I recently read about the
FireGPG extension for
Firefox. This extension allows one to interact with encrypted or digitally-signed data included on web pages, using a separately-installed GnuPG installation on the local machine. It also provides tight integration with Gmail, adding a drop-down box that provides digital signature and encryption options for email messages and automatically verifying any signatures that it encounters in viewed messages.
Presently, this extension is a great step toward ease of use for the GPG tool set to allow ordinary computing users to add some security to their communications. It is possible to sign or encrypt a message on the side, and then copy or attach that secured message to the email, but this is a very clumsy process and requires knowledge of many different tools, which is often impractical for the masses.
It is always a concern to look for security leaks in this type of software, but since FireGPG basically provides a parameterized interface to the GPG installed on the user's system, and uses the system keyrings, and prompts the user for the key's passphrase, there is really very little room for a breach of this kind. Personally, I do not let FireGPG cache my passphrase, even for the session, because that is one piece of data in memory that should not see the light of day, and I would prefer it to be overwritten and discarded immediately after it is no longer needed by the encrypting or signing function.
The other element of security in this particular application is open source. FireGPG is open source; the developers provide
Subversion repository access to it directly, and provide snapshot tarballs, all cryptographically signed, of course. The point is that you can verify that FireGPG only references the system utilities and does not leak any information back to its creators or other hackers. The possibility of a utility such as this one doing that is reason enough to verify with absolute certainty that the version one installs is authentic, which is why it is imperative that the download be re-hashed on the end-user's system to check it against its md5sum and also the digital signature; any alteration can be fatal.
What the world needs now, with regard to information technology, is strong and easy-to-use security solutions. It turns out that security is never something we can take lightly. The user is the weakest link in the developer-marketer-user chain, and unless the user is strengthened (average people know about how their security works), no method of security will ever be good enough. Currently, the AES encryption algorithms, the GnuPG encryption and digital signature algorithms (RSA/DSA), and the United States National Security Agency's SHA-256/384/512 hashes make the technology strong enough, though it will take some very careful planning to integrate security based on these technologies into the daily lives of individuals.
See Wikipedia for more information on any topic listed here; the information there is very accurate and current.
Registered Linux User #370740 (http://counter.li.org)
The most that most of us can do it raise awareness, to make it known that these actions are not tolerated by the rest of the world, and if enough people are talking about it, the government which we have put in place and empowered for ourselves will take notice and respond in the power it has at the international level.
