Re: Don't send encrypted messages to random users

2017-05-29 Thread Ineiev
On Mon, May 29, 2017 at 11:52:27PM +, Konstantin Gribov wrote:
> 
> As an example, many open source devs are publishing their keys which they
> use for signing software releases but rarely for encrypted communication.

On the other hand, they could publish certificates without encrypting
subkeys.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
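
Ineiev's suggestion above can also be checked from the sender's side. The following is an added example, not part of the original thread: it parses `gpg --list-keys --with-colons` output and reports whether a certificate has any usable encryption-capable key, so that mail is not encrypted to a signing-only certificate. The sample listing and key IDs are constructed; field positions follow GnuPG's doc/DETAILS.

```python
# Added example: decide from `gpg --list-keys --with-colons` output whether a
# certificate has any usable encryption-capable key before encrypting to it.
# Field positions per GnuPG doc/DETAILS: 1=record type, 2=validity,
# 5=key ID, 12=capabilities (e=encrypt, s=sign, c=certify, a=authenticate).

UNUSABLE = set("ired")  # invalid, revoked, expired, disabled

# Constructed sample (made-up key IDs, trailing fields trimmed): the first
# certificate is a release-signing key with no encryption subkey; the second
# has one expired and one valid encryption subkey.
SAMPLE = """\
pub:-:255:22:1111111111111111:1490000000:::-:::scSC:
uid:-::::1490000000::AAAA::Release Signer <releases@example.org>:
sub:-:255:22:2222222222222222:1490000000::::::s:
pub:-:4096:1:3333333333333333:1400000000:::-:::scESC:
uid:-::::1400000000::BBBB::Mail User <user@example.org>:
sub:e:4096:1:4444444444444444:1400000000:1450000000:::::e:
sub:-:4096:1:5555555555555555:1450000000::::::e:
"""


def encryption_keys(listing):
    """Map each primary key ID to its usable encryption-capable key IDs."""
    result, primary, primary_ok = {}, None, False
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub") or len(f) < 12:
            continue  # uid, fpr and other records carry no capabilities
        rectype, validity, keyid, caps = f[0], f[1], f[4], f[11]
        if rectype == "pub":
            primary = keyid
            result[primary] = []
            # An unusable or disabled ("D") primary invalidates its subkeys.
            primary_ok = validity not in UNUSABLE and "D" not in caps
        if primary is None or not primary_ok:
            continue
        # Lowercase letters describe this key itself; uppercase letters on a
        # pub record summarise the whole certificate and are ignored here.
        if "e" in caps and validity not in UNUSABLE:
            result[primary].append(keyid)
    return result


def may_encrypt_to(listing, primary_keyid):
    """True only if the certificate has at least one usable encryption key."""
    return bool(encryption_keys(listing).get(primary_keyid))


if __name__ == "__main__":
    for key, subkeys in encryption_keys(SAMPLE).items():
        print(key, "encrypt to:", subkeys or "none (signing-only certificate)")
```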


Re: Don't send encrypted messages to random users

2017-05-29 Thread Konstantin Gribov
Primary reason to publish a key is to make it available for fetching. It
isn't a permission for anyone to annoy a person anyhow.

As an example, many open source devs are publishing their keys which they
use for signing software releases but rarely for encrypted communication.

On Tue, May 30, 2017 at 2:28 AM listo factor via Gnupg-users <
gnupg-users@gnupg.org> wrote:

> This I find surprising: if one does not want receiving
> encrypted messages from those that he does not have
> existing relationship with, why does he publish his
> public key on public keyservers?
>
-- 

Best regards,
Konstantin Gribov


Re: Don't send encrypted messages to random users

2017-05-29 Thread Robert J. Hansen
> This I find surprising: if one does not want receiving
> encrypted messages from those that he does not have
> existing relationship with, why does he publish his
> public key on public keyservers?

All presence on the keyservers says is, "if you have something to send
me, you may send it securely".  It is not a permission to send someone
email they'd prefer to avoid.

Further, the conduct the OP is talking about amounts to dragooning
someone into helping you without first asking them whether they're
willing to help you.



Don't send encrypted messages to random users

2017-05-29 Thread listo factor via Gnupg-users

This I find surprising: if one does not want receiving
encrypted messages from those that he does not have
existing relationship with, why does he publish his
public key on public keyservers?



Re: Don't send encrypted messages to random users to test your gpg

2017-05-29 Thread MFPA
Hi


On Monday 29 May 2017 at 2:18:18 PM, in
, Marcus
Brinkmann via Gnupg-users wrote:-


> For people who want to communicate with other people
> rather than bots,
> there is also this:

> https://www.reddit.com/r/GPGpractice/
> https://www.reddit.com/r/publickeyexchange/


And there is PGPNET 
which is an encrypted discussion group - members send messages signed
and encrypted to all the members). You subscribe by emailing
 and replying to the email Yahoo
sends you (unless you want to join with a Yahoo ID). For new members,
Yahoo's group emails default to a heavily HTML-polluted format that
does not play nice with pgp-inline encrypted messages, but once you
have joined an email to  removes
this silliness.

- --
Best regards

MFPA  

Another person's secret is like another person's money:
you are not as careful with it as you are with your own




Re: Don't send encrypted messages to random users to test your gpg

2017-05-29 Thread Marcus Brinkmann via Gnupg-users
For people who want to communicate with other people rather than bots,
there is also this:

https://www.reddit.com/r/GPGpractice/
https://www.reddit.com/r/publickeyexchange/

On 05/29/2017 01:00 PM, Duane Whitty wrote:
> Hi list,
> 
> When I checked my email this morning I had an encrypted message from
> someone I didn't know and had never heard of signed with a signature for
> which no public key was available.
> 
> When I saw the email with a subject "test, test, hello" (or something to
> that effect) I decided not to let Thunderbird/Enigmail process it but
> rather I copied and pasted the cypher text into a file and used the
> command line to look at it.
> 
> The message and relevant gpg output was:
> 
> "Subject: test, test - hello
> 
> hey, i hope you don't mind - I just wanted to test using GPG and I
> picked you at random."
> 
> gpg: Signature made Mon 29 May 2017 02:59:23 AM ADT
> gpg:                using RSA key (deleting for email to list)
> gpg: Can't check signature: No public key"
> 
> To the person who sent me this my reply is that yes I do mind.  I tend
> to believe no harm is intended and I'm not terribly upset over it but I
> consider it to be bad Internet etiquette.  It would be only a little
> more acceptable if you had published your public key so that the
> signature you used to sign with could at least be verified.
> 
> Having hashed that out, welcome to the community :-)
> 
> To test your setup try this link, https://emailselfdefense.fsf.org/en/
> I haven't used it myself but unless someone from the list knows why it
> shouldn't be used it should be fine.
> 
> I also highly recommend reading https://www.gnupg.org/faq/gnupg-faq.html
> 
> The above links are just to get started.  Happy pgp'ing
> 
> Best Regards,
> Duane
> 
> 
> 





Don't send encrypted messages to random users to test your gpg

2017-05-29 Thread Duane Whitty
Hi list,

When I checked my email this morning I had an encrypted message from
someone I didn't know and had never heard of signed with a signature for
which no public key was available.

When I saw the email with a subject "test, test, hello" (or something to
that effect) I decided not to let Thunderbird/Enigmail process it but
rather I copied and pasted the cypher text into a file and used the
command line to look at it.

The message and relevant gpg output was:

"Subject: test, test - hello

hey, i hope you don't mind - I just wanted to test using GPG and I
picked you at random."

gpg: Signature made Mon 29 May 2017 02:59:23 AM ADT
gpg:                using RSA key (deleting for email to list)
gpg: Can't check signature: No public key"

To the person who sent me this my reply is that yes I do mind.  I tend
to believe no harm is intended and I'm not terribly upset over it but I
consider it to be bad Internet etiquette.  It would be only a little
more acceptable if you had published your public key so that the
signature you used to sign with could at least be verified.

Having hashed that out, welcome to the community :-)

To test your setup try this link, https://emailselfdefense.fsf.org/en/
I haven't used it myself but unless someone from the list knows why it
shouldn't be used it should be fine.

I also highly recommend reading https://www.gnupg.org/faq/gnupg-faq.html

The above links are just to get started.  Happy pgp'ing

Best Regards,
Duane

-- 
Duane Whitty
du...@nofroth.com





Mailvelope browser extension for webmail

2017-05-29 Thread Duane Whitty
Hi list,

Thoughts on the Mailvelope browser extension...?

Here's some of their material:

https://www.mailvelope.com/en/faq

"What is the purpose of this project?

Mailvelope is an easy-to-use web-browser extension which brings OpenPGP
encryption to webmail services such as Gmail™, Yahoo™ and others. With
its unintrusive interface fully integrated into your webmail service,
Mailvelope instantly secures your personal and professional email
communications."

Next one seems a little concerning to me but I'm no browser expert:

"Where are my keys stored?

Mailvelope stores the keys in the local storage of the browser and only
there. This is a file in the user data directory of Chrome or the
profiles folder of Firefox. If you clear temporary browsing data this
will not affect the key storage of Mailvelope. If you delete the
Mailvelope Chrome extension, then the key storage will also be removed
from your file system. On Firefox there is an additional confirmation
dialog once you remove the Mailvelope add-on that allows to delete all
keys or leave them in the profile folder of the system."

https://www.mailvelope.com/en/blog/security-warning-mailvelope-in-firefox

"15/05/2017 | Security notice: Mailvelope in the current version of
Firefox browser.

We are in the possession of a security audit that was requested by the
email provider Posteo and conducted by Cure53, which has revealed that
the Firefox security structure is currently unable to offer a
sufficiently safe environment for the Mailvelope browser extension.

Mailvelope naturally relies on the security of the underlying browser
platform. In the present case, we are unable to offer a remedy
ourselves. Nevertheless, Mozilla is already working on a fundamental
improvement of the add-on system. In November 2017, Firefox is scheduled
to finally switch to an overhauled add-on structure, which will then
offer sufficient protection against attacks.

A new Mailvelope version for the new, improved Firefox structure is
already in the making.

Until Mozilla has modified the architecture, the following safety
recommendations apply:

- Be sure to use a separate Firefox profile for Mailvelope with no
  other extensions installed.
- Make sure your password for your PGP key is as secure as possible.
- Take care that you do not accidentally install any other add-ons in
  this profile, which may make you vulnerable to attacks.

The security audit also demonstrated some positive results regarding
Mailvelope. Posteo writes about this:

There was a check made as to whether email providers for which
Mailvelope is used could access a Mailvelope user’s private keys saved
in the browser – this was not possible. All other attempts made by the
security engineers to access private keys saved in Mailvelope, such as
operating third party websites or man-in-the-middle attacks, were also
unsuccessful.

Security Audits such as the one performed by Posteo serve as an
important indicator that shows how we can further improve Mailvelope. At
this point, we’d like to thank Posteo for conducting the audit and thus
their contribution to the Mailvelope project."

I didn't see any Google-related security information or notices.

Best Regards,
Duane

-- 
Duane Whitty
du...@nofroth.com





Re: Planned GnuPG mirror shutdown: mirror.se.partyvan.eu

2017-05-29 Thread Justus Winter
Juuso Lapinlampi  writes:

> I'm the operator of a GnuPG mirror at Partyvan. We've had a listed
> GnuPG mirror for ~1.5 years now. [1]
> [...]
> I don't know yet if or when we could return to providing this mirror
> server to the public and GnuPG. For the time being, you may want to
> delist the mirror from the web pages. [2] The mirror will be online
> until the contract with our colocation host is terminated soon.
>
> Sorry for this unexpected issue. Hoping to be back in the future!

Done.  Thanks for providing a mirror :)

Cheers,
Justus

