FAQ: Technical Questions & Answers

 

Overview

 

Is GoodCrypto open source?

Yes.


Security software without source code isn't secure. We wouldn't trust GoodCrypto without source code, and we don't think you should either.

GoodCrypto is open source so others can help find the vulnerabilities and fix them. All our software in the ISO is already source code.

Also, the core software is on github under GPLv3. We usually update our github repositories later than the source distributed in each ISO, so when you're verifying an ISO, use the source distributed with that ISO.

We haven't made a decision on the license for the rest of our ISO software, but if you need more information, please contact us.

It's possible to hide malware in open source, but it's a lot harder. When you use security software without source code you make it easy for the bad guys.

 

What are GoodCrypto's security features?


Encrypts content and metadata. It's easy to understand how someone who can read your mail gains a lot of valuable information about your business deals, financial data and more. As articles in The Guardian and Wired showed, metadata (i.e., sender and recipient addresses, subjects, etc.) reveals much more private information about you than you might realize. The ex-NSA chief admitted that "We kill people based on metadata." GoodCrypto lets you protect both metadata and content.

Mixes and packetizes messages to resist both network and traffic analysis. You can protect your connections with others even more by using GoodCrypto's bundling and packetization. Messages between two domains are sent in padded and encrypted bundles on a regular schedule. So no one knows which individuals in the companies are communicating, how often, or even whether messages are long or short. GoodCrypto encrypts each individual message, then periodically bundles all messages that are going to the other domain, pads the new combined message, and finally encrypts the entire bundle. If no one has a message for the other domain, GoodCrypto still sends a padded encrypted message. Snoops don't know if anyone is actually talking.

Pins keys. GoodCrypto includes the sender's public key in the header of every message. Whenever a message arrives from someone else using GoodCrypto, that key is checked against the key already recorded for the sender in your local database. That way someone can't pass off a message as coming from someone else by supplying a different key.

Blocks web malware. GoodCrypto's web proxy strips images and other malware vectors so your users' computers aren't infected.

Resists user tracking. Everyone's web requests can automatically be routed through Tor so it's difficult to track what sites users visit. Because everyone shares the same Tor connection, your whole company's web activity is aggregated, which amplifies the protection against tracking of online activity.

Your administrator runs our software on your server. We strongly recommend that you install your GoodCrypto private server on a headless machine. It is fully self-contained with no SSH access. Your administrator manages your GoodCrypto private server via the web with no interface to keys, passphrases, or messages.

All encryption and decryption happens on your servers. Your administrator manages your mail just like always.

All private keys and passphrases stay on your server. You don't need to trust any third party. You can secure your GoodCrypto private server to meet your standards, not rely on others.

Any government request for encryption keys comes to your company, so you'll know if the keys are no longer secure.

Easy verification that email was decrypted by your GoodCrypto private server. You can click on a tag added to each decrypted message to verify the message was decrypted by your GoodCrypto private server. This ensures that someone doesn't simply add a tag to a regular message to mislead you into thinking it arrived privately.

Open source so anyone can audit code. All of the source code we've written for this project is open source and included with every distribution. Plus we rely on other open source projects for the crypto (GPG and Tor) and the OS itself (Linux). We encourage anyone with the skill to audit our software and publish the results.

Warning if message signed by user other than SMTP sender. GoodCrypto verifies that a signed message was signed by the SMTP sender and reports if it's not. The SMTP sender is not always the same user as the one that appears in the From header of a message, so if someone is trying to trick you into believing a message was signed by someone it wasn't, GoodCrypto will help you spot the attempted deception.

Sender notification when new key received or created. GoodCrypto sends an email message whenever a new key from a sender is received. It also reminds you to verify the key id with the sender so you can be confident you're communicating privately with the person you think you are instead of a man-in-the-middle.

 

What is GoodCrypto's design?

Transparent protection for whole groups at a time.


Our guiding principles are:

  • Protect everyone at once

    No training. No clicks.

    Bruce Schneier points out, "If there is anything PGP has taught us, it's that one click is one click too many." Protecting one person at a time is inefficient. You have to try to train each one to protect themselves. The success rate is not high.

    Most cracked systems are user systems because ordinary people have no idea how to protect themselves online.

  • Layered protection

    For example, web access is filtered, aggregated by groups and protected by Tor. And, mail can be configured to use multiple encryption methods.

  • Use tested and trusted components, such as GPG and Tor

    We are very slow to use new protection schemes until they have been audited and their reliability proven.

  • Preconfigured distribution

    Just boot it. Preconfigured. Support. Security updates. Reproducible build.

  • Decentralized

    All your private information is on your own server. Automatic key management with no central servers. P2P public key distribution. Key pinning.

  • Integrate with existing mail and browsers

    Uses the same SMTP, IMAP, and POP servers you use now. Same mail clients and browsers. Same antispam and antivirus. Integrates at the MTA level.

  • Don't use known compromised encryption

    This may seem obvious, but some compromised crypto is standard. State sponsored standards are generally crippled so the state can crack them, which of course means others can crack them.

  • Don't trust too much

    That includes us. Encourage people to audit GoodCrypto. The goal is to be tested and trusted, not blindly trusted.

  • Virtualization to protect against embedded malware

    Ed Snowden says that VMs are "a big step up" against persistent threats. That matches our experience.

 

What is GoodCrypto's threat model?

Global passive and active attackers.


Attackers include states, businesses, and ordinary criminals.

There is at least one global passive attacker, NSA. They strive to tap and store everything.

Counters to global passive attacks include:

  • Encrypt (examples: TLS, GPG)
  • Use combinatorial explosions such as mixing (examples: groups, Tor)

NSA is also the worst active attacker, although there are many. They sabotage and crack standards, products, and services. They inject packets and infect systems with malware. They embed compromised keys and bugs in hardware, at the factory and in transit.

Counters to active attacks include:

  • Use tested and trusted products and services
  • Avoid state sponsored standards
  • Use firewalls
  • Virtualize systems

 

What is GoodCrypto's cryptography design?


Cryptography design is sometimes called security design. This leads to the mistake that once you have checked the cryptography, you have checked the security. Other security issues are covered in our Technical FAQ, especially in the threat model and design.

Simplicity

GoodCrypto's cryptography is as simple as we could safely make it. If anything distinguishes our crypto it is what we leave out.

We try to avoid writing crypto. Instead we use GPG and TLS.

We try to avoid state sponsored standards. NSA alone spends at least US$250 million every year sabotaging crypto, including crippling standards. It influences much more through government grants and contracts. From Inside the NSA's War on Internet Security:

This process of weakening encryption standards has been going on for some time. A classification guide, a document that explains how to classify certain types of secret information, labels "the fact that NSA/CSS makes cryptographic modifications to commercial or indigenous cryptographic information security devices or systems in order to make them exploitable" as Top Secret.

We don't use elliptic curve cryptography and generally avoid DSA. Both are state sponsored standards.

We also try to avoid highly centralized servers. They are obvious targets. Each customer has their own GoodCrypto server running on their hardware and managed by them.

We reduce the attack surface on the GoodCrypto server in many ways, such as omitting an ssh server.

Mail

We use GPG to encrypt and decrypt mail. GoodCrypto follows Jacob Appelbaum's GPG configuration from his duraconf project, modified to avoid key servers. Keys are RSA 4096 bits. We currently don't use public key servers because they are obvious targets and, in our experience, unreliable. If customers want them as a convenience we may add an option to use them.

GoodCrypto distributes PGP public keys P2P in email headers. The protocol is described in the whitepaper under "Step by Step". The customer's GoodCrypto server stores PGP keys. Users can verify fingerprints for stored public keys on the server's local web site.

Net

We use TLS to protect network connections. Again the keys are RSA 4096. Currently we allow fallback to TLS with DSA and SHA-1. This is a vulnerability that is necessary for compatibility with other systems. It is an excellent example of why we use layered encryption, such as PGP for email. We will eliminate this fallback as soon as enough other systems are brought up to date.

 

GoodCrypto provides the tools GPG and Tor that Ed Snowden used. Why not Tails?


We use Tails almost daily. For many months it was the base Linux distro for GoodCrypto.

Snowden relied on Tails. Even though he used plain email with PGP for much of his communications, adding Tails makes you safer.

But for a server, Tails has flaws. It includes a GUI stack and many end user apps. That means it has a large attack surface. This is an unnecessary risk for a server. We removed the extra apps. But Tails is dependent on the GUI even during boot.

In our limited user testing with technical people, they found Tails very hard to use. We reported our results to the Tails team. They were already working on it. But they are a small underfunded team like us, and their resources are limited.

We finally moved to a much smaller custom distro. It was, and is, a difficult call.

 

Mail

 

Does GoodCrypto protect metadata against traffic analysis?

Yes.


GoodCrypto uses Ed Snowden's design from HOPE X to encrypt your email, both content and metadata.

Exposed metadata can be more dangerous than content. As former CIA/NSA boss Gen. Michael Hayden admitted, "We kill people based on metadata."

With a simple click, you can block both network and traffic analysis. Spies who tap your line get just one bit of data, that Group A communicates with Group B. They don't know who, what, when or even how much information an individual exchanges with someone else. What spies see is useless, because it is always the same. The same schedule, the same amount, and always encrypted, including metadata.

Of course, until other packages implement this open source protocol for metadata protection, you will need GoodCrypto on both ends.


 

How does GoodCrypto protect metadata?


This overview is for IT administrators. If you prefer security details see Security focus: How does mail metadata protection work?

GoodCrypto uses Ed Snowden's design from HOPE X to protect email metadata. In brief, GoodCrypto:

  1. Uses GPG to encrypt from individual to individual.
  2. Periodically mixes all messages to a domain into the body of a single message.
  3. Pads and uses GPG to encrypt the mixed group message. This encrypts all end user metadata.

When GoodCrypto first boots it prepares an email address and key for your domain. This is separate from the keys for individuals. Keys are automatically exchanged the first time that two GoodCrypto mail domains connect.

On a regular schedule GoodCrypto:

  • Signs and encrypts messages going to a domain with each individual's key.
  • Attaches all the messages for that domain to one new message.
  • Pads the mixed group message to a fixed size.
  • Encrypts the group message.

Because all individual metadata is in the group message body, the metadata is encrypted. The sender, recipient, subject, and content of messages are completely hidden. Useless domain metadata is all that's visible, only showing that the two groups might be exchanging private email.

When a message arrives at the destination, GoodCrypto reverses the process and delivers the individual messages.

Usually both the sender and recipient have personal keys. Then their individual messages are encrypted in layers, first with the individual key and then with the metadata key.

GoodCrypto automatically exchanges keys. The administrator receives email whenever a new metadata key arrives so it can be verified.

As both systems generate and exchange keys, GoodCrypto continuously makes your mail more secure. If you need to be sure that your first contact is safe, check that your GoodCrypto private server has a metadata key for the other domain.

Of course, until other packages implement this open source protocol for metadata protection, you will need GoodCrypto on both ends.

 

How does GoodCrypto stop traffic analysis?


GoodCrypto uses packetization, padding, and encryption to stop both network and traffic analysis. On a regular schedule it combines individual messages going to a group, pads them to a standard size, and wraps them in an extra layer of encryption that protects all the messages and hides all individual metadata.

The default settings send a single 1 MB group-to-group message every hour, even when no individuals have sent mail to the other group. That allows the equivalent of one entire book of email text every hour. It adds less than 1 GB of traffic per month per group to stop traffic analysis. The administrator can change these settings.

If the total of pending outgoing individual messages is too big for a single standard group message, unsent messages are queued for later. If a single message is bigger than the group message size, it is returned to the sender with an explanation.

 

Security focus: How does mail metadata protection work?


This is a quick overview for security people. You may prefer an IT administrator's viewpoint.

GoodCrypto protects email metadata in transit by using encryption, mixing, and padding. It follows Ed Snowden's recommendations to resist both network and traffic analysis.

First each message is encrypted to the recipient using GPG if we have their key. On a regular schedule, GoodCrypto mixes all the individual encrypted messages going from group to group into a single padded PGP MIME message, encrypted again with the group's GPG key. At the other end GoodCrypto reverses the process.

Mixing resists traditional network analysis. Bundling and encryption resist social network analysis. The periodic group message is padded to a fixed size. The regular schedule and fixed size resist traffic analysis. One bit is known to be leaked: The two groups might be exchanging private email.

Email is perfect for this form of protection because we already expect some delay. Few people notice a half hour average delay in email. Instant messaging doesn't work with this kind of packetization. It wouldn't be instant. Phone and video calls have the same limitation. Voice or video mail would work well, and could even be routed over email.

The default packet size is 1 MB, enough for an entire book of text. 1 MB per hour adds up to less than 1 GB per month for each group to group connection. At server prices one GB usually costs nothing today. Most groups don't write more than a book an hour, but if yours does you can change the defaults.

Metadata encryption is an extra GPG layer applied to the bundled messages. This is in addition to the user to user GPG encryption already provided by GoodCrypto. The inner layer protects content. The outer layer protects metadata and content.

When SMTP servers use TLS they provide yet another layer of encryption. Some people believe a single layer is enough. This is called an Eggshell Defense because it is so fragile. Encryption fails over time. We don't know when each layer will fail, but with a defense in depth we have a very good chance that at least one layer will survive long enough to fix or replace the others. When a single layer of defense fails you are completely unprotected. Multiple strong layers make a catastrophic failure very unlikely, so you are much safer.

Individual messages are encrypted and periodically mixed into a single message. The bundled message is padded and encrypted again. This provides very good metadata protection to resist both network and traffic analysis.
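The bundling procedure described in the administrator overview, the traffic analysis FAQ and this security focus section, as one added, runnable Python model. This is example code written for this page, not GoodCrypto's own implementation: GPG is replaced by a stand-in XOR stream cipher so the example runs offline, and the bundle size is 512 bytes instead of the 1 MB default. It shows the two encryption layers, the fixed-size padded bundle that goes out even when nothing is queued, queueing of messages that don't fit the current bundle, and rejection of a message that could never fit.

```python
import hashlib
import os
import struct
from collections import deque

# Every group-to-group bundle is exactly this many bytes. The page's default is
# 1 MB per hour; it is tiny here so the example runs instantly.
BUNDLE_SIZE = 512
NONCE_LEN = 16
COUNT_LEN = 4          # message count at the start of the bundle payload
LEN_PREFIX = 4         # length prefix in front of each inner message
PAYLOAD_CAPACITY = BUNDLE_SIZE - NONCE_LEN - COUNT_LEN


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode. Stand-in for GPG so the example runs offline;
    it is unauthenticated and not for real use."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">Q", counter)).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt: random nonce followed by plaintext XOR keystream."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, stream))


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    stream = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, stream))


class OversizeMessage(Exception):
    """A message that can never fit one standard bundle; the real system
    returns it to the sender with an explanation."""


def encrypt_individual(recipient_key: bytes, sender: str, recipient: str,
                       subject: str, body: str) -> bytes:
    """Inner layer: the whole message, headers included, is encrypted to the
    recipient. After this step nothing about the individuals is in clear."""
    plain = f"From: {sender}\nTo: {recipient}\nSubject: {subject}\n\n{body}".encode()
    blob = seal(recipient_key, plain)
    if LEN_PREFIX + len(blob) > PAYLOAD_CAPACITY:
        raise OversizeMessage(f"{len(blob)} bytes cannot fit a {BUNDLE_SIZE}-byte bundle")
    return blob


def build_bundle(queue: deque, group_key: bytes) -> bytes:
    """One scheduled tick. Drain queued messages in order while they fit, leave
    the rest queued, pad to the fixed size, encrypt with the group key. Runs
    even when the queue is empty, so an idle hour looks like a busy one."""
    items = []
    used = 0
    while queue and used + LEN_PREFIX + len(queue[0]) <= PAYLOAD_CAPACITY:
        blob = queue.popleft()
        items.append(blob)
        used += LEN_PREFIX + len(blob)
    payload = struct.pack(">I", len(items))
    payload += b"".join(struct.pack(">I", len(b)) + b for b in items)
    # Random padding up to the fixed size; the count and length prefixes inside
    # the ciphertext are what let the receiver tell padding from messages.
    padded = payload + os.urandom(BUNDLE_SIZE - NONCE_LEN - len(payload))
    return seal(group_key, padded)


def open_bundle(bundle: bytes, group_key: bytes) -> list:
    """Receiving side: strip the outer layer, ignore the padding, and hand the
    inner (still individually encrypted) messages back for delivery."""
    padded = unseal(group_key, bundle)
    count = struct.unpack(">I", padded[:COUNT_LEN])[0]
    pos = COUNT_LEN
    items = []
    for _ in range(count):
        n = struct.unpack(">I", padded[pos:pos + LEN_PREFIX])[0]
        pos += LEN_PREFIX
        items.append(padded[pos:pos + n])
        pos += n
    return items


if __name__ == "__main__":
    group_key, bob_key = b"a.example<->b.example", b"bob@b.example"
    outbox = deque()
    outbox.append(encrypt_individual(bob_key, "alice@a.example", "bob@b.example",
                                     "lunch", "noon?"))
    on_the_wire = build_bundle(outbox, group_key)          # busy tick
    idle = build_bundle(outbox, group_key)                 # nothing queued
    print(len(on_the_wire), len(idle))                     # identical sizes
    for inner in open_bundle(on_the_wire, group_key):
        print(unseal(bob_key, inner).decode())
```

Run it and the busy and idle bundles print the same length: nothing on the wire distinguishes a tick carrying mail from an empty one. The message count and per-message lengths live inside the outer ciphertext, so an observer sees only that the two domains exchanged a bundle of the usual size at the usual time.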

 

Which encryption software does GoodCrypto support?

GoodCrypto supports the most popular open source standards:


  • OpenPGP and TLS

The best part is that GoodCrypto lets you use multiple encryption apps in layers to give you even more privacy. When there is more than one encryption app installed on your system, GoodCrypto can encrypt your messages with each program in turn. That way a flaw in one encryption method doesn't expose your mail.

Learn why we don't support S/MIME.

 

Are all outgoing messages encrypted?

Yes, if you both use GoodCrypto or any OpenPGP software.


If both ends have GoodCrypto, it all happens automatically:

  • GoodCrypto generates keys for you and your contact.
  • GoodCrypto exchanges public keys P2P.

Generating and exchanging keys can take a little time. Remember your messages are not encrypted until that's done. After you both get mail reminding you to verify your contact's key, your messages are encrypted both ways.

The mail administrator also has the option of only allowing outgoing mail if it is encrypted. Of course, that means that you are requiring all recipients of email from your server use encryption, too. This is probably too restrictive for most groups.

If your contact doesn't use GoodCrypto but does use another OpenPGP product:

GoodCrypto will still automatically encrypt to that contact once their public key has been imported and its fingerprint verified.

Make sure your mail server is configured to encrypt local traffic with TLS.

 

What is a fingerprint or key id?


A fingerprint is a short summary of an encryption key. Because full encryption keys are so long, we use the key summary to verify a key.
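As an added example (not the page's or GoodCrypto's code), here is how an OpenPGP version 4 fingerprint and key ID are derived from a public key packet, as specified in RFC 4880: SHA-1 over the byte 0x99, the two-byte packet length and the packet body. The key values below are small constructed numbers so the packet stays readable; a real GoodCrypto key is RSA 4096, but the framing and hashing are identical.

```python
import hashlib
import struct


def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP multi-precision integer:
    two-byte bit length, then the big-endian magnitude."""
    magnitude = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return struct.pack(">H", n.bit_length()) + magnitude


def rsa_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a version 4 RSA public-key packet (RFC 4880 section 5.5.2):
    version, creation time, algorithm 1 (RSA), then the MPIs n and e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, the two-byte body length
    and the body itself, shown as 40 upper-case hex digits."""
    framed = b"\x99" + struct.pack(">H", len(body)) + body
    return hashlib.sha1(framed).hexdigest().upper()


def key_id(fingerprint: str) -> str:
    """The 64-bit key ID is the low-order eight bytes of the fingerprint,
    i.e. the last 16 hex digits. It is much shorter, so colliding key IDs
    are cheap to make; compare the whole fingerprint, not the key ID."""
    return fingerprint[-16:]


def pretty(fingerprint: str) -> str:
    """Group into blocks of four, the way gpg prints fingerprints."""
    return " ".join(fingerprint[i:i + 4] for i in range(0, len(fingerprint), 4))


# Constructed toy key: a 512-bit modulus so the packet stays small.
# Real keys are RSA 4096; the framing and hashing do not change.
TOY_N = int(
    "C4F8E9E15DCADF2B96C763D981006A644FFB4415030A16ED1283883340F2AA0E"
    "2BE2BE8FA60150B9046965837C3E7D151B7DE237EBB957C20663898250703B3F", 16)
TOY_E = 65537
TOY_CREATED = 1400000000

if __name__ == "__main__":
    body = rsa_public_key_body(TOY_N, TOY_E, TOY_CREATED)
    fpr = v4_fingerprint(body)
    print("fingerprint:", pretty(fpr))
    print("key id:     ", key_id(fpr))
```

Because the creation time is part of the hashed packet, the same RSA modulus generated at a different second has a different fingerprint; and because the key ID is only the tail of the fingerprint, verifying a contact by key ID alone is not enough.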

 

How does PGP work?

Well. It works well.


OK, you want details.

 

Why shouldn't I verify someone's key by email?


If someone slipped a fake public key into your email, they can send a fake key verification the same way.

You could think that you're communicating privately with a friend or associate while all of your messages are being intercepted, read, and then forwarded to the destination.

 

Will my email ever be sent as plaintext if there's a key for the recipient?

No, not if the GoodCrypto server has the recipient's key.


If GoodCrypto detects any error encrypting a message, then the message is automatically returned to the sender with an explanation about the error.

Additionally, the mail administrator can set a flag so no one can ever send email to specific contacts unless the mail is encrypted. This allows the administrator to add contacts who need privacy ensured before a key is ready.

 

How does GoodCrypto work when the other person doesn't have it?


Email with people who still don't have privacy software works as it always has. Messages you send them will not be private and so they -- and anyone who intercepts your messages -- can read them just like they did before you installed GoodCrypto.

People with no protection at all will get a note at the bottom of your messages reminding them of the risks of unprotected email. You'll get a note at the bottom of their messages letting you know it wasn't private. That way you always know which messages arrived at your mail server privately, and which didn't. You can also verify which messages arrived and were sent privately.

If a contact is using another PGP product, then you will have to export your key and send it to them so they can send you private messages. And they will need to send you their key, which you import (or import from a keyserver) so you can send private email to them. Don't forget to verify their fingerprint before you rely on exchanging private messages with them.

 

Can encrypted email be filtered for spam and viruses?

Yes.


GoodCrypto integrates with your existing mail server. Configure your mail server to filter inbound email after it's been decrypted.

 

What encryption is used between the user and mail server?

TLS works well.


We strongly encourage you to require TLS 1.2 connections between users' computers and your mail server. Keep your mail server behind a strong firewall for best security.

 

How does GoodCrypto minimize MITM attacks on my messages?

Encryption and multifactor authentication


Encryption is a great first step. But it's only reliable with good authentication.

All authentication methods have flaws. Any one by itself may be easy to crack, but cracking multiple authentication factors for the same key is much harder. The standard form of this is called "Two factor authentication". GoodCrypto gives you more:

  • Key pinning
  • Out of band verification notice
  • Public key in header
  • Encrypts and signs
  • Standard "the recipient got my encrypted message"

Remember that no authentication factor is perfect. But combined they can work well.

Key pinning. GoodCrypto pins PGP keys. Any time GoodCrypto generates or receives a new key, it records the fingerprint in GoodCrypto's database. It sends email to let you know about the new key. If that key ever changes, you get an alert.

When a signed message is received, GoodCrypto verifies the signature matches the message's 'From' and warns if it doesn't. Further, it verifies that the fingerprint of any keys in the message header match the fingerprint in GoodCrypto's database. Again, the user is warned if there are any inconsistencies and the key is blocked.

Out of band verification notice. Whenever a new key comes in, the user gets a message strongly advising them to verify the new key's fingerprint using some method other than email. You get their fingerprint from your local GoodCrypto Server's web site. Then you need at least one more source to verify. Getting a fingerprint from somewhere else online is pretty good. A phone call is better. Face to face is best.

Public key in header. Every message a GoodCrypto user sends has their public key in the header. Anyone can check it. GoodCrypto does.

Encrypts and signs. This is standard, but essential. GoodCrypto always both encrypts and signs messages. It checks signatures for you. If you exchange encrypted mail with PGP users who don't have GoodCrypto, ask them to also sign their messages.

"The recipient got my encrypted message." This is the most common method of verification. It's weak, but users seldom do more. That's why automated authentication is essential. If your contact has GoodCrypto, they get a tag line right in the message saying whether it was encrypted, so they can tell you. If the recipient replies saying something that clearly shows they really got your encrypted message, that helps.

Public key servers. In the future, we'll likely offer options such as verifying keys against public key servers. Key servers are convenient. They make PGP easier to use. That's crucial, because crypto that is hard to use is only used by experts. But relying on a few centralized crypto servers for the whole Internet is obviously very risky.

Use multiple factors. Most authentication methods aren't very strong by themselves. Always use multiple factors. GoodCrypto does it automatically, and helps you check things for yourself.
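The checks this section describes, as an added Python example that is not GoodCrypto's own code. Signature verification itself is left to GPG: the function takes the fingerprint of the key that verified the signature as an argument, the way gpg would report it. The header that carries the sender's key is not named on the page, so `X-GoodCrypto-Key-Fingerprint` is an assumption for this example, and the addresses, fingerprints and messages are constructed samples.

```python
from email import message_from_bytes
from email.utils import parseaddr

# Assumed header name for the example; the page does not give the real one.
KEY_HEADER = "X-GoodCrypto-Key-Fingerprint"


def normalize(fingerprint: str) -> str:
    return fingerprint.replace(" ", "").upper()


class KeyPins:
    """Pin store. The first key seen for an address is recorded and the user
    is told to verify it out of band; a later, different key is a mismatch
    and never silently replaces the pin."""

    def __init__(self):
        self._by_address = {}
        self._by_fingerprint = {}

    def observe(self, address: str, fingerprint: str) -> str:
        address, fingerprint = address.lower(), normalize(fingerprint)
        pinned = self._by_address.get(address)
        if pinned is None:
            self._by_address[address] = fingerprint
            self._by_fingerprint[fingerprint] = address
            return "new"
        return "match" if pinned == fingerprint else "mismatch"

    def owner(self, fingerprint: str):
        return self._by_fingerprint.get(normalize(fingerprint))


def inspect_message(raw: bytes, envelope_sender: str, signer_fingerprint,
                    pins: KeyPins) -> list:
    """Run the checks on one inbound message and return (severity, reason)
    findings. signer_fingerprint is the key that verified the signature,
    or None if the message was unsigned."""
    msg = message_from_bytes(raw)
    _, header_from = parseaddr(msg.get("From", ""))
    header_from = header_from.lower()
    envelope_sender = envelope_sender.lower()
    findings = []

    # Key pinning: the key carried in the header must match the pinned one.
    header_fpr = msg.get(KEY_HEADER)
    if header_fpr:
        status = pins.observe(header_from, header_fpr)
        if status == "new":
            findings.append(("notice", f"new key pinned for {header_from}; "
                                       "verify its fingerprint out of band"))
        elif status == "mismatch":
            findings.append(("block", f"key in header does not match the key "
                                      f"pinned for {header_from}"))

    # The From header and the SMTP envelope sender are separate things; a
    # forged From is the usual way to fake who a message is from.
    if header_from != envelope_sender:
        findings.append(("warn", f"header From is {header_from} but SMTP "
                                 f"sender is {envelope_sender}"))

    # A valid signature only helps if the signing key belongs to the sender.
    if signer_fingerprint:
        owner = pins.owner(signer_fingerprint)
        if owner is None:
            findings.append(("warn", "signed with a key not pinned to any address"))
        elif owner != envelope_sender:
            findings.append(("warn", f"signed by {owner} but SMTP sender is "
                                     f"{envelope_sender}"))
    return findings


def make_message(sender: str, recipient: str, subject: str,
                 key_fingerprint=None) -> bytes:
    """Constructed sample message for the demo; not real traffic."""
    lines = [f"From: {sender}", f"To: {recipient}", f"Subject: {subject}"]
    if key_fingerprint:
        lines.append(f"{KEY_HEADER}: {key_fingerprint}")
    return ("\r\n".join(lines) + "\r\n\r\nbody\r\n").encode()


ALICE_FPR = "1111 2222 3333 4444 5555 6666 7777 8888 9999 AAAA"    # constructed
MALLORY_FPR = "FFFF EEEE DDDD CCCC BBBB AAAA 9999 8888 7777 6666"  # constructed

if __name__ == "__main__":
    pins = KeyPins()
    good = make_message("alice@a.example", "bob@b.example", "hello", ALICE_FPR)
    print(inspect_message(good, "alice@a.example", ALICE_FPR, pins))  # notice
    print(inspect_message(good, "alice@a.example", ALICE_FPR, pins))  # clean
    # Alice's public key is public, so a forger can copy it into the header;
    # the envelope sender and the signing key still give the game away.
    forged = make_message("alice@a.example", "bob@b.example", "urgent", ALICE_FPR)
    print(inspect_message(forged, "mallory@evil.example", MALLORY_FPR, pins))
```

The first sighting of a key is trusted on first use, which is exactly why the notice tells the user to verify the fingerprint somewhere other than email; after that, a swapped key in the header is blocked, and a message whose From header, SMTP sender and signing key disagree is flagged even when the header key itself checks out.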

 

Why not user-to-user PGP?


Trying to get individuals to encrypt their email has had 20 years to work. There are excellent guides from Freedom of the Press, EFF, and Free Software Foundation. But it's a lot to learn and a lot of work. Bruce Schneier says, "If PGP has taught us anything, it's that one click is one click too many." Only experts encrypt their email.

It's time to protect the rest of us.

With GoodCrypto the users themselves don't have to do anything to encrypt. GoodCrypto does it for them, in a private server connected to their mail server. For almost everyone the alternative is unencrypted mail. Another huge advantage is that people can keep using the mail software they know on any platform they want.

Without a solution like GoodCrypto almost all email is unencrypted. Anyone who taps the line can read it. We suggest you limit that risk to your own administrator. Everyone in the group gets PGP mail. The tradeoff is that your mail administrator who can already read your mail can still read your mail.

Experts can still encrypt their mail themselves. But now everyone else in the group gets encrypted mail too. Everyone is protected.

Individual users have a terrible record for using crypto, and a worse record for protecting their computers. Botnets show that mass cracking is already automated. How can you protect all those user computers?

Most people already trust servers to protect private keys for HTTPS, SSH, and more. It is possible to protect servers. Otherwise banks and stock exchanges would suddenly find their money gone.

Because blocking spam and malware requires the decrypted message, end user encryption also means users have to deal with spam and malware themselves. Some of that malware will crack their system for their keys. And businesses often need a record of all mail.

Transparent encryption works for everyone.

To stop mass surveillance we need mass encryption.

 

Why do I need PGP? Isn't TLS/SSL enough?

PGP is P2P and decentralized.


TLS/SSL itself is generally secure. But on the Internet it is dependent on public DNS and Certificate Authorities. Both of these types of centralized servers are prime targets. Just one CA has to fail.

Worse, some ISPs and organizations sabotage TLS/SSL directly.

You can exchange TLS public keys in some other way, and pin the keys. These are promising approaches, and GoodCrypto may use them.

DNSSEC may help some, but it is still very dependent on DNS and not yet widely trusted.

Many mail servers don't encrypt at all. Especially in large organizations, mail may go through multiple servers. You can't force intermediate mail servers to encrypt. SMTP doesn't require it. So there's no guarantee that messages between mail servers are encrypted.

PGP is end to end, from domain to domain or user to user, and decentralized.

The GoodCrypto mail server handles everything for you transparently. You aren't as vulnerable to TLS attacks. You don't need cooperation from intermediate mail servers.

 

Why can't I just use web mail with javascript crypto?

There are more ways it can go wrong.


Javascript PGP in the browser has the very important advantage of making PGP more usable. But it introduces so many extra vulnerabilities that security people thought you didn't need to explain it. Then Google used javascript PGP in a browser. This is a detailed explanation of why you probably shouldn't.

 

Why doesn't GoodCrypto support S/MIME?

S/MIME is more about tracking. PGP is about privacy.


PGP has a strong record of protecting users' privacy. So GoodCrypto uses PGP.

Background: In the early 1990s, the PEM group tried to develop an open standard which would protect everyone's email privacy. NSA pushed the standard so hard they offered free @nsa.gov email addresses to members. Why? PEM was an email tracking system. The PEM charter said that tracking was required, but confidentiality was optional. When the group would not accept this low standard, that group was shut down and replaced by an invitation-only group that developed S/MIME.

Additionally, S/MIME relies on centralized certificate authorities which are easy targets for mass surveillance. Certificate authorities can issue both the public and private components which also weakens security.

 

Where does a user get credentials to sign in to our GoodCrypto private server?


As each user in your company sends a message out, a login and password is automatically created. The credentials are emailed to the user. The user cannot use these credentials to access the administrator areas (i.e., managing users, contacts, options) unless the administrator changes the user's permissions. If a user tries to access the administrator areas without the correct permissions, then the sign in form simply displays again. Regular users must only try to access non-administrator areas (e.g., viewing their personal private message history) when signing in. Of course, if a user loses their credentials, then the administrator can change their password via the Users button on your GoodCrypto private server's website under the Mail menu.

 

Other

 

Why a virtual appliance?

Easier to install, use, and maintain. And safer.


A virtual appliance is ready to use. Not a pile of parts. No assembly needed. Tested.

Easy to install. Just boot it. You get all the software you need, the right versions, pre-configured.

Easy to use. No training needed.

Easy to maintain. Automatic updates and professional support.

More secure. (soon) Systems are isolated from each other so an attack on one isn't as likely to harm others.

Virtual machines are resistant to APTs, Advanced Persistent Threats. Some attacks compromise a machine at a very low level, in BIOS, driver PROMs, etc. Even reinstalling the OS doesn't help.

But a properly configured vm can be safely and automatically recreated with all data restored. This is much cheaper and easier than replacing physical machines.

 

What's wrong with DSA?

It is a state-sponsored standard


State sponsored standards are high risk. They are usually crippled so the state can crack them. We know that the US government has been spending more than $250 million per year to sabotage crypto (see New York Times, ProPublica, and Guardian articles). This results in nonsense, such as "Simply put --- larger key sizes --- more risk of compromise."

One of the earliest specifications for DSA required that keys be "exactly 1024 bits". The ssh-keygen man page still says this is a requirement, even though later specs were supposed to supersede the limit.

It is a very serious concern any time someone arbitrarily restricts key size. There are too many ways that shortened keys can be compromised, precomputation attacks among them. It is reasonable to be deeply concerned about any standards from the same source.

RSA is a tested and trusted alternative to DSA. Why trust an algorithm that was sabotaged, from an organization that is known to be working against secure encryption?

 

Why doesn't GoodCrypto use ECC?


GoodCrypto's avoidance of elliptic curves is very controversial to some. Our biggest objection is that ECC is a state sponsored standard. You may disagree if you believe that state crypto standards are intended to protect you, and not crippled so the state can spy.

Multiple compromises of elliptic curves by NSA are now well known (RSA warning and NIST alert). In one case NSA paid $10 million for a backdoor in ECC.

We agree with Bruce Schneier when he says, "I no longer trust the constants. I believe the NSA has manipulated them through their relationships with industry". As Colin Percival suggests, "You should use elliptic curves only if your name is Daniel J. Bernstein." And djb is very skeptical of ECC standards.

It's also interesting that many mathematicians have found that they can't analyze the magic ECC constants. That makes auditing a matter of "Trust me" with an implied "You're too stupid". That doesn't fly any more.

Mathematicians hate the implication that they are stupid. Many opt out of the discussion, leaving the field to elliptic curve promoters. This could be a good way to hide a backdoor.

There is no clear need for ECC. ECC is still a popular forward secrecy choice, and may be useful as an additional encryption layer for that purpose. The RSA algorithm is a tested and trusted alternative. RSA is auditable. The excuses for replacing RSA are not convincing to us.

 

Why not a small hardware box?

Good security requires source, audits and updates.


Open source hardware is almost non-existent. Auditing a computer's hardware requires countless person-years in a lab, so no one does it. The usual update procedure for a system with all the software in ROM is to buy a new one. Most people don't.

Security software without source isn't secure. Software is auditable. You can get automatic security updates.

 

Why use the python sh module instead of standard libraries?

Faster security updates.


The sh module adds the entire command line suite to the python API. Command line programs are much more tested and trusted than language libraries.

If there is a security bug in a standard program, it is found faster and fixed urgently.

For example, python did not verify ssl certs properly for years. The ssh program worked.

 

Why doesn't GoodCrypto share PCAPs?

People who want crypto don't want geolocation, etc. Anonymization is unreliable.


PCAPs are packet logs. Some things even PCAPs of encrypted sessions reveal about you:

  • Where you are
  • The sites you visit
  • Which sites are most interesting to you

These details are from IP addresses and timestamps, especially timestamp differentials. It's available even in an encrypted session.

If your session is unencrypted, PCAPs reveal everything you do online:

  • Logins
  • Passwords
  • Banking access
  • Medical details
  • What topics interest you most
  • Who you contact
  • Who contacts you
  • Every private word you speak
  • Everything others tell you

PCAPs of sessions that don't involve people are less sensitive. But even those can be traced to the people who set up the system.

Anonymization is unreliable. If NSA is storing session metadata, then anonymization of PCAPs appears to be a hard problem.