When you have something secret to pass on by email, like a username/password combination for some account, you cannot rely on the third party mail servers (yours and the recipient’s) not to leak the information, even if your connection is encrypted with SSL/TLS, because that only encrypts the message while it is in transit to/from the servers. The mail servers can, and do, scan your messages, building up a profile on you. And the mail servers may handle the message in clear text when sending between themselves.
Ed Snowden exposed that Google, Microsoft etc are forced to co-operate with NSA’s snooping, and to deny everything, under the PRISM program.
Source: Washington Post
The solution is to use end-to-end encryption using software which conforms to the OpenPGP standard. This involves the basic principle:
1. Everybody has a pair of keys, a Public Key and a Private Key.
2. The sender encrypts the message using the Public Key of the recipient.
3. The recipient decrypts the message using their Private Key.
So the mail servers only get to handle already encrypted messages.
When I first tried to get started with end-to-end encryption using Thunderbird’s plug-in Enigmail, it was very confusing because although Enigmail does work in simple cases, didn’t seem to be able to cope with the changes to the settings on all my existing email accounts. In the end I uninstalled it in frustration.
A simpler and better alternative to Thunderbird-Enigmail is to use GPG4USB. This is a stand-alone application for Windows and Linux 32-bit and 64-bit operating systems, and only does the encryption/decryption. It has all the functions Enigmail has, only there is not the complication of embedding the plugin in Thunderbird’s already complicated interface.
So, with only the additional steps of copy-pasting the message between the two applications, it will work with ANY email client. It also works nicely with any web browser reading/sending webmail, and instant messagers, SMS, Dropbox, or anything.
So the BASIC process goes like this:
Type your message into the GPG4USB window.
Check the checkbox for the Recipient (and yourself, the Sender, if you want to be able to read the message again later).
Click on the Encrypt button.
The contents of the GPG4USB window changes to the encrypted message.
Click on Select All, then Copy.
Go to your New Email Message window, and Paste (Ctrl-V) the message into the Body of the email.
Fill in the From, To and Subject fields in the usual way (these are not encrypted).
Receiving encrypted messages is the reverse: From your email application, open the message.
Select All (Control+A) and Copy (Control+C) the encrypted message,
then go to GPG4USB, Paste it, make sure your checkbox is checked, and click Decrypt.
If it asks for it, enter the password that controls your keys.
The message can then be read, while the encrypted email message stays in your Inbox.
When GPG4USB starts for the first time, it doesn’t have any keys.
It will ask you if you want to have your Keys generated. Say “Yes”.
It will ask for some details that will help identify the keys, and a password to control access to the keys.
Choose a strong password otherwise the whole thing is pointless.
Wait for it to do that, it can be quite slow.
There will be two keys generated – a Private Key that stays on your computer, and a Public Key which you can publish for anyone to see. At the very least, you will have to distribute your Public Key to one person, so they can send encrypted messages to you that only you can decrypt with your Private Key.
To distribute your Public Key, in GPG4USB click on Manage Keys.
Click on Export to Clipboard, then Paste it into an email and send it,
or Export to File, then Attach the file to an email and send it,
or you can also upload it to a Public Key Server such as http://pgp.mit.edu ,
or you can upload it to your website. If you give the page the Title “your name PGP”, then anyone can find it by searching for “your name” and “PGP”.
Similarly, you will need to have the Public Keys of all the people who you want to send encrypted messages to.
If they send you their Public Key in an email as text, copy it and in GPG4USB click on Import Key then Clipboard.
If they send you their Public Key as a file, in GPG4USB choose Import Key then File.
You can also search for people’s keys on a public key server, with Import Key then Keyserver.
Downloading the GPG4USB package
GPG4USB is free and open source software, and uses GnuPG software libraries. GPG4USB is just a graphical interface to make it easier to use.
Snowden used the GnuPG software libraries for his encrypted communications when on the run:
screenshot from “Citizenfour”
You can download GPG4USB from http://www.gpg4usb.org/download.html
and since we are being serious about security,
check the sha1 checksum of the downloaded .zip file matches the value on the website, to make sure the package hasn’t been tampered with.
Unzip the file to a folder called “gpg4usb” in your user area (like “Documents”).
In that folder there will be 3 files called: “start_windows.exe”, “start_linux_32bit” and “start_linux_64bit”.
Launch the appropriate one for the computer you are working on in the usual way (like double-clicking it, or making shortcuts).
They are completely self-contained, requiring no software to be already installed on the computer.
So if you want to, you can save the folder on a USB stick, and have GPG4USB available on any computer.
(Just remember your password, and DON’T lose the stick!)
That’s it for the basic stuff!