Google: OK world, make our 'End-to-End' crypto tool SPOOK PROOF

Google has released the source code for an encryption plugin for Chrome that makes the secure sending of email easier. The web giant said its End-to-End Chrome plugin, currently in alpha development status, will provide a secure method for transmitting data between users, with data encrypted locally in a user's browser and …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Google, privacy

    ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha 
ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha 
ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha

    1. Anonymous Coward
      Linux

      Re: Google, privacy

      Could you possibly suck more, AC? You would prefer to trust your privacy to M$ and Apple I'm sure? Maybe AOL? Yahoo?

      Have you ever thought for a second that at least Google uses and supports open source software in their efforts, and many of their tools can be audited?

      Dipshit.

      1. Anonymous Coward
        Anonymous Coward

        Re: Google, privacy

        "Have you ever thought for a second that at least Google uses and supports open source software in their efforts, and many of their tools can be audited?"

        Quite. This effort is also intended to offer *END-TO-END* PGP encryption - much like (and hopefully/presumably compatible with) Enigmail et al. If achieved effectively, *END-TO-END* encryption will be completely opaque to Google thus rendering it *IMPOSSIBLE* for them to betray the user's security/privacy even if they want/are-secretly-ordered to. Which is probably the point!

        My only reservation is that attempting to achieve security in a web page/browser is *SDOOPID*

        Just ask the team who developed FireGPG

        XSS, injections, DNS spoofing, etc, etc... the entire Internet security infrastructure would have to be *PERFECT*, when, as we all *KNOW* - instead of perfect it's *FUCKED BY DESIGN*

        1. Anonymous Coward
          Anonymous Coward

          Re: Google, privacy

          I should also point out that I'm not the first AC (RICHTO)

        2. Anonymous Coward
          Anonymous Coward

          Re: F*cked by design

          Yup, 100% agree.

          There is more: security depends on layers of defence, not one, I, for one, will not go near a service provided by a company which has been repeatedly in court (and still is) for being casual with privacy - motive matters, and I just have too many questions there. I have zero reasons to trust Google but plenty to distrust them, and publishing code <> it being safe. If they really wanted to make something to our benefit they should start with changing their T&Cs.

          Last but not least, it again solves the wrong problem. The real problem is US law, which is a problem Google helped create (which makes me agree with the "ha ha" statement too, long as it was :) ).

      2. Anonymous Coward
        Anonymous Coward

        Re: Google, privacy

        Well certainly Microsoft and Apple are more trustworthy. Microsoft makes money off of Windows and Office. Apple makes money off its hardware and software. They have less reason to betray your privacy. Not sure about AOL and Yahoo.

        What does Google sell? Oh right ... nothing.

        It's easy to support open source when you don't make or sell anything. It's brilliant: Bait potential users with free and genuinely awesome tech to collect more information.

        There just has to be a catch to this crypto tool ...

      3. Anonymous Coward
        Anonymous Coward

        Re: Google, privacy

        My question is, since this Gmail thing is PGP based, is it compatible with other email clients with PGP (e.g. Thunderbird with the Enigmail extension)? Or is Google adding an, ahem, "enhancement" whose sole purpose is to raise the Google garden wall higher?

        1. This post has been deleted by its author

    2. Anonymous Coward
      Anonymous Coward

      Re: Google, privacy

      Quite surprised how many down votes this got. If you trust Google you are out of your mind! They want all your data and to track your every move. They are only releasing this now because there are customers leaving in their droves, because the secure services are cleaning up right now! so they have to do this to keep people on their service, anything to keep your data on their servers. Meanwhile off they go sucking in everyone's wifi codes with their street view cars and all the rest.. If they care so much why didn't they do any of this before? Personally I prefer to keep my stuff with providers that charge money for the service. That way there is no conflict of interest.. Oh and make sure it is based in a country with strong and fair privacy laws.

      1. bigtimehustler

        Re: Google, privacy

        It probably got a lot of down votes due to the complete misunderstanding of the point in hand, shown by his statement that the real problem is US law. If the encryption is end to end, not even Google can read or decrypt it, so they can not hand it over to the US government or in fact scan it for advertising. So this really in no way benefits Google, is not reliant on US law and hence the down votes.

        1. Anonymous Coward
          Anonymous Coward

          Re: Google, privacy

          If the encryption is end to end, not even Google can read or decrypt it, so they can not hand it over to the US government or in fact scan it for advertising.

          Maybe, but I can see where this is coming from: the assertion that Google is indeed not able to read the messages is unproven, and an inability to read messages seems to run 100% counter to their business model.

          1. Anonymous Coward
            Anonymous Coward

            Re: Google, privacy

            "the assertion that Google is indeed not able to read the messages is unproven."

            While technically this is true, this sentence displays a complete lack of knowledge about cryptography and how it works.

          2. Steve Knox
            Holmes

            Re: Google, privacy

            the assertion that Google is indeed not able to read the messages is unproven

            Erm, yeah.

            That's the whole reason they've released the source code: so that cryptoboffins can test the general form of that assertion (i.e, that any third party cannot read the message.)

            In future, it might be a good idea to ensure you understand the premise of the article before you comment on it.

            1. Anonymous Coward
              Anonymous Coward

              Re: Google, privacy

              That's the whole reason they've released the source code: so that cryptoboffins can test the general form of that assertion (i.e, that any third party cannot read the message.

              I hate to be picky, but that contains the unspoken assumption that the released source code has a relation to what is used in production. Evidence is a play of many variables - you're too willing to accept things on trust from an entity that has been proven to be rather cavalier with user data.

              BTW, this disconnect between what is provided and is used was one of the problems with Truecrypt (binaries provided could not independently be identically replicated from source code, I hope the Swiss guys fix that).

              1. Anonymous Coward
                Anonymous Coward

                Re: Google, privacy

                That's the whole reason they've released the source code: so that cryptoboffins can test the general form of that assertion (i.e, that any third party cannot read the message.

                I hate to be picky, but that contains the unspoken assumption that the released source code has a relation to what is used in production. Evidence is a play of many variables - you're too willing to accept things on trust from an entity that has been proven to be rather cavalier with user data.

                "I hate to be picky"... then please try to do less of it... and you've dropped an "r". The article is about JAVASCRIPT! Ergo, "the released source code" WILL BE "what is used in productions". You really should try to read some of these articles before you commence splaffing your worthless crap into the comments. You might even learn something. Prick.

                BTW, this disconnect between what is provided and is used was one of the problems with Truecrypt (binaries provided could not independently be identically replicated from source code, I hope the Swiss guys fix that).

                Wrong again. Prick.

                1. shovelDriver

                  Re: Google, privacy

                  "the released source code" WILL BE "what is used in productions".

                  And how, exactly, can you guarantee that?

      2. Anonymous Coward
        Anonymous Coward

        Re: Google, privacy

        Quite surprised how many down votes this got. If you trust Google you are out of your mind!

        I suspect you'll get plenty of downvotes for that one. I have been noticing this for some time: any negative comments about Google (especially factual ones) get immediately downvoted, which suggests that either the forums are populated by a lot of Google astroturfers, or many are as blind to what Google is really doing as Pamela Jones of Groklaw was (which in itself will generate downvotes).

        1. ratfox
          Angel

          Re: Google, privacy

          …Says the nth Anonymous Coward attacking Google in the same thread…

          1. Anonymous Coward
            Anonymous Coward

            Re: Google, privacy

            …Says the nth Anonymous Coward attacking Google in the same thread…

            n=1

            It's just RICHTO off on one of his schisms. Naughty little monkey can become quite frenetic when he gets excited.

            Would never have happened if we'd all stuck with M$, would it RICHTO?

  2. Travelling_Tom
    Facepalm

    TSL or TLS - Come on Ed !!!

    Quote : The company reports that, because other providers do not always support Transport Security Layer (TSL) encryption, currently as much as 50 per cent of incoming messages and 35 per cent of outgoing mail was transmitted in the clear, even though Gmail itself supports TLS in both directions.

    SO.. let's stick with TLS, a quick google (sic) search for "Transport Security Layer" only returned pages on TLS not TSL

  3. John Smith 19 Gold badge
    Gimp

    While THE PATRIOT Act is in force so what?

    US company + US servers = All your data belong to Uncle Sam.

    1. Dr. Mouse

      Re: While THE PATRIOT Act is in force so what?

      They can only reveal information they have access to. If the data is encrypted before it reaches Google, and decrypted only after it has left Google, they have no data to reveal.

      Not that I have the largest amount of faith in Google's morals in this area. A false impression of security, or weak or compromised security, is worse than no security.

      1. Anonymous Coward
        Anonymous Coward

        Re: While THE PATRIOT Act is in force so what?

        If the data is encrypted before it reaches Google, and decrypted only after it has left Google, they have no data to reveal.

        Yup. Now for a few questions.

        (1) what's Google's main activity?

        (2) whose code are you using to encrypt?

        (3) ever heard of the obfuscated C contest? Not that this is in C, but it serves as a very clear example why open code does not automagically equate to trustworthy code.

        Let me know if you need any more help.

        1. Anonymous Coward
          Anonymous Coward

          Re: While THE PATRIOT Act is in force so what?

          "(2) whose code are you using to encrypt?"

          To quote: "data encrypted locally in a user's browser and decrypted by the recipient using OpenPGP"

          "Let me know if you need any more help."

          Let me know if you need any more help with reading the article.

          1. Yet Another Anonymous coward Silver badge

            Re: While THE PATRIOT Act is in force so what?

            >To quote: "data encrypted locally in a user's browser and decrypted by the recipient using OpenPGP"

            Using a key entered into and stored by a browser (and on chromebook, an OS) that Google control and you know nothing about.

            1. Anonymous Coward
              Anonymous Coward

              Re: While THE PATRIOT Act is in force so what?

              "Using a key entered into and stored by a browser (and on chromebook, an OS) that Google control and you know nothing about."

              Sorry, but no. You can obtain the source for both via the Chromium and ChromiumOS projects, and the plugin project is here

              1. Anonymous Coward
                Anonymous Coward

                Re: While THE PATRIOT Act is in force so what?

                "Sorry, but no. You can obtain the source for both via the Chromium and ChromiumOS projects, and the plugin project is here"

                Let's see what's wrong here. Google "makes stuff easy" so if I'm going to be able to use this anywhere, where's the PGP key going to reside? On my computer where I can't use it in the office or on holiday in the cybercafe? No, if not now, but later it'll be stored on Google's servers because a usb drive is just too hard to use.

                Will the user be asked to create "A really long passphrase so there is a better chance of security", no, they will use the same password as your gmail account so as not to be 'intrusive' or ask the user to remember two secrets, the password will be passed to PGP behind the scenes so as not to be 'too technical', because privacy is soooo hard.

                The result will be a fog of privacy/security, one where the key is already retrieved and stored for later use by snoopers and mail 'protected' by the average user's MyP4ssw0rd easy to decrypt.

                So, it is not necessarily the codebase that is the problem, but the implementation.

                Another question to ask is how will Google target adverts if they can't read the content for keywords?

                I doubt they will push users to anything that takes away from their bottom line.

      2. theblackhand
        Black Helicopters

        Re: While THE PATRIOT Act is in force so what?

        The e-mail content is encrypted, but the SMTP header will still provide useful metadata about who you are talking to and how frequently.

        Add that most of the people will probably use the same password for their encryption keys as for Google or users won't properly secure their tinfoil hats allowing state agencies to read their minds and the encryption doesn't really address the privacy concerns raised about the US based clouds.

  4. Anonymous Coward
    Anonymous Coward

    Meta data people

    The snoopers always say they _only_ collect meta data, as if that would justify their wholesale intrusion of our privacy.

    It is not, for instance, what a book contains, but who is reading it or in this case who is communicating with whom, identified by meta data which is preserved in the clear.

    Always remember those same big US corps that give you your shiny trinkets have a law specifically drafted for them, a law which allows them to lie and deceive you with impunity.

    For what it's worth, I recommend reading, listening or viewing, whichever you prefer, a set of four lectures by Eben Moglen, Columbia law professor and historian. http://snowdenandthefuture.info/index.html

    @Andy Prough. I don't abandon my privacy for trinkets offered by Google, why would I offer it to Yahoo, MS, Feaclebook or others.

    I answered your question, please answer mine.

    Why is your trusted list limited to such a few untrustworthy companies?

    Isn't your privacy worth a few quid a month?

  5. Tim 11

    solving the wrong problem

    transport security isn't the big problem with email - it's identity.

    when every email has to be "signed" with the sender's credit card, and the recipient gets a "this is spam" button which donates $1 from the sender to charity, then we might have the makings of a sensible email mechanism.

    1. Anonymous Coward
      Anonymous Coward

      Re: solving the wrong problem

      Excellent idea, that'll mean Google, Yahoo, facebook, Twitter and MS will go bankrupt within a week.

  6. JDX Gold badge

    Plugins

    So after telling us plugins are bad, Google is admitting they need to use plugins? Why not build it into Chrome?

  7. breakfast Silver badge

    Secure by design

    I have to say the phrase "JavaScript Cryptography" fills me with a little bit of concern, just because JavaScript is, by its very nature, a massively shonky language. I know there are apologists and ECMAScript is getting better, but if I wanted to write something that had any serious security requirements I cannot think of a worse platform for it than JavaScript.

  8. Blacklight

    I posited something similar a while back (http://forums.theregister.co.uk/forum/1/2014/01/09/yahoo_always_on_crypto_unstrong/#c_2074093) - so I'm pleased to see it.

    My only 'concern' would be that (as mentioned above) I'd like to see it opensourced (with deterministic build instructions) and audited to show that the plugin doesn't harvest and send back your private key & passphrase (regardless of who authored it!)

    1. Anonymous Coward
      Anonymous Coward

      My only 'concern' would be that (as mentioned above) I'd like to see it opensourced (with deterministic build instructions) and audited to show that the plugin doesn't harvest and send back your private key & passphrase (regardless of who authored it!)

      Pfff - finally someone who gets it, but even open source is not an automatic guarantee of security - only when someone with proven competence goes through the code line by line and you build from that specific source code can you invest some confidence (and if you want to see the likelihood of that, keep in mind what appears to have happened to Truecrypt). Even then you'd have a problem because the originator is not really in the business of protecting privacy.

  9. Anonymous Coward
    Anonymous Coward

    Except that the Snowden docs revealed that Google backdoored the root of android for the NSA. Sorry, but that relationship makes any attempts at privacy from Google laughable.

    1. ratfox
      Stop

      "Google backdoored the root of Android for the NSA"

      Really? I must have missed that particular revelation. Do you have a link, Mr. AC?

  10. Anonymous Coward
    Anonymous Coward

    Quite surprised how many down votes this got. If you trust Google you are out of your mind! They want all your data and to track your every move. They are only releasing this now because there are customers leaving in their droves, because the secure services are cleaning up right now! so they have to do this to keep people on their service, anything to keep your data on their servers. Meanwhile off they go sucking in everyone's wifi codes with their street view cars and all the rest.. If they care so much why didn't they do any of this before?

    Personally I prefer to keep my stuff with providers that charge money for the service. That way there is no conflict of interest.. Oh and make sure it is based in a country with strong and fair privacy laws.

    That's about the best you can do apart from not using the cloud of course.

    1. Mr.Mischief

      yeah riiiiiight..

      Yes, because when someone charges you money, they are completely trustworthy.

      Hold on my eyes are rolling all over the floor.

      1. Anonymous Coward
        Anonymous Coward

        Re: yeah riiiiiight..

        Yes, because when someone charges you money, they are completely trustworthy.

        No, but by accepting payment for a service they have entered into a trade relation with you which requires that to some degree they deliver what they promise. Or, translated, you have at least some legal grip on them, which you don't have with "we're American so your laws don't apply" Google and other outfits which live in a country where lawyers seem to be consuming most of what's left of the nation's GDP after the military and espionage services had their fill. This is also why you don't want to use a "secure" provider somewhere out in, say, Panama.

  11. Anonymous Coward
    Anonymous Coward

    But chrome extensions have existed to do this for ages: http://tiny.cc/dzwxgx

    Honestly i would prefer to trust something that runs on my client side than something that was provided by the service platform i was using that i assume is essentially running (and controlled) server side...

  12. chris 17 Silver badge

    as has already been said, if you encrypt (use a sufficiently strong algorithm) end to end, then they can't read it in the middle.

    Want to use the 'free' services google offer but concerned about your privacy, then encrypt your stuff before putting it on or through.

    Yes we are all doomed as the collectives harvest our data in the clouds, but the masses are too busy face booking, sms'ing and generally living their lives blissfully unaware and grateful for the way these 'free' services have enriched their lives.

    yin yang

  13. Anonymous Coward
    Anonymous Coward

    You want secure: you can't handle secure

    Build two computers yourself from bits that you can verify. Neither of these machines will ever be connected to another computer let alone the internet.

    Install an OS from scratch yourself on them. You'll write this OS yourself along with its bootstrapping compiler and you will also add a provably secure encryption algorithm to your toolkit

    Use one of the computers to generate a one time pad

    Securely give OTP to the other end

    Communicate by using the two offline machines to encrypt messages that are securely transferred to the "dirty" side

    Now you are secure - ha!

    Cheers

    Jon

  14. Anonymous Coward
    Anonymous Coward

    Saved!

    They've "released the source code". That all conquering magical mantra.

    Anyone who is tired of hearing this used as a universal panacea, and questions such tiresome use, is set upon by the open source pit bulls. As with all thugs, their pack mentality means they only feel safe and brave when together.

    No one is allowed to question the faith.

    Like all zealots they find it inconceivable that anyone could hold an opinion different to their own. Much less be allowed to express that opinion. Open source does not go hand in hand with open expression it would seem. Their way is the only true way. You either worship at the altar of "Open Source" or you are the enemy. They fail to see that their rabid attitude actually harms the very cause they say they support. That it is they and their attitude that puts many off open source.

    They fail to understand that there are others who can see both sides of an argument. Who use both open source/Linux and the products of 'evil' from Micro$oft/Windoze, to use their infantile wording, Apple and all the other usual suspects. People who can see benefit in both. That it isn't a case of them wrong, we right. Who are actually discouraged from using open source by the way their legitimate questions, concerns and opinions about open source are ripped to shreds by the pack.

    It's ironic that the "freedom" of open source is protected by such self appointed "dipshits". To use one of their number's charming turn of phrase.

    1. Anonymous Coward
      Anonymous Coward

      Re: Saved!

      I would have phrased it slightly more diplomatically, but I agree. There are too many people protecting holy cows without the slightest knowledge what it takes to make something secure, and to properly protect privacy. Added to that is a number of rabid foaming at the mouth zealots who confuse reasoned debate with a personal attack on their ego and you can turn a forum into a pointless exercise.

      I'm not sure where I read it, but the actual author of the "many eyeballs make errors shallow" argument has stated himself that that was more for marketing purposes than a serious statement, mainly because such a statement would assume that all eyeballs involved are not bloodshot with Monday morning hangovers and attached to individuals not only competent but also willing to mine for problems. That is not an automatic given.

  15. shovelDriver

    End-to-End Encryption is Irrelevant

    "If the encryption is end-to-end" . . .

    TLS back-channel end-to-end encryption is already available and in use. So what? If you think the Windows provided source hasn't already been cracked, well, I've got a bridge in the Sahara . . .

    What the comments are, so far, ignoring is the "using OpenPGP" part. The original PGP was the target of a major attack by the NSA, which faded away after a court ruled that encryption was not a munition under US law and thus could be - and was - exported and placed into use world-wide. Smooth move, NSA. Get your targets to switch to, deploy, and place into use a system you've spent how many man and computer years cracking?

    If OpenPGP source code is available, and if there are "un-public" means of compromising it, guess what? Your "end-to-end will hide it from Google" assumption is nothing more than a red herring.

  16. shovelDriver

    End-to-End Encryption is Irrelevant

    "If the encryption is end-to-end" . . .

    TLS back-channel end-to-end encryption is already available and in use. You can use TLS/SSL to authenticate servers and clients and then use it to encrypt messages between the authenticated parties. The Transport Layer Security (TLS) protocol, Secure Sockets Layer (SSL) protocol, versions 2.0 and 3.0, and the Private Communications Transport (PCT) protocol are based on public key cryptography. The Security Channel (Schannel) authentication protocol suite provides these protocols. All Schannel protocols use a client/server model.

    So what? If you think these protocols haven't already been cracked, well, I've got a bridge in the Sahara . . .

    What the comments are, so far, ignoring is the "using OpenPGP" part. The original PGP was the target of a major attack by the NSA, which faded away after a court ruled that encryption was not a munition under US law and thus could be - and was - exported and placed into use world-wide. Smooth move, NSA. Get your targets to switch to, deploy, and place into use a system you've spent how many man and computer years cracking?

    If OpenPGP source code is available, and if there are "un-public" means of compromising it, guess what? Your "end-to-end will hide it from Google" assumption is nothing more than a red herring.

  17. savitas

    Not so Open.

    This add-on restricts the user from communicating with people not using Google Chrome.

    https://code.google.com/p/end-to-end

    "To communicate with other people that don't use End-To-End, you will need to either generate a key in GnuPG and then import it, or build GnuPG 2.1 yourself."

    Google's choice of key format is so obscure it's not compatible with any other OpenPGP software, nor with any public release of GnuPG.

    https://www.gnupg.org

    As an alternative consider Mailvelope.
