Mailing List Archive

Am Mon, 6 May 2019 16:17:01 +0100
schrieb Mark Rousell <markr@signal100.com>:

> On 06/05/2019 15:39, Stefan Claas wrote:
> > Maybe I should set-up squid on a VPS and let people register from
> > there, while keeping no log files. :-D
>
> Check your local laws first. I am pretty sure that doing that
> (specifically the no logs bit) in the UK would now be a criminal
> offence. ;-) This is the same as many other EU countries due to one of
> the EU's data retention regulations whose name I've now forgotten.

Thanks for pointing that out! O.k. I do not want to get to off-topic
here but it interests me what would happen if I use a US based server
and a US domain with whois guard? Would ProtonMail really hunt down
a proxy server operator, or let's say other email providers, when
doing such a thing, or would they simply block access from that
domain? I mean it is not a crime to run a proxy server.


Regards
Stefan

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Am Mon, 6 May 2019 06:52:10 +0200
schrieb Stefan Claas <sac@300baud.de>:

> Am Sun, 5 May 2019 17:16:12 -0700
> schrieb Mirimir <mirimir@riseup.net>:
>
> > Well of course that's not anonymous!
> >
> > So what you do, if you want ~anonymity, is to use their Tor onion
> > site. That doesn't ask for anything beyond an email address.
>
>
> Assuming that this is their real .onion address, I just tried that.
>
> https://protonirockerxow.onion/login and got this:
>
> Are you human?
>
> To fight spam, please verify you are human.
>
> Your email or phone number will not be linked to the account created.
> It is only used during the signup process. A hash will be saved to
> prevent abuse of the ProtonMail systems. (Why is this required?)
>
> SMS
> Donate
>
> Now my question for privacy experts ... Would you give away your
> mobile phone number when using Tor ???

In case someone from the ProtonMail team is reading this thread ...

When using Tor for sign-up and using the donate* button I would
suggest support for the crypto currency Monero, so that users
stay anonymous.

*I have learned a while ago that privacy may cost also a bit
of money, even when using Open Source software only.

Regards
Stefan


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

On 06/05/2019 16:27, Mauricio Tavares wrote:
> On Mon, May 6, 2019 at 11:17 AM Mark Rousell <markr@signal100.com> wrote:
>> Check your local laws first. I am pretty sure that doing that (specifically the no logs bit) in the UK would now be a criminal offence. ;-) This is the same as many other EU countries due to one of the EU's data retention regulations whose name I've now forgotten.
>>
> Going maybe on a tangent, how would those data retention
> regulations play with GDPR?

It would not be a problem for GDPR. GDPR certainly doesn't prohibit all
data retention or usage. If data/metadata/log retention is legally
mandated then this will be allowed for in GDPR.

--
Mark Rousell

PGP public key: http://www.signal100.com/markr/pgp
Key ID: C9C5C162

On 06/05/2019 16:39, Stefan Claas wrote:
> Maybe I should set-up squid on a VPS and let people register from there,
> while keeping no log files. :-D

The only purpose of that would be to specifically subvert the intentions
and processes of ProtonMail. They have designed a system which chooses
policy based on the source IP (including a different policy for Tor exit
nodes), and you try to subvert this policy selection, and possibly give
a route for spammers to register on the system.

If you don't like their policies, don't use them. Don't try to work
around the policies they impose on the use of their service. You don't
have a right to the use of their services under your conditions.

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

On 06/05/2019 17:07, Stefan Claas wrote:
> Thanks for pointing that out! O.k. I do not want to get to off-topic
> here but it interests me what would happen if I use a US based server
> and a US domain with whois guard? Would ProtonMail really hunt down
> a proxy server operator, or let's say other email providers, when
> doing such a thing, or would they simply block access from that
> domain? I mean it is not a crime to run a proxy server.

(a) It's not a crime to run a proxy in the UK or EU[1]. It's just that
there are metadata logging and log-retention requirements if you do so.
(Once again, I apologise because I've lost my notes on all the EU and UK
legislation that may require this. It's findable on DuckDuckGo or the
search engine of your choice of course).

(b) ProtonMail isn't going to hunt down anyone (unless, maybe, they are
forced to by their local law enforcement). They aren't the police and
they're not even based in the EU, so they don't care.

(c) I do not know how the relevant legislation would work if you are a
UK or EU resident but set up your proxy service on hardware based in the
USA or another jurisdiction that does not enforce logging. A careful
reading of the legislation that is relevant to your local jurisdiction
might inform you.


Footnote:-
1: Although I fear that the UK is heading in this direction. That it,
not to outright criminalise proxies or VPNs but to 'regulate', control
and license their use. The cassus belli for this will, I suspect, be
probably very widespread evasion of the forthcoming 'porn block' using
proxies and VPNs.

--
Mark Rousell

PGP public key: http://www.signal100.com/markr/pgp
Key ID: C9C5C162

Am Mon, 6 May 2019 18:55:50 +0100
schrieb Mark Rousell <markr@signal100.com>:

> (a) It's not a crime to run a proxy in the UK or EU[1]. It's just that
> there are metadata logging and log-retention requirements if you do
> so. (Once again, I apologise because I've lost my notes on all the EU
> and UK legislation that may require this. It's findable on DuckDuckGo
> or the search engine of your choice of course).

Thanks for pointing that out! I will do more research on this topic.

> (b) ProtonMail isn't going to hunt down anyone (unless, maybe, they
> are forced to by their local law enforcement). They aren't the police
> and they're not even based in the EU, so they don't care.

That is was I am thinking as well, but it does not hurt to ask.

> (c) I do not know how the relevant legislation would work if you are a
> UK or EU resident but set up your proxy service on hardware based in
> the USA or another jurisdiction that does not enforce logging. A
> careful reading of the legislation that is relevant to your local
> jurisdiction might inform you.

I will check that out, because I am currently doing a project
which is similar and it is better to be properly informed than
instead later falling on my nose.

Thanks again for your valuable input, much appreciated!

Regards
Stefan

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi


On Monday 6 May 2019 at 10:19:35 AM, in
<mid:6b3e1a02-6d44-6a8c-8d00-45706bc3bdbb@digitalbrains.com>, Peter
Lebbing wrote:-



> If this is a referral link, I would consider that
> *extremely* bad form
> of you.

The “fbclid” parameter looks like a Facebook click identifier. It's a
tracking ploy added to external URLs from the Facebook site, similar
to Google's “gclid”.

- --
Best regards

MFPA <mailto:2017-r3sgs86x8e-lists-groups@riseup.net>

Great minds discuss ideas;
Average minds discuss events;
Small minds discuss people.
-----BEGIN PGP SIGNATURE-----

iNUEARYKAH0WIQSWDIYo1ZL/jN6LsL/g4t7h1sju+gUCXNISfl8UgAAAAAAuAChp
c3N1ZXItZnByQG5vdGF0aW9ucy5vcGVucGdwLmZpZnRoaG9yc2VtYW4ubmV0OTYw
Qzg2MjhENTkyRkY4Q0RFOEJCMEJGRTBFMkRFRTFENkM4RUVGQQAKCRDg4t7h1sju
+lLvAPkBXb7U5fYH0tE8sxW+Goh6aV5X/ZWnQEPcEtp07mSV+wEA+4Cqxek1og8s
zZxtNBu44xuqLmlMuFhHPAXKBKZ+RwyJApMEAQEKAH0WIQRSX6konxd5jbM7JygT
DfUWES/A/wUCXNISfl8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu
cGdwLmZpZnRoaG9yc2VtYW4ubmV0NTI1RkE5Mjg5RjE3Nzk4REIzM0IyNzI4MTMw
REY1MTYxMTJGQzBGRgAKCRATDfUWES/A/1X0D/9dJeMq52G25usMWuCBzCLndY/5
CifloqoVwOND5qX2VrPDGJ4mPgPUvqDXUz9SEOMzeCGZgkOMchZ29j45eLippSjc
zWY6nKTB7OE7D8ZMF6TpypXDAdQX8ULemUZOJDvgyb4Xj2yTYYDieQgu6bPivZni
PB9oLIEcaA2h3VXnDYWYrSAITA8YlPKVb/2ocGlv+f3Cu1VZZF119rHFpBrMc436
XcKVybXaYQccUlAyI87vm2GxnGDbnGXIv6dMw2tEhVYHeyjo4iE0wizz+IyKSXfv
H0fXWTskB+rPnHqORUFKoSIZtjTiKg7Y0/IUNCj4Zpr0MkNFs+xImYpCNRvnf1Ae
665t1tWMsmk/nTAmLLK7bLK38do9HmFjIpNZHB/2PZpsfrfyCSmJX4DaWofd1hZg
VXmRz5977o2IeMMwAUuykb+y9Kn30PqSE60Tt/fXBqjTSP5xw83RgJCAzWtGFB6s
d23ZcmOp6VRuHwXLFLjNtuQzPdohTN8OGLM6ZpmQO0ZBc2WB7XOLigs9IGj9qKOZ
+6LftMODff34h7ItKzqDUgpvhJmRMiW1R31VnYuKWtLmPKL7j11LtenyU/mEA3Mh
/U2z6QelkiPjLoSmNpROtJj6VYetqABhXCtXDAuYECP0X4oiaYyDcTQu/ljg0XIZ
VgeUtaRSsOKs0mSylw==
=ep1T
-----END PGP SIGNATURE-----


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Am Wed, 8 May 2019 00:19:26 +0100
schrieb MFPA <2017-r3sgs86x8e-lists-groups@riseup.net>:

> The “fbclid” parameter looks like a Facebook click identifier. It's a
> tracking ploy added to external URLs from the Facebook site, similar
> to Google's “gclid”.

That's correct, the fbclid parameter is from Facebook. I was careless
and copy / pasted the link from my PGP forum article. I already
appologized to Peter, but forgot to reply here as well.

Regards
Stefan

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

> On 6 May 2019, at 16:15, Stefan Claas <sac@300baud.de <mailto:sac@300baud.de>> wrote:
>
> ProtonMail's procedure is not anonymous like
> real anonymous email services

What are some such “real” anonymous email services?

Protonmail is anonymous† if used correctly and if you trust them.  Any user worried about text messages being tied to them could use cash at a place far from where they live with no cameras to buy a burner phone for a one time text message code if they are really that paranoid. 

If Protonmail didn't do some sort of vetting of accounts then it'd literally be infeasible to use because it would be RBL'd to hell and back due to being overrun with spammers.  

†Against typical adversaries.  If you are trying to hide from a powerful nation state willing to expend significant resources to look into you and you are not yourself supported and trained by a nation state's intelligence services, well, good luck with that.

-Ryan McGinnis
PGP: 486ED7AD
Sent with ProtonMail

??????? Original Message ???????
On Wednesday, May 8, 2019 3:08 PM, Christopher W. Richardson <cwr@cwrichardson.com> wrote:

> > On 6 May 2019, at 16:15, Stefan Claas <sac@300baud.de> wrote:
> >

> > ProtonMail's procedure is not anonymous like
> > real anonymous email services
>

> What are some such “real” anonymous email services?

On 05/08/2019 01:08 PM, Christopher W. Richardson wrote:
>
>
>> On 6 May 2019, at 16:15, Stefan Claas <sac@300baud.de <mailto:sac@300baud.de>> wrote:
>>
>> ProtonMail's procedure is not anonymous like
>> real anonymous email services
>
> What are some such “real” anonymous email services?

Any service that's available as a Tor onion service, and doesn't require
any verification, is about as anonymous as it gets. There aren't many of
those, because they get very popular among jerks. One is cock.li
(cockmailwwfvrtqj.onion). It came out of the chans, and it shows. Tor
Mail and Sigaint were great in their day, but both got taken down. I
could come up with others, but many are ~hobby-level.

ProtonMail is less anonymous for sure. There is a Tor onion service
(protonirockerxow.onion) but it can switch to the clearnet address
during registration. And they do require verification. But you can use a
cock.li address for that. But not an anonbox.net address :(


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Or you could just use qmail+GPG with the -R option.
Or heck, just post it the clearnet on some *chan. Isn't the whole point of GPG to hide the content or who it's intended to?
GPG is perfect for this imo
-----BEGIN PGP SIGNATURE-----

iLkEARMKAB0WIQQWZv6JZKxO310TWtXo8fj9gx4T0wUCXNNbCQAKCRDo8fj9gx4T
08U6AgkBU8XYac2+1C/zc6f+MEgit+MmladaKxb8BVP+xb1x3Sj5yi8k9iDStXID
2JdoVgbHmc79I7rgZ42Ab8V/6CCNoroCCQG0IOcaYdL1PPyZGH9EeZ9vCnLd1xNc
J4H7bAoMwLKthOXsE3kkAGFK9YZ9CkZSZ1BQ+dNyrFKuY5mQ2f5Kxl38zw==
=g9RY
-----END PGP SIGNATURE-----

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

On 05/08/2019 03:41 PM, Tony Lane wrote:
> Or you could just use qmail+GPG with the -R option.

Seriously, you're recommending that people run their own mail servers?

> Or heck, just post it the clearnet on some *chan. Isn't the whole point of GPG to hide the content or who it's intended to?
> GPG is perfect for this imo

Sure. Or pastebin. But that's not email.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Am Wed, 8 May 2019 22:08:22 +0200
schrieb Christopher W. Richardson <cwr@cwrichardson.com>:

> > On 6 May 2019, at 16:15, Stefan Claas <sac@300baud.de
> > <mailto:sac@300baud.de>> wrote:
> >
> > ProtonMail's procedure is not anonymous like
> > real anonymous email services
>
> What are some such “real” anonymous email services?

Sceptic, eh? :-)

No, seriously ... I will not reveal my knowledge here
publicity on the ML, for good reasons.

However, as soon as time permits I will create a little
.pdf dokument showing the required and reliable resources,
on how power user Bob communicates and how Mac Dummie Alice
communicates, securely and anonymously.

In order to obtain this document you or anybody else
will have to follow some guidelines, which I will
outline here, once the document is available.

I will challenge every GnuPG user, regardless of skill
level to try it out so that they can see that this is a
prooven and reliable method in anonymity circles. Toys
like Enigmail/Thunderbird etc. are not used. You will
need to be comfortable with GnuPG in command line mode.

Regards
Stefan



_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Am Wed, 8 May 2019 18:41:13 -0400
schrieb Tony Lane <codeguro@gmail.com>:

> -----BEGIN PGP SIGNED MESSAGE-----
> Isn't the whole point of GPG to hide the content or who it's intended
> to?

Well, yes to hide the content, that is true, but the recipient is known
and GnuPG produces the encrypted and armored content in an IMHO
non-optimal way.

In case Werner is reading this thread ..., I kindly request that you
implement for future generations of GnuPG users message padding
and and stealth mode, we had in PGP, back in the mid 90's, so
that procmail and Co. have it more difficult to filter PGP messages.

It could be implemented in gpg.conf, like:

--stealth-mode = true
--padding = integer (like minimum 1024, or 2048 etc.)

Regards
Stefan

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 5/9/19 10:44 AM, Stefan Claas wrote:
> Am Wed, 8 May 2019 18:41:13 -0400
> schrieb Tony Lane <codeguro@gmail.com>:
>
>> Isn't the whole point of GPG to hide the content or who it's intended
>> to?
>
> Well, yes to hide the content, that is true, but the recipient is known
> and GnuPG produces the encrypted and armored content in an IMHO
> non-optimal way.

Uhh... no.
You can absolutely hide the recipient with the '-R' option in Gnupg.
-----BEGIN PGP SIGNATURE-----

iLgEARMKAB0WIQQWZv6JZKxO310TWtXo8fj9gx4T0wUCXNR/ZAAKCRDo8fj9gx4T
02bCAgkB+2W+DwtY34g6PJdFbESABim2/WOYir+P9hm+24oN6GuwgiQcMGObS539
hjAhi+B1lejvGbltx2xLODj7TPAlQ64CCNSs2F4eYbc9ZRmoKVGeveDd6lMxxdBZ
TBxFKVOmcFB+ug9ocGMXJ5IWC3mA7ksTxqFnGz6w6np5rn+bzLCshjvh
=kFa/
-----END PGP SIGNATURE-----

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Am Thu, 9 May 2019 15:28:36 -0400
schrieb Tony Lane <codeguro@gmail.com>:

> Uhh... no.
> You can absolutely hide the recipient with the '-R' option in Gnupg.
> -----BEGIN PGP SIGNATURE-----


Sorry for my bad wording! I was refering to the email recipient, when
using a standard MUA which sends to a regular single email address.

Of course the -R option allows to send to someone and when the mail
arrives the message can then be handed over to the real recipient. ;-)

Regards
Stefan

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

On 05/09/2019 01:03 PM, Stefan Claas wrote:
> Am Thu, 9 May 2019 15:28:36 -0400
> schrieb Tony Lane <codeguro@gmail.com>:
>
>> Uhh... no.
>> You can absolutely hide the recipient with the '-R' option in Gnupg.
>> -----BEGIN PGP SIGNATURE-----
>
>
> Sorry for my bad wording! I was refering to the email recipient, when
> using a standard MUA which sends to a regular single email address.
>
> Of course the -R option allows to send to someone and when the mail
> arrives the message can then be handed over to the real recipient. ;-)
>
> Regards
> Stefan

Or one can send to alt.anonymous.messages, or wherever. And recipient(s)
can periodically download everything, and simply try decrypting each
message. I don't recall now whether remailer nyms worked exactly that
way. Maybe client apps depended on seeing recipient IDs. Or maybe hashes
of recipient IDs. It's interesting, but doesn't scale well.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

> On 9 May 2019, at 22:34, Stefan Claas <sac@300baud.de> wrote:
>
> Am Wed, 8 May 2019 22:08:22 +0200
> schrieb Christopher W. Richardson <cwr@cwrichardson.com>:
>
>>> On 6 May 2019, at 16:15, Stefan Claas <sac@300baud.de
>>> <mailto:sac@300baud.de>> wrote:
>>>
>>> ProtonMail's procedure is not anonymous like
>>> real anonymous email services
>>
>> What are some such “real” anonymous email services?
>
> Sceptic, eh? :-)
>
> However, as soon as time permits I will create a little
> .pdf dokument showing the required and reliable resources
>
> In order to obtain this document you or anybody else
> will have to follow some guidelines, which I will
> outline here, once the document is available.

I shall patiently await :)
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Am 09.05.2019 um 16:44 schrieb Stefan Claas:


> implement for future generations of GnuPG users message padding

> and and stealth mode, we had in PGP, back in the mid 90's, so

> that procmail and Co. have it more difficult to filter PGP messages.

Maybe an interesting read.

https://web.archive.org/web/20130513043502/http://finney.org/~hal/stealth_pgp.html

Regards

Stefan


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Christopher W. Richardson wrote:

>
>
> > On 9 May 2019, at 22:34, Stefan Claas <sac@300baud.de> wrote:
> >
> > Am Wed, 8 May 2019 22:08:22 +0200
> > schrieb Christopher W. Richardson <cwr@cwrichardson.com>:
> >
> >>> On 6 May 2019, at 16:15, Stefan Claas <sac@300baud.de
> >>> <mailto:sac@300baud.de>> wrote:
> >>>
> >>> ProtonMail's procedure is not anonymous like
> >>> real anonymous email services
> >>
> >> What are some such “real” anonymous email services?
> >
> > Sceptic, eh? :-)
> >
> > However, as soon as time permits I will create a little
> > .pdf dokument showing the required and reliable resources
> >
> > In order to obtain this document you or anybody else
> > will have to follow some guidelines, which I will
> > outline here, once the document is available.
>
> I shall patiently await :)

Sorry for the late reply, I am still busy with some projects.

Anyways, I decided to post now some keywords, which you or
anybody else can Google up.

OmniMix, QuickSilver Lite, YAMN (check github), Mixmaster4096
(check github), Bitmessage, ZeroNet and for anonymous file
transfer Onionshare. Those tools can be all used with Tor.

There are probably many more tools available to communicate
anonymously, but those are reliable ones used in anonymous
circles.

Regards
Stefan

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

On 06/08/2019 01:25 AM, Stefan Claas wrote:
> Christopher W. Richardson wrote:
>
>>
>>
>>> On 9 May 2019, at 22:34, Stefan Claas <sac@300baud.de> wrote:
>>>
>>> Am Wed, 8 May 2019 22:08:22 +0200
>>> schrieb Christopher W. Richardson <cwr@cwrichardson.com>:
>>>
>>>>> On 6 May 2019, at 16:15, Stefan Claas <sac@300baud.de
>>>>> <mailto:sac@300baud.de>> wrote:
>>>>>
>>>>> ProtonMail's procedure is not anonymous like
>>>>> real anonymous email services
>>>>
>>>> What are some such “real” anonymous email services?
>>>
>>> Sceptic, eh? :-)
>>>
>>> However, as soon as time permits I will create a little
>>> .pdf dokument showing the required and reliable resources
>>>
>>> In order to obtain this document you or anybody else
>>> will have to follow some guidelines, which I will
>>> outline here, once the document is available.
>>
>> I shall patiently await :)

Yeah, I'd also like to see that :)

> Sorry for the late reply, I am still busy with some projects.
>
> Anyways, I decided to post now some keywords, which you or
> anybody else can Google up.
>
> OmniMix, QuickSilver Lite, YAMN (check github), Mixmaster4096
> (check github), Bitmessage, ZeroNet and for anonymous file
> transfer Onionshare. Those tools can be all used with Tor.

Some years ago, I got Quicksilver Lite working in Debian with Wine. But
even then, it hadn't been updated for years. And now I find that
https://www.quicksilvermail.net isn't loading. Are people still using
nymservers with mixmaster? And do you have working onion URLs for
nymservers and news servers?

> There are probably many more tools available to communicate
> anonymously, but those are reliable ones used in anonymous
> circles.
>
> Regards
> Stefan
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

First of all...

On 05.05.19 12:12, Stefan Claas wrote:
> Hi all,
>
> appologies for posting this, but I think it could
> be of interest for GnuPG users, because ProtoMail
> uses the OpenPGP protocol too.

It uses OpenPGP protocol, but quite a twisted way. And they're not
OpenPGP-compliant, because they're not able to encrypt mails leaving
their domain. Any webmail by itself cannot be secure, because provider
can always send you 'modified' browser applet and steal your private key
and some day ? the passphrase.

Real anonymous email services are out there in .onion domain, but
they're neither stable nor trusted by non-onion recipients...

Cheers,

Kirill

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Mirimir wrote:

> Some years ago, I got Quicksilver Lite working in Debian with Wine.
> But even then, it hadn't been updated for years. And now I find that
> https://www.quicksilvermail.net isn't loading. Are people still using
> nymservers with mixmaster? And do you have working onion URLs for
> nymservers and news servers?

I visited the Quicksilver site a couple of days ago and it was working.

I may ping Richard to let him know that it is not working.

Regarding Nymservers, you communicate not directly with them, so
no .onion needed. What you need to do is set up Mixmaster with
Tor, socat and stunnel and then send the config Nym message to
the registration email address. There are hover .onion relays
available for Mixmaster Remailers, but I do not have them because
I use YAMN nowadays.

With News Servers I used them in the past also with Tor, socat and
stunnel. I may ask a friend if he has .onion addresses for them.
I currently don't need them because I have no more a nym to pull
messages from a.a.m.. And yes, people still using Mixmaster (and now
YAMN) with Usenet or email. :-)

Regards
Stefan

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Hi Kirill,

On 09.06.2019 08:57, Kirill Peskov wrote:
> It uses OpenPGP protocol, but quite a twisted way. And they're not
> OpenPGP-compliant, because they're not able to encrypt mails leaving
> their domain.

What do you mean by that? There is an option to add OpenPGP key of a
"foreign" contact and send to other e-mail providers just like any oter
OpenPGP mail.

From what I've seen on OpenPGP mailing list they're also planning to
have Web Key Directory key discovery so that I'll be easier to encrypt
to people outside ProtonMail

> Any webmail by itself cannot be secure, because provider
> can always send you 'modified' browser applet and steal your private key
> and some day ? the passphrase.

Yes, that's a problem. Still, who would discover a compromised Enigmail
plugin (that autoupdates too), or even GnuPG? As the code is quite
complex and in some cases there are many intermediaries (distro
maintainers) it's not quite obvious what code are you running exactly.

As for webpages there is also this interesting plugin:
https://stosb.com/blog/signed-web-pages/

Kind regards,
Wiktor

--
https://metacode.biz/@wiktor

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users