trinity-users@lists.pearsoncomputing.net

Month: April 2018

Re: [trinity-users] Re: Re: Kmail-TDE-PM-pgp

From: William Morder <doctor_contendo@...>
Date: Mon, 30 Apr 2018 07:36:38 -0700

On Monday 30 April 2018 07:07:47 deloptes wrote:
> William Morder wrote:
> > The point is that not even the admins on ProtonMail can read the content
> > of emails, or anything stored on their servers.
> >
> > This is unlike Gmail (for example), who also use SSL and TLS, but
> > obviously they have some kind of automated way to read the content of our
> > emails and know who are all our correspondents.
>
> so let us take this important argument: when server sends mail, you
> automatically know where it goes to - how would this happen if you don't
> know the correspondents.
> It would be enough to use a server under your control, so that only you
> know where it goes. I am not aware that there is a way to send to
> recipient, without knowing who the recipient is.
> Perhaps imagine the standard post system - you put the address on the
> envelope. Google as a postman is a b*tch that opens and reads your mail,
> but if it is encrypted, they still will not be able to read it without your
> or the recipient's private key.
>
> I still do not get the point here.
>
> > And I don't imagine that my Zoho account (or any other) is much better in
> > that regard. Zoho is better only in that they do not bother me with
> > useless hoops to keep jumping through; whereas in the case of Gmail, I
> > kept getting shut out of my own accounts, merely because I sometimes
> > logged in from different locations.
>
> A domain costs 10-20 US$/year - a dedicated service for this domain about
> 100, so if it is important to you to have secure communication channel, you
> simply pay it and use it. If it is for free, then it comes on much higher
> cost - because you sell your data.
>
> >> This is the point. When you really want to trust someone, you probably
> >> would meet him/her and exchange keys face to face.
> >
> > This is super-paranoid, yet also correct. I have various tricks for
> > communicating, which do not depend on anything to do with computers or
> > networks, but rather use items in the real physical world. (This is just
> > for communicating in case of an emergency, when other means are not
> > trusted.)
> >
> > I just want to be sure that some of my friends, who live in places that
> > are more dangerous than the US, UK or EU, do not suddenly disappear. What
> > may seem perfectly innocent here is not necessarily perceived in the same
> > way where they live.
>
> So you think US, UK, EU is more secure? I doubt it - it is everywhere the
> same. The participated illusion of safety is higher, but nothing else.

No, I believe that US, UK and EU generally use more surveillance of their 
citizens than many other nations. However, I can make innocent statements 
here on a wide range of subjects that (I hope) will not get me arrested, 
tortured, or "disappeared". 

My friends who live in Africa, the Middle East, Russia, India, Pakistan, 
Singapore, etc., sometimes get upset when I speak a little too freely about 
what seem like trivial matters to me. 

I am more concerned with their safety. Not that I don't worry about who reads 
my emails here in the US, but I am also somewhat more aware of how not to 
sound totally batshit crazy. 

> > Well, at least your email came through here as an encrypted message. But
> > yes, it makes no sense to use encryption for the mailing list (except for
> > testing purposes, which is what I meant). All our messages here are
> > published online, for anybody anywhere to read.
>
> not encrypted, but signed - there is a difference ;-)

Yes, sorry. It is hard to read for me (yellow highlighting, and I use yellow 
text on dark background); but I get that message for signatures or encrypted 
messages. 

> > I have generated my key, but somehow or other Kmail doesn't want to send
> > when it is signed and/or encrypted.
>
> I don't get it - this has no will on its own. You need to configure knode
> - it took me a while to get it. Not the general config, but for the
> specific account - under identity - when you set your key there, it should
> work.

I just generated a new key (it automatically used Kleopatra), then saved it to 
a file. I'm not sure how it works for Kmail, but I was assuming it would be 
similar to, for example, using a key for something like Keypass. I use a 
password and a key file; I was guessing I could use my saved key to encrypt 
the email. I was hoping to test it first by sending emails to myself at 
alternate accounts. 

> In kmail it is under security and it is only for mail. I am also not sure
> if Slavek released the kgpg with gnupg2, or it is still somewhere in
> development, but we cleaned up a bit there as well.
> Anyway I was looking recently into this knode/kmail because I noticed that
> knode does not process messages when they are composed as mime
> encrypted/signed the same way as it does, when they are p/gpg signed, but
> kmail does process such messages. It was quite an adventure. It smells
> like development work to do.

A whole range of choices to sort through. 

Bill