Search options

You don't need to add support for symmetric encryption to FireGPG. In reality, you ARE using symmetric encryption within any asymmetrically encrypted message.  Here is how it happens:

1. gpg generates a random hash key based on the preferences of the recipient(s).  It normally uses SHA1, since that is the lowest common denominator that will work with everybody.  There ARE some exceptions but most of you are using SHA1 as Digest Algorithm anyway.

2. gpg encrypts that key using the other person's public key (meaning only they  can get the key back).  If you have multiple recipients it makes little difference whether you used either the same key or a different one since each recipient gets their own encryption of the hash key.

3. gpg then symmetrically encrypts the message itself using the hash key.  It makes as many copies as there are users, since each user has their own symmetric cipher preference.

4. gpg then gloms all this together and gives it to the email program which in turn sends if off.

Now on the receiving end ...

1. gpg extracts both that person's asymmetrically encrypted key and that recipients copy of the encrypted message based on what key they are using for that email address.

2. gpg asks the user for their public / private key pass-phrase.

3. gpg uses the pass-phrase to decrypt the asymmetrically encrypted key that was randomly created (which is why the OpenPGP people CONSTANTLY caution you NOT to use the same random seed).

4. Using that key gpg asymmetrically decrypted, gpg then uses that key to decrypt the message itself.

In short, you don't need symmetric encryption within FireGPG.  If on the other hand somebody wants to use one of the symmetric ciphers to encrypt a file then they can do that via various means and send that as an attachment.  But symmetric encryption itself other than what is going on under the hood is NOT needed in FireGPG.  It also is *NOT* provide by ANY of the POP email programs, nor should it be.

One of the benefits of asymmetric encryption is that once I have encrypted something for somebody else, even *I* cannot decrypt it.  IMHO, symmetric encryption is *NOT* needed in FireGPG.  What is needed is to hash (pun intended) why signing isn't working.  INLINE encryption works great with ALL of my tests - NONE of the encryption tests have failed yet.

First, I am NOT one of the authors of FireGPG. Were you asking about OpenPGP/MIME signing or just signing period?  Pull down the following file and look at some of my tests of the signing (all INLINE):

http://www.securemecca.com/FireGPG.zip

The results are pretty dismal.  I imagine my huge digest algorithm doesn't help (SHA-512). On the other hand INLINE encrypting / decryping works well and sometimes OpenPGP/MIME *decrypting* works.  But I was only able to do that ONCE.

WebMail puts sever constraints on what you can do, and INLINE is the only thing that they have a chance of doing anything with regularity.  It is just that the only bundled POP / IMAP MUA program with Ubuntu Linux is Evolution and unless it has become better, it only accomodates OpenPGP/MIME.  Thunderbird is NOT bundled with Ubuntu Linux. Apple's Mail App is the same way - it only handles OpenPGP/MIME.

What I was trying to get the authors to do was just say that FireGPG does INLINE so people don't get confused.  Initially that one successful decrypt for a OpenPGP/MIME encrypted message was what made me wonder what was happening.  Since then, I haven't been able to get OpenPGP/MIME decrypting to work (sending from myself to myself).

I went over and read what they said about Rich Text.  Please enlighten me because the only options I see for the WebMail services are the following:

Gmail:
Choice of default (assume plain text) and UTF-8

Hotmail:
I can't find any choices so the default is probably plain text.

Yahoo:
plain text or color & graphics.  I assume putting it in the color & graphics mode allows you to embed graphics and thus it becomes HTML format.  Since plain text is safer, that is what I use.

AOL / Netscape:
I can't see any choice, but since I didn't want to set it to not view or compose all email messages in separate windows, I abandoned it.  At the time I wanted to use the Tools -> FireGPG for every message check because I was uncertain whether the GMail buttons were causing the problems. I will check it again in a few days now that I have it set not to open Window for every message read or composed to see if that makes a difference.  I am intentionally using the web mail services in the way most people use them - with the defaults.  Those are the defaults, and I didn't want to contend with a right click screwing up the results.

I do need to say that I have done EXHAUSTIVE tests with the first three Webmail services and one POP mail account using Thunderbird (it is the only MUA I use that has support for INLINE).  The signing results have been dismally poor at best.  You can all download the results of the test by pointing the browser to:

http://www.securemecca.com/FireGPG.zip

This file is HIDDEN.  In other words almost everything at those web pages are hidden, so don't go the host itself and expect to maneuver around and find the file.  I haven't got around to building the web site yet.

I was ready to say that it must be a browser thing, but if it is, then why are ALL of my tests of encryption okay?  I must admit that I am signing with a SHA-512 digest, and the encryption may be using only SHA1, but lots of other people are having problems signing using SHA1.  Even worse, there are times that the verify fails or succeeds with FireGPG, and it does the converse (succeeds or fails, respectively) when I copy the mail message into a file and verify it from the command line (gpg --verify).  That does NOT instill confidence.  I am working from Fedora Linux, so the RTF (I assume you mean Rich Text Format - now if you mean UTF-8 that may mean something else) is almost meaningless.  You can't count on sending your messages to your POP or IMAP mail friends and have them do anything with them. There should be no difference between CR+LF versus just LF either since in making a check sum, gpg skips both of those characters.  Look at my tests in detail and maybe you can deduce something from it.  I am still searching for a pattern, and you have ALL of the short sign test email messages (I edited off the headers saved out by Thunderbird) to look at to make up your own mind.  I took the liberty of converting all LF -> CR+LF for the Windows users.  EMail sends with CR+LF anyway, not with LF.

I am NOT going to change my digest algorithm choices.  Further, All I know is that signing is OUT for FireGPG for now.  I can't even verify over 75% of my messages.  Even worse is what happens when I select the text and paste it into a file.  That becomes baffling when what verified in FireGPG doesn't verify from the command line, or what didn't verify in FireGPG does verify on the Command Line.

Asking for RTF is out of the question.  There is no native RTF (do you mean UTF-8?) support on Linux.  I don't want fancy messages verified.  Plain text is fine.  More to the point, since ALL of my encryption tests passed with flying colors, it makes the incosistent results of the sign tests even more baffiling.  I will do a few more tests with my AOL/Netscape webmail account (private UID addition to my keys) in the next few days and make it available at the same web site as AOL_FireGPG_SignTest.zip.

I really the FireGPG authors do need to make it plainly apparent that you should use INLINE signing at least, and preferably INLINE encryption (although web mail does handle OpenPGP/MIME encryption okay - the OpenPGP/MIME signing ends up with results that are all over the wall.  By that I mean one email service makes attached files, others embed things, etcetera. That makes OpenPGP/MIME impossible to use.  I figured it would.  Something needs to be said to users that they are primarily using INLINE (which I have no problem with even if I am using Evolution or Mac's mail app since I can save them out to a file and verify manually if I need to).

Be back in a few days ...

I think the main thing you need to say is that FireGPG does only INLINE, although I believe I was able to decrypt one OpenPGP/MIME encrypted message sent from a POP mail account.  I have not been able to repeat that feat though.  Maybe I confused the Thunderbird window with the Firefox window (they do look very similar) because at the time I was VERY tired. I have four WebMail accounts (for testing various things) and two pop mail accounts and have been testing this plug-in extensivle using only my own key.  I really do think you need to say you are using INLINE.  It took me a while to deduce that.

Other than that, I don't feel any burning need for documentation, and I must confess I can't understand you saying that Yahoo and HotMail aren't supported.  Just because there isn't a button, all people need to do is select the text and use the Tools -> FireGPG options of encrypt  or verify in going through those two WebMail programs.  AOL will NOT work with FireGPG.  They bring up that panel / window making it impossible to get to the menus. But if somebody is using Evolution for their POP mail account (it is the default MUA for IMAP & POP mail on Ubuntu Linux), they won't know why the two won't interoperate.  People need to be told that the POP person will need to use INLINE.  But I do feel that your major thrust needs to be for Windows.  One person told me that they needed WinPT.  I don't think that is necessary, but it is necessary to tell them how to add the ";%ProgramFiles\GNU\GnuPG" folder to the path to be sure gpg.exe can execute.

Good JOB!