On Tue, Oct 9, 2012 at 4:18 PM, Brian Conley wrote:
> Thanks for the interesting discussion, but it's gone far afield from the
> original question.
>
> Does cryptoheaven seem like a reasonable tool to depend on for journalists
> or businesses requiring security for their communications?

The answer to this always depends on your threat model. In this case, cryptoheaven holds your secret keys. That's a very important point:

On Tue, Oct 2, 2012 at 8:41 PM, Maxim Kammerer wrote:
> From Security FAQ [3]:
>
> “CryptoHeaven manages public keys automatically and securely. User
> simply allows others to communicate with him through the use of
> "Contacts" within the CryptoHeaven system. The system takes care of
> the exchange of the public keys automatically.”
>
> [3] http://www.cryptoheaven.com/Security/SecurityFAQ.htm

This means that anybody who can bring legal or technical pressure (security holes) to bear on cryptoheaven can expose your secret keys: your data's private to everybody but cryptoheaven and the folks they decide to/are forced to share your data with.

If you're writing nasty things about the country in which cryptoheaven's incorporated (or where their SSL CA is incorporated), I'd advise finding a different service provider. For journalists who don't have a particular geographic focus, the issue becomes even broader: they might have different service providers (different identities) for different places.

This issue is why the Certificate Patrol Firefox extension exists (to address this at a few different levels) and why this paper was produced: http://files.cloudprivacy.net/ssl-mitm.pdf

Nick
