Tag Archives: PGP

MonkeySphere – Using OpenPGP to Route Around Broken Web Security Model

Posted on by
Reply

The Monkeysphere Project is a project to use OpenPGP to securely identify servers in web browsers and elsewhere that routes around the growing potential problems with certificate authentication. As The Monkeysphere website sums it up,

Everyone who has used a web browser has been interrupted by the “Are you sure you want to connect?” warning message, which occurs when the browser finds the site’s certificate unacceptable. But web browser vendors (e.g. Microsoft or Mozilla) should not be responsible for determining whom (or what) the user trusts to certify the authenticity of a website, or the identity of another user online. The user herself should have the final say, and designation of trust should be done on the basis of human interaction. The Monkeysphere project aims to make that possibility a reality.

. . .

When you direct the browser to an https site using the Monkeysphere plugin and validation agent, if the certificate presented by the site does not pass the default browser validation (using standard, hierarchical X.509), the certificate and site URL are passed to the validation agent. The agent then checks the public keyservers for keys with UIDs matching the site url (e.g. https://zimmermann.mayfirst.org). If there is a trust path to that key, according to your own OpenPGP trust designations, the certficate is considered valid, and a browser ‘security exception’ is put in place to allow connections to the site.

Don’t Leave Your Draft Designs Laying Around Web

Posted on by
Reply

I am a big fan of encrypting my laptop’s hard drive, and typically use PGP Whole Disk Encryption product for that purpose. So yesterday I installed the 30-day trial, encrypted the drive, and ran it through its paces. As usual, WDE impresses me for its speed and unobtrusiveness.

But paying for  it — that’s a whole other ball of wax. So I open up PGP, go to the “Buy a License” setting, and end up at their online store. Put in my credit card and other details and hit submit.

Uh oh — server error message. But there’s a helpful mailto link that suggests I send a notice to the web master to resolve the problem. So I click on the link, draft a quick “I’m just trying to register PGP WDE” and hit send.

And, of course, it bounces back. The interesting thing, though, is the e-mail address is clearly a dummy filler address that the web designer put in with the intent of adding a real address later . . . in fact the designer helpfully named the placeholder e-mail address:

changeme@pgp.com

Except, of course, it looks like no one ever bothered to go in and change changeme@pgp.com

Sigh. I’ll try again tomorrow.

Serious Google Calendar Encryption with GnuPGP

Posted on by
Reply

IBM’s Nathan Harrington has written an article outlining how to use the GnuPGP Firefox extension to create encrypted events within Google Calendar. This isn’t just accessing Google Calendar securely, but rather encrypting event details locally before passing that text on to Google Calendar. Anyone who compromises your Google account then would know the time of events, but would only see encrypted text for the actual event detail as in the example below,

That is frackin’ awesome. Now if there were only a GnuPGP plugin for my Blackberry calendar so I could sync the events meaningfully.