Internet privacy

14 posts / 0 new
Last post
mark_alfred
Internet privacy

*

Regions: 
mark_alfred

From the thread linked to above:

radiorahim wrote:
From both Schneier and Snowden and folks like Jacob Appelbaum we know that things like PGP and GNU PGP work, Jabber works, the Tor Browser works.   On the mobile side Red Phone and Text Secure work for internet phone calls and SMS text messaging.   And like any software, they only work if you use the most up-to-date version of the software.

mark_alfred

http://rabble.ca/babble/canadian-politics/mulcair-opposes-harpers-police...

In the thread, linked above, about the Oppositions' response to Harper's Bill C-51, radiorahim made the case for why it is socially important for people to better protect their privacy on their various gadgets (smart phones, computers, etc).  radiorahim also made some suggestions for tools people could use to do this, referring to some open source solutions.

I figured I'd start a new thread in technology to look at the nuts and bolts of how to do this, since I'm interested and since I've got some tech questions about how to do it. 

mark_alfred

For Tor Browser, I haven't found an onion site for youtube.com.  So just using youtube.com, which would not work without javascript, so I enabled it for youtube.  plugins such as flash-player are not enabled, but it does work with html5.  Is this safe?  Is there some information place or test site or way that I confirm privacy safety of what I do or set up?

mark_alfred

radiorahim, thanks for the suggestions.  I don't have a smart phone, but I'm now working on getting some of what you suggested for computers set up.

So, I've got Tor Browser installed and running.  But as is, I found some of the restrictions were too odious. 

So, I enabled history to be maintained until I close the browser, so that I could enable saving passwords.  In doing so, I allowed cookies from a visited site until I close the browser (and never 3rd party cookies).  Also I created a Master Password.  Thus, this one password should be all I have to enter when accessing sites that require passwords (all of which are unique with numbers, letters -- lower & upper case -- and punctuation or symbols.)

Rabble works with NoScript on, but Facebook does not.  Is it safe to enable scripts on Facebook while on Tor Browser?  In doing a search, I discovered this site:  https://www.facebookcorewwwi.onion  Supposedly it's a private Facebook place (which seems an oxymoron, but whatever -- some details here).  It allowed me to log in, but would not proceed unless I enabled javascript.  So, temporarily for that site, I did.  Not sure if this was a wise thing to do, but browsing Facebook would have been impossible otherwise.  Other than this, scripts are forbidden globally.... Well, even though Rabble/Babble works with NoScript on, I've disabled it here to get more than the minimal functions going.

Anyway, I don't know if I'm being any more private or safer with Tor Browser running, as I've set it up, or not.  Presumably so, but I'm not sure. 

The other thing I'm working on is setting up PGP with Claws Mail, using instructions from https://www.gnupg.org/gph/en/manual.html along with a couple of Claws Mail plugins, those being PGP/Core and PGP/MIME.  I'm finding this a bit tricky, since it's new to me.  I'll likely be post a few questions for you and the general Babble-World on this in the near future.

mark_alfred

mark_alfred wrote:

The other thing I'm working on is setting up PGP with Claws Mail, using instructions from https://www.gnupg.org/gph/en/manual.html along with a couple of Claws Mail plugins, those being PGP/Core and PGP/MIME.  I'm finding this a bit tricky, since it's new to me.  I'll likely be post a few questions for you and the general Babble-World on this in the near future.

I'm having a conflict between my expectations and what actually happened.

Okay, I have two email addresses.  One is a Toronto Freenet address, and the other is a yahoo.ca address.  So, I ran the command "gpg --gen-key" on the freenet address, creating (I think) a public and private password for it.  So, I used the freenet address to send a message to the yahoo address.  But, it couldn't find the password.  I figured it would want the sender's password to encrypt the sender's message.  But instead it demanded the recipient's password, which I had not created yet.  So, I went ahead and created it (meaning, I also ran "gpg --gen-key" for the yahoo address).  Then I was able to do it.  Upon receiving it, it then demanded the sender's password of the recipient.  I gave it this.  So I was successful in viewing the encrypted message.  But I'm confused still.

Somehow this seems backwards to me.  Do I have to create different passwords for all the people I would send email to?  Seems very work heavy.  I'm trying to grasp how this would work with others outside of my two addresses.

Any feedback that will allow me to grasp how this works would help.

mark_alfred

Hmm.  Seems to be another case of RTFM.  Happens to me alot.  I think I should be able to figure it out.

mark_alfred

No, I still can't quite figure it out.  I used a netbook that I have to provide a pseudo outside recipient.  So, I exported a public key for my email to this recipient in a pgp file (sender.pgp) in a non-encrypted email.  I then had the recipient receive this (IE, recipient@there.com), and import the public key of me, the sender (IE, sender@here.com).  I then tried to send an encrypted email to the recipient, but it demanded the recipient's private password.  How am I supposed to have this?  I figured that it would sender locks her/his email, but then sends it to a receiver who has previously been given a key.

However, I guess that wouldn't be very safe, since the receiver could then share the key and the encryption blown.  Still, having to create unique keypair passwords for everyone I send an email to, and then having to send a public key of my own password to each of them as well just seems like a lot of work (again, I don't know if that's the case, but at this point I'm guessing it is).  Is this what's required?

I don't think I can see the general public going to this effort.  I enjoy stuff like this, and I'm not sure I can see myself going to this effort.

mark_alfred

Hmm. Perhaps my using Claws Mail is the problem. I think I'll switch to Thunderbird with Enigmail.  And maybe with the addon TorBirdy.

mark_alfred

The facebook onion site (https://www.facebookcorewwwi.onion) didn't work the second time. I think it only worked the first time because I had tried the normal FB site first, and signed in with the security question due to it not recognizing my device (IE, my different ip number). So, it just kept spinning its wheels when I tried without logging into the normal FB site first. So, guess I'll just use the normal site. It must be more private using Tor Browser, I figure.

ETA:  I find I can get it to work sometimes if I'm persistent in my cursor clicking.  I'm undecided whether using this onion site with Tor, or just using Facebook with Tor, is the better option.  Both work, so it's not like I need to use the onion site.  I may default to the onion site anyway.

mark_alfred

Things actually are the same with Thunderbird -- it's prettier than Claws Mail, but basically the pgp stuff works the same.  I'm think I'm starting to figure out how it works.  There's two keys, a public and private one.  To send an encrypted email, the public one of the recipient is required by the sender, and thus a prompt for a password is given.  To read an email that is encrypted, the recipient also receives a prompt for a password, this being for the private password of the recipient.  Keys can be obtained by signatures, by file, or by public keyservers. 

Okay, I'm still not really sure what I'm talking about, but I feel I'm at least not completely lost anyway.  Even though I've been using a couple of different email addresses to test, I'm getting skewed results due to generally using the same machine to monitor the gpg keys.  Things were a bit clearer when I later involved a different computer into the mix, though.  Should have done that initially.

Time to look at keyservers.  Apparently this has some useful stuff.  ..... hmm, https://www.gnupg.org/gph/en/manual.html#AEN464 .... nope, I don't really understand it.

mark_alfred

I think the main thing I've learnt is this (from the gnupg manual):  "To use GnuPG effectively both parties communicating must use it."  That's been my stumbling block, really.  I figured I could encrypt my emails, send 'em out coded with the offer of a key, and if people were interested, they'd open 'em up, and if not, then screw 'em.  Not so, it seems.  I need a key from them first before I can send anything out encrypted.

Unionist

*bump* - because I'd like to hear answers to some of mark_alfred's questions.

mark_alfred

Apparently rabble.ca is vulnerable and/or is being used for cross site scripting (aka XSS).  This, apparently, is when others from an outside site inject malicious code into another site.

I use Tor Browser, which has NoScript.  NoScript is a program that blocks site scripts, unless you whitelist a site to allow scripts from the site.  I've whitelisted rabble.ca to allow scripts such as javascript.  But, the NoScript program has a safety feature that protects against XSS even on whitelisted sites.

I recently received a warning stating,

NoScript wrote:
NoScript filtered a potential cross-site scripting (XSS) attempt from [http://rabble.ca].  Technical details have been logged to the Console.

There are a few sites I've whitelisted, but this is the first time I've gotten this feedback.  I checked out the Console feedback, but it was way over my head.

ETA:  Well, I guess rabble.ca is off my whitelist.  Heck, rabble/babble is usable without scripts, you just don't get frilly options like emoticons and some other frills.