New thorn in the side of the NSA

Wednesday, January 28, 2015


I'm trying it out, and I've spotted a security hole, but they aren't responding in 2 seconds.  I'll put the response here when I get it.

There is no documentation, but it appears that they have made public/private key encryption easier by enclosing it in a community.  It works with browsers, since they use a standard https pipe.  That is the problem.  I input my passphrase down a secure channel, but they hold the key to decrypt the pipe.  Everything I enter must be in cleartext before it hits their encryption.  It could be the North Koreans or the NSA that runs this whole thing.  The comments and email are all encrypted, but they must be retrieved by the passphrase, which the NSA has (if they are running it).  I think a gag court order could tap into this.

Encrypting with my own keys is the secure way of doing it, but it is a pain, since nobody else probably runs the same version of PGP, and Windows users are hopeless.  Although this is a compromise, I have doubts about it, since it relies on the integrity of the owners.

Update:  OMG they are the NSA!  I'll give them another little while to respond in a rational manner.  They don't understand what I'm saying.  I'm just setting up a phoney group, I'll wait to see what the encryption experts have to say, but right now I think it is slightly better security for those who run Win7 and old IE.  :)

Update2:  Ok, these guys are useless.  No white paper, no external review.  They are the NSA, trying to sucker the Saudi driving ladies in.  DON'T DO IT!
