PaulSpoerry.com

You found me… insights on technology, philosophy, Windows, hacking and more.

Gmail is getting PGP Signatures

PaulSpoerry | February 13, 2009

OK, for those who don’t know what PGP is, let’s start with a brief explanation. PGP stands for Pretty Good Privacy. PGP encryption uses public-key cryptography and includes a system which binds the public keys to a user name and/or an e-mail address. Basically, PGP can be used to detect whether a message has been altered since it was completed and to determine whether it was actually sent by the person/entity claimed to be the sender (aka it’s a digital signature). In short, it allows you to encrypt information, check that the received information was not altered, and verify who it actually came from.

I know that sounds complicated, so let me try to break it into layman’s terms. You download PGP and create a public key and a private key. They are both called keys… but I prefer to look at it like this: Public Key = lock, Private Key = key. Your public key can be shared with anyone. They can use your public key to encrypt anything they want and send it to you. Once they encrypt it with your public key (aka the lock) nobody can open it but you with your private key (aka the key)… not even the sender.
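The lock/key roles and the tamper check described above, as an added example that is not part of the original post. It uses plain RSA from Node's built-in crypto module rather than the OpenPGP message format, and the function names and sample message are constructed for illustration.

```javascript
// Added illustration: plain RSA via Node's crypto module, not OpenPGP itself.
// Function names and the sample message are constructed for this example.
const nodeCrypto = require("node:crypto");

function makeKeyPair() {
  return nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
}

// Signing uses the sender's PRIVATE key; anyone with the public key can check it.
function sign(message, privateKey) {
  return nodeCrypto.sign("sha256", Buffer.from(message), privateKey);
}

function verify(message, signature, publicKey) {
  return nodeCrypto.verify("sha256", Buffer.from(message), publicKey, signature);
}

// Encrypting uses the recipient's PUBLIC key (the "lock").
function encryptTo(publicKey, message) {
  return nodeCrypto.publicEncrypt(publicKey, Buffer.from(message));
}

// Only the matching PRIVATE key (the "key") opens it.
function decryptWith(privateKey, ciphertext) {
  return nodeCrypto.privateDecrypt(privateKey, ciphertext).toString();
}

function pgpRolesDemo() {
  const sender = makeKeyPair();
  const recipient = makeKeyPair();
  const mail = "Meet at 10:00 on Friday.";
  const signature = sign(mail, sender.privateKey);
  const sealed = encryptTo(recipient.publicKey, mail);

  // The sender holds only the recipient's public key, which cannot decrypt.
  let openedWithoutPrivateKey = true;
  try {
    nodeCrypto.privateDecrypt(recipient.publicKey, sealed);
  } catch {
    openedWithoutPrivateKey = false;
  }

  return {
    validSignature: verify(mail, signature, sender.publicKey),
    tamperedAccepted: verify(mail.replace("10:00", "11:00"), signature, sender.publicKey),
    wrongSignerAccepted: verify(mail, signature, recipient.publicKey),
    opened: decryptWith(recipient.privateKey, sealed),
    openedWithoutPrivateKey,
  };
}
```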

Phil Zimmermann created the first version of PGP encryption way back in 1991. It’s gone through several revisions since then, changed hands many times, and has finally landed back in the hands of several ex-PGP team members who formed a new company, PGP Corporation. Confusingly, PGP stands for both the company and the technology. In reality there are open source (free) implementations of PGP that you can use.

When PGP first hit it scared the CRAP out of the government. The spooks wanted to control strong encryption. At the time PGP was created, cryptosystems using keys larger than 40 bits were considered munitions by the government; PGP has never used keys smaller than 128 bits, so it qualified at that time. Penalties for violation, if found guilty, were substantial. Zimmermann found a very novel approach to getting around this which you can read up on here.

I’ve been a PGP user for a LONG time. Most people don’t understand why. To be honest, I have very few people to whom I can send encrypted or digitally signed emails. And that’s a shame. Most people don’t understand that email travels around the net UNENCRYPTED. That’s right… it’s just like writing a letter and not even putting it in an envelope.

OK, so what does this have to do with Google and Gmail? Apparently, a new Gmail feature was spotted that checks if the PGP signature attached to a message is valid. The following was spotted in Gmail recently:

PGP in Gmail

So Google is playing around with public key cryptography to provide a method for employing digital signatures. Digital signatures enable the recipient of information to verify the authenticity of the information’s origin, and also verify that the information is intact. Sweet… if Google does this, digital signatures for the masses! Google has been pumping out new Labs features at a furious pace lately… hopefully we can expect to see this very soon!

To see code snippets and read more check out Google Operating System.


Offline GMail – Is it secure?

PaulSpoerry | January 29, 2009

Gmail finally provided “offline” mode via Google Gears. So when Gears is enabled you can access your Gmail from your browser any time… even when you’re not online! Ok so that’s cool… but where does it store the data and is the data secure?

When a website attempts to interact with a Gears datastore, Gears uses the same origin policy as its underlying security model. In a nutshell, the policy permits scripts running on pages originating from the same site to access each other’s methods and properties with no specific restrictions, but prevents access to most methods and properties across pages on different sites. This means that a web page with a particular scheme, host, and port can only access resources with the same scheme, host, and port.

This means a site using Gears:

  • Database: Can only open databases created for that site’s origin.
  • LocalServer: Can only capture URLs and use manifests from the site’s origin.
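The origin rule described above, as an added example that is not Gears code or part of the original post. `OriginScopedStore`, its methods and the `mail.example.com` URLs are hypothetical; the store only models how databases are filed per scheme, host and port.

```javascript
// Added illustration: models origin-scoped storage as the post describes it.
// OriginScopedStore and its method names are hypothetical, not the Gears API.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// An origin is the (scheme, host, port) triple; path and query play no part.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

class OriginScopedStore {
  constructor() {
    this.byOrigin = new Map(); // origin string -> Map(database name -> rows)
  }
  create(pageUrl, name, rows) {
    const origin = originOf(pageUrl);
    if (!this.byOrigin.has(origin)) this.byOrigin.set(origin, new Map());
    this.byOrigin.get(origin).set(name, rows);
  }
  // A page can only see databases filed under its own origin.
  open(pageUrl, name) {
    const databases = this.byOrigin.get(originOf(pageUrl));
    return databases && databases.has(name) ? databases.get(name) : null;
  }
}

function originDemo() {
  const store = new OriginScopedStore();
  // Constructed sample data, created by a page on https://mail.example.com.
  store.create("https://mail.example.com/mail/", "messages", ["constructed row"]);
  return {
    otherPath: store.open("https://mail.example.com/settings", "messages"),
    explicitDefaultPort: store.open("https://mail.example.com:443/", "messages"),
    otherScheme: store.open("http://mail.example.com/mail/", "messages"),
    otherPort: store.open("https://mail.example.com:8443/mail/", "messages"),
    otherHost: store.open("https://example.com/mail/", "messages"),
  };
}
```

The check stops at the browser: as the post goes on to say, the database file on disk is protected only by the operating system login.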

The data is stored locally using a SQLite database. The downer is that your data within this database is NOT encrypted. Gears data files are protected with the user’s operating system login credentials. Users with separate login names cannot access each other’s Gears data files… but this is only enforced by the operating system.

If two users are sharing the same login to the operating system they could theoretically access each other’s Gears data files, just as they could access any other file on the machine.


GMail Account Activity – ensure your GMail account is not hacked

PaulSpoerry | October 2, 2008

There’s a little-known feature in GMail called Account Activity that can help ensure your account is not being hacked.

Recent activity includes any times that your mail was accessed, using a regular web browser, through a POP client, from a mobile device, etc. You’ll see a list of the IP addresses from which the access was made, as well as the time and date.

Here’s a screenshot from my GMail account:

(FYI… the reason my GMail is in grey is because I’m using the Better GMail 2 FireFox Extension, which adds all kinds of cool functionality, including some cool themes, to GMail.)

Clicking the Details link next to the Last account activity line at the bottom of any Gmail page shows information about recent activity in your mail.

The sweetness is that if at some point while you’re logged in someone else logs into your account the bottom line will change to something like:

This account is open in 1 other location at this IP (xx.xx.xxx.xx)

Again, clicking the Details link will provide a much more granular level of detail about when, where, and how your account has been accessed.

Here are 3 things you should pay attention to:

1. IP Address – If you usually sign in to Gmail using a single computer then your IP address should be the same, or at least have identical first two sets of numbers (ex. 212.10.xx.xx).

2. Access Type – This column displays the way your account was accessed. For instance, if you read your email ONLY from a browser (Firefox, IE, Safari etc.) but one of the entries shows POP or IMAP access, there is a good chance your account is compromised.

3. Concurrent Sessions – If your mail is currently being accessed from another location, you’ll see it here.

In the example above you can see that I have Browser, Atom, and IMAP. The IMAP access is Outlook connecting to GMail, Browser is… well, FireFox accessing it. Atom may look strange but that’s my GMail Counter Vista Sidebar gadget.

If you’re concerned about any concurrent access, you can sign out all sessions other than your current session by clicking Sign out all other sessions.
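The three checks listed above, applied to a handful of activity rows, as an added example that is not part of the original post. The row fields, `PROFILE` and `reviewActivity` are hypothetical names, and the rows are constructed with documentation-range IP addresses rather than copied from Gmail.

```javascript
// Added illustration: field and function names are hypothetical, and the rows
// are constructed (documentation-range IPs), not real Gmail output.
const SAMPLE_ACTIVITY = [
  { type: "Browser", ip: "192.0.2.10", when: "10:02 am", concurrent: false },
  { type: "IMAP", ip: "192.0.2.10", when: "9:58 am", concurrent: true },
  { type: "Atom", ip: "192.0.2.44", when: "9:30 am", concurrent: false },
  { type: "POP", ip: "192.0.2.10", when: "3:12 am", concurrent: false },
  { type: "Browser", ip: "203.0.113.77", when: "2:47 am", concurrent: true },
];

// What "normal" looks like for this account holder (assumed values).
const PROFILE = {
  currentIp: "192.0.2.10",
  usualPrefixes: ["192.0"],
  expectedTypes: ["Browser", "Atom", "IMAP"],
};

// Check 1 compares only the first two sets of numbers of the address.
function firstTwoOctets(ip) {
  return ip.split(".").slice(0, 2).join(".");
}

function reviewActivity(rows, profile) {
  const findings = [];
  for (const row of rows) {
    const reasons = [];
    if (!profile.usualPrefixes.includes(firstTwoOctets(row.ip))) {
      reasons.push("unfamiliar IP range");
    }
    if (!profile.expectedTypes.includes(row.type)) {
      reasons.push("unexpected access type");
    }
    // A concurrent session from your own address (e.g. a mail client on the
    // same machine) is expected; one from elsewhere is not.
    if (row.concurrent && row.ip !== profile.currentIp) {
      reasons.push("open in another location");
    }
    if (reasons.length > 0) findings.push({ ...row, reasons });
  }
  return findings;
}
```

Calling `reviewActivity(SAMPLE_ACTIVITY, PROFILE)` returns the POP row and the 203.0.113.77 row with the reasons each was flagged.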
