Comments for usability | security | freedom

Comment on Stop Google recording your chats by apapadop

apapadop — Sat, 05 May 2012 10:40:00 +0000

Quick answer: No and no. Longer answer: I'm not a cryptographer, but the protocol description and the levels of trust I have for the people who designed the protocol compel me to answer "no, that first exchange was not the key used for encryption" (since OTR uses Diffie/Hellman aka asymmetric aka public-key cryptography for key exchange). See http://www.cypherpunks.ca/otr/Protocol-v2-3.1.0.html for a high-level description of the steps taken for the Authenticated Key Exchange (AKE) and https://en.wikipedia.org/wiki/Off-the-Record_Messaging#Implementation for an overview of the protection you get with OTR. It's not just public crypto - it also provides deniability (i.e. your messages are not digitally signed by you) and perfect forward secrecy (i.e. even successful cryptanalysis of one of your messages does not compromise your other messages). OTR is pretty serious crypto, with a solid theoretical background and well-respected people implementing and improving the protocol and implementations. UPDATE: See a more official response from the horse's mouth: http://lists.cypherpunks.ca/pipermail/otr-users/2012-May/002006.html

Comment on Stop Google recording your chats by U

Fri, 04 May 2012 18:58:37 +0000

So I used Adium for one of my google accounts and Gibberbot with another account. I added the accounts on each other and initiated OTR chat.

But I noticed on the chat history in browser that even before the first encrypted message is sent, the accounts exchanged some random large string of text and numbers. Much like the subsequent encrypted chats.

My question is: was the first exchange the key used for encryption? Because Google has that text, can they decrypt the chats?

Comment on Google 2-step verification – a usability note by fox

fox — Thu, 05 Apr 2012 12:09:24 +0000

I found a workaround that actually works:

Allow Chrome to save all cookies.
Install CCleaner and go to:

Options–>Settings
and check “Run CCleaner when computer starts” (unfortunately there is no option to delete cookies on shutdown…)

Options–>Cookies
Drag and drop the cookies you want to keep to the corresponding table on the right-hand side. For example: mail.google.com

This will do until someone found a better solution.
Hope it helps…

Please feel free to post this comment to other forums…

Regards,
fox

Comment on Google 2-step verification – a usability note by fox

fox — Thu, 05 Apr 2012 11:43:46 +0000

This is really weird.
All the google cookies are still there. So the exception rule seems to work. However, 2-step verification still asks for the password every single time. So I was thinking that it must be one of my apps/extensions. I checked them but they do not delete any browser data. Then I played around with the Chrome options:

If one unchecks the “delete cookies when Browser is closed” option, the 2-step verification indeed saves the code, i.e. the problem is clearly not related to apps/estensions, but to the workaround using [*.]google.com: The cookies are not being deleted. However, there must be one single entry within a cookie that gets erased…

Any ideas?
Thanks,
fox

Comment on Google 2-step verification – a usability note by apapadop

apapadop — Thu, 05 Apr 2012 11:03:51 +0000

Try setting your homepage to “blank”, then close Chrome, then launch it again.

Now look at your cookies – if there is nothing there, the Google accounts cookie is being deleted and that’s why you’re asked for 2-step verification again. You’ll have to figure out what deletes that cookie.

Do post back with results!

Comment on Google 2-step verification – a usability note by fox

fox — Thu, 05 Apr 2012 10:05:53 +0000

Thanks for the good hint!

I am using Google Chrome and do have the same problem. However, even when I allow the google account cookies to be stored via the exception option, I will have to log in using 2-step verification every single time…
Any idea why this still doesn’t work?

Thanks,
fox

Comment on Tor relays in the Amazon cloud: usage charges by apapadop

apapadop — Thu, 05 Apr 2012 00:15:36 +0000

Not sure either but (a) I don’t see why not and (b) assume Tor people have done their homework.

Comment on Tor relays in the Amazon cloud: usage charges by Blah

Blah — Wed, 04 Apr 2012 00:05:12 +0000

Not familiar, but do the terms of service for AWS allow Tor?

Comment on Tell websites you do not want to be tracked by Manish

Manish — Wed, 28 Mar 2012 21:59:22 +0000

quite informative! Didnt know about DNT… the referenced articles n blogs are quite interesting too… !

Comment on How I managed to donate to OpenStreetMap by Harry Wood

Harry Wood — Sun, 11 Dec 2011 11:42:36 +0000

Geez. Maybe you should’ve just installed ubuntu on the machine itself to blow away all the malware …and windows

Thanks for the donation, and all the effort it involved! We’re getting towards two-thirds of the target amount now.

Good travels!