Re: [tor-talk] PGP fiddly-diddly - action required
I feel you, Druida. Sadly, the EFF is now full of ws and Silicon Valley technocrats that can't see beyond California. I find it chuckle-worthy that every single one of the authors pleading for moving past PGP only list their PGP keys in the staff pages[1][2][3]*.

On the Signal side, it only takes less access than the EFail attack and an IMSI catcher for the govt to whack you, physically.

Stay safe.
-S

* And all encoded differently, oh my! Imagine, they still think that gpg defaults to SHA1 for signing.

[1] https://www.eff.org/about/staff/william-budington
[2] https://www.eff.org/about/staff/david-grant
[3] https://www.eff.org/about/staff/soraya-okuda

On Tue, May 15, 2018 at 08:37:19PM -0400, panoramix.druida wrote:
> ‐‐‐ Original Message ‐‐‐
> On May 15, 2018 3:01 AM, I wrote:
>
> > https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now
>
> I respect the EFF for all of its work, but I don't understand this one. So if
> I have PGP to protect my email, their solution is to stop using PGP because
> someone could read my encrypted mails. So now everyone would be able to read
> all of my emails. Wouldn't it be better to ask people to disable HTML on email
> and to upgrade their email clients to stay protected?
>
> I know PGP is not perfect, but it is the best we have for email. I know email
> is not perfect but it is more or less decentralized. Why should we stop using
> email in favor of something such as Signal (recommendation from EFF article)
> that is centralized, and where we should trust that the guys running the
> server are good guys? I understand that Signal has great security features
> like forward secrecy that PGP doesn't. I know it is open source, but you are
> forbidden to install it from free repositories such as F-Droid.
>
> Also you cannot use Signal if you don't have a phone number. How great is
> that for anonymity? In the country where I am living you cannot activate a
> mobile phone number without your national ID.
>
> I am writing this email from Protonmail, which I only connect to from Tor. I
> don't really trust Protonmail, but I can be anonymous to them thanks to Tor.
>
> Is Signal the replacement for email? I do like the way the Signal protocol
> negotiates the keys offline and that each message is encrypted with a
> different key. That idea of encryption for asynchronous communication can
> actually be a good replacement for email, but in a distributed network.

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] PGP fiddly-diddly - action required
‐‐‐ Original Message ‐‐‐
On May 15, 2018 3:01 AM, I wrote:

> https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now

I respect the EFF for all of its work, but I don't understand this one. So if I have PGP to protect my email, their solution is to stop using PGP because someone could read my encrypted mails. So now everyone would be able to read all of my emails. Wouldn't it be better to ask people to disable HTML on email and to upgrade their email clients to stay protected?

I know PGP is not perfect, but it is the best we have for email. I know email is not perfect but it is more or less decentralized. Why should we stop using email in favor of something such as Signal (recommendation from EFF article) that is centralized, and where we should trust that the guys running the server are good guys? I understand that Signal has great security features like forward secrecy that PGP doesn't. I know it is open source, but you are forbidden to install it from free repositories such as F-Droid.

Also you cannot use Signal if you don't have a phone number. How great is that for anonymity? In the country where I am living you cannot activate a mobile phone number without your national ID.

I am writing this email from Protonmail, which I only connect to from Tor. I don't really trust Protonmail, but I can be anonymous to them thanks to Tor.

Is Signal the replacement for email? I do like the way the Signal protocol negotiates the keys offline and that each message is encrypted with a different key. That idea of encryption for asynchronous communication can actually be a good replacement for email, but in a distributed network.
Re: [tor-talk] Anonymity and Voip
For the record. I did some tests with Mumble and it works great. The tests were made from Linux and with Plumble + Orbot on Android.

I can connect to the onion service when I start Mumble with torify, but when I try to configure the SOCKS proxy it doesn't work:

hostname: 127.0.0.1
port: 9050
TCP only

I did try to do OnionCat with Linphone, no success yet, but it is more a configuration matter on Linphone than anything else. I need to configure it to use the IPv6 address of the tunnel that OnionCat creates and not the one of the physical interface.

Thanks a lot!!!
Re: [tor-talk] tor-talk Digest, Vol 88, Issue 13
> Message: 1
> Date: Mon, 14 May 2018 19:01:32 -0800
> From: I
> To: tor-talk@lists.torproject.org
> Subject: [tor-talk] PGP fiddly-diddly - action required
> Message-ID: <9cd1ba536d3.0641beatthebasta...@inbox.com>
> Content-Type: text/plain; charset=US-ASCII
>
> https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now
>

This is terribly misrepresented in the press. There is no problem with the encryption! The issue is that mail clients are insecurely designed or insecurely configured by users to accept HTML commands to send out clear text content after decryption.

This falls into the more general category of, "Stop being stupid!" Set your mail client to TEXT ONLY and stop automatically processing someone else's commands on your machine. If you absolutely can't live without colored fonts and pretty layouts in your email, at least limit the HTML processing to local content only; in Thunderbird this is called "Simple HTML."

Full HTML processing (Thunderbird "Original HTML") will reach out to the Internet and do things you may not like, ranging from confirming you opened the email, exposing your direct IP address, to sending back your now un-encrypted full content.

Many email clients even support running JavaScript or other embedded code. If you enable these features, you may also wish to roll yourself in butter and seasoned breadcrumbs.

Again, PGP/GPG is just fine, stop doing foolish things.
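The distinction drawn above between local-only and full HTML rendering can be checked on a stored message. As an added example, not part of the original post: a Python sketch that walks a MIME message and lists the references in its HTML parts that a client doing full HTML processing would fetch from the network on its own. The sample message, the `tracker.example` host and the names `AUTO_FETCH`, `RemoteRefFinder` and `remote_references` are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser

# Attributes a client fetches on its own when rendering full HTML (illustrative subset).
AUTO_FETCH = {("img", "src"), ("link", "href"), ("script", "src"), ("iframe", "src"),
              ("video", "src"), ("audio", "src"), ("embed", "src"), ("object", "data"),
              ("body", "background"), ("input", "src")}

class RemoteRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) not in AUTO_FETCH or not value:
                continue
            url = value.strip()
            # cid: and data: stay local; http(s)/ftp and //host URLs leave the machine
            if url.lower().startswith(("http://", "https://", "ftp://", "//")):
                self.refs.append((tag, name, url))

def remote_references(raw_message):
    """Return (tag, attribute, url) for each auto-fetched remote URL in HTML parts."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = RemoteRefFinder()
            finder.feed(part.get_content())
            found.extend(finder.refs)
    return found

# Constructed sample: one remote image, one inline (cid:) image, one ordinary link.
SAMPLE = """\
From: sender@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="http://tracker.example/open.gif">
<img src="cid:logo@example.org">
<a href="https://example.org/page">a link the user must click</a>
</body></html>
"""

if __name__ == "__main__":
    print(remote_references(SAMPLE))
```

Only the remote image is reported; the `cid:` image is local content and the `<a>` link needs a click. For encrypted mail the HTML part exists only after decryption, so the check applies to the decrypted message the client would render.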
[tor-talk] GNOME Is Removing the Ability to Launch Apps from Nautilus
According to recent commits the desktop environment GNOME is removing the ability to launch apps from Nautilus. This will likely affect all Tor Browser users on Ubuntu in the name of "security".

What steps will / should be taken from now till the time the update is released to protect Tor Browser users from losing access?

Cheers,
Nathaniel