Hello, this is Ahuka, and welcome to Hacker Public Radio and another in our ongoing series on security and privacy. What I want to do this time is pick up from what we did last time. Last time we took a look at how to do encryption with email in Thunderbird using an add-on called Enigmail. What I want to do this time is take on the task of showing how we can also use encryption with web-based mail. And for this one I'm going to select Gmail, because I have a Gmail account, so that makes it easy. I think there are probably similar ways to do this with Yahoo or with Outlook.com or what have you, but I'm going to use a particular example that I happen to be familiar with.

Now, you know, people use web-based mail a lot. Gmail is certainly one of the more popular ones. The thing that you have to keep in mind is that this is all about encrypting the message with your keys, that you control, before it leaves the computer. Steve Gibson calls this pre-internet encryption, or PIE. Now last time we mentioned Lavabit, Ladar Levison and all of that, and the flaw in what they did was that they had keys that the mail provider controlled. And these keys could be, and were, demanded by the government. So if you use your own GPG keys that you control, no provider, in this case Google, is even capable of giving anything to the government other than a blob of random nonsense. Now I'm not going to get into metadata. That's another discussion, and Lord knows we will probably get to that one too at some point.

But what I want to do here is talk about an extension that you can install. It's available for both Chrome and Firefox. And I'm going to do it with Chrome, because that's what I use to access my Gmail account. And the extension is called Mailvelope, M-A-I-L-V-E-L-O-P-E. So it's "mail" and "envelope" kind of mashed together. And as a Chrome extension, you basically just do what you do with any other Chrome extension: you go to the Chrome store.
You do a search for Mailvelope and you install it. Now once you have Mailvelope installed, you need to give it your keys. We talked about creating keys over a couple of different episodes: how to do it with the command line, how to do it with a GUI client. Then last time we talked about using your keys with Enigmail in Thunderbird. Now one of the things about Enigmail that was really nice was that Enigmail knew where to look and would just go grab your keys. Mailvelope is not quite as user-friendly in this respect, but it's going to give us a chance to learn something that we're going to need to know, and that's all about exporting keys.

So when you have Mailvelope installed, then in the extensions window in Google Chrome you will see that there's something there that says Options. It's a link that you click, and that opens up the options window for Mailvelope. And when you take a look at that you're going to see you've got a number of things you can do, and one of them, it's down a couple on the left, you're going to see something that says Import Keys. Now you can import your keys or other people's keys, depending on what you have available to you. But the thing is that it has to be pure ASCII text files. Now chances are, when GPG created all of this on your hard drive, it was not pure ASCII. It was probably a binary file. So what you need to do is an export. Now you can do this in several ways. You could do it at the command line, for instance, and there are two different commands, one for the private key and one for the public key. So for the private key the command would be gpg --export-secret-key -a followed by your username, and this will be your username. In this case I'm on a Linux box, so it would be my Linux username, the name of my home directory, in other words. Now this will display your key as ASCII text in the terminal window; you can paste it into Mailvelope and away you go.
Now, to get your public key, and the public key is the one that's used by other people to encrypt messages to you, the command is slightly different: gpg --armor --export and then the email address. Remember that when you created your GPG key, the email address was a part of that, and it's linked to your email address, so that's going to get your public key exported. And again, this will show up in the window, and, you know, you can copy and paste, what have you.

Now if you've already set up Thunderbird, we can make this even a little bit simpler, because you can export them both at once. In Thunderbird, go to that OpenPGP menu that we talked about last time, and this time select Key Management. Then click on your own key to select it, and then go to the File menu and select Export Keys to File. You'll then be asked if you wish to include the secret key; say yes, and you will be asked to approve a file name and a location for the exported file. Now this will be a .asc file, in other words ASCII text. And then in Mailvelope, on the import screen, you can click Import from File and find that file. So, you know, put it in your home directory, somewhere where you know how to find it. And if all goes well you're going to see two green lines. The first one says "Success. Public key was imported," blah blah blah, and the second one would be "Success. Private key was imported," blah blah, and, you know, in each case saying that it's been added to your keyring. And then you can take a look at your keyring in Mailvelope, and you should see your name and the ID of your key, and you'll actually see two keys in the icon on the left, because that's going to indicate that it got both the public and the private.
Now if you then later on import the public key of some other people, people that you might want to correspond with, when you look you would see their name and their key identifier, but you'd only see a single key on the left, because you obviously would not have their private key.

Now I said it was worth learning this import/export business with keys because it's really the best way to move your keys to other computers. Now I've seen stuff that says, oh, just copy your .gpg directory, and, you know, if you're going to another Linux machine that'll probably work. But, you know, what if you're a cross-platform person? What if you're like our friend Knightwise, who makes a whole big fetish out of being cross-platform? And, you know, let's face it, a lot of people, there are times they want to use Linux; other times, you know, I have to use Windows when I'm at work; some people may have a Macintosh around that they want to use. So understanding how you can export your key files, and then on any other computer you just use the import like we just did with Mailvelope, that's going to be a good way to get your keys moved around. So now that you've imported this, let's say you wanted to send a message in Gmail.
Now if the only key you have is your own, you have to send something to yourself; you can actually do that. But what you're going to see now, because of Mailvelope, is that when you click Compose (and in Gmail, I'm going to assume you all know how this works), when you click the Compose button, a window opens up in the lower right, and it's got a black bar across the top, and, you know, you start typing your message. What you're going to see now is that something has changed, and what has changed is that there is an additional icon on that window, and the icon is an edit icon; it's got the yellow pencil on top of a sheet of paper. And if you click that, another window opens for you to create your encrypted message, so you just type your message in that window. It's going to say at the very top "chrome-extension" and a bunch of blah blah blah blah, yes, because the extension, Mailvelope, that you installed is taking over this process. And then you compose your mail.

Now, if you simply click the Transfer button, you get a pop-up warning you that you're trying to send unencrypted data, right? So just because you've composed it in this window, you haven't finished the process yet. But if you take a look, there's an icon of a padlock, the lock icon, so you click that, and what happens? Well, another window is going to open. Remember that when you send encrypted mail, you encrypt it using the public key of the recipient. Now, right now you may only have your own public key in there, because we just imported it a moment ago, but at some point you're going to start accumulating public keys of other people. And so what you need to do is select the recipient for whom you have a public key. Now I think I mentioned last time I'm setting up something with Tony Bemus from the Sunday Morning Linux Review, and I think the two of us are going to do a little program talking about how you do all of the obtaining keys of other people and things like that. So, you know, that
should be fun. We're going to get there; it's like everything else, you've got to take it one step at a time. So anyway, at this point, you know, you click that, and maybe the only name you see up there is your own, so highlight that and click the Add button, and when you do that, everything gets encrypted. Then when you click Transfer, what's going to get transferred is an encrypted message, and so in your Gmail window, your compose window, now it's just going to say BEGIN PGP MESSAGE and all sorts of gobbledygook, and at the end it's going to say END PGP MESSAGE. So you have a completely encrypted message, but so far not a thing has left your computer, and that's the important part. So if you now click the Send button, your message will be sent, but Google will have no idea what it says, and neither will anyone else if they do not have the private key of the recipient, and ideally they wouldn't.

Now suppose you receive a message that has been encrypted, and that means that you have a correspondent out there who has your public key, and they used that to encrypt a message to send to you. Well, when that comes in, Mailvelope is going to notice: "Wait a minute, this is encrypted, isn't it? I'm supposed to do something." So it'll throw an overlay on top of the message with the icon of an envelope and lock; your cursor will turn into a key, and if you click on the icon you will be asked to provide your passphrase. And assuming you can do this successfully, the message will decrypt, if, you know, you know your passphrase.

Now the last thing: digital signing. And I have to tell you at this point, I'm recording this towards the end of February of 2014, but I'm recording it ahead of time and it's going to go out later on this year. At the time I'm recording this, Mailvelope does not support digital signing, but it's clear that they're working on it, and I hope it will be added soon. Obviously they put the priority on ensuring that you can securely encrypt messages, and that's not really a terribly bad priority to have
when you think about it. So with that, this is Ahuka signing off for Hacker Public Radio, and reminding everyone: please support free software. Bye.

You have been listening to Hacker Public Radio at hackerpublicradio.org. We are a community podcast network that releases shows every weekday, Monday through Friday. Today's show, like all our shows, was contributed by an HPR listener like yourself. If you ever consider recording a podcast, then visit our website to find out how easy it really is. Hacker Public Radio was founded by the Digital Dog Pound and the Infonomicon Computer Club. HPR is funded by the Binary Revolution at binrev.com. All Binrev projects are currently sponsored by Lunar Pages. From shared hosting to custom private clouds, go to lunarpages.com for all your hosting needs. Unless otherwise stated, today's show is released under a Creative Commons Attribution-ShareAlike license.
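An added example, not from the episode and not Mailvelope's or GnuPG's own code: a Python check you can run over an exported .asc file before importing it, to confirm it is ASCII armor rather than a binary export, which key blocks it carries (public and/or private, the "two green lines" case), and that each block's base64 body decodes and matches its CRC-24 trailer. The armor() helper and the SAMPLE_ASC it builds are constructed for the demo and contain no real key material.

```python
import base64
import re

def crc24(data):
    """OpenPGP armor checksum (RFC 4880 6.1): init 0xB704CE, polynomial 0x1864CFB."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(block_type, payload):
    """Wrap bytes the way gpg --armor prints them: header, blank line, base64, =CRC, footer."""
    b64 = base64.b64encode(payload).decode("ascii")
    crc = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PGP {block_type}-----\n\n{body}\n={crc}\n-----END PGP {block_type}-----\n"

# Constructed sample export with both blocks, as Thunderbird's "include secret key" export gives you.
SAMPLE_ASC = armor("PUBLIC KEY BLOCK", b"constructed-not-a-real-key") + armor("PRIVATE KEY BLOCK", b"constructed-private-part")
BLOCK_RE = re.compile(r"-----BEGIN PGP ([A-Z ]+)-----\n(.*?)-----END PGP \1-----", re.S)

def inspect_export(text):
    """Report which key blocks an export holds and whether each decodes with a matching CRC-24."""
    if any(ord(ch) > 127 for ch in text):      # binary export, not armor: an importer will reject it
        return {"ascii": False, "blocks": {}}
    report = {"ascii": True, "blocks": {}}
    for block_type, body in BLOCK_RE.findall(text):
        data, crc_line, in_headers = [], None, True
        for line in body.splitlines():
            if in_headers and ":" in line:      # armor header such as "Version: GnuPG v2"
                continue
            in_headers = False
            if line.startswith("="):            # the CRC-24 trailer line
                crc_line = line[1:]
            elif line.strip():
                data.append(line.strip())
        info = {"decoded": False, "crc_ok": False, "bytes": 0}
        try:
            payload = base64.b64decode("".join(data), validate=True)
            info["decoded"], info["bytes"] = True, len(payload)
            if crc_line:
                info["crc_ok"] = crc24(payload).to_bytes(3, "big") == base64.b64decode(crc_line, validate=True)
        except ValueError:                      # bad base64 in the body or the trailer
            pass
        report["blocks"][block_type] = info
    return report
```

Run inspect_export() on the text of your exported file; a block whose crc_ok is False was truncated or altered somewhere between export and import.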