Mailing List Archive

Kirill Peskov wrote:

> First of all...
>
> On 05.05.19 12:12, Stefan Claas wrote:
> > Hi all,
> >
> > appologies for posting this, but I think it could
> > be of interest for GnuPG users, because ProtoMail
> > uses the OpenPGP protocol too.
>
> It uses OpenPGP protocol, but quite a twisted way. And they're not
> OpenPGP-compliant, because they're not able to encrypt mails leaving
> their domain. Any webmail by itself cannot be secure, because provider
> can always send you 'modified' browser applet and steal your private
> key and some day ? the passphrase.
>
> Real anonymous email services are out there in .onion domain, but
> they're neither stable nor trusted by non-onion recipients...

Correct and also .onion domains come and go.

The only IMHO reliable anonymous email services are if you
use Anonymous Remailers (with a Nym account) or Bitmessage
(with an additional Mailchuck email gateway address).

Regards
Stefan

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Mirimir wrote:

> And do you have working onion URLs for
> nymservers and news servers?

Here we go, it is from a.p.a-s:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are the free Onion SMTP Servers that I am aware of that are
working as of April 29, 2019

gbhpq7eihle4btsn.onion:25
sopoccfrkrpuiin5.onion:2525
nyt7rlpjogd24qx7.onion:587(TLS)
nyt7rlpjogd24qx7.onion:25
nyt7rlpjogd24qx7.onion:2525
nyt7rlpjogd24qx7.onion:465
bshc44ac76q3kskw.onion:25
oc6bguylwowxvs62.onion:2525

Frell must be the first remailer in your remailer chain when using
bshc44ac76q3kskw.onion.

Here are the free Onion NNTP Servers that I am aware of that are
working as of April 29, 2019

ruxuklsvo4pk74m5.onion:119
neodomea5yrhcabc.onion:119
asq5mo52aghemn2i.onion:119

I will try to update this on a weekly basis going forward and if
there are others that are working please update this thread.

-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAlzHSkgACgkQrrtSX34nv6ZyFgCg44BedGUs4jzYz204e6GlKp/9
E/cAoNa6V2YQzz9Tkb6CyyM0BOl/IRK9
=2Cfr
-----END PGP SIGNATURE-----

Regards
Stefan

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

On 06/09/2019 01:20 AM, Stefan Claas wrote:
> Mirimir wrote:
>
>> Some years ago, I got Quicksilver Lite working in Debian with Wine.
>> But even then, it hadn't been updated for years. And now I find that
>> https://www.quicksilvermail.net isn't loading. Are people still using
>> nymservers with mixmaster? And do you have working onion URLs for
>> nymservers and news servers?
>
> I visited the Quicksilver site a couple of days ago and it was working.
>
> I may ping Richard to let him know that it is not working.

Thanks. Any chance of a native Linux port of Quicksilver? I asked, some
years ago, and got that it wasn't feasible.

> Regarding Nymservers, you communicate not directly with them, so
> no .onion needed. What you need to do is set up Mixmaster with
> Tor, socat and stunnel and then send the config Nym message to
> the registration email address. There are hover .onion relays
> available for Mixmaster Remailers, but I do not have them because
> I use YAMN nowadays.
>
> With News Servers I used them in the past also with Tor, socat and
> stunnel. I may ask a friend if he has .onion addresses for them.
> I currently don't need them because I have no more a nym to pull
> messages from a.a.m.. And yes, people still using Mixmaster (and now
> YAMN) with Usenet or email. :-)
>
> Regards
> Stefan
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Mirimir wrote:

> Thanks. Any chance of a native Linux port of Quicksilver? I asked,
> some years ago, and got that it wasn't feasible.

You're welcome!

What I would do under Linux, wishing to run Mixmaster (latest
Version with 4k keys support) and using a Nym:

Check the docs here, they are for Remailers, but should help
you to compile Mixmaster under Debian.

https://inwtx.net/remailer.html

Mixmaster has also a nice ncurses Interface.

Then to handroll a Nym account with GnuPG:

http://mixnym.net/

And finally to fetch messages from a.a.m.:

https://github.com/crooks/aam2mail

If you need help with setting up Tor, socat and stunnel
let me know.

Hope this helps!

Regards
Stefan





_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Stefan Claas wrote:

> Hope this helps!

And you probably want an up to date allpingers.txt:

# A L L P I N G E R S' I N D E X
#
# Updated: 09 June 2019
# This list was last updated by SEC3
# Please email corrections to: pinger-admin@sec3.net

[apricot]
base = https://apricot.fruiti.org/echolot/
rlist = https://apricot.fruiti.org/echolot/rlist.txt
mlist = https://apricot.fruiti.org/echolot/mlist.txt
rlist2 = https://apricot.fruiti.org/echolot/rlist2.txt
mlist2 = https://apricot.fruiti.org/echolot/mlist2.txt
rlist_html = https://apricot.fruiti.org/echolot/rlist.html
mlist_html = https://apricot.fruiti.org/echolot/mlist.html
rlist2_html = https://apricot.fruiti.org/echolot/rlist2.html
mlist2_html = https://apricot.fruiti.org/echolot/mlist2.html
pgpring = https://apricot.fruiti.org/echolot/pgp-all.asc
pgpring_rsa = https://apricot.fruiti.org/echolot/pgp-rsa.asc
mixring = https://apricot.fruiti.org/echolot/pubring.mix
type2list = https://apricot.fruiti.org/echolot/type2.list

[austria]
base = https://www.tahina.priv.at/~cm/stats/
rlist = https://www.tahina.priv.at/~cm/stats/rlist.txt
mlist = https://www.tahina.priv.at/~cm/stats/mlist.txt
rlist2 = https://www.tahina.priv.at/~cm/stats/rlist2.txt
mlist2 = https://www.tahina.priv.at/~cm/stats/mlist2.txt
rlist_html = https://www.tahina.priv.at/~cm/stats/rlist.html
mlist_html = https://www.tahina.priv.at/~cm/stats/mlist.html
rlist2_html = https://www.tahina.priv.at/~cm/stats/rlist2.html
mlist2_html = https://www.tahina.priv.at/~cm/stats/mlist2.html
pgpring = https://www.tahina.priv.at/~cm/stats/pgp-all.asc
pgpring_rsa = https://www.tahina.priv.at/~cm/stats/pgp-rsa.asc
mixring = https://www.tahina.priv.at/~cm/stats/pubring.mix
type2list = https://www.tahina.priv.at/~cm/stats/type2.list

[deuxpi]
base = https://www.deuxpi.ca/echolot/
rlist = https://www.deuxpi.ca/echolot/rlist.txt
mlist = https://www.deuxpi.ca/echolot/mlist.txt
rlist2 = https://www.deuxpi.ca/echolot/rlist2.txt
mlist2 = https://www.deuxpi.ca/echolot/mlist2.txt
rlist_html = https://www.deuxpi.ca/echolot/rlist.html
mlist_html = https://www.deuxpi.ca/echolot/mlist.html
rlist2_html = https://www.deuxpi.ca/echolot/rlist2.html
mlist2_html = https://www.deuxpi.ca/echolot/mlist2.html
pgpring = https://www.deuxpi.ca/echolot/pgp-all.asc
pgpring_rsa = https://www.deuxpi.ca/echolot/pgp-rsa.asc
mixring = https://www.deuxpi.ca/echolot/pubring.mix
type2list = https://www.deuxpi.ca/echolot/type2.list

[eurovibes]
base = http://www.eurovibes.org/echolot/
rlist = http://www.eurovibes.org/echolot/rlist.txt
mlist = http://www.eurovibes.org/echolot/mlist.txt
rlist2 = http://www.eurovibes.org/echolot/rlist2.txt
mlist2 = http://www.eurovibes.org/echolot/mlist2.txt
rlist_html = http://www.eurovibes.org/echolot/rlist.html
mlist_html = http://www.eurovibes.org/echolot/mlist.html
rlist2_html = http://www.eurovibes.org/echolot/rlist2.html
mlist2_html = http://www.eurovibes.org/echolot/mlist2.html
pgpring = http://www.eurovibes.org/echolot/pgp-all.asc
pgpring_rsa = http://www.eurovibes.org/echolot/pgp-rsa.asc
mixring = http://www.eurovibes.org/echolot/pubring.mix
type2list = http://www.eurovibes.org/echolot/type2.list

[frell]
base = https://echolot.theremailer.net/
rlist = https://echolot.theremailer.net/rlist.txt
mlist = https://echolot.theremailer.net/mlist.txt
rlist2 = https://echolot.theremailer.net/rlist2.txt
mlist2 = https://echolot.theremailer.net/mlist2.txt
rlist_html = https://echolot.theremailer.net/rlist.html
mlist_html = https://echolot.theremailer.net/mlist.html
rlist2_html = https://echolot.theremailer.net/rlist2.html
mlist2_html = https://echolot.theremailer.net/mlist2.html
pgpring = https://echolot.theremailer.net/pgp-all.asc
pgpring_rsa = https://echolot.theremailer.net/pgp-rsa.asc
mixring = https://echolot.theremailer.net/pubring.mix
type2list = https://echolot.theremailer.net/type2.list

[kroken]
base = https://rlist.uni-boeblingen.de/
rlist = https://rlist.uni-boeblingen.de/rlist.txt
mlist = https://rlist.uni-boeblingen.de/mlist.txt
rlist2 = https://rlist.uni-boeblingen.de/rlist2.txt
mlist2 = https://rlist.uni-boeblingen.de/mlist2.txt
rlist_html = https://rlist.uni-boeblingen.de/rlist.html
mlist_html = https://rlist.uni-boeblingen.de/mlist.html
rlist2_html = https://rlist.uni-boeblingen.de/rlist2.html
mlist2_html = https://rlist.uni-boeblingen.de/mlist2.html
pgpring = https://rlist.uni-boeblingen.de/pgp-all.asc
pgpring_rsa = https://rlist.uni-boeblingen.de/pgp-rsa.asc
mixring = https://rlist.uni-boeblingen.de/pubring.mix
type2list = https://rlist.uni-boeblingen.de/type2.list

[mixmin]
base = https://www.mixmin.net/echolot/
rlist = https://www.mixmin.net/echolot/rlist.txt
mlist = https://www.mixmin.net/echolot/mlist.txt
rlist2 = https://www.mixmin.net/echolot/rlist2.txt
mlist2 = https://www.mixmin.net/echolot/mlist2.txt
rlist_html = https://www.mixmin.net/echolot/rlist.html
mlist_html = https://www.mixmin.net/echolot/mlist.html
rlist2_html = https://www.mixmin.net/echolot/rlist2.html
mlist2_html = https://www.mixmin.net/echolot/mlist2.html
pgpring = https://www.mixmin.net/echolot/pgp-all.asc
pgpring_rsa = https://www.mixmin.net/echolot/pgp-rsa.asc
mixring = https://www.mixmin.net/echolot/pubring.mix
type2list = https://www.mixmin.net/echolot/type2.list

[paranoia]
base = https://remailer.paranoici.org/stats/echolot.html
rlist = https://remailer.paranoici.org/stats/rlist.txt
mlist = https://remailer.paranoici.org/stats/mlist.txt
rlist2 = https://remailer.paranoici.org/stats/rlist2.txt
mlist2 = https://remailer.paranoici.org/stats/mlist2.txt
rlist_html = https://remailer.paranoici.org/stats/rlist.html
mlist_html = https://remailer.paranoici.org/stats/mlist.html
rlist2_html = https://remailer.paranoici.org/stats/rlist2.html
mlist2_html = https://remailer.paranoici.org/stats/mlist2.html
pgpring = https://remailer.paranoici.org/stats/pgp-all.asc
pgpring_rsa = https://remailer.paranoici.org/stats/pgp-rsa.asc
mixring = https://remailer.paranoici.org/stats/pubring.mix
type2list = https://remailer.paranoici.org/stats/type2.list

[sec3]
base = https://sec3.net/echolot/
rlist = https://sec3.net/echolot/rlist.txt
mlist = https://sec3.net/echolot/mlist.txt
rlist2 = https://sec3.net/echolot/rlist2.txt
mlist2 = https://sec3.net/echolot/mlist2.txt
rlist_html = https://sec3.net/echolot/rlist.html
mlist_html = https://sec3.net/echolot/mlist.html
rlist2_html = https://sec3.net/echolot/rlist2.html
mlist2_html = https://sec3.net/echolot/mlist2.html
pgpring = https://sec3.net/echolot/pgp-all.asc
pgpring_rsa = https://sec3.net/echolot/pgp-rsa.asc
mixring = https://sec3.net/echolot/pubring.mix
type2list = https://sec3.net/echolot/type2.list

[senshi]
base = http://senshiweb.webhop.net
rlist2 = http://senshiweb.webhop.net/rlist2.txt
rlist_html = http://senshiweb.webhop.net/rlist.html
mlist2 = http://senshiweb.webhop.net/mlist2.txt
mlist_html = http://senshiweb.webhop.net/mlist.html
mixring = http://senshiweb.webhop.net/pubring.mix
type2list = http://senshiweb.webhop.net/type2.list

Regards
Stefan

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Stefan Claas wrote:

> I visited the Quicksilver site a couple of days ago and it was
> working.
>
> I may ping Richard to let him know that it is not working.

O.k. his site is up and running, but his LE cert is expired.

Regards
Stefan

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Stefan Claas wrote:

> Am Mon, 6 May 2019 08:53:14 -0400
> schrieb Jeff Allen <jrallen@runbox.com>:
>
>
> > People who don't trust ProtonMail shouldn't use it.
>
> Absolutely! But I think it does not hurt to post
> such things to educate PGP users how different
> services or software applications etc. handle such
> privacy related things, especially when using the
> word anonymous.

Also interesting.

https://eprint.iacr.org/2018/1121.pdf

Regards
Stefan

--
box: 4a64758de9e8ceded2c481ee526440687fe2f3a828e3a813f87753ad30847b56
certified OpenPGP key blocks available on keybase.io/stefan_claas


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Hello Stefan,

On 01/09/2019 14:14, Stefan Claas via Gnupg-users wrote:
> Also interesting.
>
> https://eprint.iacr.org/2018/1121.pdf

If you post URL's to this mailing list, could you please provide a short
description of what can be found at the URL? This prevents the situation
that people should visit the URL to know if they want to visit the URL,
and helps a lot when searching the archives.

In this case, since it's a scientific paper, I think the following would
be a good way to share it (I used the BibTeX citation to quickly get all
the relevant fields). But at least include a short description, please.

Here:

A scientific paper by Nadim Kobeissi published in 2018 in the Cryptology
ePrint Archive, titled "An Analysis of the ProtonMail Cryptographic
Architecture":

https://eprint.iacr.org/2018/1121

Abstract:
ProtonMail is an online email service that claims to offer end-to-end
encryption such that "even [ProtonMail] cannot read and decrypt [user]
emails." The service, based in Switzerland, offers email access via
webmail and smartphone applications to over five million users as of
November 2018. In this work, we provide the first independent analysis
of ProtonMail's cryptographic architecture. We find that for the
majority of ProtonMail users, no end-to-end encryption guarantees have
ever been provided by the ProtonMail service and that the
"Zero-Knowledge Password Proofs" are negated by the service itself. We
also find and document weaknesses in ProtonMail's "Encrypt-to-Outside"
feature. We justify our findings against well-defined security goals and
conclude with recommendations.

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

On 2019-09-01 15:18, Peter Lebbing wrote:
Hi Peter,

> Hello Stefan,
>
> On 01/09/2019 14:14, Stefan Claas via Gnupg-users wrote:
>> Also interesting.
>>
>> https://eprint.iacr.org/2018/1121.pdf
>
> If you post URL's to this mailing list, could you please provide a short
> description of what can be found at the URL? This prevents the situation
> that people should visit the URL to know if they want to visit the URL,
> and helps a lot when searching the archives.
>
> In this case, since it's a scientific paper, I think the following would
> be a good way to share it (I used the BibTeX citation to quickly get all
> the relevant fields). But at least include a short description, please.

O.k., sorry, next time I will do so.

Regards
Stefan

--
box: 4a64758de9e8ceded2c481ee526440687fe2f3a828e3a813f87753ad30847b56
certified OpenPGP key blocks available on keybase.io/stefan_claas

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

??????? Original Message ???????
On Sunday, September 1, 2019 12:14 PM, Stefan Claas via Gnupg-users <gnupg-users@gnupg.org> wrote:

> Stefan Claas wrote:
>
> > Am Mon, 6 May 2019 08:53:14 -0400
> > schrieb Jeff Allen jrallen@runbox.com:
> >
> > > People who don't trust ProtonMail shouldn't use it.
> >
> > Absolutely! But I think it does not hurt to post
> > such things to educate PGP users how different
> > services or software applications etc. handle such
> > privacy related things, especially when using the
> > word anonymous.
>
> Also interesting.
>
> https://eprint.iacr.org/2018/1121.pdf
>
> Regards
> Stefan
>
> ---------------------------------------------------------------------------
>
> box: 4a64758de9e8ceded2c481ee526440687fe2f3a828e3a813f87753ad30847b56
> certified OpenPGP key blocks available on keybase.io/stefan_claas
>
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

The paper overstated protonmail security weaknesses. The paper does not point to possible or actual attacks, nor reviews code. It merely boils down to two analytical (hypothetical thinking) conclusions: 1) protonmail server can be compromised, verified smartphone app is more reliable in this aspect 2) for outside encryption protonmail allows to use weak passwords.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users