I recently read about the FireGPG extension for Firefox. This extension allows one to interact with encrypted or digitally-signed data included on web pages, using a separately-installed GnuPG installation on the local machine. It also provides tight integration with Gmail, adding a drop-down box that provides digital signature and encryption options for email messages and automatically verifying any signatures that it encounters in viewed messages.
Presently, this extension is a great step toward ease of use for the GPG tool set to allow ordinary computing users to add some security to their communications. It is possible to sign or encrypt a message on the side, and then copy or attach that secured message to the email, but this is a very clumsy process and requires knowledge of many different tools, which is often impractical for the masses.
It is always a concern to look for security leaks in this type of software, but since FireGPG basically provides a parameterized interface to the GPG installed on the user's system, and uses the system keyrings, and prompts the user for the key's passphrase, there is really very little room for a breach of this kind. Personally, I do not let FireGPG cache my passphrase, even for the session, because that is one piece of data in memory that should not see the light of day, and I would prefer it to be overwritten and discarded immediately after it is no longer needed by the encrypting or signing function.
The other element of security in this particular application is open source. FireGPG is open source; the developers provide Subversion repository access to it directly, and provide snapshot tarballs, all cryptographically signed, of course. The point is that you can verify that FireGPG only references the system utilities and does not leak any information back to its creators or other hackers. The possibility of a utility such as this one doing that is reason enough to verify with absolute certainty that the version one installs is authentic, which is why it is imperative that the download be re-hashed on the end-user's system to check it against its md5sum and also the digital signature; any alteration can be fatal.
What the world needs now, with regard to information technology, is strong and easy-to-use security solutions. It turns out that security is never something we can take lightly. The user is the weakest link in the developer-marketer-user chain, and unless the user is strengthened (average people know about how their security works), no method of security will ever be good enough. Currently, the AES encryption algorithms, the GnuPG encryption and digital signature algorithms (RSA/DSA), and the United States National Security Agency's SHA-256/384/512 hashes make the technology strong enough, though it will take some very careful planning to integrate security based on these technologies into the daily lives of individuals.
See Wikipedia for more information on any topic listed here; the information there is very accurate and current.
Registered Linux User #370740 (http://counter.li.org)
Nerd Test
v1.0:
 |
v2.0:
|
Bloggers' Rights
1 comment:
You should try the Voltage Security Network. It’s the easiest encryption product I’ve used – it secures emails, files and documents.
I use the email encryption in Outlook (and all you have to do is hit “send secure” – seriously!), but you can use it in webmail like Gmail too. The best part is I don’t have to waste time looking up public keys for people I want to send messages to, cause it uses the email address as the encryption key … don’t ask me how. And I can send to anyone I want, even if they don’t have any software. http://www.voltage.com/vsn/index.htm
Post a Comment