tweex
Bluelighter
You should really be using nothing but AES for sensitive communications. PGP messages are going to have but so long a shelf life now that quantum computers are in development.
Encypting communciations
- Thread starter Foreigner
- Start date
aethera
Greenlighter
#1 thing you could do to protect yourself is use Linux, not windows.
Use Tor at the least, better off going VPN-Tor-SOCKS 5.
Encrypt your hard drive.
Always use HTTPS.
Use PGP.
Don't use Pidgn with OTR. I really could care less what you say about this statement, but I have spoken with people who have been to jail because their messages were being read.
It's funny, your concerned about secure chat, but I would bet your using windows which has an NSA backdoor on all versions. Another thing, uses encryption makes them watch you more. Use Bitmessage, P2P, public key elliptic curve cryptography.
Also, It's a good idea to disable scripts in your browser, although it's a real bother.
But overall your biggest security flaw is yourself. Social engineering can bypass all of it before you even realize something happened. It's the most effective way of compromising you.
Sadly SSL and HTTPS are broken so web traffic can be seen, but they won't know to whom. RSA and AES will fall within the next 10 years, so there who know what's next. If you doubt this do a little research on Shor's algorithm and quantum computing.
If your an average citizen, this is all you need.
Use Tor at the least, better off going VPN-Tor-SOCKS 5.
Encrypt your hard drive.
Always use HTTPS.
Use PGP.
Don't use Pidgn with OTR. I really could care less what you say about this statement, but I have spoken with people who have been to jail because their messages were being read.
It's funny, your concerned about secure chat, but I would bet your using windows which has an NSA backdoor on all versions. Another thing, uses encryption makes them watch you more. Use Bitmessage, P2P, public key elliptic curve cryptography.
Also, It's a good idea to disable scripts in your browser, although it's a real bother.
But overall your biggest security flaw is yourself. Social engineering can bypass all of it before you even realize something happened. It's the most effective way of compromising you.
Sadly SSL and HTTPS are broken so web traffic can be seen, but they won't know to whom. RSA and AES will fall within the next 10 years, so there who know what's next. If you doubt this do a little research on Shor's algorithm and quantum computing.
If your an average citizen, this is all you need.
Windows at least double checks with the admin whether you want to run unsigned code. It's really down to the user which OS they have a preference for and knowledge of. Linux has its quirks, Windows has its quirks, you could be leaving a gaping security hole open if you're not aware of those quirks regardless of which you're using.
I use Pidgin with OTR, and half my contact list now uses OTR with whatever client they use. After the handshake, all the messages are wrapped up in ECC TLS, providing forward secrecy so that if a message is intercepted and decrypted, it's not relevant because all the other messages are using unique keys. How OTR plays with Pidgin and Adium, well, it's not perfect, but the crypto itself is solid and I am satisfied with what shows in the audited traffic logs.
There are plenty of other, far more viable ways to get at encrypted messages. For example, if one party is an informant. Another possibility is one party has a keylogger active, sending all to-be-encrypted messages via plaintext through another connection. These alternative methods are significantly easier than cracking OTR, hence the ongoing preference of hackers to rely on malware and wetware hacks (social engineering) to circumvent the labourious process of busting through crypto; especially ECC.
I'm pretty certain it's been confirmed the suspicious library in question contained crypto for NSA's internal use, not a backdoor. Microsoft would never risk tanking their credibility doing something as stupid as giving third parties backdoors, especially considering how hard the company is working to secure a good position in the server market, where security counts for so so much. Cisco, for example, has already taken a huge loss in the Asian markets over suspicions of NSA backdooring. It doesn't pay to even be suspected of playing with the TLAs (three-letter agencies).
this is a complicated topic, and security holes does not mean a software or protocol is immediately broken. there are routers that examine HTTPS traffic going through them, and that provides the networks of businesses and educational institutions with basically the same capability that the NSA has been doing with their access to internet exchanges. The bottom line is, there's a lot to infosec and it does no good on its own without good opsec to ensure the unreliable (human) components don't compromise the secure components. For the average user just looking to have a private conversation, OTR is still the best idiotproof solution. If you're breaking major federal laws and are attracting the attention of TLAs, then you've got bigger problems than minor insecurities in certain network protocols.
aethera
Greenlighter
Well said. I was more tailored to someone breaking laws. Less relevant for your average citizen. I do agree though, unless you know the issues with your OS, you could leave yourself wide open. But knowing the NSA they would backdoor windows. There are so many reasons I wouldn't use windows,but the unsigned code feature is pretty helpful, It's still absolute nonsense if your talking real security, like facing an experienced hacker, not some punk kid who cracks. Once again not really relevant, it just depends what you define as secure. I think the biggest thing with fighting "big brother" is end to end encryption across the web, and generally being smart about what you do. I also think social engineering is really big one to look out for.