ut it:
https://news.ycombinator.com/item?id=8873182
Apparently some of the funds will be donated to the GnuPG project. I suspect
he hasn't been in contact, and I imagine the funds would not be welcome?
--
Mike Cardwell https://grepular.com https://emailprivacytester.com
OpenPGP Key 35BC
ff which was not encrypted when it was sent:
https://grepular.com/Automatically_Encrypting_all_Incoming_Email
https://grepular.com/Automatically_Encrypting_all_Incoming_Email_Part_2
--
Mike Cardwell https://grepular.com https://emailprivacytester.com
OpenPGP Key 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F
mailbox.org is useful. Maybe we'll have to look at this topic again in
> 10 years or so.
FWIW, if you run your own mail system, this is a fairly trivial feature to
set up. I've been doing it myself for about three and a half years. Here's
how I do it, including links to the softwa
s so you don't
have to do this particular step, you can add e.g. the following to
your ~/.gnupg/gpg.conf file:
keyserver keys.gnupg.net
keyserver-options auto-key-retrieve
--
Mike Cardwell https://grepular.com https://emailprivacytester.com
OpenPGP Key 35BC AF1D 3AA2 1F84 3DC
gs about the state of OpenPGP.js
source code yesterday:
https://news.ycombinator.com/item?id=7843297
--
Mike Cardwell https://grepular.com https://emailprivacytester.com
OpenPGP Key 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1
For the average person, SSL warnings are a nuisance that needs to be
ignored and clicked so they can continue doing what they were doing. For
the average geek, an SSL warning seems to be a declaration of War.
--
Mike Cardwell https://grepular.com https://emailprivacytester.com
OpenPGP Key 35BC
e.
Also, note that the link there is non-https, which would redirect
people out of the "secure" version of the site if they're using a
browser which does not support HSTS, e.g. Internet Explorer 11 and
below.
--
Mike Cardwell https://grepular.com https://emailprivacytester.com
Ope
known, and at no point was it discouraged.
Several of my colleagues also used OpenPGP, although I don't believe
any of them used a smart card.
--
Mike Cardwell https://grepular.com https://emailprivacytester.com
OpenPGP Key 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
XMPP OTR
my work machine, so I never have to worry about it being
compromised. When I left my previous job, I revoked the UID
containing the email address assigned by that company, and then
added the new UID for the new company.
--
Mike Cardwell https://grepular.com https://emailprivacytester.com
OpenPGP K
replaced by a similar but better protocol (HTTP). I would be
happy to see Email replaced by a similar but better protocol. It will
probably still be called Email though. I think it's more likely that
various Email protocols will be extended and refined rather than an
outright replacement thoug
ote on wikipedia, but people will still be using Email,
in some form or other.
There will always be a system for pushing messages around electronically
that isn't tied to a single provider. If email is replaced, it will be
by something similar to email. Not by whichever social ne
Also, if there are
any XSS flaws, there's another potential way of losing the key.
--
Mike Cardwell https://grepular.com https://emailprivacytester.com
OpenPGP Key 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4
si
s with APG to add OpenPGP
encryption for email...
--
Mike Cardwell https://grepular.com/ http://cardwellit.com/
OpenPGP Key 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4
1.
I have a V2 OpenPGP SmartCard. I'm wondering if this would be vulnerable
to the attack in question? Also, what about the Crypto Stick? Presumably
these generate the same sort of noise during signing/decryption that
the CPU would, but there's nothing GnuPG can do in software to mask i
side channel attack.
> In this context is there any best practices? I was thinking creating a new
> signing subkey and removing the master private key from keyring that I want
> to upload to the VPS. That way I might limit the damage to the subkey alone
> while keeping the maste
carry a smart card
reader around with me, or the patience to pull it out and plug it in
each time I want to read an email/sms. I agree that it would be cool
though.
- --
Mike Cardwell https://grepular.com/ http://cardwellit.com/
OpenPGP Key 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 46
> verification and increment it later (so that you can't mount power
> glitch attacks).
Damn. I didn't run any automated tests... What other operations can only
be performed a limited number of times with one of these cards? If I
were to PGP sign or decrypt 10,000 emails would t
to the card. The c=00 i=20 indicates the
> verify command which fails for you. If it works the next line would be
> a
>
> scdaemon[17805]: DBG: response: sw=9000 datalen=0
>
> However your SW will be different. What is it?
6581:
2011-08-10 10:16:02 scdaemon[5153] D
ated Smart Card Reader 00 00'
Application ID ...: D2760001240102050D58
Version ..: 2.0
Manufacturer .: ZeitControl
Serial number : 0D58
Name of cardholder: Mike Cardwell
Language prefs ...: en
Sex ..: unspecified
URL of public key : [not set]
Login da
ate and use it to decrypt
my files. I am thinking of hard coding *part* of my pin into gpg on my
primary system, so I can only be observed typing in part of the pin.
Every little helps.
--
Mike Cardwell https://grepular.com/ https://twitter.com/mickeyc
Professional http://cardwellit.com/
> v2 card uses a modern chip and card OS and thus the effort to read off
> the key wouldn't be worth what you will gain from it.
That is reassuring. Although, I'd be happier if I could find a technical
description of the feasibility of such an attack. But if one doesn
e more secure leaving the key on your laptop encrypted
with a strong pass phrase. It's a judgement call.
When I say a rich/powerful adversary, this could include industrial
espionage as well as governments.
Ideally the key would be encrypted on the smartcard. I haven't found
anythi
smartcard chipset by looking directly
at the circuitry?
Are the keys on the smartcard perhaps encrypted with the access PIN?
That still wouldn't be perfect, definitely easier to bruteforce than a
long passphrase, but it would be better than nothing...
--
Mike Cardwell https://grepu
24 matches