FAQ: Technical Questions & Answers
What are GoodCrypto's security features?
Encrypts content and metadata It's easy to understand how someone who can read your mail gains a lot of valuable information about your business deals, financial data and more. As articles in The Guardian and Wired showed, metadata (i.e., sender and recipient addresses, subjects, etc.) reveals much more private information about you than you might realize. The ex-NSA chief admitted that "We kill people based on metadata." GoodCrypto lets you protect both metadata and content.
Mixes and packetizes messages to resist both network and traffic analysis You can protect your connections with others even more by using GoodCrypto's bundling and packetization. Messages between two domains are sent in padded and encrypted bundles on a regular schedule. So no one knows which individuals in the companies are communicating, how often, or even whether messages are long or short. GoodCrypto encrypts each individual message, then periodically bundles all messages that are going to the other domain, pads the new combined message, and finally encrypts the entire bundle. If no one has a message for the other domain, GoodCrypto still sends a padded encrypted message. Snoops don't know if anyone is actually talking.
Pins keys GoodCrypto includes the sender's key in the header of every message. Whenever a message arrives from someone else using GoodCrypto, the key is verified that it matches the key in your local database. That way someone can't fake sending an encrypted message from someone else.
Blocks web malware GoodCrypto's web proxy strips images and other malware vectors so your users' computers aren't infected.
Resists user tracking Everyone's web requests can automatically be routed through Tor so it's difficult to track what sites users visit. By sharing the same Tor connection, everyone in your company's web activity is aggregated which amplifies the protection against tracking of online activity.
Your administrator runs our software on your server We strongly recommend that you install your GoodCrypto private server on a headless machine. It is fully self-contained with no SSH access. Your administrator manages your GoodCrypto private server via the web with no interface to keys, passphrases, or messages.
All encryption and decryption happens on your servers. Your administrator manages your mail just like always.
All private keys and passphrases stay on your server You don't need to trust any thirdparty. You can secure your GoodCrypto private server to meet your standards -- not rely on others.
Any government requests for encryption keys comes to your company so you'll know if the keys are no longer secure.
Easy verification that email was decrypted by your GoodCrypto private server You can click on a tag added to each decrypted message to verify the message was decrypted by your GoodCrypto private server. This ensures that someone doesn't simply add a tag to a regular message to mislead you into thinking it arrived privately.
Open source so anyone can audit code All of the source code we've written for this project is open source and included with every distribution. Plus we rely on other open source projects for the crypto (GPG and Tor) and the OS itself (Linux). We encourage anyone with the skill to audit our software and publish the results.
Warning if message signed by user other than SMTP sender GoodCrypto verifies that a signed message was signed by the SMTP sender and reports if it's not. The SMTP sender is not always the same user as the one that appears in the header of a message so if someone is trying to trick you into believing a message was signed by someone it wasn't, GoodCrypto will help you spot the attempted deception.
Sender notification when new key received or created GoodCrypto sends an email message whenever a new key from a sender is received. It also reminds you to verify the key id with the sender so you can be confident you're communicating privately with the person you think you are instead of a man-in-the-middle.