Crypto Culture Links Digest #1

I've had some time to tinker around with Mailvelope and deem it to be worthy of protecting e-mail. It's an implementation of OpenPGP.js so it's got all the advantages of the PGP family of solutions. Since just about everybody uses nothing but web-based mail clients these days, it's a good convenient way to secure the contents of an e-mail message.

It still won't protect your DNS requests, your browsing habits, any of the online shopping you do or your kestrokes from being sniffed out by a keylogger, but it's great at keeping your e-mail from being read by identity thieves, rogue mail servers, and the like.

It also doesn't appear to be very good at decrypting messages sent from other PGP implementations in the Hotmail web interface – but gMail and Y!Mail have worked splendidly.

Everyone who can't use GPG should consider Mailvelope.

One of the reasons I was hesitant to buy Silent Circle was because I wasn't quite sure what they were offering in terms of security. My heuristic is that if anybody charges you for encryption services, it's because they're handling all the crypto for you in their data centers – which is a big no-no to anybody who is serious about privacy (more on that later).

Moreover, if there is a company that advertises itself as a source of data privacy, anybody looking for ripe targets to attack is going to go to a place where targets will conveniently congregate (such as a commercial data security company's data center); making themselves the glowing part of the video game boss's body that just screams "shoot me here to get to the next level!"

In terms of VOIP and SMS, I haven't read a whole heck of a lot about how the cryptography is implemented so anybody with real information on the topic, I beg of you, let me know what's up.

I've tinkered a bit with Redphone on my Android. I don't have (or care to have) an iPhone so I can't say whether it exists on that platform or what alternatives/equivalents may be. But so far, this version seems usable enough — and that's one of the things that is very important for crypto proselyting.

A coworker introduced me to Hushmail the other day. It's a cute idea but it's flatly not secure enough. While it would be very hard to crack open any data resting on their servers, it's still way easier than it should as their own service does the encryption and decryption for you.

This cannot be stressed enough: Never trust somebody else's computer to do the encryption for you! Your computer and only your computer should have ever seen the clear, unencrypted data. Any service that handles the encryption or decryption for you is the same as a service without cryptography whatsoever. With the abundance of web sites that implement client-side crypto for you (such as these guys who I found without even trying and, of course, my version if you can't part with my awesome color scheme), there is no reason to trust somebody else to do it for you.

One of the biggest security flaws in most peoples computers is that of the software writing unencrypted data to the hard disk. This is especially problematic on Windows which has laughable security at the filesystem level.

The most common cause of writing private data to a place where it's readily available is swapping – or using the "page file" as they call it in Windows. When computers run out of available memory, they start pushing the contents of RAM to the hard disk so the more active applications can use the extra space and be more responsive. If any of those lower-priority applications happened to have private keys in memory at the time of the swap, it's there for any attacker to grab.

Better operating systems like OpenBSD actually encrypt the swap partition to help protect any private information that may end up there. It's possible to entirely disable your "page file" in Windows to prevent it from swapping private information to the disk (and that is actually something I used to do when I used Windows because it also did help with performance) but that comes with the risk that running out of RAM could cause your system to hang.