Nowadays is GPG/PGP-ing your emails really that hard? Thunderbird supports GPG on all platforms, Apple's default Mail works with PGP/GPG, I'm sure there are plenty of Windows clients that do the same. In addition, online providers like Hush are bringing PGP to the masses without them having to know what in fuck's name it is.<p>Even if you don't encrypt every mail you send, signing is a good idea. Is it unnecessary in many circumstances? Yes, but at least I find it nice to be able to verify authenticity. I don't understand why my bank (Wells Fargo) can't figure out how to sign all their emails [1].<p>______<p>1: <a href="https://www.wellsfargo.com/downloads/pdf/com/cps/Secure_Email_User_Guide.pdf" rel="nofollow">https://www.wellsfargo.com/downloads/pdf/com/cps/Secure_Emai...</a><p>Yes, they can sign some emails...but it requires someone inside WF to "sponsor" you to be added to their PKI, and it still won't lead to signed or even encrypted emails for online banking. WF is also particularly egregious in not offering <i>real</i> 2FA...they count a username AND a password as "two factor authentication". <i>sigh</i>
I can't support Ars Technica anymore after the hatchet job done by Joe Mullin against Snowden.<p><a href="http://arstechnica.com/author/joe-mullin-2/" rel="nofollow">http://arstechnica.com/author/joe-mullin-2/</a><p>How would you feel if your Hacker News posts over the years were trolled into a very personal post about you on Hacker News, done by a Hacker News employee? The whole thing is creepy.
I'm surprised more people haven't read between the lines: the NSA is in possession of quantum computers and interference-based decryption is probably already in standard use. Insiders also have dropped hints that the Tor network is, in fact, a trojan horse. We basically have two *extreme* options: 1) a trusted courier with a sealed envelope (don't underestimate this Game of Thrones-like scenario, as the US Military defeated itself in the largest wargame in the gulf by using couriers, sealed envelopes, and motorbikes) and 2) quantum cryptographic communication. The latter is still only the realm of university labs and down at LANL, but I read a paper which stated it's physically possible to pass keys along ethernet cable, but all parties need a device which acts as a gate. This in turn opens up Alice and Bob to traditional decryption methods if they're not air-gapped from the web.
Meta Comment: Considering that Ars is mining their forum database and pissing off members/subscribers to post tabloid-style shaming articles about the NSA whistleblower, I believe the first step in privacy is to avoid visiting their web site ever again.
I am not sure if such a system existed in the past or if I read about it in some sci-fi book, but it worked as follows:<p>You generated your key pair. In (almost) every country in almost every city there were "key signers" (basically trusted members of the PGP community). You met with them and they verified your identity and signed your public key. You needed to visit a couple of them to get enough signatures to obtain a certain level of trust in the PGP community. Once your level of trust was high enough you could start signing keys of other people. Too good to be true I guess…
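As an added example (not from the original comment and not GnuPG's own code), the following Python models how signatures from key signers add up to key validity under the classic web-of-trust rules that GnuPG documents with its default thresholds: a key is fully valid when certified by one fully trusted signer or by three marginally trusted signers, and chains are followed at most five certifications deep. The key names, owner-trust assignments and signature graph are constructed for illustration; the partial "marginal" validity given to keys below the threshold is a simplification assumed here.

```python
"""Simplified web-of-trust validity calculation, modelled on GnuPG's classic
trust model with its default thresholds (completes-needed 1, marginals-needed 3,
max-cert-depth 5).  Added example; not GnuPG's implementation."""

ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"


def compute_validity(signatures, owner_trust,
                     completes_needed=1, marginals_needed=3, max_cert_depth=5):
    """signatures:  {key_id: set of key_ids that certified (signed) that key}
    owner_trust: {key_id: ULTIMATE|FULL|MARGINAL}  -- how much *you* trust the
                 owner of that key as a certifier of other people's keys.
    Returns {key_id: validity}, where validity is FULL, MARGINAL or UNKNOWN."""
    validity = {}
    # Your own keys (owner trust "ultimate") are valid by definition: depth 0.
    for key, trust in owner_trust.items():
        if trust == ULTIMATE:
            validity[key] = FULL

    # Each round extends the certification chain by one step (depth 1..max).
    for _depth in range(1, max_cert_depth + 1):
        newly = {}
        for key, signers in signatures.items():
            if validity.get(key) == FULL:
                continue
            # Only certifications from keys that are themselves fully valid
            # count, weighted by the owner trust you assigned to the signer.
            trusted = [owner_trust.get(s, UNKNOWN) for s in signers
                       if validity.get(s) == FULL]
            full_count = sum(t in (ULTIMATE, FULL) for t in trusted)
            marginal_count = sum(t in (ULTIMATE, FULL, MARGINAL) for t in trusted)
            if full_count >= completes_needed or marginal_count >= marginals_needed:
                newly[key] = FULL
            elif marginal_count > 0:
                newly[key] = MARGINAL      # some trusted signatures, not enough
        validity.update(newly)
        # Fixed point: no key became fully valid, so no further chain can grow.
        if not any(v == FULL for v in newly.values()):
            break

    for key in signatures:
        validity.setdefault(key, UNKNOWN)
    return validity


def demo():
    """Constructed scenario: 'me' meets four key signers and certifies their
    keys; they in turn certify newcomers as the comment above describes."""
    signatures = {
        "ks1": {"me"}, "ks2": {"me"}, "ks3": {"me"}, "ks4": {"me"},
        "newcomer": {"ks1", "ks2", "ks3"},   # three marginally trusted signers
        "friend": {"ks4"},                   # one fully trusted signer
        "stranger": {"ks1", "ks2"},          # only two marginals: below threshold
        "unknown_party": {"nobody"},         # signer not in the web at all
    }
    owner_trust = {"me": ULTIMATE, "ks1": MARGINAL, "ks2": MARGINAL,
                   "ks3": MARGINAL, "ks4": FULL}
    return compute_validity(signatures, owner_trust)


if __name__ == "__main__":
    for key, val in sorted(demo().items()):
        print(f"{key:14s} {val}")
```

Running `demo()` shows `newcomer` and `friend` reaching full validity by two different routes, `stranger` stuck at marginal, and `unknown_party` unknown; passing `max_cert_depth=1` to `compute_validity` stops the chain after the key signers themselves, which is the depth limit doing its job.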
Encrypting email would only make sense if both sides are equally encrypting it.
If you're using the most paranoid encryption, but your email buddy does not, then it's all just plain silly.<p>But even then, if Joe and Bill suddenly got smarty-pants and started encrypting their communication, the NSA would get suspicious and <i>will</i> find out what you guys are up to via other channels.<p>"The best way to hide information is to convince others that it does not exist"
--Me
Are there any heavily supported projects that seek to replace email as we know it with a 'secure by default' implementation?<p>I.e. one that keeps the decentralized simplicity of email as it is today, whilst both securing it and removing the negatives, such as spam?<p>If Microsoft, Yahoo and Google got together they could flesh this out, and as long as the specifications were open and license-free, then other third parties would start to develop SecMail servers.
I wonder how much the use of methods to avoid detection by the NSA triggers warning flags that put you under more individual scrutiny.<p>Sure, you can encrypt most things, but then maybe you look suspicious, so you get special attention. Can you encrypt everything? Of course not.
They appear to take a SHA1 checksum from an unencrypted (non-HTTPS) website to verify the integrity of the download.<p>Surely if you're worried about the integrity of the file you should also be worried about the integrity of the source website?
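To make the point in the comment above concrete, here is an added Python example (not from the original thread or from any particular project) that verifies a download against a checksum and then walks through what happens when both the file and the checksum page travel over the same unauthenticated channel. The "download" bytes, the attacker-in-the-path stand-in and the out-of-band reference digest are all constructed for illustration.

```python
"""Checksum verification and why the channel the checksum came from matters.
Added example with constructed data; not code from the original page."""
import hashlib
import hmac

# Constructed stand-ins for a genuine release and a tampered copy of it.
GENUINE = b"#!/bin/sh\necho 'installing release 1.0'\n"
TAMPERED = b"#!/bin/sh\necho 'installing release 1.0'\n# extra bytes\n"


def digest_hex(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of data. The comment above mentions SHA1; SHA-1 is no longer
    collision resistant, so prefer SHA-256 where you control the choice."""
    return hashlib.new(algorithm, data).hexdigest()


def verify_checksum(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Compare the computed digest with the published one in constant time."""
    actual = digest_hex(data, algorithm)
    return hmac.compare_digest(actual, expected_hex.strip().lower())


# Reference digest obtained over a trustworthy, separate path (for example an
# HTTPS page or a signed release manifest checked beforehand). Constructed here
# from GENUINE so the example runs offline.
OUT_OF_BAND_SHA1 = digest_hex(GENUINE, "sha1")


def fetch_over_http(attacker_in_path: bool):
    """Constructed stand-in for downloading the file *and* the checksum page
    over plain HTTP. An attacker who can rewrite the file on that channel can
    rewrite the checksum page just as easily, so both stay consistent."""
    if attacker_in_path:
        return TAMPERED, digest_hex(TAMPERED, "sha1")
    return GENUINE, digest_hex(GENUINE, "sha1")


def same_channel_check(attacker_in_path: bool) -> bool:
    """Verify using the checksum fetched alongside the file."""
    data, published = fetch_over_http(attacker_in_path)
    return verify_checksum(data, published, "sha1")


def out_of_band_check(attacker_in_path: bool) -> bool:
    """Verify using a digest the attacker could not rewrite."""
    data, _ignored = fetch_over_http(attacker_in_path)
    return verify_checksum(data, OUT_OF_BAND_SHA1, "sha1")


if __name__ == "__main__":
    print("same channel, attacker present :", same_channel_check(True))   # passes anyway
    print("out of band,  attacker present :", out_of_band_check(True))    # caught
    print("out of band,  clean download   :", out_of_band_check(False))
```

The checksum fetched from the same unauthenticated page passes verification whether or not the download was tampered with, which is the comment's complaint in code; only a digest whose source the attacker cannot rewrite, or a signature checked against a key obtained beforehand, turns the checksum into an integrity check.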
We are now using S/MIME and in today's Apple+Thunderbird products it's completely built-in and pain-free. Set it up once and after that all emails get encrypted automatically; you don't even need to press a button. Provided, of course, that you were able to convince your colleagues to invest those 10 minutes to set it up as well.
PGP was painful because every Mail.app update broke it; not sure about the current state of the art there. But the whole point should be: it is not much of an annoyance anymore! Zero annoyance after installation, works even on your iPhone etc.
First things first.<p>PGP is useful, but pointless on a system that may be compromised/backdoored at any time (e.g. Windows, iOS, Android ... ). So the first - and possibly most annoying - step would be to install a secure OS.
I think it is not outside the realm of the realistic to imagine that the NSA has the ability to break all/nearly all encrypted data with ease. I mean, I have had quite a few friends with PhD-level mathematics degrees hired by the NSA. Haven't heard from them in a while, but I can guess at the reasons behind hiring people like them.<p>Basically I would say the question isn't if we should encrypt e-mail (I think we should in general, regardless of NSA spying), but instead what encryption methods (if any) exist that would be beyond the capabilities of the NSA to easily break.
Why do you even want to keep the NSA away? I am more worried about companies such as Intelius than the NSA.<p>Private companies such as Intelius are posting my personal information on the internet.<p>Anyone who knows my real name can search the internet and find out where I work, my home address, my spouse's name, my home phone number and my age. I didn't put any of this information on the internet; in fact I don't even have a Facebook account. Private companies collected and aggregated this information and put it on the internet. Some of the information came from public records (for example, home address from property ownership records), but some was very private (such as my home phone number, which is not even in my name and rarely given out). This is a huge violation of privacy and I have no way of stopping it. Anyone that wants to harm me can find out where I live with a few clicks of the mouse.<p>I am not worried about the government spying on me. I am very worried about these for-profit businesses spying on me and outing my information on the internet. Why isn't Ars Technica writing stories about that instead?
I'm just using <a href="https://www.noteshred.com" rel="nofollow">https://www.noteshred.com</a> to send private messages. I can't be bothered with encrypted email software.