Encryption for the masses
End-to-end encryption has been a hot topic for years now as more people realize that their data is highly sought after by criminals, their privacy is compromised by those who want to market to them, and their rights are under attack by governments both authoritarian and authoritarian-under-the-guise-of-national-security.
There are a several measures making their way through the US Congress which wouldn’t necessarily make end-to-end encyption illegal (that would be unconsitutional), but they aim to make it economically or technologically infeasible for technology companies to offer services which incoporate end-to-end encryption. The EARN IT Act is a bill which would remove the immunity that technology companies enjoy under the Communications Decency Act, making them liable for the content their user’s post, unless they “earn” their immunity back. One of the requirements would be the establishment of a scanner for child pornography (won’t someone please think of the children!?). To accomplish this, they must build in a backdoor for the scanner to work. If there’s a backdoor, the US government can also demand access to those communications.
This is just one of the reasons why we need open standard encryption systems that can be implemented on top of an existing communication system. Not everyone will be able to self-host their own communication system or incur the liabiilty of allowing other users to use it, but if everyone can implement an encryption standard on top of an existing communication system, they can make any backdoors useless Keep in mind, though, this doesn’t protect with whom we are communicating, only the contents of the communication itself.
Database of Keys
Enter Keybase.io. Keybase began as a database of public keys used by users of OpenPGP compatible systems such as GPG. The way that these systems work is that there are two keys: a private key and a public key. As the names imply, one you keep private and one you publish. To send an encrypted message, you use your private key and the recipients public key. To decrypt the message, the recipient uses their private key and the sender’s public key to verify the sender and decypt the message. The relationship of the private key and the public key are asymmetrical - it’s easy to derive the public key from the private key but nearly impossible to derive the private key from the public key.
The catch is that you need to know that the public key you have is the correct key for the intended recipient. If I can fool you into encrypting your message with my public key rather than the person you intend to send, I can now read your messages. This opens the possibility of a man-in-the-middle passing messages between two recipients who both think they are communicting with each other.
The way this is typically done is using the “Web of Trust” where you trust a public key because it’s been signed by someone you already trust. That person has verfied, preferably in person, that the key is good. This was done originally at key signing parties, but that becomes less practical at scale.
Keybase.io is still a database of keys, but they have now added blockchain technology to the mix. Blockchain is an encryption technology which uses signed blocks linked togther to form an immutable journal or ledger. Once a piece of information is on the blockchain, you can be sure it can’t be changed. This gives you confidence that the key you thought belonged to your recipient was not replaced or compromised. The only way to change the key would be to post a revocation on the blockchain and issue a new one.
Adding blockchain to the mix opens up other applcations such as file sharing and messaging between individuals and team (like Slack or Microsoft Teams). Everything is posted to an encrypted blockchain with the poster’s key. It also allows you to tie identities together from other communication platforms such that you can be sure that the person you are communicating with via e-mail is the same person who controls a Twitter account, a website/blog, a Reddit account, and even a bitcoin address. How does this work?
Take my Keybase profile. When I signed up for Keybase on my Android device, the app created a key pair for my account. As I added devices, my PGP key, this blog, my Reddit account, my Twitter, or any other identity, the app provided me with a proof which I then had to publicly post under that account. Once it was posted, the Keybase service accessed the public post to verify that it matched the proof expected. Oh, and all of this is tracked in my sigchain. You may not know my full legal name, where I live, or what I do for a living, but you at least know that the same person controls those accounts. That does mean, however, I have to be careful to protect my identity lest someone put together clues from all of these different services to dox me.
So, follow me on Keybase. You can encrypt and decrypt text directly in the Keybase app and copy/paste it into another communication system. Or, just send me a message directly through keybase and let it do the heavy lifting.
E-mail Encryption
Since I don’t want to get tons of spam on my new e-mail server, I won’t outright posted my e-mail address here. It’s not hard to figure out. All you need is my public key from Keybase and you can send me encrypted e-mails.
I mentioned in my last post that I use Thunderbird as my e-mail client on Linux and Windows. The best way to add PGP capabilities to Thunderbird is with the Enigmail add-on.
If you are using the Gmail, I have used Mailvelop Chrome extension, but I currently prefer the Cryptflow browser add-on since I have now switched exclusively to Firefox as my browser and it has an Android app.
Now you have no excuses. Encryption made easy. Go on, try it out. You know you want to.