Message Encryption

There is a lot of talk lately about encrypted messaging services. Moxie Marlinspike is talking about making one, John McAfee is talking about it. And most importantly the federal government is serving subpoenas to get a piece of the pie as well. Now I believe these individuals and many others are capable of developing a secure encrypted messaging service, but if you have a message you don't want others seeing, you best not rely on third party applications to do the dirty work for you.

In a perfect world the people who made and host the messaging service could not possibly read the plain text messages. If the service can't read them, then even if it were subpoenaed or compromised your messages would not be exposed. Well, it is not a perfect world, and can you really afford to trust that this is the case? Maybe if you were using the services purely for novelty purposes this wouldn't bother you, but that accomplishes nothing more than wasting your time.

Amidst all the finger pointing there exists a perfectly viable solution. One that, at the time of writing, cannot be compromised and that can be implemented into the accounts and services you already use. It is called OpenPGP. You can grab the software, GPG, from the GnuPG website. To begin sending and receiving encrypted messages you only need to generate a public and private key pair. The public key you share, like this one: Ben's Key. Then to send me an encrypted message you just need to tell the GPG software to encrypt a plaintext message using my public key; once that is done it can only be decrypted with my private key. I can then send a response encrypted to your public key.

Through this method we can both be assured that the only messages exposed to our service providers are encrypted; if someone other than the intended recipient got hold of them they would be useless. No need to root out which secure message provider is vulnerable, you only have to do the encrypting yourself. Given a true need and not just novelty, I don't know why anyone does it any other way, and hell, even for novelty value OpenPGP is a lot more interesting than some application that hides all the back end work.

You may be thinking this is all too difficult: "I don't want to jump through any hoops to send Bob my secret message!" My only response to that is that if you truly want the message to remain secret this is a small price to pay. If you want to leave the dirty work to someone else, then it's no skin off my back, but don't be surprised when the secret message isn't so secret. In fact it really isn't even that much work to implement this for your email messages; you can get a Thunderbird plugin that makes it all a point and click process. For text messages you only have to go through the extra step of encrypting the message before you send it, and I'm sure there are applications available that can do this as seamlessly as the Thunderbird plugin.

The most important thing to keep in mind is that the application is using public key encryption and is encrypting the message before it sends. Don't just take claims at face value; investigate and see whether it is actually doing what they say it does. If you can't answer that definitively, you are better safe than sorry by sticking to the tried and true method of doing it yourself.
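The "do it yourself" workflow from the OpenPGP section above (generate a key pair, share only the public key, encrypt to the recipient's public key, decrypt with the private key) and the "look for yourself" check from this last paragraph, done by hand with the gpg command line tool. This is an added example, not code from the original post; it assumes GnuPG 2.x is installed, and the two parties "alice" and "bob", their example.test addresses and the message text are constructed for the demo. Everything runs in throwaway keyring directories so nothing touches your real ~/.gnupg.

```shell
#!/bin/sh
# Added example (not from the original post): the OpenPGP workflow with gpg.
# Assumes GnuPG 2.x; alice/bob and the example.test addresses are constructed.
set -eu

gen_key() {  # gen_key <homedir> <user id>: unattended key pair generation
    # Empty passphrase only so the demo runs non-interactively; use one for real keys.
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$2" default default never 2>/dev/null
}

pgp_setup() {
    # One isolated keyring per party, like two people on two machines.
    ALICE_HOME=$(mktemp -d); BOB_HOME=$(mktemp -d)
    chmod 700 "$ALICE_HOME" "$BOB_HOME"
    export ALICE_HOME BOB_HOME
    gen_key "$ALICE_HOME" 'alice <alice@example.test>'
    gen_key "$BOB_HOME"   'bob <bob@example.test>'
    # Bob shares only his PUBLIC key; the private key never leaves his keyring.
    gpg --homedir "$BOB_HOME" --armor --export bob@example.test > "$ALICE_HOME/bob.pub.asc"
    gpg --homedir "$ALICE_HOME" --batch --quiet --import "$ALICE_HOME/bob.pub.asc" 2>/dev/null
}

pgp_encrypt() {  # pgp_encrypt <recipient> < plaintext ; prints ASCII-armored ciphertext
    # --trust-model always skips the key-validity prompt for the demo. In real use you
    # verify the recipient's fingerprint out of band rather than bypassing that check.
    gpg --homedir "$ALICE_HOME" --batch --quiet --trust-model always --armor \
        --recipient "$1" --encrypt 2>/dev/null
}

pgp_decrypt() {  # pgp_decrypt <homedir> < ciphertext ; prints plaintext
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --decrypt 2>/dev/null
}

pgp_undecryptable_by() {  # pgp_undecryptable_by <homedir> < ciphertext
    # Succeeds only if this keyring (which lacks the matching private key) CANNOT read it.
    if gpg --homedir "$1" --batch --quiet --decrypt >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

pgp_count_recipients() {  # < ciphertext ; prints how many public keys can open it
    # The check the post asks for: inspect the packets instead of trusting a claim.
    # A message really encrypted to a public key carries a "pubkey enc packet" per recipient.
    gpg --homedir "$BOB_HOME" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --list-packets 2>/dev/null | grep -c 'pubkey enc packet' || true
}

pgp_cleanup() {
    for h in "$ALICE_HOME" "$BOB_HOME"; do
        gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true
        rm -rf "$h"
    done
}

main() {
    pgp_setup
    printf '%s' 'meet at the usual place, noon' | pgp_encrypt bob@example.test > "$ALICE_HOME/to_bob.asc"
    echo '--- what the service provider sees ---'
    cat "$ALICE_HOME/to_bob.asc"
    echo "--- public keys that can open it: $(pgp_count_recipients < "$ALICE_HOME/to_bob.asc")"
    echo "--- Bob decrypts: $(pgp_decrypt "$BOB_HOME" < "$ALICE_HOME/to_bob.asc")"
    # Alice encrypted it but is not a recipient, so even she cannot read it back.
    if pgp_undecryptable_by "$ALICE_HOME" < "$ALICE_HOME/to_bob.asc"; then
        echo '--- Alice (no matching private key) cannot decrypt: as expected'
    fi
    pgp_cleanup
}
main
```

The ciphertext printed between the BEGIN/END PGP MESSAGE lines is all a mail or messaging provider ever sees; `--list-packets` on it is the quickest way to confirm a message is genuinely encrypted to a public key and to exactly whom.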