Sunday, March 25, 2012

GPG Encryption - Attention in the details

I was working the other day, after setting up a new computer. When I noticed a strange item on the mailserver...the unencrypted copy of an encrypted message I had sent.

I realized later that it was the setting inside the mail client that had set "fcc_clear" option set. There was a simple option to deactivate it. Let me explain a bit the logic.

The reason you might wish to store a clear, plain text copy of your outgoing encrypted email, is that if the message is encrypted to a key that is _not_ yours, you won't be able to decrypt it later. So to be able to see, what you wrote in your last encrypted message to someone else, it saves a copy in the clear.

The problem then enters the room. When your message is actually being saved to a network server, it is just as subject to compromise by the forces of evil as the corporate monster. So, my point being, that you should be vigilant about the software you are using and suspicious of any new or unknown computer system.

I've personally gone to signing all of my emails with gpg both personal and professional as a point of guarantee of origin. Mobile is possible, but I'm working on the easiest/best way to manage that. I would HIGHLY recommend that everyone look to make it a part of their email life. If we get a critical mass of real people signing emails, we can start making that a receipt condition and watch the spam just stop.


No comments: