I installed delta.chat on my phone, to play with, nudged by Frank’s posting. It’s a E2E encrypted chat application with a twist: it uses e-mail as infrastructure. You set it up like an e-mail client, giving it access to one of your e-mail accounts. It will then use your e-mail account to send PGP encrypted messages.

So it’s actually a tool that brings you encrypted mail without the usual hassle of PGP set-up. Because it uses mail, you can find your messages in your regular mail archive (but encrypted), and you can contact anyone from the app if you have an e-mail address. The first message you send will be unencrypted (because you nor the app knows if the receiver has delta.chat installed), afterwards it will be encrypted as the app will have exchanged public encryption keys. Using e-mail means it’s robust, it doesn’t suffer from ‘there’s noone on here’ and there’s no silo lock-in. It also doesn’t need your phone number. It does ask for access to your contacts, which I denied as it is not at all a given that people will run delta.chat with the e-mail addresses they normally use.

I’ve tied it to my gmail address for now (ton dot zijlstra at gmail, ping me on delta.chat if you use it), because I wanted to have an easy interface to check what is going on in my inbox, and I have gmail on my phone anyway (even if I don’t use it for anything). I may switch over to a dedicated e-mail address later.

Some screenshots to illustrate:


How my initial exchange with Frank looked in Delta.chat


How my message to Frank looked in my mail. As it’s the first message it was unencrypted.


How I received Frank’s reply, which has an encrypted attachment.


The encrypted attachment when opened in a text editor shows it’s PGP.

I haven’t explored whether I can export my keys from Delta.chat. If you can’t, without Delta.chat I have no way of opening them. It’s a local tool only, so I suspect I might be able to get access to the keys outside of the app.

Favorited net.wars: Dirty networks by Wendy Grossman

Wendy Grossman makes a good point. Encrypt, encrypt, encrypt as the way forward, while assuming all tech is ‘dirty’. It will nicely up the price too for dragnet surveillance, pushing the three letter outfits towards focusing on needles again, not ever larger haystacks.

In other words, the essential question is: how do you build trusted communications on an untrusted network? The Internet’s last 25 years have taught us a key piece of the solution: encrypt, encrypt, encrypt. Johnson, perhaps unintentionally, has just made the case for spreading strong, uncrackable encryption as widely as possible. To which we can only say: it’s about time.

Wendy Grossman

Bookmarked Russia blocks encrypted email provider ProtonMail

It obviously makes no sense to block the mail system if you disagree with some of the letters sent. The deceptive method of blocking used here, targeting the back-end servers so that mail traffic simply gets ignored, while Russian Protonmail users still seemingly can access the service, is another sign that they’d rather not let you know blocking goes on at all. This is an action against end-to-end encryption.

The obvious answer is to use more end-to-end encryption, and so increase the cost of surveillance and repression. Use my protonmail address as listed on the right, or use PGP using my public key on the right to contact me. Other means of reaching me with end-to-end encryption are the messaging apps Signal and Threema, as well as Keybase (listed on the right as well).

Russia has told internet providers to enforce a block against encrypted email provider ProtonMail, the company’s chief has confirmed. The block was ordered by the state Federal Security Service, formerly the KGB, according to a Russian-language blog, which obtained and published the order aft…

Techcrunch

Good to hear Protonmail, next to their own encryption, now also supports PGP.

You don’t need encryption you say? Apart from that itself being debatable (after all you do expect encryption for a wide range of your online transactions), think of it as herd immunity. If only those who need encryption to be safe (investigative journalists for instance, or dissidents) use it, that in itself makes them a visible target. The more normal it is to use encryption, the more it helps those whose lives depend on it. Don’t think that is a remote issue. In the EU for instance, journalists do get murdered when investigating corruption and fraud.

Getting a SSL/TLS-certificate for your website has always been a hassle as well as costly. However increasing the amount of default encrypted web traffic is important both in terms of website safety as well as in terms of privacy (when you submit information to websites). The cost and hassle kept most non-commercial websites from using certificates however. Until now. Because now there is Let’s Encrypt, which makes it very easy to add certificates to your website. For free.

When I started using a VPS two years ago to serve as my cloud and as a Dropbox replacement, I needed a certificate to make sure the traffic to my cloud was encrypted. The VPS originally came with one, but that expired after a year. Since then I’ve added a renewing certificate from Comodo (the largest provider at the moment), which I got for a one-time payment as a lifetime service from my VPS provider. But for a range of other domains I use, both hosted on my VPS as well as in various hosting packages with a Dutch hosting provider, I never bothered getting a https certificate, because it was too much work and too expensive to keep up. There already were free certificates available, such as through the Israeli StartCom which I used for one or two domains, but I never felt certain it was secure as a service (it turns out it’s small buth 7th globally, and has received some serious criticism).

<
Arranging and renewing certificates can be a pain, even if you’re Symantec, the world’s second certificate provider. (image Lars K. Jensen, CC-BY)

Let’s Encrypt changes all that. Because they are strongly community driven, amongst other with support by the Electronic Frontier Foundation, and because they are going the route of getting their root certificate independently recognized and be a full certificate authority. Currently they use IdenTrust’s (5th globally) existing trusted root certificates, but the Let’s Encrypt root certificate has now been recognized by Mozilla, and they’re working to get it recognized by Google, Apple, Microsoft, Oracle et al. This would increase the independency of Let’s Encrypt. Let’s Encrypt says the growth rate of https traffic has quadrupled since the end of 2015, in part through their efforts. Their certificates are used at over 8 million websites now.

I’ve added a range of my own sites to those 8 million. For the domains on my own VPS that didn’t have valid certificates yet, they were easy to install. I used SSLforFree to generate the Let’s Encrypt certificates, based on me providing proof I have full control over the domains I seek to protect. Then I added the certificates to the domains using the WHM control panel of my server. Certificates are valid for 90 days, but I can set them to auto-renew, although I haven’t done that yet.

For the domains not hosted on my VPS, such as this one for my blog, I depend on my Dutch hosting provider (as I don’t have root access to install certificates myself, although I have full control over the domains such as its DNS settings.) Luckily recently they have started offering auto-renewing Let’s Encrypt certificates (link in Dutch) as a free service for each of the domains you host with them, because they recognize the importance of secure web traffic. All it took was opening a ticket with them, listing the domains I was requesting certificates for. Within two hours eleven certificates were created and installed.

So, from now on you can get my blogpostings from https://zylstra.org/blog.

this blog now with https