[guardian-dev] An email service that requires GPG/PGP?

Tom Ritter tom at ritter.vg
Wed Aug 14 19:12:24 EDT 2013


On 14 August 2013 18:01, Richard <rz at linux-m68k.org> wrote:
> On the other end of the paranoia scale I would like to remind folks of the
> mixmaster remailer chaining technique which does much more than plain
> encryption - as far as I can see it is theoretically completely untraceable.

That statement is not correct.  Mix networks require more effort to
trace than normal packets or Onion Routing, but are not even close to
"theoretically completely untraceable".  I'll point to Syverson's
papers (Why I'm not an entropist, and Sleeping dogs lie in a bed of
onions) and Serjantov's "From a Trickle to a Flood."



On 14 August 2013 10:17, Ralph Holz <holz at net.in.tum.de> wrote:
> Hi Tom
>
>> Aside from StartCom (free) most CAs have roughly the same price and
>> service.  Since service is equivalent, you're free to choose a CA
>> based on your political opinion, and not worry about missing out on
>> 'features'. It's basically like voting in an election - elections are
>> won by tens or hundreds of thousands of votes, so it seems like one
>> vote doesn't matter.  But it can add up.
>
> Not sure if you know this one, but this article paints a somewhat more
> complex picture of the HTTPS economics. In particular, companies buy
> from the big players because, alas and behold, they're too big to fail
> and will never be removed from root stores:
>
> @INPROCEEDINGS{Asghari2013,
>   author = {Asghari, Hadi and van Eeten, Michel J. G. and Arnbak, Axel
> M. and van Eijk, Nico A. N. M.},
>   year = {2013},
>   month = {March},
>   title = {Security Economics in the {HTTPS} value chain},
>   location = {Washington, D.C., USA},
>   booktitle = {Proc. 12th Ann. Workshop on the Economics of Information
> Security (WEIS 2013)},
> }


I had not seen that paper, that's cool thanks.  However, it seems
they're observing data (EFF Observatory and Market Prices) and drawing
conclusions about why companies make decisions.  It would be easier
and more reliable to just... ask the companies why they do what they
do.  They seem to omit that somewhat important step to support their
conclusions.

-tom

