secure gpg webmail service

• How can secure communication can be achieved?
• More precisely: How can I have secure encrypted communcation from everywhere (internet cafe)?

These are important questions for activists.
Recurrently I am thinking about this topic. So far I could not get a good solution, so I will share my information and hope to get help.

• 1 Webmail
• 1.1 Encrypted webmail
• 1.2 gpg webmail software
• 2 thin clients
• 2.1 open mobile architecture
• 3 unsorted resources

Personally I use cone on our server to read and write encrypted mail, which is no solution for most of the people.
Another paranoid solution for remote gpg.

Es gibt auch eine gute gpp-Anleitung von Kai Bingen (ravenhorst).

Webmail¶

There are commercial freemail webmail services (gmail, ymail, hotmail, comparism), but let’s not use them.
If you use them though, freenigma (firefox-extension adding GPG-encryption to GMail, Yahoo! Mail and Hotmail.) could be interesting for you.

Besides this, there are more advisable possibilities:

1. Use an mail service that you trust and convince everybody to use it (like mail.riseup.net)
2. Find a webmail service that supports gpg encryption
3. Find a webmail software that supports gpg and setup your own mail service.

The first way I am using already (to be accurate: I use multiple mailboxes where I communicate locally to have few mails that need to be transferred between servers.)
Another discussion could be to establish a net of servers, that transfer mails only encrypted – as long as you trust the admins involved, this could be a fallback solution.

Encrypted webmail¶

• hushmail

The following quotes are taken from a slashdot discussion about this topic.

“Encrypted webmail is a tricky issue. In the final analysis you basically have to use a passphrase that is so good that you don’t mind having your (encrypted) private key publicly available.
Consider that the webserver admin(s) will have access to the encrypted private key. Also consider that the webserver (process) has read access to the key. The upshot is that if anyone gets root access to the box, gets a shell under the webserver’s UID, or convinces the webserver to serve up a file that it is supposed to have read access to, the only thing between your private key and an attacker is your passphrase.”

“It’s worse than that. If they root the webmail server (or a little more difficult if they just get the webserver UID), they can read the SSL traffic, including your passphrase. In short the only way to have securely encrypted email is to store the private key on your own private local machine – a webmail service simply cannot gaurantee you jack.”

“Webmail is for roaming. If you’re roaming, then you don’t trust the client. PGP is useless if you don’t trust the client.
And don’t say signed java applets ‘cause (1) if you trust the provider’s signature then just use https (I’ll give you an account at inbox.org) and (2) if you don’t trust the computer then you can’t store your private key.”

gpg webmail software¶

I followed this list

• Horde Webmail
• Squirrel
• ilohamail (last update: Jan 25, 2006)

• For roundcube a gpg feature has been requested, but there seems to be no progress on this. Resource list

• OpenPGP Webmail – Is a web based mailer to send encrypted messages. (server not found)
• Privaria – Is a secure networking suite that uses GnuPG as part of its authentication and encryption scheme. (seems to be dead)
• Securemail – Is another webmail client. (seems to be dead as well)

thin clients¶

Some more thoughts on thin clients (machines that provide nothing else than a web browser) like in internet cafes usually.

• If there is an ssh client, you are lucky as you can use your favourite mail software remotely.
• If there is FireGPG (firefox plugin) installed, you still need a way, to reach your keyrings. You could download them from any website and tell firegpg where to serach. But is this secure?
  • Introduction to firegpg
• Generally you never know, which software is installed. So how can you be sure, there is no keylogger submitting all you key strokes? You can not.

open mobile architecture¶

• So: The only solution seems to be to have an own laptop / mobile phone with you, that you trust. That means 100% FOSS. There are only few mobile phone architectures, that support free software:
  • OpenMoko is a project which encompasses two related sub-projects, with the combined aim of creating a family of open source mobile phones
  • A mobile Internet device (MID) is a multimedia-capable handheld computer providing wireless Internet access.
  • The Linux Phone Standards Forum (LiPS Forum) is a consortium created by a group of companies as an effort to create standards aimed at fostering the use of Linux on mobile devices.
  • The Open Handset Alliance (OHA) is a business alliance of 65 firms including Google, HTC, Intel, Motorola, Qualcomm, Texas Instruments, Samsung, LG, T-Mobile, Nvidia, and Wind River Systems to develop open standards for mobile devices.[
    • Android able Mobile Phones
  • German podcast about OpenMoko and free mobile phones
  • LiMo_Foundation – Linux Mobile Foundation was founded in January 2007 by Motorola, NEC, NTT DoCoMo, Panasonic Mobile Communications, Samsung Electronics, and Vodafone with the goal of establishing a globally competitive, Linux-based mobile operating system for smartphones mobile devices.
  • Moblin, short for ’mobile Linux’, is an open source operating system and application stack for Mobile Internet Devices (MIDs), netbooks, nettops and embedded devices.

unsorted resources¶

• en.wikipedia.org/wiki/Web_of_trust
• www.top4download.com/free-secure-web-mail
• www.e-ignite.co.uk/html/webmail.html

German:

• Wikibooks: GnuPG Web-of-Trust-Anleitung
• home.arcor.de/rose-indorf