  You can let me know
through the gmail if mooo does not go through (I'm using postfix
default settings)



Thank you to those who have already helped, and thank you all for your
time previously (with regard to the mime signing issues)

-tim



Re: PGP/GPG does not work easily with web-mail.

2014-04-09 Thread a k'wala
You may want to look at these:
- http://www.mailvelope.com/
- https://chrome.google.com/webstore/detail/mymail-crypt-for-gmail/jcaobjhdnlpmopmjhijplpjhlplfkhba/details
- https://www.penango.com/products
Some info about the above:
http://www.makeuseof.com/tag/encrypt-your-gmail-hotmail-and-other-webmail-heres-how/

Also, this is a promising project: https://www.mailpile.is/


--aslamK
http://gplus.to/akwala

PGP key http://is.gd/aslampgpmit (id: FECF84FB) fingerprint: 736C D83E
32DB A2FD 0208 9113 0FC8 BA7D FECF 84FB



On Wed, Apr 9, 2014 at 6:37 PM, One Jsim one.j...@gmail.com wrote:

 PGP/GPG does not work easily with web-mail.

 Most email, today, is read and written using the browser

 POP or IMAP mail is a rarity

 That is the problem

 Some text/link on this problem?

 José Simões





Re: Heartbleed attack on Openssl

2014-04-09 Thread Laurent Jumet

Hello Robert !

Robert J. Hansen r...@sixdemonbag.org wrote:

 1) What are the consequences to the ordinary user?

 None.  The ordinary user is such an easy target that as bad as this
 attack is, I don't see it as making things any worse.

Does it make sense to disable SSL in my browser for a couple of weeks?
HTTPS is linked with TLS v1.2 128 bit ARC4 (2048 bit RSA/SHA) instead.

-- 
Laurent Jumet
  KeyID: 0xCFAF704C



Re: Heartbleed attack on Openssl

2014-04-09 Thread Doug Barton

On 4/9/2014 9:06 PM, Laurent Jumet wrote:

 Does it make sense to disable SSL in my browser for a couple of weeks?


No, but for my own curiosity what is your thought process that leads you 
to ask that question?


Doug




Re: Heartbleed attack on Openssl

2014-04-09 Thread Robert J. Hansen
On 4/10/2014 12:06 AM, Laurent Jumet wrote:
 Does it make sense to disable SSL in my browser for a couple of weeks?
 HTTPS is linked with TLS v1.2 128 bit ARC4 (2048 bit RSA/SHA) instead.

I am flattered that you think I am a mind reader, but I assure you, I am
not able to use the Heartbleed attack to pull important information out
of your frontal cortex -- like what operating system you're using, what
browser you're using, and so on and so on.

At any rate, these are questions for your browser vendor.





Re: PGP/GPG does not work easily with web-mail

2014-04-09 Thread Tim Prepscius
PGP actually does work well with web mail.

There are two libraries which do pgp encryption, there are 3 that I
know which do AES-SHA256-CBC-PKCS7.  There are at least two libraries
which do pbkdf2 sha 256.

There is also one library which does AES-SHA256-GCM, but I'm not sure
if it does pkcs7 or not.  (or whether padding is incorporated into
GCM, need to research).

Looking up keys on a pgp key server is trivial, registering a key is
also trivial.

---

However there are some legitimate concerns.  The most important to my
mind are javascript injection attacks.

For instance, let's say the NSA takes over your web-mail server.  You
think, well my users' data is fine, because all of the encryption is
happening client side, I never see any of the keys, etc.

However the NSA could *force* you to place code inside your server
which tells the client to send the keys to you randomly.
This would be difficult (not impossible) to detect, and when executed
*once* would completely destroy the privacy of the target machine
forever.

Generally these days, (at least the conversations I've been reading),
people are talking about making plugins out of the client side code
and protecting them through the app store.  So, I download the app for
the client, I check its signature.  It *NEVER* downloads code again.

I think there are some other solutions to this problem, which I could
babble about, but won't right here.



However, there are still attacks.  For instance, I'm the NSA, I've
spent the hours necessary reading through your code to know that if I
write you an email with SO-and-SO pattern, when you display that
e-mail my script will be run.  That script then would destroy the
privacy.  This is a very hard attack to guard against.

---

In my webmail I'm developing (I wrote one previously using GWT which
was too complicated, too difficult to maintain and enhance, this one
is much simpler).  My goals are threefold:

1. raise the cost of the NSA exponentially.  I want them to have to
spend considerable time for each target, instead of just "hey Google,
give me these 20,000 people's email."

2. re-normalize the idea of privacy.  Google has pretty much destroyed
privacy.  And they are trying to destroy anonymity as well.  I believe
it is important to have by this year's end at least 10 services
running which re-normalize privacy in e-mail.  Each service hopefully
will castigate Google and call them for what they are.

3. give good security.  Nothing will protect you if you are
*actually* some terrorist or something, but it would be nice if we
weren't being big-brothered *all* of the time.

---

I encourage you to look at those others people referenced.  Also, if
you care to, take a look at mine as well.
https://github.com/timprepscius/mv

If you need any help setting up a server, let me know.  If you are
versed in sys-admin, it should take 5 minutes to get a VM running, or
use something like DigitalOcean.

The benefit of my server (I think) is that you should be able to
change how it looks and feels without changing any of the fundamental
code.  Meaning you can change the html templates and css and what not,
and it will still function correctly.  It uses Backbone, so the
rendering is clearly separated from the code/models.



Anyhowz,

If you are looking for perfect security, web mail is not the way to go.
Hopefully a plugin will be able to provide near-ish the same security
that a standalone program with no javascript interpreter might.
But that doesn't mean that PGP WebMail won't be a billion-million
times better than gmail.  (can't wait to leave it! so close, soon
soon)

Good night,

-tim
