Another short blog entry which isn’t really for software producers, but aimed at everyday software users: I found it more difficult than necessary to set up encryption. Here is what I did; maybe this can help somebody.
Encryption is a really big deal. If you already do this and worry about real classified stuff, don’t read on. You already know how to handle encryption and these simple instructions may be useless for you.
If you simply load your security certificates into your browser and are happy, you can also stop wasting your time reading this blog. That is probably good enough for many users.
People in between (like me) just think the standard processes to use encryption are too complex. The system may be foolproof, but it for sure fails to convince me that the stuff I’m sending around doesn’t contain my private keys. I may have an ultra-secure certificate, but why should I think my computer keeps it really secret? Some unknown code in my browser somehow uses a certificate, paints nicely closed locks on the monitor and what not. But I know my normal desktop computer is not safe. I know my virus checking program does safely catch about 60% of the simpler viruses (and secretly deletes binaries of tamper-proofed test programs, which it usually assumes to be malicious).
Getting concrete: a few programs which are really simple to use, so simple you might avoid making mistakes of your own. So simple that their code is self-contained and far away from most malware that has already attacked your computer.
1) Encrypting or decrypting any file. That program creates a window. You give it the password and simply drag and drop files into it.
http://spi.dod.mil/ewizard.htm In the middle of the page it says “Download EW-Public”. Unzip the file you download and create a directory. No installation is required. The directory contains simple instructions.
2) To encrypt or decrypt just lines of text, e.g. within an email message. The recommended program creates a window with a form field for the password. To use that program, use drag and drop as with the other program, only this time use lines of text instead of complete files.
http://www.fourmilab.ch/javascrypt/ Use what they call the “Lean” version. The simpler a program is, the fewer chances you have of making errors. You can make a local copy. No installation is required. The directory contains the full program and simple instructions.
3) When security really matters, there exists a program which can be used to make an otherwise unsafe computer safe. How? Use is simple: you reboot your computer into that program. You get a “desktop” which is safe and completely separated from your file system. Among other security tools, this program already contains both encryption applications mentioned above.
http://spi.dod.mil/lipose.htm Get one of the “LPS-Public ISO Images”.
And now for the grand finale: Watch the short movie: “Signs that your software needs better protection.”
http://spi.dod.mil/docs/Top_Ten_640x360.wmv