Privacy, Email and Activism - a brief intro
Recently there was a conference for activists interested in security issues - obviously something that any activist should be interested in. Notes from the gathering are being compiled along with previous documents into a printed booklet for activists which is expected to be distributed next year.
In the meantime I've been doing a little additional research on solutions specific to securing email communication...
Emails and passwords used by activists are vulnerable to snooping from both the state and from private investigation. Even seemingly unimportant information gathered from emails can help build a profile on a person and their associates. Personal information might provide your enemies with leverage to turn somebody you know into a grass or make it easier to place an infiltrator in a position of trust.
What most people do not realise is that by default, the vast majority of email and even passwords are sent over the internet in plain text that can be monitored by anyone. Sit down at a computer in a library, college or internet cafe and anyone else on that network can easily read the emails you send and receive, not to mention steal your password. There are several ways to avoid this depending on how you access your mail.
Most activists tend to use web based mail these days so we'll start with those.
If you look in the address bar on your web browser you will see that most addresses start with the letters http:// but sometimes you will see https://. The 's' indicates that the connection is using SSL, a secure encrypted link between your browser and the web server. Most browsers also display a locked padlock symbol somewhere to provide a visual confirmation that the connection is secure. When you are viewing webpages over an SSL connection (such as on Indymedia), the data being transferred is no longer in plain text and cannot be read by people attempting to monitor you. This protection also applies to information you submit in web forms, such as usernames and passwords when checking webmail.
In other words, the most basic and essential thing to do to secure your email is use SSL connections if you use webmail. For example, if you use riseup webmail you should go to https://mail.riseup.net rather than http://mail.riseup.net
We should now briefly look at the use of POP and SMTP for those not using webmail. If you don't know what these are, don't worry, they are two of the most common protocols used for downloading and uploading messages using an email client installed on your own computer. Examples of email clients include Outlook, Eudora, Pegasus and Thunderbird. Again, the problem you need to be aware of is that these protocols are by default not secure and all emails and passwords are sent as plain text. You need to configure your account settings within your email client to use a secure authenticated connection such as SSL. It's beyond the scope of this article to explain how but the help function of your client plus the help pages for your email provider will provide specifics.
It's obviously essential to use SSL (or similar) to protect your email password. However, when you send an email it will still travel over the internet in plain text as SSL only protects the connection between your computer and the server. To protect the contents of the email for the entire trip it will need to be encrypted so that only the intended recipient can read it.
You may have heard of PGP (http://en.wikipedia.org/wiki/Pretty_Good_Privacy), a computer program that encrypts (scrambles) and decrypts (unscrambles) documents and emails. The initials stand for pretty good privacy and like it says, it's pretty good! Some people claim that the world's most powerful computers could use brute force to break the encryption in a matter of just a few hundred years while others put the time required at longer than the age of the universe. Of course, computers get faster all the time so either way the time frame might eventually be reduced to within a human lifetime but even so, it's likely that by the time anyone broke the encryption the content would no longer be valuable. (http://axion.physics.ubc.ca/pgp-attack.html)
I will not go into detail how PGP works as there is plenty of information about it on the web. More important is how to use it. The trouble with PGP has traditionally been that people not too confident using computers have been unable to use it effectively. However, over the years it has become much easier to use as it has been provided with a simple graphical point and click interface and also integrated into email clients. Once installed and configured correctly, it's now a simple matter of clicking decrypt or encrypt and typing your passphrase.
There is the saying that a little knowledge is a dangerous thing and that is certainly true of encryption technology. PGP uses Public Key Cryptography and it is vulnerable to what is known as a man in the middle attack. This vulnerability exists only during the exchange of public keys required to initiate exchange of encrypted messages. Again, it is beyond the scope of this article to describe the attack and you can easily look up the information elsewhere. The important thing is that if these keys cannot be exchanged in person then it is vital to confirm that the keys have not been substituted en route. This is done by comparing the keys' 'fingerprints' by reading them out on the phone etc.
Finally. They say misery likes company and so, ironically, does privacy. The more people who routinely encrypt their communications the more secure everyone becomes. If you were the only one using encryption then it might draw attention to you and anyone you communicate with. If you only use encryption for 'dodgy' emails then this might also attract attention. Once you have the software installed and configured it makes sense to use it whenever possible regardless of the contents of the email.
http://www.gnupg.org/ (also known as gpg, open source version of pgp)
http://www.gpg4win.org/ (gpg installer for windows)
http://macgpg.sourceforge.net/ (Mac OSX port of GnuPG)
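What the fingerprint check described in the article above actually compares, as an added example that is not part of the original article: an OpenPGP version 4 fingerprint is a SHA-1 hash over the public-key packet (RFC 4880), so a key substituted in transit produces a different fingerprint. The key numbers, timestamp and function names below are constructed for illustration.

```python
import hashlib
import struct

def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP multiprecision integer (bit count, then bytes)."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def v4_rsa_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet: version, creation time, algorithm 1, n, e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)

def fingerprint(body: bytes) -> str:
    """V4 fingerprint: SHA-1 over the byte 0x99, a two-byte length, then the packet body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def grouped(fpr: str) -> str:
    """Four-character groups, the form usually read out over the phone."""
    return " ".join(fpr[i:i + 4] for i in range(0, len(fpr), 4))

def same_key(local_fpr: str, spoken: str) -> bool:
    """Compare the full fingerprint; spaces and letter case are ignored."""
    heard = "".join(spoken.split()).upper()
    if len(heard) != 40:  # refuse short key IDs and truncated readings
        return False
    return heard == local_fpr.upper()

# Constructed sample keys (toy-sized numbers, not real keys).
CREATED = 1136073600
ALICE_REAL = v4_rsa_key_body(CREATED, 0xC0FFEE1234567890ABCDEF0123456789, 65537)
SUBSTITUTED = v4_rsa_key_body(CREATED, 0xC0FFEE1234567890ABCDEF0123456787, 65537)

def demo() -> dict:
    spoken_by_alice = grouped(fingerprint(ALICE_REAL)).lower()  # what Alice reads out
    return {
        # The key we received really is Alice's.
        "genuine": same_key(fingerprint(ALICE_REAL), spoken_by_alice),
        # The key we received was swapped on the way.
        "substituted": same_key(fingerprint(SUBSTITUTED), spoken_by_alice),
        # Only the last eight hex digits (a short key ID) were read out.
        "short_id": same_key(fingerprint(ALICE_REAL), spoken_by_alice[-9:]),
    }

if __name__ == "__main__":
    print(grouped(fingerprint(ALICE_REAL)))
    print(demo())
```

The comparison deliberately rejects anything shorter than the full 40 hex digits, because a short key ID covers only a small part of the hash.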
Additional software suggestions
Don't have your own computer or don't take it with you everywhere you go? Well, there are interesting options available now utilising USB memory sticks. These have got really cheap recently and you can get a 1GB drive for under 20 pounds. That's a lot of space and it fits in your pocket.
People have been developing what are called portable applications (http://portableapps.com/). These run from the USB stick rather than needing to be actually installed on a specific computer. More importantly they are configured so that temporary files etc. are stored on the stick so as not to leave a trace on the computer they are running on.
With one of these sticks and the right software you can walk into a library etc and use a public computer to run your own software and access your own files. It is a very useful way to have access to your mail etc and the data on the stick can be encrypted using software such as TrueCrypt.
Anyway, in the context of the article above I wanted to mention a couple of specific portable applications. Both are portable email clients based on Thunderbird.
One is called Mobility Email and it includes OpenPGP and S/MIME encryption. It supports IMAP, POP, SMTP and web based email. It is designed to run from any location with no installation or configuration, allowing you to access your email and contacts on multiple machines. Most importantly, no personal data is left behind once the application is closed.
There is also the official Mozilla Thunderbird Portable Edition (formerly Portable Thunderbird). There are two packages available, one with GPG and Enigmail preconfigured to encrypt and sign your email.
Note. Those people who don't require portability may well be interested in using the ordinary Thunderbird email client plus OpenPGP and the Enigmail extension to provide an easy to use and fully integrated email encryption system. It's cross platform, free and has a large community of users and developers. You can even use it with the Webmail extensions to access yahoo, hotmail and gmail accounts etc.
Riseup users and PGP
It's a little known fact but riseup users can use PGP from within their webmail accounts. I only discovered this recently and as far as I can tell it's only been an option since riseup upgraded to version 4 of IMP in late 2005.
Only the IMP webmail has the PGP feature, not Squirrelmail which I guess most riseup people use simply because it's at the top of the login page. However, you can swap between the two without problem if you've already been using Squirrel.
The PGP features are not enabled by default and it's a bit hidden away which might explain why I've never heard mention of it. Riseup's documentation on security makes no mention of the feature, not even in their PGP page. I checked on google for anything about pgp on riseup but couldn't find anything either so I decided to write a 'how to'.
HOW TO SET UP PGP IN RISEUP
To enable the feature you have to log in to the IMP webmail (obviously make sure you are using a secure connection https:// as described in the article above). When logged in you click options from the top navigation menu then click 'PGP Options' under other options on the right hand side.
Now you tick 'Enable PGP functionality?' then click 'Save Options' and the page refreshes and you have a bunch more options. I suggest you don't tick 'Should your PGP public key to be attached to your messages by default?' but you probably should click 'Should the body of text/plain messages be scanned for PGP data?'
Further down the page you have two more sections which weren't there until you enabled PGP. One of these is 'Your PGP Public/Private Keys'. If you already have PGP keys then you will need to upload them here by clicking upload and either copying and pasting the appropriate key or browsing to the file on your machine and attaching it.
However, if you don't have a PGP key pair then you can actually create them now from within IMP. Personally I feel this is a bit of a security risk as it requires you to trust riseup, but then again you have to trust riseup if you are planning on using webmail with your email in the first place. Creating a key pair using IMP is easy, just follow the instructions.
Once you have your keys created or uploaded you need to enable the address book. This is perhaps the most illogical part of the configuration. There is a line on the page where the words 'PGP Options' appear on the left and the following on the right '<< Address Books | S/MIME Options >>'
Click on the link to Address Books and then on the new page you will see a pull down menu towards the bottom with the words 'Choose the address book to use when adding addresses' written above. Change the selection from 'None' to 'My Address Book' within the drop down menu and then click 'Save Options' at the very bottom of the page.
You can now return to the PGP Options page and upload your friends' PGP public keys to the newly enabled address book. It's just a matter of cutting and pasting the key block from an email etc.
That should be it... click 'Save Options' again just in case and then return to your Inbox.
USING PGP ON RISEUP
When you create a new message you will find new options below the text body, just below the Send Message button. These are a drop down menu from which you can choose to sign and/or encrypt your message with PGP, and also a tick box enabling you to send a copy of your PGP public key with your message. When you click Send Message you will be asked for your passphrase in a separate box and then you click Send Message again.
! It's worth pointing out that if you have popup filtering activated (and you should), then you must configure it to allow popups from tern.riseup.net and petrel.riseup.net otherwise you won't get the enter passphrase window appearing and you won't be able to encrypt or decrypt anything.
When you receive a PGP encrypted message you will find a box that reads "This message has been encrypted with PGP. You must enter the passphrase for your PGP private key to view this message." (again, popups must be enabled or it won't work). Obviously you type your passphrase and you get to read your message.
! Don't forget to log out when you have finished or somebody else might come along and continue using your webmail session with the passphrase still cached and so be able to read your encrypted messages!
That covers it all I think. For the best security it would be preferable to use PGP locally on your own machine which you are sure is secure. However, the PGP option with riseup is still very very useful. DON'T FORGET.. YOU MUST USE A SECURE SSL CONNECTION TO HTTPS://RISEUP.NET
Finally, a few quick notes on choosing a PGP passphrase.
Do not use the same password as you use for your email or any other purpose.
Do not write it down but obviously choose something you can remember.
Avoid dictionary words and names of your family or pets.
Aim for at least 12 to 16 characters.
Mix upper case and lower case letters, numbers and punctuation for the strongest passphrase.
Use secure email providers
Following the link to riseup's pages on security I found this information which is quite interesting. Basically it's about a protocol which mail servers can use to talk to each other securely so that emails are passed from source to destination and cannot be read en route. Not all mail servers offer this service but riseup does and it lists other activist tech collectives that provide such mail servers. Obviously it would be better to encrypt all mail using PGP etc but that's not currently realistic so for those messages that still go as plain text it is a very good idea to be using a mail service that provides StartTLS.
(taken from riseup...)
What is StartTLS?
There are many governments and corporations which are sniffing general traffic on the internet. Even if you use a secure connection to check and send your email, the communication between mail servers is almost always insecure and out in the open.
Fortunately, there is a solution! StartTLS is a fancy name for a very important idea: StartTLS allows mail servers to talk to each other in a secure way.
If you and your friends use only email providers which use StartTLS, then all the mail traffic among you will be encrypted while in transport. If both sender and recipient also use secure connections while talking to the mail servers, then your communications are likely secure over their entire lifetime.
We will repeat that because it is important: to gain any benefit from StartTLS, both sender and recipient must be using StartTLS enabled email providers. For mailing lists, the list provider and each and every list subscriber must use StartTLS.
Which email providers use StartTLS?
Currently, these tech collectives are known to use StartTLS:
We recommend that you and all your friends get email accounts with these tech collectives!
Additionally, these email providers often have StartTLS enabled:
* universities: berkeley.edu, johnhopkins.edu, hampshire.edu, evergreen.edu, ucsc.edu, reed.edu, oberlin.edu, pdx.edu, usc.edu, bc.edu, uoregon.edu, vassar.edu, temple.edu, ucsf.edu, ucdavis.edu, wisc.edu, rutgers.edu, ucr.edu, umb.edu, simmons.edu.
* organizations: action-mail.org, no-log.org
* companies: speakeasy.net, easystreet.com, runbox.com, hushmail.com, dreamhost.com, frognet.net, frontbridge.com, freenet.de, blarg.net, greennet (gn.apc.org)
What are the advantages of StartTLS?
This combination of secure email providers and secure connections has many advantages:
* It is very easy to use! No special software is needed. No special behavior is needed, other than to make sure you are using secure connections.
* It prevents anyone from creating a map of whom you are communicating with and who is communicating with you (so long as both parties use StartTLS).
* It ensures that your communication is pretty well protected.
* It promotes the alternative mail providers which use StartTLS. The goal is to create a healthy ecology of activist providers--which can only happen if people show these providers strong support. Many of these alternative providers also incorporate many other important security measures such as limited logging and encrypted storage.
What are the limitations of StartTLS?
However, there are some notable limitations:
* Your computer is a weak link: your computer can be stolen, hacked into, have keylogging software or hardware installed.
* It is difficult to verify: for a particular message to be secure, both the origin and destination mail providers must use StartTLS (and both the sender and recipient must use encrypted connections). Unfortunately, it is difficult to confirm that all of this happened. For this, you need public key encryption (see below).
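One way to check after the fact which hops of a delivered message were encrypted, as an added example that is not from riseup or the original post: each receiving server records the protocol in the Received header it adds, and RFC 3848 reserves names such as ESMTPS for SMTP sessions that used STARTTLS. The sample message, host names and function names are constructed.

```python
import re
from email import message_from_string

# Constructed sample message; host names and addresses are placeholders.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby store.recipient.example with LMTP id 3; Mon, 02 Jan 2006 10:00:03 +0000
Received: from out.sender.example (out.sender.example [198.51.100.7])
\t(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
\tby mx.recipient.example with ESMTPS id 2; Mon, 02 Jan 2006 10:00:02 +0000
Received: from laptop (unknown [203.0.113.5])
\tby out.sender.example with ESMTP id 1; Mon, 02 Jan 2006 10:00:01 +0000
From: a@sender.example
To: b@recipient.example
Subject: constructed test

hello
"""

# "with" keywords that mean the session was protected by TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

def _field(keyword: str, text: str) -> str:
    found = re.search(r"\b" + keyword + r"\s+(\S+)", text)
    return found.group(1) if found else "?"

def received_hops(raw: str) -> list:
    """Return (from, by, protocol, used_tls) for each hop, oldest hop first."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        flat = " ".join(value.split())          # unfold continuation lines
        bare = flat
        while re.search(r"\([^()]*\)", bare):   # drop (possibly nested) comments
            bare = re.sub(r"\([^()]*\)", " ", bare)
        proto = _field("with", bare).upper()
        used_tls = proto in TLS_PROTOCOLS or "using TLS" in flat
        hops.append((_field("from", bare), _field("by", bare), proto, used_tls))
    return hops

def unencrypted_hops(raw: str) -> list:
    """Receiving hosts of the hops that show no sign of TLS."""
    return [by for _frm, by, _proto, used_tls in received_hops(raw) if not used_tls]

if __name__ == "__main__":
    for hop in received_hops(SAMPLE):
        print(hop)
```

Only the headers added by servers you trust are reliable, since any earlier hop can write whatever it likes, which is part of why verification is described above as difficult.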
512 bit encryption broken in less than a second
The problem with technology as a means for secure communication is its own advancement. What is secure today may not be secure tomorrow. And people who think they're safe, using PGP or what have you, then share information over email that should only be shared face-to-face.
"The report's authors, Onur Aciicmez, Cetin Kaya Koc and Jean-Pierre Seifert depict a concrete attack on OpenSSL on a Pentium 4 processor, albeit using a key that would be considered quite short by today's standards (512 bit)."
Hmmm.. What is described requires the attacker to be running hidden software on the machine performing the encryption operation - in other words it requires the attacker to have installed software either with physical access to a machine or remote access. Now certainly, if you are using an insecure operating system like Windows then it would be a risk, however a far easier attack in this case would be to use a keylogger, either software or hardware.
In other words, Seifert and his colleagues' discovery is unimportant in relation to email security since much easier and more practical exploits exist already.
Bloggers writing about the new technique have suggested it is the security of applications using Digital Rights Management (DRM) most likely to be threatened by such techniques. For example, a user might use the technique to remove the license protection on WMA audio files they purchase so that they can share them with friends. In this situation they would obviously be well placed to install the spy processes required in the attack.
Your attempt to discourage people from using the technology employed by financial and government institutions etc is a waste of time. The weak point in all these security measures is the people using them. Obviously there is a lot to be said for low tech 'cold war' solutions like going to meet somebody face to face but it's a lie to suggest they themselves are without significant risk.