Not true. The problem was not the fault of Thunderbird or PGP; it was the Enigmail extension in Thunderbird's case, and it was corrected. https://www.enigmail.net/index.php/en/home/news/66-2018-05-16-efail-vulnerability-affects-encrypted-mails
If you are concerned about this, then you should use Claws Mail, which did not have any problems while EFAIL affected other email clients.
Well.. yeah. But if privacy is an issue just use Enigmail. It's an addon (for Thunderbird, not sure about support of different email clients) that encrypts your email in such a way that only the person for whom this email was encrypted can also decrypt it.
Not saying that your source/fact is wrong, it's not, but there are always alternatives :)
For those interested: https://www.enigmail.net/
You don't crack them, as far as is known. Probably you mean how do you use them.
For use with email, I use Enigmail with Thunderbird; I think that is easiest to install, and it is also easy to check whether signatures succeeded. (That said, I feel failure of signatures could be more actionable.) It can also encrypt when the recipient also has a public key. (Thunderbird is very decent imo.) Edit: beware, it can't be read, but they can potentially see who is sending emails to who.
(Digressing) gpg is also easy to use from the command line (you do not need to do any of that with Enigmail):
    # Generating your private and public key. (Note: there should be one if Enigmail created one.)
    # How big now...
    # Defaults are okay. (But afaik 4096 is not a bad idea; I don't think many machines will have issues with taking too long.)
    # You should let it expire at some point.
    # Also, remember that your passphrase can be a longish sentence or something,
    # that probably is easier to remember. (There shall be no password recovery.)
    gpg --gen-key

    # Signatures as typically found. --armor makes it ASCII (poor naming for it!)
    gpg --armor --detach-sign "$FILE"
    gpg --verify "$FILE.asc" "$FILE"   # Checks the former.

    # This encrypts a file (not ASCII-ed).
    # Getting the user ID manually is a bit of a PITA. In gpg --list-keys,
    # it's when a line says 'pub'; it's the thingy after the slash, I think.
    gpg --encrypt -r "$USER_ID" "$FILE"
    gpg -o "$FILE" -d "$FILE.gpg"   # And decrypting.
    # By the way, you cannot decrypt it yourself, only the recipient can.
Note: there is also a way to not indicate the recipient, basically requiring receivers to try their private keys to see if any decrypts it.
I may be being silly in saying all this about the command line; it's probably just a repeat of what exists.
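Added example, not part of the comments above: the key listing the commenter found awkward to read by eye can be parsed from gpg's machine-readable `--with-colons` output, which gives the full fingerprint to pass to `-r` and lets expired, revoked or sign-only keys be skipped. The function name `usable_recipients` is hypothetical, and the sample listing is constructed (all key IDs and addresses are made up).

```shell
#!/bin/sh
# Constructed sample of `gpg --list-keys --with-colons` output (all IDs are fake).
sample_listing() {
cat <<'EOF'
pub:u:4096:1:AAAA1111AAAA1111:1600000000:1900000000::u:::scESC:
fpr:::::::::AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111:
uid:u::::1600000000::X::Alice Example <alice@example.org>:
sub:u:4096:1:AAAA2222AAAA2222:1600000000:1900000000:::::e:
fpr:::::::::AAAA2222AAAA2222AAAA2222AAAA2222AAAA2222:
pub:e:2048:1:BBBB1111BBBB1111:1400000000:1500000000::-:::sc:
fpr:::::::::BBBB1111BBBB1111BBBB1111BBBB1111BBBB1111:
uid:e::::1400000000::X::Bob Expired <bob@example.org>:
pub:f:4096:1:CCCC1111CCCC1111:1600000000:::-:::scSC:
fpr:::::::::CCCC1111CCCC1111CCCC1111CCCC1111CCCC1111:
uid:f::::1600000000::X::Carol Signonly <carol@example.org>:
pub:-:4096:1:DDDD1111DDDD1111:1600000000:::-:::escaESCA:
fpr:::::::::DDDD1111DDDD1111DDDD1111DDDD1111DDDD1111:
uid:r::::1600000000::X::Dave Old <dave@old.example>:
uid:-::::1600000000::X::Dave Example <dave@example.org>:
EOF
}

# Print "FINGERPRINT<TAB>USER ID" for every primary key that can be encrypted to.
usable_recipients() {
    awk -F: '
        $1 == "pub" {
            # Field 2: validity (i=invalid d=disabled r=revoked e=expired n=not valid).
            # Field 12: uppercase E means the key as a whole can encrypt; D means disabled.
            ok = ($2 !~ /^[idren]$/ && $12 ~ /E/ && $12 !~ /D/)
            need_fpr = 1; need_uid = ok; fpr = ""
            next
        }
        # The first fpr record after pub is the primary key fingerprint;
        # later fpr records belong to subkeys and are ignored.
        $1 == "fpr" && need_fpr { fpr = $10; need_fpr = 0; next }
        # Take the first user ID that is not itself revoked or expired.
        $1 == "uid" && need_uid && fpr != "" && $2 !~ /^[re]$/ {
            print fpr "\t" $10
            need_uid = 0
        }
    '
}

sample_listing | usable_recipients
# Against a real keyring: gpg --list-keys --with-colons | usable_recipients
```

Passing the printed fingerprint to `gpg --encrypt -r` selects exactly one key, which a name or short key ID does not guarantee.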
My preference:
I really do know all the gpg command line stuff, but it's so much easier using thunderbird :)
Screenshots and guide: https://www.enigmail.net/documentation/screenshots.php
Unless I have missed more recent news, Google's approach consists of simplifying the ability to use PGP. If they do that for users on something other than Gmail, it is of course a good cause, but PGP exists and is openly available to everyone -- it is just a bit heavy to use for people who are not up for installing new software on their machines; if, on the other hand, you can figure it out, Enigmail makes it quite easy to use.
Worst case, Google comes up with a solution à la NemID/Digital Post, where they themselves get the ability to access one's private keys, and then you are no further along. In any case, the fact is that Google reads everyone's mail, so Gmail is not very appealing in the first place.
It's already fairly easy to use PGP with Gmail. Use Thunderbird w/ Enigmail, and you can also use the Chrome extension Mailvelope for the web UI for Gmail.
It would be great if Google wrote some slick directions or script to make it mind-numbingly easier than the easy process it currently is.
The only problem with PGP end to end is that the person you are mailing has to be using it as well and you have to have their shared key... so until people start widely using/adopting it, it will just be used in small communities and with small groups of associates.
Wrote to my Conservative MP. Should be interesting to see his reply.
Tried to make it more 'this will be bad for business' based. Also pointed out how completely ineffective it'll be at stopping terrorists from emailing each other when stuff like this exists..
Maybe I'll resend my email encrypted to make a point.
> prove the identity of the server
You are correct in that hash functions by themselves do not verify identity. But hash output on a website secured by TLS does! That is my point.
There are also EV certificates. Also, if I download from opensourceproject.org and the certificate matches and on the website there are the hashes, this binds the downloads to the opensourceproject organisation.
If you trust signatures, you will also need to verify which signing key is the correct one. How do you do this? Right, you go to the website of opensourceproject.org and look for the **hash** of the signature key.
I'm not sure how trustworthy that service is. Claiming end-to-end encryption of email that is accessible with a browser, while it could technically be true under normal operation, could easily be undermined. If you want something on Thunderbird, use Enigmail.
> Genuinely curious about this. What sort of e-mail client should I use if I want the level of privacy that we assume we get?
The key is to not trust the server of any host, all have some law or capacity allowing for emails to be read. You should encrypt your emails so at least the content is not readable by third parties without compromising your encryption key. The metadata about the email though can not be concealed easily but at least the content can be secured from most prying eyes.
Please see this document. There's a section explaining email encryption.
See this document for a Quick Start setup guide. This works with Thunderbird, the email client made by Mozilla that can be used to read email from your email provider.
It has no advantage over Enigmail and is a lot more awkward to use. This is one of those things that's a web app that comes bundled with its own server, so you connect to it with a browser. I sort of understand - it's an easy way of making something x-platform - but there's got to be a better way. What happened to Java?
There's also the enigmail option. I love it, even if I never use it; most people I communicate with don't even understand the word 'encryption' :/ For this to work people must be more technically aware..