As advances in cryptography and technology move forward there is a chance that your once secure system may suddenly be relying on outdated (and perhaps now broken) algorithms or implementations. Some good examples of this in recent memory are the breaking of the MD5 hash algorithm and the constant problems plaguing the RC4 encryption cipher.
When it comes to PGP it is well known that short keys, keys generated without good entropy to pull from or keys using outdated implementations and algorithms can be far less secure than you would hope they would be.
I recently came across a very good (albeit sort of old) post over at Chris Wellons’ null program blog about increasing the default protections on your stored PGP key. The shorthand version is that gpg attempts to protect your PGP key from theft by encrypting it on disk so that if anyone gets access to your secret key file they still don’t immediately have access to your PGP key.
Similar to my previous post about forwarding browser traffic through an SSH tunnel, this time I’ll show you how to do it on Android even without root access. Please note that while I’m sure there are a few ways to accomplish this, the following is just one way that has worked for me. I’m also assuming that you already have an SSH server to tunnel your traffic through.
Step 1: Install SSH Tunnel
The first thing you’ll want to do is install an application that will actually create the SSH tunnel for you.
Came across pgp.asc a while back but finally got around to setting it up here. What is pgp.asc? From their website:
What is pgp.asc?
pgp.asc is an initiative to decentralize public PGP keys, making it easier to get an up to date and authenticated key.
Sounds complicated? It isn’t: Just upload your public PGP key to your website’s root folder and you’re good to go!
So there you have it.
You may have seen something like this before. You go to download your favourite program SuperApp3000 and on the download page they provide you with hashes (usually MD5, SHA1, etc.) for each of the available files to download. Sometimes they even stress that you should verify that the file you downloaded matches the provided hash or that you should never trust anything you download without first confirming the hashes match. This is a prime example of people confusing file hashes with digital signatures and it needs to stop.
Here are a couple of neat iOS applications for the paranoid (kidding!) & security inclined.
iPGMail
iPGMail (currently $1.99 on the App Store) is the best OpenPGP application I’ve tried on Apple’s platform. Even within the somewhat restrictive limitations that Apple has created for application developers this particular application does everything it can to be user friendly. I would highly recommend this to anyone that wishes to send signed/encrypted e-mail from their iOS device.
With the recent questions surrounding the security of TrueCrypt there has been a big push to move away from that program and switch to alternatives. One such alternative, on Linux anyway, is the Linux Unified Key Setup (or LUKS) which allows you to encrypt disk volumes. This guide will show you how to create encrypted file volumes, just like you could using TrueCrypt.
The Differences
There are a number of major differences between TrueCrypt and LUKS that you may want to be aware of:
If you’ve used KeePass on Windows you may be very attached to its auto-type feature, where with a single key-combo press the application will magically type your user name and password into the website or application you’re trying to use. This is super handy and something that is sadly missing by default on Linux. Thankfully it’s also very easy to make work on Linux.
Start by installing the xdotool package
On Debian/Ubuntu/etc simply run:
If you’ve had issues trying to get Thunderbird to send your PGP signed e-mail using anything other than SHA-1 there is a quick and easy fix that will let you pick whichever hash you prefer.
Open up Thunderbird’s preferences
On the Advanced Tab, under General click Config Editor…
In the about:config window search for “extensions.enigmail.mimeHashAlgorithm” without quotes. Double click on this and enter a value.
After reading this I’m still not 100% sure there can ever be a completely “safe” way to do this with Twitter. That said some ways are certainly better than others…
Personally I think the best of the approaches listed is to include the full key fingerprint and then to also periodically tweet the details. At least that way if an attacker does go and maliciously modify your bio there is still a chance for someone to see the good tweet as well.