GPG Signed Admin Emails and Flowcrypt

2020-02-24 by: Michael Harrison
From: Michael Harrison 
1st the good: Flowcrypt (an extension for Chrome/Gmail) mostly works.
The bad: it holds the public key "somewhere"... so I wouldn't consider it
very secure. I assume there is at least 1 LEO/Spook working there with
insane access, and 2 malevolent bogons that need a payoff.

Other good: PHP's GnuPG stuff seems to work.

Wish Alpine had built-in support, but I'm good at export and cli gpg. Or at
least, getting better.

Melee is now signing all admin emails (subscribe, unsubscribe, help,
digest, fortune...) but doing NOTHING (I hope) for general list emails.

Yeah, I attached an image: a screenshot of Gmail and Flowcrypt showing the
email as "signed" with a bogus script signature. It was/is cute.

--Can you tell it's been cold outside? I've been productive--

[image: image.png]
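What Gmail/Flowcrypt (or `gpg --verify`) sees in those admin mails is the RFC 4880 cleartext signature framework: a dash-escaped body, an armored signature, and a CRC24 line on the armor. Added example for this thread, not Melee's, Flowcrypt's or GnuPG's code: it splits a clear-signed mail into the canonical text gpg hashed and the armored signature, and checks the armor checksum. The sample mail is constructed and its "signature" is filler bytes, so only the framing is exercised here; the signature itself still has to go through `gpg --verify` with the list's public key.

```python
"""Split a clear-signed mail into the text gpg actually hashed and its armored
signature, and check the armor's CRC24 (RFC 4880 sections 6.1 and 7).

Added example, not code from the thread. The sample mail below is constructed
and its signature bytes are filler, so the framing and armor checksum are
checked, not the signature.
"""
import base64
import re

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 6.1, used for the checksum line in ASCII armor."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(data: bytes, label: str = "PGP SIGNATURE") -> str:
    """Wrap raw OpenPGP packet bytes in ASCII armor with a CRC24 trailer."""
    body = base64.b64encode(data).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    check = base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    return "\n".join([f"-----BEGIN {label}-----", ""] + lines
                     + ["=" + check, f"-----END {label}-----"])


def dearmor(text: str) -> bytes:
    """Decode an armored block; raise ValueError if the CRC24 line disagrees
    with the data (a transport-corruption check, not a signature check)."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN ") or not lines[-1].startswith("-----END "):
        raise ValueError("missing armor header or tail")
    body = lines[1:-1]
    if "" in body:                      # skip armor headers (Version:, Comment:, ...)
        body = body[body.index("") + 1:]
    check = body.pop()[1:] if body and body[-1].startswith("=") else None
    data = base64.b64decode("".join(body))
    if check is not None and int.from_bytes(base64.b64decode(check), "big") != crc24(data):
        raise ValueError("armor checksum mismatch")
    return data


def armor_valid(text: str) -> bool:
    try:
        dearmor(text)
        return True
    except ValueError:                  # binascii.Error is a ValueError too
        return False


CLEARSIGN_RE = re.compile(
    r"-----BEGIN PGP SIGNED MESSAGE-----\r?\n"
    r"(?:[A-Za-z-]+: [^\r\n]*\r?\n)*\r?\n"      # Hash: ... headers, then a blank line
    r"(?P<text>.*?)\r?\n"
    r"(?P<sig>-----BEGIN PGP SIGNATURE-----.*?-----END PGP SIGNATURE-----)",
    re.S)


def split_clearsigned(mail: str):
    """Return (signed_text, armored_signature).

    signed_text is the canonical form gpg hashes (RFC 4880 7.1): the "- "
    dash-escape removed, trailing spaces/tabs dropped from every line, CRLF
    line ends, and no line break after the last line."""
    m = CLEARSIGN_RE.search(mail)
    if not m:
        raise ValueError("not a clear-signed message")
    lines = []
    for line in m.group("text").splitlines():
        if line.startswith("- "):
            line = line[2:]
        lines.append(line.rstrip(" \t"))
    return "\r\n".join(lines), m.group("sig")


# Constructed sample: an admin mail as a list server might clear-sign it. The
# "-- " signature separator had to be dash-escaped, and the first line carries
# trailing spaces that gpg leaves out of the hash.
SAMPLE_SIGNATURE_BYTES = bytes(range(48))          # filler, not an OpenPGP packet
SAMPLE_MAIL = (
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "Hash: SHA256\n"
    "\n"
    "Welcome to the chugalug list.   \n"
    "- -- \n"
    "list admin (reply with 'help' for commands)\n"
    + armor(SAMPLE_SIGNATURE_BYTES) + "\n"
)

if __name__ == "__main__":
    text, sig = split_clearsigned(SAMPLE_MAIL)
    print("signed text:", repr(text))
    print("armor checksum ok:", armor_valid(sig), "->", len(dearmor(sig)), "signature bytes")
```

The text returned by `split_clearsigned` is exactly what `gpg --verify` hashes, which is why a mail client that re-wraps lines or strips the dash-escape before checking will report a bad signature on a perfectly good mail.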

===============================================================
From: Adam Jimerson
------------------------------------------------------
The downside to Flowcrypt (if it's the one I'm thinking of) that I found is if you have a detached key (like part of your private key on a smart card/Yubikey) it completely barfs. I have reported it and the dev has little interest in fixing it. The good is it uses the browser's local store, so for Chrome it gets buried in $HOME/.config/google-chrome and Firefox stores it in the .Mozilla directory, and it is not synced if you make use of such features in Firefox/Chrome (so presumably not uploaded anywhere, but trust as you will).

If anyone finds a browser extension that plays nice with such keys I would be interested to try it out.

On Sun, Feb 23, 2020, 8:05 PM Michael Harrison wrote:

===============================================================
From: "Mike (meuon) Harrison"
------------------------------------------------------
That explains some behavior I saw. I could also not get it to decrypt messages sent by GPG and me. It kept asking for a passphrase, even though I had just entered it and it was working on their sample "welcome" messages. It was useful for testing.

I'm trying to move away from Gmail all the things that don't work better with a Gmail mail address. I don't plan on using Gmail for anything that actually requires GPG/PGP, or for that matter, requires much security/privacy. It's fun for testing. Not for my top secret plans to overthrow the planet. (Eh Pinky?)

What I am interested in is increasing the amount of encrypted email traffic usage, for pretty much the same reasons as "LetsEncrypt.org" does it for web traffic. But not requiring it, or making it obnoxious by signing or encrypting to people that don't use PGP.

Personally: If I get one encrypted email every couple of months, it stands out. If an important thing (emailed data, credentials, etc.) is but one of several encrypted emails a day, it doesn't stand out. When the Gestapo knock on my door because I do a lot of encrypted email, I get to laugh and show them my chugalug mailing list mail... Hopefully they'll laugh and call me a geek. Unless actually using end to end encryption actually becomes illegal and enforced. Then we all lose.

===============================================================
From: Adam Jimerson
------------------------------------------------------
There are ways around it, I have just been too lazy to do myself, like exporting a copy of your GPG key with the detached part included and importing that into the browser extension, or using a mail client that has full/native PGP/GPG support and treating Gmail like an IMAP/POP3 (people still use this for some reason).

I might give Flowcrypt another try knowing that limitation and just have to deal with the fact that it can sign/encrypt/decrypt things without my Yubikey (my FreeBSD boxes already have my full key on them since I'm one of those weirdos that like to sign my Git commits with my GPG key).

On Mon, Feb 24, 2020 at 8:45 AM Mike (meuon) Harrison wrote:

===============================================================
From: "Mike (meuon) Harrison"
------------------------------------------------------
I gotta play more.. I like that idea. :)

===============================================================
From: Adam Jimerson
------------------------------------------------------
It at least helps show you (or someone who has access to your GPG key) authored the commit. Most repo hosts will verify the GPG signature and add a "Verified" badge to the commit, like so: https://gitlab.com/vendion/dotfiles/-/commits/master and of course Git provides a way for people to verify this locally with GPG if they have your public key.
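The "Verified" badge and `git verify-commit` both rest on the same two pieces: the commit object with its `gpgsig` header removed (that is what was signed) and the armored signature stored in that header. Added example for this thread, not git's own code or anything from the dotfiles repository linked above: it takes a signed commit object apart into those two pieces, rebuilds one the way `git commit -S` writes it, and shows the gpg call git then makes. The commit object is constructed, with placeholder tree/parent ids and filler in place of a real signature.

```python
"""Take a signed git commit object apart into the bytes gpg signed and the
signature git keeps in the `gpgsig` header, which is what `git verify-commit`
(and a host's "Verified" badge) hand to gpg.

Added example, not git's code. The commit below is constructed: the tree and
parent ids are placeholders and the signature body is filler.
"""
import subprocess
import tempfile

GPGSIG = b"gpgsig "


def split_signed_commit(obj: bytes):
    """Return (payload, signature) for a raw commit object.

    git stores the armored signature as a `gpgsig ` header; each further line
    of the armor is a continuation line beginning with one space. The signed
    payload is the commit object with that header removed, byte for byte
    (tree, parents, author, committer, message), so changing any of them after
    signing invalidates the signature."""
    payload, sig = [], []
    in_headers, in_sig = True, False
    for line in obj.split(b"\n"):
        if in_headers and line == b"":
            in_headers = False               # blank line ends the header block
        if in_headers and in_sig and line.startswith(b" "):
            sig.append(line[1:])              # continuation line of the armor
            continue
        in_sig = False
        if in_headers and line.startswith(GPGSIG):
            in_sig = True
            sig.append(line[len(GPGSIG):])
            continue
        payload.append(line)
    if not sig:
        raise ValueError("commit has no gpgsig header")
    return b"\n".join(payload), b"\n".join(sig) + b"\n"


def is_signed(obj: bytes) -> bool:
    try:
        split_signed_commit(obj)
        return True
    except ValueError:
        return False


def render_signed_commit(payload: bytes, signature: bytes) -> bytes:
    """The inverse: embed an armored signature the way `git commit -S` does,
    as the last header before the blank line, continuation lines space-led."""
    headers, _, message = payload.partition(b"\n\n")
    sig_lines = signature.rstrip(b"\n").split(b"\n")
    gpgsig = GPGSIG + sig_lines[0] + b"".join(b"\n " + l for l in sig_lines[1:])
    return headers + b"\n" + gpgsig + b"\n\n" + message


def verify_with_gpg(payload: bytes, signature: bytes) -> bool:
    """What git does next: signature in a temp file, payload on stdin, and
    only a GOODSIG status line counts. Needs gpg and the signer's public key
    in the local keyring, so the demo below does not call it."""
    with tempfile.NamedTemporaryFile(suffix=".asc") as sigfile:
        sigfile.write(signature)
        sigfile.flush()
        proc = subprocess.run(
            ["gpg", "--status-fd=1", "--keyid-format=long", "--verify", sigfile.name, "-"],
            input=payload, capture_output=True)
    return proc.returncode == 0 and b"[GNUPG:] GOODSIG " in proc.stdout


# Constructed sample commit: placeholder object ids, filler signature body.
SAMPLE_PAYLOAD = b"\n".join([
    b"tree " + b"0" * 40,
    b"parent " + b"1" * 40,
    b"author A. Developer <dev@example.com> 1582500000 -0500",
    b"committer A. Developer <dev@example.com> 1582500000 -0500",
    b"",
    b"Sign admin mail with the list key",
]) + b"\n"

SAMPLE_SIGNATURE = b"\n".join([
    b"-----BEGIN PGP SIGNATURE-----",
    b"",
    b"iQEzBAABCAAd" + b"A" * 52,        # filler, not a real signature packet
    b"=AAAA",
    b"-----END PGP SIGNATURE-----",
]) + b"\n"

if __name__ == "__main__":
    obj = render_signed_commit(SAMPLE_PAYLOAD, SAMPLE_SIGNATURE)
    print(obj.decode())
    payload, sig = split_signed_commit(obj)
    print("payload round-trips:", payload == SAMPLE_PAYLOAD)
```

Because the payload is the whole commit object minus the signature header, a rewritten message, a swapped parent, or a changed committer identity all change what gpg hashes; that is what makes the host's badge meaningful when you see it, and also why a rebase silently drops every "Verified" mark unless the commits are re-signed.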