
Ciphire, A Transparent, Easy PGP Alternative

timothy posted more than 8 years ago | from the not-just-translucent dept.

Encryption 345

mixter writes "Hi. I'd like to point your attention to Ciphire, a fully free and soon-to-be-audited-OpenSource 'Global PKI' project I've been working on for the last three years. As the first three or four thousand geeks started using Ciphire and seem happy, with some tech articles written, I guess the /. community might find this interesting, too. Ciphire hopes to have solved the problems that prevented PGP from a broader deployment, with even higher security standards - as already confirmed by crypto experts Housley & Ferguson. More useful information, e.g. in Wired or in the Nerd^H^H^H^Hexperts FAQ."

Hygiene and Linux (0, Offtopic)

repruhsent (672799) | more than 8 years ago | (#11447798)

It started about a week ago. I'm a computer science major at a local university so I decided to give Linux a try. Up until now, I had been happy running Microsoft Windows XP Professional on my desktop, an x86 machine. I proceeded to gentoo.org and downloaded the newest release, burned it (a live CD), popped it in and rebooted my computer.

After a short boot, the system came up to a bash prompt. I started following the directions on the Gentoo site to compile the operating system from scratch. Hours passed; days, even. I ate, breathed and slept Linux these days. My system was finally back up and running, with the newest kernel and all the trimmings.

As time went by, I began to like Linux much more. However, I did begin to notice a disturbing trend; I began to skip showers. It wasn't that I didn't want to retain my hygiene; I just didn't have the time. Between recompiling my kernel to support keyboard input and recompiling X to display video output on two screens at once, I did not have time to take a shower. Not only that, but I didn't want to take showers.

After a month lacking a shower, I started to wonder, are there other Linux "enthusiasts" who have forsaken hygiene for their operating system? I found a local LUG to find out. Coincidentally, that night I stepped into a talk being given by Rob "CmdrTaco" Malda and Jon "CowboyNeal" Pater, with a special guest being Linus Torvalds, the author of Linux.

I asked them, when you began to run Linux full-time, what happened to your showering habits? They all responded to me in turn. Rob said that, being an ugly, zit-faced nerd all of his life, he never saw much of a point to taking showers. He said that they were "usless" and that "people in Europe didn't take them anyway, which is where Linus is from so it's all good."

Pater just stared at me blankly; apparently he did not understand the question. I began to think he might be having a medical problem of some sort when he quickly flipped out a hamburger from between his stomach rolls and chomped down on it, complaining about how difficult it was to fit his obese body in a shower stall.

Linus, however, had the most interesting answer. He told me about his childhood in Switzerland, the country of his origin. He said how it was a custom in Switzerland to not take showers; everyone was filthy in his home country. He watched people on television taking showers and wondered what it was all about, so he took one once on a weekend trip to Spain with his boyfriend at the time. He found it revolting; without the fumes caused by body odor, he could think clearly and not in his Swiss cheese induced haze. He began to hate those with proper hygiene and wondered, how could he stop it? How could he prevent the automaton of cleanliness from dominating the country?

His solution was simple. He was somewhat gifted on his feet and had a quick mind, and he had somewhat of an ability with programming and computers. He bought a plane ticket bound for Salt Lake City, Utah, in the United States. There, he infiltrated SCO's world headquarters and stole the source code to UNIX, SCO's operating system crown jewel. Back in Switzerland on holiday with his boyfriend, he changed a few variable names and repackaged it as Linux. But, in an effort to further his means, he took the features out of the operating system that were useful and replaced them with convoluted Makefiles and ncurses-based interfaces. These diversions were put in for one reason alone; to take up so much time that no one could run Linux and maintain the proper hygiene from showers.

Through an amazing amount of luck, Linux has permeated the Internet; but, its use does not come without a cost. Specifically, when we run Linux, we can't take showers. We can't brush our teeth. We can't comb our hair.

Why, you ask? Simple - because Linux is an operating system for people who don't take showers by people who don't take showers.

MOD PARENT UP (-1, Troll)

Anonymous Coward | more than 8 years ago | (#11447825)

Parent speaks the truth. Lunix users smell like shit!

GPG? (5, Insightful)

Anonymous Coward | more than 8 years ago | (#11447803)

What's wrong with the GNU Privacy Guard?

Re:GPG? (4, Insightful)

digitalchinky (650880) | more than 8 years ago | (#11447978)

Absolutely nothing. Ciphire might be 'the good guys' but how can you tell? Sure, they are 'going' to release their code, but what's in it right now?

Re:GPG? (1)

harky77 (852564) | more than 8 years ago | (#11448044)

that I couldn't get any chicks to use it;)

Re:GPG? (0)

Anonymous Coward | more than 8 years ago | (#11448048)

kmail has gpg integrated in to the program. unless you build your program in to kmail, I will not use it..

In order for mass usage you need to build a plugin for every mail program otherwise I'll just use gpg.

Re:GPG? (1, Interesting)

Anonymous Coward | more than 8 years ago | (#11448084)

learn to READ, it works with ANY email program, it is a proxy.

Very cool. (0)

Anonymous Coward | more than 8 years ago | (#11447806)

Good work man! I hope this all pulls through!

Commissioned review? (0)

Anonymous Coward | more than 8 years ago | (#11447811)

Or?

yeah right... (4, Insightful)

lordkuri (514498) | more than 8 years ago | (#11447812)

Ciphire hopes to have solved the problems that prevented PGP from a broader deployment

so how exactly are you getting it installed and turned on by default in Outlook and Outlook Express?

tell me I'm wrong if you want, but that's the only way you'll get Jane and Joe 6pack to use it.

Re:yeah right... (5, Funny)

dq5 studios (682179) | more than 8 years ago | (#11447820)

so how exactly are you getting it installed and turned on by default in Outlook and Outlook Express?


A new e-mail worm?

Re:yeah right... (1)

Ed_1024 (744566) | more than 8 years ago | (#11448107)

And does it help you if either the sender or receiver are using compromised systems? If this software can slip itself in between your client & services, who is to say some malware hasn't done this already... I know this is outside the scope of the project but I feel (no stats to back this up) that a large %age of REAL (not imagined) security problems lie inside the user's domain. You will get a warm, fuzzy secure feeling but has it actually improved matters much?

Re:yeah right... (1)

diegocgteleline.es (653730) | more than 8 years ago | (#11447838)

Outlook, does it really matter?

Hotmail is the problem, and can't be fixed.

Re:yeah right... (3, Interesting)

anaradad (199058) | more than 8 years ago | (#11447909)

Of course it matters. Outlook is the "approved" mail client at my work and throughout the business and educational world. If this program isn't installed by the Exchange admin or desktop support, it won't be used. Even if I wanted to use it at work, I couldn't.

Re:yeah right... (2, Interesting)

dmancity (852553) | more than 8 years ago | (#11447959)

all the more reason not to use either and instead to enhance your own security.

all computers should be sold with hardware and software firewalls, and pgp or a pgp like app built in. i wondered where phil zimmermann was (creator of pgp) and it's good to see he's still around. here's a quote from his homepage where he's asked about backdoors in pgp:

"Q: Are there any back doors in PGP? Come on, you can tell me, I won't tell anyone.

A: No. There never have been, and never will be, at least as long as I am associated with the product. I didn't go through all this trouble just to see my product become corrupted. Besides, we publish the source code, so you can check it yourself. "

http://www.philzimmermann.com/EN/faq/index.html [philzimmermann.com]

i knew there was a reason i trusted phil when i used pgp. and am glad to see he's still at it, and urge anyone who's not using it, to start.

Re:yeah right... (0)

Anonymous Coward | more than 8 years ago | (#11448178)

Why did NAI not publish the source of Version 7 was always the big question and that is when Phil was not with them anymore...

a better question (1)

foreverdisillusioned (763799) | more than 8 years ago | (#11447948)

What does Jane and Joe sixpack need with PGP encryption?

I mean yeah, I'd like to see other people take privacy more seriously--if nothing else, it helps protect those of us who already take it seriously (it's a needle in a haystack sort of thing)--but people would rather read their mail instantly than have to bother remembering yet another password.

Re:a better question (1)

airConditionedGypsy (703864) | more than 8 years ago | (#11447999)

read their mail instantly than have to bother remembering yet another password

A valid point. However, the gain may be worth the extra headache -- and since most POP clients already store your login password on disk and 'remember' it for you, storing a PGP passphrase would be no great trouble. If everyone had their own user account and this on-disk password was adequately protected, no big deal.

The point is to protect the communication in transit: consider someone emailing legal documents to their lawyer and other such scenarios. Or someone who is about to get canned from the company and wants to export evidence about bad practices or job discrimination. Sure they could use SFTP, but how many users actually have servers they can send stuff to? It is far easier to encrypt it and mail it to your home account, and the employer really can't detect that as abnormal.

So yes, encrypted email does have uses for joe and jane 30-pack. And I'd bet it's even more useful with things like the Patriot Act in existence.

Re:a better question (4, Insightful)

DrSkwid (118965) | more than 8 years ago | (#11448009)

ever heard the expression "secure by default"

encrypted email stands out from unencrypted email

If the bulk of email was encrypted then it is harder to determine that which is encrypted for a reason and that which isn't. This adds value to the use of encryption.

I don't really need to ssh between servers on my LAN or run my vnc sessions though an ssh tunnel or use scp when I could use Samba but I do, partly because it means I am using best practices so when I am in a situation where it is desirable I am familiar with the operation and am familiar with the tools I will need and not be sat there saying "bugger, I forgot to select 'use secure connection'".

I don't really need to lock my car every time I walk 10 yards from it to the cashpoint but I do because it is best practice.

Re:a better question (2, Insightful)

Alsee (515537) | more than 8 years ago | (#11448155)

Well one benefit is that if you get your social circle to adopt it as well you have a spamblocker. Any uncyphered mail can be flushed down the spambucket. And even if spammers started cyphering messages they can't forge the source, so ultimately you can flush any unapproved cypher source address down the spambucket.

-

Re:a better question (1)

harky77 (852564) | more than 8 years ago | (#11448190)

just found that on ciphire's forum, seems like a good reason: http://www.securityfocus.com/news/10271 [securityfocus.com]

Re:yeah right... (0)

Anonymous Coward | more than 8 years ago | (#11447977)

so how exactly are you getting it installed and turned on by default in Outlook and Outlook Express? tell me I'm wrong if you want, but that's the only way you'll get Jane and Joe 6pack to use it.

I really don't care if I get email, and I don't send email to, Jane and/or Joe 6-Pack.

Most, if not all of them, top-post replies, send email in HTML, and are general idiots. They can call me on my cellphone or use a letter and a stamp. I only use email with people with at least moderate computer skills. F the rest of them.

If someone is too lazy or stupid to use PGP, then they are worth the bits on my hard drive. There are plenty of people I correspond with who do take the time to "do it right", so I ain't missing out on these lamers that won't/can't.

Re:yeah right... (4, Informative)

WebCrapper (667046) | more than 8 years ago | (#11447980)

It's actually pretty simple. I figured it out just reading the "automatically" but I'll break it down for you. Directly from their website:

"The Ciphire Mail client resides on the user's computer between the email client and the email server, intercepting, encrypting, decrypting, signing, and authenticating email communication. During normal operation, all operations are performed in the background, making it very easy to use even for non-technical users."

I shouldn't have to explain it any further than that here on Slashdot. That's in the first paragraph of the Technical Explanation of how it works. Later on it lists:

"The Ciphire Mail client consists of three parts: the core client, a graphical configuration interface, and mail connector modules (redirector). Supported email protocols include SMTP, POP3, and IMAP4. The STARTTLS and direct SSL/TLS variants of these protocols are supported as well."

For anyone that didn't get the gist - it basically redirects your mail to its own "server process" sitting on your computer then sends it out to the normal SMTP server. This is using the same technology that the current Mail virus scanners use (Think Symantec), not new technology, just used in a different way.

On the reverse end, the "server" checks the mail and hands it to the email client making everything secure in between.

Pretty simple way of getting Jane and Jon Doe with OE to use it if you ask me. Granted, it needs to be installed by Admin on proper machines, but that shouldn't be too much of an issue for any company that would like to secure their email - especially if you explain and show your network admins that email is USUALLY a plain text security nightmare.
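The local-proxy arrangement described in the comment above, as an added example (not part of the original comment and not Ciphire's code): the sender's proxy tags outgoing mail, the receiver's proxy verifies it, and the mail clients stay unmodified. The header names, the key and the sample message are constructed, and an HMAC with a pre-shared key stands in for the certificate-based signatures, so this shows the proxy data flow only, including why the receiving proxy must strip any verdict header that arrives from the network.

```python
import hashlib
import hmac

# All names below are hypothetical; Ciphire's real wire format is not on this page.
AUTH_HEADER = b"X-Example-Auth"        # tag added by the sender's proxy
STATUS_HEADER = b"X-Example-Verified"  # verdict added by the receiver's proxy
SIGNED_HEADERS = (b"from", b"to", b"subject")


def split_message(raw):
    """Split raw RFC 5322 bytes into ([(name, value), ...], body).

    Folded header lines are unfolded so that a relay re-wrapping a long
    header in transit does not change what gets authenticated.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.split(b"\r\n"):
        if line[:1] in (b" ", b"\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + b" " + line.strip())
        elif b":" in line:
            name, _, value = line.partition(b":")
            headers.append((name.strip(), value.strip()))
    return headers, body


def join_message(headers, body):
    """Serialize headers and the untouched body back into one message."""
    head = b"".join(n + b": " + v + b"\r\n" for n, v in headers)
    return head + b"\r\n" + body


def drop(headers, *names):
    """Remove every header whose name matches, case-insensitively."""
    lowered = {n.lower() for n in names}
    return [(n, v) for n, v in headers if n.lower() not in lowered]


def compute_tag(headers, body, key):
    """HMAC-SHA256 over the selected headers (length-prefixed) and the body."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for wanted in SIGNED_HEADERS:
        for name, value in headers:
            if name.lower() == wanted:
                mac.update(wanted + len(value).to_bytes(4, "big") + value)
    mac.update(b"body" + body)
    return mac.hexdigest().encode("ascii")


def outbound(raw, key):
    """Mail client -> local proxy -> SMTP server: attach the tag."""
    headers, body = split_message(raw)
    headers = drop(headers, AUTH_HEADER, STATUS_HEADER)
    headers.append((AUTH_HEADER, compute_tag(headers, body, key)))
    return join_message(headers, body)


def inbound(raw, key):
    """POP3/IMAP server -> local proxy -> mail client: verify and report.

    The client trusts whatever the proxy hands it, so both proxy headers are
    removed before the verdict is written; a sender-supplied
    "X-Example-Verified: ok" must never reach the client.
    """
    headers, body = split_message(raw)
    claimed = [v for n, v in headers if n.lower() == AUTH_HEADER.lower()]
    headers = drop(headers, AUTH_HEADER, STATUS_HEADER)
    if len(claimed) != 1:
        status = b"unsigned"
    elif hmac.compare_digest(claimed[0], compute_tag(headers, body, key)):
        status = b"ok"
    else:
        status = b"failed"
    headers.append((STATUS_HEADER, status))
    return join_message(headers, body), status.decode("ascii")


# Constructed sample input, not taken from any real mailbox.
KEY = b"constructed-demo-key"
SAMPLE = (b"From: alice@example.org\r\n"
          b"To: bob@example.org\r\n"
          b"Subject: Quarterly report\r\n"
          b"\r\n"
          b"Please pay invoice 1001.\r\n")

if __name__ == "__main__":
    sent = outbound(SAMPLE, KEY)
    print(inbound(sent, KEY)[1])                                          # intact
    print(inbound(sent.replace(b"invoice 1001", b"invoice 9999"), KEY)[1])  # altered
    print(inbound(b"X-Example-Verified: ok\r\n" + SAMPLE, KEY)[1])        # spoofed verdict
```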

But will people use it? (2, Insightful)

Prophetic_Truth (822032) | more than 8 years ago | (#11447814)

I mean I know folks here on /. will find this cool and may actually use it for mail. But, when a portion of net users have a hard time remembering their email username and password, will this really take off? I mean PGP took off to a certain extent, but if you mention it to the average net user they look puzzled.

Re:But will people use it? (1)

Tim C (15259) | more than 8 years ago | (#11447896)

Why the hell was this modded flamebait? My father can't remember his *email address* half the time, let alone the password. There is absolutely zero chance he would ever use this, unless I could set it up for him such that he didn't have to do anything.

If he has to do anything extra at all, it just won't happen. True, he's not typical of PC users (he's in his 60s), but most are similarly mystified by such things. They don't want to have to jump through hoops to send and receive email - just click, type, click. If it's not that easy, it won't be used.

Re:But will people use it? (1, Insightful)

Anonymous Coward | more than 8 years ago | (#11447981)

My main problem with PGP was that I was never able to get anybody to use it, if this is really that easy, then I can finally tell my friends who don't want to know about my public key and their public key, to use it too. So now I go to their site and check it out. At least the site hasn't been slashdotted yet....

Shit (-1, Troll)

Anonymous Coward | more than 8 years ago | (#11447817)

Slashdot is gay

Why not just use enigmail with Thunderbird? (3, Insightful)

FyRE666 (263011) | more than 8 years ago | (#11447829)

The main problem this project will encounter will be gaining momentum. PGP already has a huge userbase and infrastructure. It's not that difficult to use for anyone technically minded, and you can already buy "idiot proof" versions to plug into Outlook (I believe). For anyone using Thunderbird, the enigmail plugin offers PGP for free, which works great.

Maybe I'm missing something?

Re:Why not just use enigmail with Thunderbird? (4, Insightful)

NoMoreNicksLeft (516230) | more than 8 years ago | (#11447857)

I agree, but I wish enigmail would be included in thunderbird by default. The thunderbird/firefox philosophy is to include only the essentials, right? Anything else should be a plugin/extension. Well, for email, I would think that pgp is an essential, and they need to consider it such.

Re:Why not just use enigmail with Thunderbird? (1)

gonzo-wireless (847083) | more than 8 years ago | (#11448111)

The plugin is the easy bit to install. It's the MINGW32 GPG code that's a hassle to set up; then you have the joys of creating keys with the command line. This will be too much for the average user, even if they find the enigmail plugin easy to install.

Re:Why not just use enigmail with Thunderbird? (1)

NoMoreNicksLeft (516230) | more than 8 years ago | (#11448201)

The enigmail gui allows you to create the keys. And I'm sorry, I just assumed we were talking thunderbird on linux.

Re:Why not just use enigmail with Thunderbird? (2, Informative)

Noksagt (69097) | more than 8 years ago | (#11448210)

For the windows impaired, there is WinPT [sourceforge.net] , which is both easy to install & has a GUI for key management.

Re:Why not just use enigmail with Thunderbird? (0)

Anonymous Coward | more than 8 years ago | (#11448232)

In fact, they could buy an ad in the NYTimes:

Introducing for the first time: Secure, SPAM-free email

You know, Apple style

Useless... (5, Insightful)

gst (76126) | more than 8 years ago | (#11447836)

And what are the advantages? We already have the OpenPGP standard which is implemented by GnuPG and PGP. People who prefer free software are able to use GnuPG which is licensed under the GPL. If someone prefers commercial software he can use PGP - it even comes with a nice GUI if you use it on Windows. So let's look at your product: Non-free, No-source code, not standards compliant, binaries only available for a limited number of platforms. So - in your posting you say "OpenSource" - on the webpage you write that you may publish the source in the future, but that it will only be free for non-commercial users. This is NOT OpenSource - see http://www.opensource.org/docs/definition.php for the definition what OpenSource means. Anyway, are there ANY advantages why I should even bother to download your product? Ah - don't mind - I just noticed that there aren't any LinuxPPC binaries, so I can't use it.

Re:Useless... (2, Interesting)

tomstdenis (446163) | more than 8 years ago | (#11447864)

Hold on there. Some valid complaints

- no source code
- no free

But the others

- not standards compliant
- GNUPG exists

are not really valid. First off, tell me. Which standards does PGP [or SSH and SSL for that matter] follow? They ALL started off as homebrew projects.

Maybe this format/protocol has improvements over PGP. [probably doesn't ... but who knows].

As for the fact that PGP/GNUPG exists... PGP is really just bloat ware and have you seen the GNUPG source code? It's really a nightmare and the maintainers [... Koch] are close minded little SOBs. They don't want to make the code more readable or maintainable. So long as it runs who cares right?

Tom

Re:Useless... (3, Insightful)

TedCheshireAcad (311748) | more than 8 years ago | (#11447890)

PGP is a known secure cryptosystem. Fact of the matter, there is no need for new cryptosystems. We already have PGP, RSA, and Rijndael. All are known secure to the limits of computability. What work really needs to be done is protocol analysis.

Re:Useless... (2, Insightful)

tomstdenis (446163) | more than 8 years ago | (#11447922)

PGP is a cryptosystem that implements the OpenPGP protocol. This program is taking things like AES and RSA and making a new protocol. It's not a new cipher design.

Though I too question some of their choices (2 layer encryption for instance...) the idea of a new system isn't a bad one.

Let's not forget that SSL, SSH, PGP were HOMEBREW!!! Who knows, someone may invent a system simpler, smaller, faster, more secure, more able, etc, in the future.

For instance, for what SSL does the standard is very complicated. I mean it verifies a cert, does key handshaking then encrypt/mac data. That's not complicated. why does it require a 70 page [non-programmer friendly] RFC to describe it?

I do agree that making something new for the sake of making something new isn't smart. And if that's what they did shame on them. But the fact is "new things" is what drives us anyways.

Tom

Re:Useless... (2, Insightful)

ckaminski (82854) | more than 8 years ago | (#11448029)

Because when 99% of the Internet infrastructure needs to be able to properly handle SSL, you leave nothing to chance; you spell EVERYTHING out. You'd think the TCP/IP Protocol would be fairly simple too, no?

Re:Useless... (4, Insightful)

khrtt (701691) | more than 8 years ago | (#11448005)

1. There is no such thing as a "known secure cryptosystem". "Thought to be secure" is not the same thing, as people have proven many times over.

2. PGP is not a cryptosystem - it's an application program. "Cryptosystem" means algorithm. It's the same thing as "cipher", essentially.

Re:Useless... (3, Insightful)

gst (76126) | more than 8 years ago | (#11447907)

RFC 2440 and RFC 3156 look pretty much like an IETF standard to me. See http://www.ietf.org/html.charters/openpgp-charter.html for further information.

As for the GNUPG point. As user I really don't care how the source code looks as long as it works. Further GNUPG seems more or less secure to me - there weren't that many security advisories yet.

And if you don't want it you can use PGP - there's a freeware version of it too.

So WHAT are the advantages of Ciphire?

Re:Useless... (1)

tomstdenis (446163) | more than 8 years ago | (#11447950)

"As for the GNUPG point. As user I really don't care how the source code looks as long as it works. Further GNUPG seems more or less secure to me - there weren't that many security advisories yet."

How many people have really audited it? I know of dozens of crypto/network/etc/hacker types [met at CodeCon] and I bet not a one of them actually has read a line of GNUPG source code.

Anyone who has talked with Koch would probably do the same thing I did and basically say "fuck you" and walk away.

The source code being messy [and incomplete] is just a symptom of a larger problem, that is, lazy developers.

When you have #defines [for instance] for AES_128 mode and they use constants in the code [instead of the defines] that's just an example of poor thinking. When they lack test vectors for the hashes and they don't force the check at startup [of the program] that's just more examples of shoddy thought process.

Sure GNUPG works and it's probably safe. So what? Fixing the code [as I did a while back in the series of patches I sent them] took three fucking hours. Whoopy. So you clean up the code and move on.

No, instead "it works" so they just leave it at that.

As for what Ciphire has in advantages? I don't know. I barely use the web-of-trust in PGP anyways [just to talk with my boss]. Chances are it's just another random design by someone thinking they're "smart".

Tom

Re:Useless... (1)

harky77 (852564) | more than 8 years ago | (#11448102)

and the security vulnerability that they found in GnuPG, where the maintainer had screwed up El-Gamal signing in there for years, was ONLY found in a COMMERCIAL AUDIT!!!

MOD PARENT DOWN! (0)

Anonymous Coward | more than 8 years ago | (#11447956)

Parent is a known canuck troll!

Re:Useless... (3, Informative)

justins (80659) | more than 8 years ago | (#11448035)

First off, tell me. Which standards does PGP [or SSH and SSL for that matter] follow?

http://www.ietf.org/rfc/rfc2440.txt

Re:Useless... (0)

Anonymous Coward | more than 8 years ago | (#11448060)

Which standards does PGP [or SSH and SSL for that matter] follow?

A number of RFCs have been published - 1991, 2246 and 3156 to name a few.

Maybe this format/protocol has improvements over PGP.

I just looked, and there don't seem to be any. The main gist of their website is that it is better than PGP, but they don't say how. In fact, they fail to mention that it has at least one major shortcoming, it doesn't implement a web of trust. The fact that it's binary only and not Free leads me to believe it's just somebody trying to hock their own proprietary application rather than somebody building a cryptosystem that anybody can use. That alone means I'm going to prefer PGP over their system.

Re:Useless... (1)

harky77 (852564) | more than 8 years ago | (#11448069)

If anybody were able to read the whitepaper, they would see the new thing, they build a CA/PKI which they cannot compromise themselves. Apparently the Russ guy, some IETF security area director, as they say, reviewed their protocols and he says that they are better than the existing ones. I don't think he would say that if it weren't true, now where are the specs?

Re:Useless... (1)

digitalchinky (650880) | more than 8 years ago | (#11448088)

Why should encryption schemes follow a standard?

If it's harder to exploit, then it must be better. If it breaks backward compatibility, well, that's the price of encryption. It's not meant to be easy, people that bitch about passwords being too complicated, are the very people that are the easiest targets.

They might think they have nothing to hide, but who are they to judge the value of their perceived insignificance.

U wasted my time Ciphire /. Eds u failed miserably (0, Troll)

gd23ka (324741) | more than 8 years ago | (#11447985)

License it under an OSI license and release the source code or quit wasting my time. If I can't get it free with source without "non-commercial use only" crap then get lost.

Slashdot editors: You failed your job miserably.

I find your ideas intriguing... (1, Funny)

MightyTribble (126109) | more than 8 years ago | (#11447844)

...and wish to subscribe to your newsletter! /Homer

Seriously - I don't like how my first encounter with your site is when it tries to set a passel of cookies. Get on that, would ya?

Re:I find your ideas intriguing... (0)

Anonymous Coward | more than 8 years ago | (#11447953)

bad cookies, evil cookies, go away you cookies...

Methodology for open sourcing it (2, Interesting)

vladd_rom (809133) | more than 8 years ago | (#11447848)

From https://www.ciphirebeta.com/about/facts.html :

Q: Are you going to publish your source code?
A: Yes. Once the code is stable and we've had independent code audits, we'll publish the source code.

Hmm, I wonder if this practice is popular among wanna-be open-source security projects. For a regular software project, I'd expect the normal cycle to be: open source it, gather feedback, improve it, and then repeat the cycle.

However, they seem to do it in another order. Is this due to the fact that it's a security product? I don't see why they would do things differently, because as far as I understand it's still an "under construction" project for "testing purposes" without any implied guarantees. More eyes on the source earlier means sooner quality product delivery.

Re:Methodology for open sourcing it (3, Insightful)

Daniel Ellard (799842) | more than 8 years ago | (#11447939)

This is a common problem for protocol-oriented tools of this type, at least if I correctly guess what they're thinking...

Such tools are useful iff their interface is rigidly defined. If it starts diverging into a dozen things that look similar but aren't entirely compatible, nobody will use any of them. If, on the other hand, the system is reasonably good at the start, the probability of major forks is reduced. So sometimes it's useful to keep such projects "closed" until it's stable and complete.

At least, I have heard such arguments made in the past. The other alternative is that the code is such an embarrassing mess that they don't want anyone to see it -- I've heard that argument made as well (heck, I've got code I plan to release someday myself, as soon as I get around to adequately commenting it...).

not really excited (3, Insightful)

l3v1 (787564) | more than 8 years ago | (#11447851)

I mean, get lost, telling us this is better than GPG won't make us run and start using this stuff. Easier to use for joesixpacks ? You mean taking GPG-key-control out of their hands and doing it in the background with some mail application ? No thanks. I know GPG, I trust GPG, I use it with many OSes and with many different applications, very easily, for both signing and encrypting. As many thousand of other people do. So you'd better think some really better arguments there, than in those linked articles.

OpenPGP? (0)

slavemowgli (585321) | more than 8 years ago | (#11447853)

Is it OpenPGP-compliant? If yes, what are the advantages it has over established solutions like GnuPG? And if not, why should we use it at all?

Try it out on management... (1)

Trull (95206) | more than 8 years ago | (#11447862)

I'll inflict erm install this on management PCs and see how long it lasts.

Ease of use is the prime and only consideration.

Torc

How is it free or open source? (5, Informative)

art6217 (757847) | more than 8 years ago | (#11447871)

From their pages: "Ciphire Mail will always be free for private users, non-profit organizations, educational institutions, and the press".

Re:How is it free or open source? (0)

Anonymous Coward | more than 8 years ago | (#11447920)

Read the https://www.ciphirebeta.com/about/facts.html [ciphirebeta.com] stupid.

Re:How is it free or open source? (1)

art6217 (757847) | more than 8 years ago | (#11448219)

This is exactly the page with that citation. Your comment seems to be disinformative in a way similar to that of the story text. Perhaps you'd need to read the Open Source Definition [opensource.org] .

Nerd, huh? (1)

Tim C (15259) | more than 8 years ago | (#11447873)

Yet not nerdy enough to use ^W?

Re:Nerd, huh? (0)

Anonymous Coward | more than 8 years ago | (#11447912)

He's probably a Windows user. In that case he should've put 'Click and drag over "Nerd", right-click, left-click delete'.

Re:Nerd, huh? (1)

DrSkwid (118965) | more than 8 years ago | (#11448043)

xchat changed their key bindings to the windows versions for xchat2

^w closed the channel instead of deleting the word

soon sorted that

su
pkg_delete xchat2

Does it have? (2, Informative)

Anonymous Coward | more than 8 years ago | (#11447875)

Whole disk SECTOR encryption? Virtual Volumes that we can mount as an NTFS folder?

PGP Whole Disk and PGP Disk functionality is a MUST. Without it, your alternative is not an alternative at all. NEXT PLEASE.

Is it GPG/PGP compatible? (1)

DoktorTomoe (643004) | more than 8 years ago | (#11447878)

I did not RTFA, but if not, I cannot tell my customers to use it no matter how easy to use it is - simply because I am not going to switch.

I'll stick to GPG and SSH protocols, thank you. (5, Interesting)

Spicerun (551375) | more than 8 years ago | (#11447887)

Gee, why I'm not enthralled with Ciphire protocols:

1) Another 'works perfectly program with WinXp, WinXX, etc.' that claims it will also support Linux/xBSD with no catches....where have I heard that one before?

2) Another Certificates laden protocol in the footsteps of SSL. (ie - you can have security if you pay us the megabucks for that 3 month term Certificate, but ignore those Certificates easily faked, etc.) I wish SSL would die instead of being a Certificate money making machine.

3) Another program that promises it will do everything SSH already does without the certificates....just buy a certificate to make Ciphire work.

snake oil (0)

Anonymous Coward | more than 8 years ago | (#11447888)

This is just snake oil by clueless security wannabes... Telltale sign: they dismiss OpenPGP as not being able to support the great security features they support, without elaborating on them. And how could you trust an email security system that exchanges messages with a central server? Come on!

Not OpenPGP Compliant and no Good reason (5, Insightful)

Equinox11 (712426) | more than 8 years ago | (#11447889)

I think this product would have been great if they would have made it OpenPGP compliant, and have a method of signing your keys for a particular email address (verify email address, send a web link, click on link and you're done). If they would have implemented all the automatic sender email matching, automatic decryption, automatic signing, etc. with the current (OpenPGP) standards it would be great.. You would already have a compatible userbase & everything. But as of now I have to support two standards, S/MIME and OpenPGP, when communicating with people.. Why would I want to recommend to a less technical friend a 3rd one? I'll just set them up with Thunderbird/Mozilla and Enigmail (http://enigmail.mozdev.org). If you haven't looked at Enigmail check it out.. I'm very impressed with it, and it works fine under Windows too.

who wants to be an early adopter?!?!!? (1)

justins (80659) | more than 8 years ago | (#11447892)

Okay, "soon to be audited" and "I've been working on for the last three years" in the same sentence don't really inspire confidence.

What a crock. (0)

Anonymous Coward | more than 8 years ago | (#11447895)

This doesn't solve any problems that exist in PGP, and it ties you into this company and their database of certs. I'll stick to something free, and not involving you having all the power.

choice of algos.... (2, Insightful)

tomstdenis (446163) | more than 8 years ago | (#11447903)

First off, encryption is done in two layers. With a 2048bit RSA and ElGamal key [both of which can be solved with GNFS ... in a shitload of time]. They encrypt the data with AES in CBC-HMAC mode (??? HMAC is not an encryption algo) then Twofish in CCM mode. ... WTF???

First off, you MAC the ciphertext since it's gonna be exposed anyways. Second... CCM mode? WTF? CTR mode is simpler.

It's like they went out of their way to overly complicate the process.

Tom

Re:choice of algos.... (0)

Anonymous Coward | more than 8 years ago | (#11448234)

cbc-hmac and ccm are not really algos, granted,
call it 'thingies' or whatever that encrypt and sym. authenticate

CTR does not sym. authenticate

encryption does not make sense without authentication,
as proven various times
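The point the two comments above argue over (MAC the ciphertext; counter mode by itself does not authenticate), as an added example that is not part of either post and not Ciphire's code. HMAC-SHA256 stands in for the AES block function so the sketch needs only the Python standard library; the keys, the sample message and all function names are constructed for illustration.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream. ASSUMPTION: HMAC-SHA256 stands in for the
    AES block function so this runs on the standard library alone."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256)
        out += block.digest()
        counter += 1
    return bytes(out[:length])


def ctr_xor(key, nonce, data):
    """Encrypt or decrypt: counter mode is the same XOR both ways."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))


def seal(enc_key, mac_key, plaintext):
    """Encrypt-then-MAC: the tag covers nonce and ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    ct = ctr_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(enc_key, mac_key, blob):
    """Verify the tag in constant time before touching the ciphertext."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return ctr_xor(enc_key, nonce, ct)


def modify_in_transit(data, offset, known, wanted):
    """Model of a modified message: XOR (known ^ wanted) into the bytes."""
    out = bytearray(data)
    for i, (k, w) in enumerate(zip(known, wanted)):
        out[offset + i] ^= k ^ w
    return bytes(out)


def demo():
    enc_key, mac_key = os.urandom(32), os.urandom(32)  # independent keys
    message = b"PAY 0100 TO ALICE"                     # constructed sample

    # Counter mode alone: the altered ciphertext decrypts without complaint.
    nonce = os.urandom(NONCE_LEN)
    ct = ctr_xor(enc_key, nonce, message)
    silent = ctr_xor(enc_key, nonce, modify_in_transit(ct, 4, b"0", b"9"))

    # Encrypt-then-MAC: the same alteration is rejected before decryption.
    blob = seal(enc_key, mac_key, message)
    altered = modify_in_transit(blob, NONCE_LEN + 4, b"0", b"9")
    try:
        unseal(enc_key, mac_key, altered)
        rejected = False
    except ValueError:
        rejected = True
    return silent, unseal(enc_key, mac_key, blob), rejected


if __name__ == "__main__":
    print(demo())
```

Without the tag the receiver gets a different amount and no error; with the tag over nonce and ciphertext, the altered message never reaches decryption.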

This is it. (0, Offtopic)

A beautiful mind (821714) | more than 8 years ago | (#11447923)

I'm planning for a while now to make a website about slashdot's articles. To list stories that get marked as lie/misinformation/slashvertising/dupe/tripe in the first few posts on a page with possible user action to mark them, etc. I might even code a dupecheck.pl. Any ideas/suggestions/solutions are welcome or a URL which points me to an already existing site like this. I'm fed up with the poor editorial work and I want to back up my reasoning with statistics. You could even see in the long run who posts the most dupes, or even implement a game to guess who's the next dupe poster :) This is all fantasy yet, if I get positive feedback I'm going to definitely do this.

Re:This is it. (0)

Anonymous Coward | more than 8 years ago | (#11447986)

Positive Feedback

Re:This is it. (0)

Anonymous Coward | more than 8 years ago | (#11448013)

Cyberarmy? AHAHAHAHAHAHA. Yet another one of those hanger-on groups of losers attempting to identify themselves as some sort of "revolutionaries."

Exactly how much has your "army" done for the Internet lately?

Re:This is it. (0)

Anonymous Coward | more than 8 years ago | (#11448113)

You are a... [wikipedia.org]

The way I see it (2, Insightful)

Dorsai65 (804760) | more than 8 years ago | (#11447924)

it's another way to get signed/encrypted email into the hands of more people - whether they're geeks, or not. If it gets a few more people using some kind of authentication for email, then it's another strike against spammers/VXers; surely, it can't be all that bad, then, can it?

Sure, it isn't GPG, PGP, or any of the more "traditional" encryption programs. But then, how many Joe/Jane Sixpacks do you know that use those, either? From reading the article, it seems to greatly simplify the process of installing and using email signing/encryption, and that's something that I've run into trying to get people to use GPG/PGP: "It's too complicated; I have to remember too much stuff".

It looks like the security of it is being vetted, even if the source isn't as open as some would like (yet). Fine, it isn't "perfect" from a geek point of view, and it still has a way to go before it'll work on more email clients - but it's a start at de-geeking email crypto, which is something that can only help.

Re:The way I see it (1)

lachlan76 (770870) | more than 8 years ago | (#11447976)

Remember what? Just a passphrase...

But can anyone make webmail more secure? (0)

Anonymous Coward | more than 8 years ago | (#11447935)

Most people I know use Yahoo, Hotmail, Gmail, or some other webmail program as their main email client. on a server and accessed through an insecure connection. You can always cut-n-paste GPG/PGP encrypted text into the message form and send that, but it's a hassle.

Ciphire is another feasible solution for people who use desktop email clients. But it doesn't change the big picture. The problem with widespread acceptance of encryption? Most web users don't use email clients. Right now I'd guess that the only way public-key encryption is going to become standard would be if Google finds a way to implement it in Gmail.

Re:But can anyone make webmail more secure? (1)

NotoriousQ (457789) | more than 8 years ago | (#11448205)

Implement a firefox extension that will replace a text in a textarea with PGP encrypted / signed text before it is submitted.

Decrypting sounds even easier as long as the messages are not modified by the html renderer.

Sounds like a nice project for the enigmail folks.

Only one question needs to be asked: (1)

Simon Garlick (104721) | more than 8 years ago | (#11447993)

Is the source available? If not, it's snake oil.

Transparent? Easy? (3, Insightful)

Kickasso (210195) | more than 8 years ago | (#11448018)

Fuggedaboutit. There's a central server with an account for each user. There's a new GUI mail client (!) There's no compatibility with existing formats like S-MIME or PGP/GPG. Thanks, but no thanks.

Corporate Support (1)

GarfBond (565331) | more than 8 years ago | (#11448055)

This looks quite interesting... It makes the whole "here's my public key, now you give me mine" process much more simplified and transparent, which is really the big problem with PGP. Although pgp keyservers make this a little simplified (especially the new PGP beta server, it looks slick https://keyserver-beta.pgp.com/), the end user still has to actively search out public keys for their contacts.

However, as with all things, corporate acceptance is probably going to be pivotal for this, especially as corporations are probably much more concerned about security than the average user. I haven't downloaded a build yet, but make it possible for corporations to set up their own internal key servers, and allow the software to specify which keyservers it should upload/negotiate with first. Although I'm sure setting up a keyserver is possible, I still don't know how I would be able to set one up for, say my school, if I wanted to. You might even be able to sell a license for the keyserver and keep the basic software free, though you would probably get bonus points if the whole thing was OSS.

Doesn't sound good yet (1)

color of static (16129) | more than 8 years ago | (#11448066)

Looks like it uses a CA approach, so it is secure as long as you trust them. They go to great lengths to talk about their paranoia, but it doesn't all sound right (why talk about wooden blocks?).
They use RSA with a 2k key, and DSA with a 2k key. If they are that worried about DSA why not worry the same about RSA (1K DSA is probably stronger than 2k RSA). They use Elgamal, but don't talk about how they avoid the cipher's weaknesses (a problem the PGP community has struggled with for a long time).
Sounds like engineering towards executive summaries to me. They need to provide the protocol for public review before I spend any time using it.

Re:Doesn't sound good yet (0)

Anonymous Coward | more than 8 years ago | (#11448119)

Did you read their review, it seems they have very good reasons, me is still fumbling with this strange fingerprintlist, though.

Re:Doesn't sound good yet (0)

Anonymous Coward | more than 8 years ago | (#11448172)

if you don't trust SHA1 - you won't trust std. DSA

don't put a single bit of guessable plaintext into
ElGamal and you are basically down to a DH
- and, don't sign with ElGamal

S/MIME, anyone? (1)

andrew71 (134546) | more than 8 years ago | (#11448067)


(Disclaimer: I admit I just gave a quick look)

Don't compare this solution to GPG/PGP since the key distribution and trust models are different.

But how is this different from working with S/MIME and a (supposedly free) CA?

-----BEGIN PGP MESSAGE----- (3, Funny)

Anne_Nonymous (313852) | more than 8 years ago | (#11448079)

-----BEGIN PGP MESSAGE-----
Version: PGPfreeware for non-commercial use

----- END PGP MESSAGE-----

Translation (1)

ggvaidya (747058) | more than 8 years ago | (#11448112)

FRIST POST!

naah, not really ... anyone?

Re:-----BEGIN PGP MESSAGE----- (0)

Anonymous Coward | more than 8 years ago | (#11448132)

Yes.

Why does this even make the front page ? (1)

Tetard (202140) | more than 8 years ago | (#11448099)

Every month, Bruce Schneier's Crypto-Gram reviews security products, events, and technologies. There are tons of people out there who claim to have invented better, easier to use crypto.

But as it has been mentioned already, until the source code is available, there is no incentive for people to try a closed source application in order to review how solid it really is, especially when dealing with data encryption. At best, it will help the vendor improve their usability (which seems to be their target anyway).

And even when the source code does get released (under what license!), it'll still have to deal with S/MIME and OpenPGP standards...

Why? (1)

Tethys_was_taken (813654) | more than 8 years ago | (#11448106)

Why is there so much negativity here?

I understand that PGP, RSA et al are sufficient for current encryption, but this might prove to be different and advantageous. Slashdotters in general like diversity, right? IMO it shouldn't be any different for this.

Of course, there may be problems, but many new technologies have those. I see no reason to trash it like most of these posts seem to be doing :(

PS: This may sound like a plug, but I'm not affiliated in any way.

Re:Why? (1)

Spicerun (551375) | more than 8 years ago | (#11448156)

"Of course, there may be problems, but many new technologies have those."
What new technologies are in Ciphire? I haven't seen any new technologies mentioned in it.

Standards are still good. (0)

Anonymous Coward | more than 8 years ago | (#11448179)

This requires you to sign up to an account with them, and they maintain control of certs for everyone. You can only communicate securely with other people who also sign up with them. This is plenty of reason for hostility. There was no reason at all not to be openpgp compliant, and I think people would welcome an alternative implementation of an open standard like that. But trying to convince people to use a centralized scheme where some company has full control is not a good plan.

free as in "free beer"? (5, Informative)

g2ek (852570) | more than 8 years ago | (#11448116)

2. LICENSE GRANT

(a) Subject to all of the terms and conditions set forth in this Agreement, Licensor grants to Licensee a non-exclusive, personal, non-transferable, non-sublicensable right, during the term of this Agreement, to use the Software, and the Services solely for Licensee's own Personal Use and in accordance with the applicable documentation and instructions made available by Licensor.

(b) In no event shall Licensee distribute, display, or otherwise make available to any third party, the Software (including any copy, portion, extract, or derivative thereof).

(c) Licensee shall not, and shall not assist, enable or otherwise permit or allow any third party to, (i) alter, adapt, modify, translate, create derivative works of, (ii) except to the extent expressly permitted by mandatory applicable law notwithstanding an agreement to the contrary, decompile, disassemble or otherwise reverse engineer or attempt to derive the source code of, or any technical data, know-how, trade secrets, processes, techniques, specifications, protocols, Key and data-formats, methods, algorithms, interfaces, ideas, solutions, structures or other information embedded or used in, (iii) rent, lend, loan, lease, sell, distribute or sublicense, or (iv) remove, alter or obscure any proprietary or restrictive notices affixed to or contained in, the Software or any copy, portion, extract or derivative thereof. In addition, Licensee shall not provide, disclose or otherwise make available the Software or any copy, portion, extract or derivative thereof, or permit use of any of the foregoing by or for the benefit of any third party (including, without limitation, on a hosting, service-bureau, time-sharing or subscription service basis).

(d) The Software is licensed as a single product package and Licensee shall not, and shall not assist, enable or otherwise permit or allow any third party to, separate the Software, or use any component parts thereof other than as part of the Software as and in the form provided by Licensor.

(e) Licensee shall not use the Software other than in connection with the Key-Data and the Services provided by Licensor under this Agreement.

https://www.ciphirebeta.com/about/eula.html

Concerns -- answers please (1)

blahbooboo (839709) | more than 8 years ago | (#11448118)

Two concerns that I have now:
1) This is beta. The license is for beta. It is to be for OpenSource(?) But, what if everybody installs and uses it only to find later that there is a fee? (No big deal, I say.)

2) Privacy. The license agreement clearly spells out that they can collect and use "personally identifiable information" as they wish. (NOT good.)

Call me paranoid (1, Interesting)

Anonymous Coward | more than 8 years ago | (#11448147)

"Q: How are you financed?
A: By some very unusual business angels. For the time being they wish to sit in the background."


and "Our commitment is to publish the source before the end of 2005, hopefully sooner than later."

I'd like to know if the "business angels" are, in fact, certain agencies of the government. That would be clever. Let everybody use the so-called encryption that only they can break, and then, after they've caught all the "subversives", they never release the source code. Gotcha!

After the source is released, and after everybody has had a chance to see it, then I might think about using it.

Perhaps I'm paranoid but (1, Insightful)

Anonymous Coward | more than 8 years ago | (#11448195)

I'm always suspicious when a technical review plays misleading word games. Here's an excerpt from their expert review pdf (page 18) :

"With encryption solutions using PGP or S/MIME, an unsigned email message allows an attacker to forge the originator's identity even if the message is encrypted. The recipient cannot easily detect the change in the originator. However, in the Ciphire system, encryption includes authentication information. The session key used to encrypt the email message is digitally signed by the sender for every layer of encryption."

Although a technically accurate statement, it is highly misleading by comparing signed versus unsigned functions and implying a deficiency in GPG where none exists. GPG/PGP supports the same signing ability.

Example of Freedomware and Open Source (0)

Anonymous Coward | more than 8 years ago | (#11448207)

There's nothing like free advertising for an unFree product on /. 3 cheers to /. editors.

If a project tries to hide its license (not in front page, nor in FAQ,) there's a good chance it's a non Free EULA. It's funny you call it Open Source when no source is available, and your "2. LICENSE GRANT" should be changed to "2. LICENSE RESTRICTION".

Freedomware license example, and it's easy to read and understand:

Copyright (C) 2005 Freedomware. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of the project nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Open Source example - difficult to read and requires knowledge of law to understand:

http://www.gnu.org/licenses/gpl.html

FingerPrintList (1)

harky77 (852564) | more than 8 years ago | (#11448213)

Did anyone read the part about the Ciphire fingerprints? That is somehow supposed to make their CA/PKI uncompromisable. Or am I seeing something wrong? It's in that review and they also say that they have invented the first PKI that they themselves cannot efficiently compromise. So what is that darn Ciphire Fingerprint system? Anybody care to explain?

Big Giant Red Flag (1)

Speare (84249) | more than 8 years ago | (#11448224)

Is it just me, or does anyone else have 140 dB klaxons going off in their head when they read "soon to be audited" and "working on this for years" with regards to a cryptography project? Nobody should be insular when they're developing crypto. Ask for feedback regularly and work with the community from day one.

Web Mail (0)

Anonymous Coward | more than 8 years ago | (#11448238)

It seems to me that so many mainstream people these days are using webmail, and checking their mail from all over the place - not just their own computers. So, if I can only sign my mail from my own computer, it's not going to be very effective (would people ignore my mail when it's not verified?) Until we have some type of easy, dongle-based mechanisms, I don't see how this can be very effective.