Privacy and Security

When privacy is outlawed, only outlaws will have privacy!

I’ve mentioned before that privacy, security, and encryption are very important to me.  Because of this I decided I wanted a place on my website to permanently link to resources I feel are useful to anyone who shares the same goals.  I also needed a place to publish my PGP/GPG key so that anyone wishing to contact me may do so securely.  It was rather hypocritical of me to advocate secure e-mail without making it easy to be reached via secure e-mail.
Using encryption products for e-mail ensures both privacy and security.  Privacy meaning only the intended recipient(s) can read the message, and security meaning the recipient can verify that the message came from the sender they expected it to arrive from.  Assurance that the message has not been altered is also present.  This is accomplished using various versions of a Web of Trust.  If I know you and verify your key, I will vouch to others that this is in fact your key.  This is the basic premise of a web of trust.  I participate in the PGP/GPG web of trust, and am also an assurer and notary in the CAcert and Thawte Webs of Trust, respectively.  If you’d like to meet up I’d be happy to validate your ID and/or keys.

PGP/GnuPG

Pretty Good Privacy, otherwise known as PGP, is the original and de facto standard for secure electronic communications.  Its author (Phil Zimmermann) was actually charged by the US Government for munitions distribution when it was distributed (by a non-related party) overseas.  Originally released free of charge, PGP is now a commercial product and is extremely overpriced ($99 and up) for the average user who wants a little privacy.

GNU Privacy Guard (also referred to as GnuPG or GPG) is an open implementation of the PGP standard.  Distributed under the GPL, anyone is free to download and use it at no cost.  It is fully compatible with the commercial PGP, meaning messages can be sent back and forth without regard to the brand of software used.  GnuPG is also cross-platform, with versions available for Linux, Mac, Windows, and other operating systems.  The only real drawback to using GnuPG for beginning users is its command-line-only interface, but there are GUI wrappers that have been created to help with that issue.

Windows Privacy Tools (aka WinPT) is a graphical interface for GnuPG running under Windows.  It simplifies a majority of the common uses of GnuPG such as encrypting and decrypting text and files, downloading and uploading of keys to key servers, and key signing.  It includes an installer so you do not need to have GnuPG installed in order to start using it.

Enigmail is a plugin for the Thunderbird e-mail client.  If you already use Thunderbird for your e-mail (I highly recommend it) this is the simplest and fastest way to start using GnuPG.  Enigmail will automatically verify signed messages against keys in your keyring, as well as making encrypting and decrypting messages a snap.

If you wish to contact me, please download my key.  My key ID is 0x84E70EE6 with a fingerprint of C76A BC6C 6426 ACE8 AE52 FD35 4CF4 E7F5 84E7 0EE6.  It is available on the Biglumber site linked above, as well as from all of the major public keyservers.  My e-mail addresses are contained inside the key itself (and displayed on the Biglumber page).
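A check to run on a downloaded copy of the key before trusting it, as an added example that is not part of the original page: compare the full fingerprint, since the 8-digit key ID is only the tail of the fingerprint and different keys can share it. The helper names, the file argument and the colon-format sample are assumptions made for illustration; `gpg --show-keys` needs a recent GnuPG 2.x.

```shell
# Fingerprint exactly as published on this page.
EXPECTED_FPR="C76A BC6C 6426 ACE8 AE52 FD35 4CF4 E7F5 84E7 0EE6"

# Strip whitespace and upper-case, so differently grouped copies compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# The short key ID is the last 8 hex digits of the fingerprint (32 bits),
# which is why it must never be the only thing you compare.
short_keyid() {
    printf '0x%s' "$(normalize_fpr "$1" | tail -c 8)"
}

# Read `gpg --with-colons` output on stdin and print primary-key fingerprints.
# A "pub" record is followed by an "fpr" record whose field 10 is the
# fingerprint; "fpr" records that follow "sub" (subkey) records are skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Constructed sample of colon-format output (only the fingerprint comes from
# the page; the subkey line is made up and the other fields are left empty).
sample_colons() {
    printf '%s\n' \
        'pub:-:::4CF4E7F584E70EE6:::::::' \
        'fpr:::::::::C76ABC6C6426ACE8AE52FD354CF4E7F584E70EE6:' \
        'sub:-:::0000000000000001:::::::' \
        'fpr:::::::::0000000000000000000000000000000000000001:'
}

# verify_key_file FILE: succeeds only if FILE holds exactly one primary key
# and its full fingerprint equals EXPECTED_FPR. Nothing is imported.
verify_key_file() {
    got=$(gpg --batch --with-colons --show-keys "$1" 2>/dev/null | primary_fprs)
    [ "$got" = "$(normalize_fpr "$EXPECTED_FPR")" ]
}

# Usage (hypothetical file name):
#   verify_key_file downloaded-key.asc && gpg --import downloaded-key.asc
```

A file that carries a second primary key, such as another key sharing the same short ID, fails the comparison because more than one fingerprint is returned.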

X.509/SSL

Another method of encrypting and signing e-mail is using X.509 or SSL certificates.  Support for this is built into almost every e-mail client, but configuration and setup are more difficult than using GnuPG.  In order to use this method, you would register with CAcert, Thawte, or another similar provider.  They will perform an ID check either via a Web of Trust model or by charging a fee to a credit card.  Once identified, you may generate your certificate and install it into your mail client.  In order to get your key to another user, you sign a message and send it to them.  They will then have your key and can encrypt messages to you.  The fact that the key is generated based on the provider (CAcert, Thawte, etc.) is the validation of identity and ownership.

Anonymity

An important part of free speech is being able to remain anonymous.  If you’re under the control of a repressive regime, the right to free speech is heavily impeded by lack of anonymity.  What good would publishing an article regarding the unfair treatment by the government do if the government will simply arrest you after it is published?

TOR (The Onion Router) is one of my favorite tools for remaining anonymous.  Developed by the Electronic Frontier Foundation, Tor connects you to a network of relay systems that will randomly route your Internet traffic.  Say you are in China and have proof that the gymnastics team members are in fact under age.  You would connect to Tor, and browse out to your favorite forum or wiki site and post your information.  When you connect to Tor, you establish an encrypted connection to another user.  Their computer connects to another user, then yet another connection is established to actually move your data to the destination.  Since these connections are encrypted, random, and no logging takes place, there is no way to trace that data back to you.

Anonet is an interesting project I’ve recently discovered.  The premise behind this is you establish an encrypted connection to a fully encrypted network that lies on top of the Internet.  Giving any information that could be personally identifiable is heavily frowned upon, thus your anonymity relies upon yourself.  The only person who would know your real IP address (and could then trace your identity theoretically) would be the person you are directly connected to.  Because Anonet doesn’t route you back out to the Internet, it isn’t so much a proxy service like Tor, but a network where you are free to do and say what you want amongst similarly thinking individuals.

Those are a few of my favorite tools for securely using the Internet.  Do you have any others you think I would be interested in?  Please contact me (securely please!) using the information above.
