oss-security - Re: Recommendations GnuPG-2 replacement
"It's worth repeating: if the Acronym Agencies of various countries aren't sponsoring arms-length keyservers where they get all the traffic logs for some percentage of keyserver traffic, then they're incompetent. If they provide a useful public service and folks choose to use it, then they get the normal operator logs, because they're the operators. All legal. You don't know who is running the keyservers. You don't know what's happening to the logs. You don't know that the keyservers are trustworthy. They are, at most, a useful swamp for collecting the data from so that clients can do WoT calculations without caring about fishing in a contaminated swamp, as the WoT _if done right_ takes care of filtering out the sludge. If you care about privacy in who you talk with, get the keys from some other path, or run a keyserver, and use hkps with a certificate under your control."
security  gpg  pgp  espionage 
4 days ago by mechazoidal
Hilarious rant about GnuPG, software bugs, and bad maintainers
sexism  software  opensource  pgp  gpg  gnupg  tirefire 
10 days ago by nelson
MIT PGP Key Server
Recommended PGP key server.
13 days ago by Sylphe
The Update Framework
A cross-platform system for securely shipping software updates
security  python  opensource  packaging  signatures  pgp  gpg 
4 weeks ago by nelson
Problems with package signing
Well written essay on why package signing doesn't solve all software security problems. (I still think it's a good idea though.)
security  python  badtech  pypi  pgp  gpg  signatures  weboftrust 
4 weeks ago by nelson
In Apple Mail, There’s No Protecting PGP-Encrypted Messages
In a nutshell, the EFAIL attack works like this: First, the attacker needs a copy of a message that’s encrypted to your public key. They could get this by hacking your email account, hacking your email server, compelling your email provider to hand it over with a warrant, intercepting it while spying on the internet, or other ways. PGP was specifically designed to protect against this — the promise of PGP is that even attackers with copies of your encrypted messages can’t decrypt them, only you can. When you receive an email that’s encrypted to your public key, your email client automatically uses your secret key to decrypt it so that you can read it. The EFAIL researchers discovered that they could craft a special email that secretly includes a stolen encrypted message within it, and then send it to you. When you receive the malicious email, your email client uses your secret key to automatically decrypt the pilfered message within the malicious email, and then sends a decrypted copy of the stolen message back to the attacker — for example, through a web request to load an image into the email.
efail  encryption  pgp  gpg  email  cybersecurity 
4 weeks ago by bwiese
New PGP Encryption Exploits Are Being Discovered Almost Every Other Day
Gizmodo was alerted to flaws discovered as recently as Wednesday that currently impact multiple PGP implementations, including Enigmail (Thunderbird) and GPGTools (Apple Mail)—the technical details of which are withheld here while the appropriate developers are contacted and given time to address them.

“It wasn’t a case of having to write software to do this. You could literally just cut and paste what they said in the paper and use it. The video of how easy it was to use, that was the thing that clinched it for me—sitting and watching a video of someone just clicking a few buttons and being able to exfiltrate data.”

“It’s sometimes better to [temporarily] disable encryption (or decrypt in the terminal) than to have your whole past communication at stake.”
pgp  gpg  cybersecurity  crypto  encryption  efail  vulnerability 
4 weeks ago by bwiese
Mailvelope is an easy-to-use web-browser extension which brings OpenPGP encryption to webmail services such as Gmail™, Yahoo™ and others. With its unintrusive interface fully integrated into your webmail service, Mailvelope instantly secures your personal and professional email communications. Mailvelope is an open source project hosted on GitHub (see list of contributors). The development process is completely transparent; we constantly conduct security audits and publish reports whenever possible. Mailvelope is based on the work of the following open source projects which should be acknowledged: OpenPGP.js, email.js, DOMPurify, Bootstrap, jQuery, Oxygen Icons
firefox  mail  pgp  privacy  encryption  openpgp 
6 weeks ago by doglord
