Another solution to creating a secure communication channel
The Problem:
One of the issues with email or instant messengers presently is the number of intermediates the communication goes through, each of which could potentially read your messages since they are generally sent in plain text.
The Solution:
To drastically reduce the possibility of Internet communications being intercepted, a joint webmail or online document-editing, or filesharing account that supports end-to-end encryption would be the best.
The Advantages:
- All communication can be done in one place.
- It is accessible from anywhere.
- This technique leaves little trace that anything out of the ordinary is going on.
The Disadvantage:
- In many censored locations, online document-editing and sharing is blocked, thus a circumvention technology must be used to access them, which may be illegal and put the user at risk.
Example (a):
Sharing the same login and password for an email account that supports end-to-end SSL encryption (e.g. GMail, RiseNet, HushMail, CryptoMail) would mean that communication could be accomplished through editing email drafts and saving them only on the server - eliminating any possibility of anyone outside the email service provider intercepting your communications.
Example (b):
An easier way might be to use collaborative editing of online documents as is offered by Adobe (acrobat.com), Google Documents (docs.google.com), Evernote (https://evernote.com) and ThinkFree (thinkfree.com). All of these use SSL encryption to connect you to your documents residing on their servers. Then you can share documents with other users for collaborative editing or share a login and password, and use your online documents as a white board for communication. Acrobat.com even offers an online encrypted meeting place, with built in webcam video capability, messaging, whiteboard, file sharing, and screenview sharing.
Example (c):
Another option is to use a free file hosting and sharing service that uses end-to-end SSL encryption such as https://spideroak.com, http://www.arkiva.com/, http://www.mydatabus.com/ , or http://www.omnidrive.com. You can share a login and passphrase or use the publish or share functions for any document uploaded.
Issues:
- The privacy of your documents or email could be compromised if anyone outside the desired interlocutors know the login and password to your account on any of these sites.
- If the login is known, bruteforce and dictionary attacks could be used to break your password.
Counter-attacks:
- Since your login will likely be an email address, it would be best to use an anonymous email associated to fake credentials that cannot be easily traced to you and that you will only use for the purpose of signing up for one of these services.
- Your password must be strong enough to protect yourself against bruteforce and dictionary attacks: use a passphrase instead of a password, use letters, numbers, capitals, and punctuation but no full words.
- If you share a login, passphrase communication is crucial: perhaps write it in an innocuous picture you send by email as an attachment. The best would be to create the account with the person at your side.
Achieving Privacy & Anonymity from the Service Provider:
- Use an anonymous login linked to an anonymous email you will use only to sign up. Perhaps use a service like 10-minute-mail or trashmail.net which create temporary email inboxes exactly for this purpose.
- Use an encrypted proxy, anonymity network, or a public computer to connect to the service.
- Use a cypher to encrypt the text in your documents, such that the service providers cannot easily read them or scan them for keywords: e.g. one could use a simple cypher like leet (1337) speak, hexadecimal, ascii code, or binary code which are available online or as a firefox extension. Other options include using https://spammimmic.com which allows you to encode text as spam, fake russian, and fake PGP, or actually using proper encryption software such as PGP or GPG or S/MIME.
- Use images that you will embed in the documents to communicate (an alternative to message encryption).
About Civisec: Internet Security for Civil Society
The goal of the CiviSec Project is to address and raise awareness of emerging issues of Internet censorship, surveillance and infowar, and in turn empower organizations and individuals to take informed action when implementing privacy and security solutions online.
Archives
| January 2009 | ||||||
| Sun | Mon | Tue | Wed | Thu | Fri | Sat |
| 1 | 2 | 3 | ||||
| 4 | 5 | 6 | 7 | 8 | 9 | 10 |
| 11 | 12 | 13 | 14 | 15 | 16 | 17 |
| 18 | 19 | 20 | 21 | 22 | 23 | 24 |
| 25 | 26 | 27 | 28 | 29 | 30 | 31 |