end-to-end encryption? SSL? GnuPG?

xiando xiando at xiando.com
Sat Oct 21 06:34:47 UTC 2006


> The problem is people are extensively using webmail. They can use
> "mobile" Tor (TorPark), but the problem is the content of the webmail is
> not encrypted. So they can get anonymity, but not end-to-end encryption
> (so anonymity is also downgraded).

I've heard a rumor about this amazing new end-to-end encryption solution for 
web called SSL. Apparently, it requires the web-server to be configured to 
support it and if it is then end-to-end encryption can be achieved by going 
to a URL which begins with https://

https:// requires paying a Tax to an evil corporation to avoid getting a 
message complaining about "not trusted" cert, but that only means the root 
cert is not built into the browser; you can easily make your own cert too; 
but this requires the users to verify that the cert used matches the 
fingerprint announced on the website.

> My idea is to build GPG into Firefox or at least integrate it more
> deeply. GPG keyring (user's private and public key) should be an object
> similar to certificate.

(..)

> My observation is, that more and more services are moving into the
> internet - and mostly into web. So web browser is a central technology
> for browsing, reading email, writing texts (Writely), publishing
> things, configuring software, watching movies... even running OS (see
> YuOS for example) And web browser is becoming independent from other
> systems. In a future local operating system could be only web browser
> with connection to the internet. That is why we need end-to-end
> encryption built into it.
>
> If you find this idea reasonable and interesting, please promote this
> feature request:
> https://bugzilla.mozilla.org/show_bug.cgi?id=357310

I agree that your idea of using GnuPG for everything is excellent. The IM 
client PSI is only one of many IM programs that now support using GnuPG for 
chatting. I agree that websites serving pages using GnuPG and Firefox - and 
every other browser out there - supporting it. I agree the idea is excellent, 
but .. I seriously doubt GnuPG will replace SSL - ever. But .. I agree it's a 
good idea.

Also, it should be mentioned that Tor exits can (and some likely do) monitor 
traffic - thus; sending passwords to non-SSL websites (webmail, forums) etc 
is generally very very dumb. http://tork.sourceforge.net/wiki/index.php/FAQ

Last, you mentioned Torpark. It's an .EXE, what's this .exe for? What else 
have these people come up with? 

Are you aware of this: http://sowd5dpn54rk2srl.onion/Back_Orifice info?

Perhaps there is a simpler solution, download Tor, Polipo and Firefox Portable 
and make a .bat file (instead of torpark.exe) which does the same?

start "Tor" /DTor /MIN tor.exe -f torrc.ini
start "Polipo" /DPolipo /MIN polipo-20060920.exe -c polipo.ini
"FirefoxPortable\FirefoxPortable.exe"

Just my random ramblings.
xiando
-- http://killtown.911review.org/
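
Added example, not part of the original post: a Python sketch of the check the message describes for a self-made certificate, comparing the certificate a server presents against the fingerprint announced on the website. The function names and the sample bytes are assumptions made for illustration; the announced fingerprint is expected as SHA-256 or SHA-1 hex, with or without colons.

```python
import hashlib
import hmac
import socket
import ssl

# Digest is chosen from the length of the announced fingerprint (hex chars).
# SHA-1 is accepted only for fingerprints that were published in that form.
_ALGO_BY_HEXLEN = {40: "sha1", 64: "sha256"}


def normalize(fp: str) -> str:
    """Strip separators and lowercase, so 'AB:CD' and 'abcd' compare equal."""
    cleaned = "".join(c for c in fp if c not in ": -\t\n").lower()
    if len(cleaned) not in _ALGO_BY_HEXLEN or any(
            c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("not a SHA-1 or SHA-256 hex fingerprint")
    return cleaned


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """A fingerprint is a digest over the DER encoding of the whole cert."""
    return hashlib.new(algo, der).hexdigest()


def matches(der: bytes, announced: str) -> bool:
    want = normalize(announced)
    got = fingerprint(der, _ALGO_BY_HEXLEN[len(want)])
    return hmac.compare_digest(got, want)


def connect_pinned(host: str, announced: str, port: int = 443) -> ssl.SSLSocket:
    """Open TLS to a self-signed server; keep the socket only if the pin matches."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # a self-signed cert has no CA chain to check,
    ctx.verify_mode = ssl.CERT_NONE  # so the fingerprint below is the only trust anchor
    raw = socket.create_connection((host, port), timeout=10)
    sock = ctx.wrap_socket(raw, server_hostname=host)
    der = sock.getpeercert(binary_form=True)
    if der is None or not matches(der, announced):
        sock.close()
        raise ssl.SSLError("certificate does not match the announced fingerprint")
    return sock


if __name__ == "__main__":
    # Constructed stand-in bytes, not a real certificate.
    sample_der = b"constructed-der-bytes-for-demo"
    announced = ":".join(f"{b:02X}" for b in hashlib.sha256(sample_der).digest())
    print(announced, matches(sample_der, announced))
```

The announced fingerprint has to reach the user over a channel other than the connection being checked, otherwise whoever can replace the certificate can replace the fingerprint too.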



More information about the tor-talk mailing list