Gwebs Cryptographer

Security issues have been at the news recently and all the time more and more things are coming up. So many people are interested about their own security, when spending time with online societies and communicating with others, but just so few people are really using any software which is offering better security. The most of these people are just waiting the easiest one to use and cheapest one to buy, the whole field of Internet security seems to be offering too many options and choices. “Do I really need this? Which one is best for me? It’s too difficult to use, isn’t it ?” These questions are common among people, who have interest but don’t know where to start.

It seems to be that the most of the people have a belief that “e-mail is pretty secured service”, and “anyway no-one is interested about my e-mails”, but in fact there are so many people who have interest for normal users’ accounts, and information. And e-mail itself, is not secured at all. Even if the user’s own computer is having anti-virus software and firewall doesn’t guarantee that outgoing or incoming messages are secured. The following table (Table 1.) shows a little comparison between postcard, e-mail, registered letter and encrypted e-mail. This kind of comparison is quite common while talking about security issues among delivering messages from person to another. In my humble opinion I think this comparison is pretty close to truth, and gives you the idea, how messages are really going “out-there”.

The following picture (Pic.1.) shows how message can change on the way and how come neither sender or receiver cannot be sure that if the message has been tampered or not, if any kind of encryption is not used. This case represents also the postcard. Posting a letter or encrypted e-mail, then the possibility that message changes on the way is decreasing significantly, it’s represented in a picture (Pic.2.).

Pic 1. Postcard / E-mail without encryption

Pic 2. Letter / E-mail with encryption

The animations above are representing the situations of sending a message via postcard and letter / or e-mail with and without encryption. In both cases sender and receiver are not aware which kind of picture the other one is seeing. They can just believe that “This is the picture the receiver will see. / This is the picture the sender wanted me to see.” So it is very difficult to prove afterwards that was the message changing on the way or not. Well, common sense says: “How about I give him/her a call and ask about this?” But are people really willing to do it after every single message? I am not. Then the whole idea about sending an email is basically useless, if it’s not sure whether the message is going through without changing on the way.

Whenever people are sending their personal information, job applications, contracts, what ever that contains any piece of personal information, like name, social security number, address, phone number, etc. Why not using encryption ? Well, at least I’m not willing to put those pieces of information to the postcard, are You ?

There was earlier a bit similar post in our blog: “The Difference Between A Stolen Mailbox and a Steel Envelope: An interview with gWebs CTO Anderson Jin.” Please check it through also!

MailCloak, Security, email, email encryption, encryption, personal comparison, email, Email Encryption, email encryption software, Email Security, encryption, letter, MailCloak, postcard

MailCloak for Mail Clients now in public beta!

MailCloak for Mail Clients, a cross-compatible cousin of MailCloak for Firefox, is the first GnuPG encryption plug-in which works in any email program, and it’s super easy to use too! You just install it on your Windows XP or Vista computer and then continue sending email with your current email client.

MailCloak supports: Outlook, Outlook Express, Thunderbird, Foxmail, Eudora, Pegasus Mail, Lotus Notes, and more (we haven’t tested all email clients, but it works with everything we’ve tested).

To start using MailCloak for Mail Clients, you don’t have change a thing, just download, install, do a key exchange, and start sending strong GnuPG encrypted emails! MailCloak even works with your existing PGP keys.

Click here to go to the MailCloak for MailClients download page.

MailCloak for Mail Clients allows users of any POP3 or SMTP email service to use MailCloak’s GnuPG email encryption. GnuPG is strong PGP encryption with up to 4096 bit public keys, and MailCloak is compatible with all other GnuPG encryption programs, so with MailCloak you can send secure email to anyone on just about any platform.

MailCloak supports Outlook, Thunderbird, Eudora, and more (we think it supports all POP3/SMTP mail clients, but we can’t test them all).  If you use webmail, like Yahoo! mail or Gmail, try MailCloak for Firefox!

We worked really hard to ensure using MailCloak for Mail Clients is easy as pie.

To use MailCloak for Mail Clients install it and fire up your mail client – which ever it may be.

At this point you should notice the MailCloak floating menu. Right click it to turn it on, and send an email. MailCloak will automatically attach your public key to this message if you don’t have the recipients public key, or encrypt the message if you do. When you are done sending encrypted messages, simply turn MailCloak off and write emails as usual.

To make MailCloak even easier, we’ve created an automated testing program called Cryptobot. Turn MailCloak on to attach your public key to all outgoing email, send Cryptobot an email, and wait for a reply to see what happens!

After you give MailCloak for Mail Clients a whirl, please tell us what you think on the MailCloak Encryption Forum. You can also use the forum to ask us your questions. We’ll do our best to answer your questions and help you through any problems you might have.

You also can find documentation on our email encryption wiki.

MailCloak, Release, Security, email, email encryption, encryption Beta, Email Encryption, email encryption software, Email Security, Release

Misguided Impressions.
A majority of the people I talk to mistakenly think that email is safe. The slightly more tech savvy among us – people who read about things like email security in Wired or Cnet or Lifehacker, believe, incorrectly, that HTTP/S encryption will protect their email from eavesdroppers. Yet only the true security aware understand that it takes “end-to-end” and “data-at-rest” encryption to truly protect an email message across its entire life cycle. These individuals also understand that whole accounts are practically impossible to protect – so they concentrate on protecting the important messages.

While it is true that “data-in-motion” encryption like SSL and HTTP/S will protect emails from internet-café wireless eavesdroppers; we should be cognizant of the fact that that’s about all they protect us from. As the notorious Sarah Palin incident so poignantly illustrates, it doesn’t matter how you connect to your webmail, using just data-in-motion encryption is not enough.

So let’s get things straight. HTTP/S, SSL and TSL protect your messages as they travel from you to your email service provider or vice versa – usually the first fraction of a second in an email’s online life. During the rest of the email life cycle, HTTP/S encrypted emails exist in plain text. Only true end-to-end encryption, encryption like MailCloak, FireGPG, Enigmail and PGP provide, can protect an important email for it’s entire life cycle.

The Email Life Cycle:
Below as an outlined the life cycle of a typical email. As you’ll see, an email passes through a lot of hands (routers) between sender and recipient – and there’s no way to tell how clean these hands are. We will use the example of you, a gmail user, sending email to your friend Alice, a Yahoo! Mail user, to make things more concrete.

1.    You write an email and click send.

2.    The email travels from your computer over your LAN to your router, it then “hops” to your ISP, and then over the Internet to Google’s nearest gmail data center. The connection between your computer and Gmail may be encrypted with HTTP/S. If so, your message will be protected across these hops (I usually count 12-15 hops on a traceroute to gmail). If you didn’t use HTTP/S, each of these routers could (and many of them do) copy and index your message – you have no way to know.

3.    The message arrives at Google, and is indexed and saved on redundantly backed up servers. You can now see your message in your “sent” mailbox.

4.    Google now sends your message across the Internet to Yahoo’s datacenter. You can’t do a traceroute from Google to Yahoo, but you can assume that the route takes at least a few hops. At this point your message is traveling in plain text, so each router between Google and Yahoo can copy and index your message. And of these routers may be located in a government surveillance center.

5.    Yahoo! receives and indexes your message, then transfers it to Alice’s inbox.

6.    Alice now connects to Yahoo! and downloads the message. Again, the message hops over a dozen or more routers or computers before reaching Alice.

7.    Alice reads the message.

8.    The message and attachment resides indefinitely on Google’s and Yahoo’s servers. Anyone who logs into either your or Alice’s account can search the account, and if they search the right keywords, they will find your message.

Protecting an Email Message Throughout its Life Cycle.
It turns out that with minimal changes to this life cycle and the user experience, a message can be permanently protected from any and all eavesdroppers. All one has to do is encrypt (cloak/scramble) the message between steps one and two (after clicking send, but before the message goes out over the network), and decrypt the message between steps six and seven (after downloading, but before reading) and the message will always be safe, because it will never be exposed to the internet in plain text. This is called end-to-end encryption because your message is only in plain text at the endpoints. It’s also called data-at-rest encryption, because the email is only stored as an encrypted message.

MailCloak and Standards-Based Encryption
MailCloak, along with a host of other OpenPGP based programs, will all help you to encrypt your messages with end-to-end encryption. When we wrote MailCloak, we chose to use GnuPG OpenPGP encryption because all OpenPGP programs can talk to each other – and there’s an OpenPGP program for just about every computing platform out there. If you have Windows XP and you use Gmail, Hotmail or Yahoo! Mail, or a standard POP3 Email Client, you can use MailCloak – MailCloak will be available for Vista and Windows 7 soon. If you have Mac or Linux we recommend FireGPG for Gmail on Firefox, Enigmail from your POP Mail.

Security, email, email encryption, encryption Email Encryption, Email Security

MailCloak Personal Edition, Email Encryption for Firefox is finally open for Beta Testers!

MailCloak is the new GPG based email encryption add-on for today’s top webmail services. MailCloak encrypts Google Gmail, Yahoo! Mail and MSN Live Hotmail with super strong 4096-bit key GPG encryption.

After you have installed MailCloak, you will be prompted to create a key pair, once that’s done you’re ready to go.

Check out our detailed quick-start guide if you want some hand-holding, otherwise go ahead and login to your web-based email account (This version supports Google’s Gmail, Yahoo! Mail and MSN Live Mail) and send someone an email. If MailCloak is turned on, your public key and an invitation to MailCloak will automatically be attached to this email. If the recipient is using GPG, PGP, or MailCloak, They will be able to send you encrypted email. When you get their key, you will be able to send them encrypted email. We’ve also created Cryptobot to make this easy to test.

Open Source Encryption, closed source connectivity.
We chose to build MailCloak on top of the industry standard, open source GNU Privacy Guard (GPG/GnuPG). GPG uses the OpenPGP standard, first written by Phil Zimmerman in 1982, OpenPGP-standard compliant encryption is used by 96 of the top fortune 100 companies, the Department of Defense, and millions of home and business users around the world.

Gwebs, Security, email, email encryption, encryption, software encryption, firefox add-on, GPG, PGP, Release

Last night I was at the Beijing Tweetup and had an interesting conversation with Rebecca MacKinnon and Andrew Lih about NGO and journalist security needs, which got me thinking this morning - NGO’s and Journalists really need an easy-to use-security tool designed to provide them with 100% fail-proof anonymity and security - and MailCloak - our new encryption tool, is perfectly positioned to help them out.

Why is MailCloak positioned to help? Because MailCloak allows you to send email from Yahoo, MSN and Gmail, and protect your messages with strong encryption. Yahoo, MSN and Gmail - are these known for anonymity? Well, maybe they aren’t known for it, but they are great tool because you can create disposable email accounts freely and easily.

Here are the steps, most of which I have previously documented:

1. Setup your proxy connection (and turn it on) to keep your IP address private when accessing services you wish to remain anonymous
2. Create a new free, disposable Gmail, Yahoo! Mail or MSN Live Hotmail account. Remember, don’t use any real personal information.
3. Download and install MailCloak on your computer, and have your contact do the same.
4. Exchange public keys and test MailCloak by sending trivial messages to make sure they go through encrypted. Only send important information after testing the encryption.

That’s it!

Security, email, email encryption, encryption, government Anonymous, email, NGO, proxy, Security

Recently, all of the big email providers in the consumer arena, including Yahoo! Mail, Gmail, and MSN Live Mail have begun to offer “security solutions”.  Google Apps, Microsoft’s Live Admin Mail, Bluetie and Rackspace also offer business security solutions for both small and large enterprises.
But what are these solutions, and how does our new product, MailCloak, differ from them?  In this blog post Sarah Yu, Global Web Security Systems’ (gWebs) marketing executive, interviews gWebs CTO and lead programmer Jin Anderson to discuss what’s happening in the email security space and how MailCloak differs from the security solutions already offered by these providers. I have translated this post from the original Chinese.

“Let’s take the metaphor of snail-mail. The username and password authentication system is a lot like the key to a mailbox. If this key is copied or stolen, all the mail inside can be stolen and read. But MailCloak is like a steel envelope. It will protect the message even if an intruder guesses or steals your login credentials.”

Read more…

Security, email encryption, encryption, interview, software Email Encryption, Email Security, gWebs Team

Well, we’ve had a working beta for several weeks now… but just working isn’t enough, so we have been adding features for the last few weeks. MailCloak now supports 11 email providers: Gmail, Hotmail, Live, MSN, Yahoo!, tom.com Sina, Sohu, 163, and more. We have updated our configuration page, got draft and attachment and message encryption working and stable, and whole lot more. We are now in the last phases of internal beta testing and, if all goes well, we will open our beta to the public some time next week.

Gwebs, Security, email, email encryption, encryption, software email encryption software, MailCloak, Update

Here at Global Web Security we have been working round the clock to bring our users a new, brighter, better, more functional and more interesting website. Our homepage has undergone a complete rewrite and redesign.

We’ve added a forum and tons of information about our MailCloak software (which provides strong encryption for webmail), as well as brief introductions for products that are in development: PassDancer our biometric authentication software, DriveCloak and DocCloak. In-depth documentation is coming soon!

Also MailCloak is now “open” for beta testing. Sign up here!

About MailCloak: MailCloak is Strong encryption software for Webmail. MailCloak utilizes GnuPG to encrypt email on Gmail, Yahoo! Mail, Hotmail and re em

Security, email, email encryption, encryption, software Email Encryption, email encryption software, Email Security, Gwebs, MailCloak 3.0, MSN Live!, Webmail Encryption, Yahoo! Mail

Here at Gwebs, the makers of the world’s easiest encryption software, we’ve been hard at work on a new, completely re-written and altogether better version of WebmailSafety. So much about this product has changed that we’re even changing the name!

Gwebs WebmailSafety, which offers email encryption for Webmail and desktop clients, is now called MailCloak, and with version 3.0 on the way webmail users are in for some great surprises.

Like what?

The world’s easiest encryption software just got even easier!

Here are the basic features:

• Free!
• Automatic protection for emails and attachments.
• Supports Internet Explorer、Firefox and Outlook.
• Supports Gmail, Hotmail, Live mail, AOL Mail, Yahoo mail, 126 mail, QQ mail and 163 mail.
• Auto-update keeps you secure with the latest features and bug-fixes installed as soon as they are available.
• Simplified backup.
• Automatic Key Management.
• No Adware, Spyware, or Malware.
• Easy invitations.
• Automatic draft encryption.
• Enable/Disable with a single click.
• Supports English, Simplified Chinese, Traditional Chinese and French.

Read more…

Security, email, email encryption, encryption, google, personal Email Encryption, Email Security

The WebmailSafety Tour!

WebmailSafety is Gwebs new encryption product for Gmail, Hotmail, Yahoo! Mail and AOL Mail and with WebmailSafety’s new 2.0 release out yesterday, it’s high time for a walkthrough!

But first, be sure to download WebmailSafety 2.0 at www.gwebs.com!

1. The First Time You Run Gwebs WebmailSafety
2. Logging into Webmail With A Secure Browser
3. Receiving Normal Email
4. Receiving Encrypted Email
5. Sending Normal Email
6. Sending Encrypted Email
7. The Invitation Process

1. The First Time You Run Gwebs WebmailSafety.
   1. Follow the wizard to create a WebmailSafety account and bind one or more email addresses to it.
   2. When you create an account, WebmailSafety automatically generates a key pair
      (a public key and a private key,)
      and binds it to your new account.
2. Logging into Webmail With A Secure Browser.
   1. Run WebmailSafety and click on a bound email address.

   

   2. WebmailSafety launches a safe version of Microsoft Internet Explorer (The plug-in is only installed when you
      launch MSIE from within WebmailSafety) and directs it to the correct domain.

   

   3. Manually login.
3. Receiving Normal Email: It Just Works!
4. Receiving Encrypted Email: It Just Works!
5. Sending Normal Email.
   1. Go to the Gwebs icon in the Windows Task Bar and select “Disable Temporarily” so that it becomes checked.*
   2. Send email as usual.

*The WebmailSafety Tray Icon should appear inside a circle with a line through it. (like this: )

6. Sending Encrypted Email.
   1. If WebmailSafety is disabled, go to the Gwebs icon in the Windows Task Bar and select “Disable Temporarily” so that it becomes unchecked.*
   2. If attaching files be sure to enter your recipient before selecting the files, so that WebmailSafety
      knows who’s key to use when encrypting the attachments.
   3. Send email as usual.**

*The WebmailSafety Tray Icon should appear normal. (like this: )

7. The Invitation Process: If you don’t have a person’s public key.
   1. WebmailSafety will notify you that you don’t have their public key.
   2. Enter a Passphrase.

   

   3. WebmailSafety uses AES-256 Symmetrical Encryption to encrypt your email with this passphrase.
   4. WebmailSafety automatically attaches your public key and a WebmailSafety download link to this email so the recipient can easily install WebmailSafety, read, and reply to this email.
   5. Call, SMS, IM, or use some other method to tell your contact this passphrase.
   6. When the recipient replies to this email, their public key will be attached to their reply
   7. Now that you have their public key, simply send them email from the safe browser and it will be encrypted.

Well, that’s it for the walk through! Hope you enjoyed it, and don’t forget to check out www.gwebs.com for more info and new downloads!

Gwebs, Security, WebmailSafety, email, email encryption, encryption, help, how to, software, walkthrough decryption, Easy To use, encryption, Gwebs, how to, Instructions, tour, Walk Through, webmail, WebmailSafety