Mailvelope is available as a web browser extension for Chrome / Chromium and Firefox. It uses OpenPGP.js to add encryption and digital signature capability to any webmail service.
Enigmail is a seamlessly integrated security add-on for Mozilla Thunderbird. It allows you to use OpenPGP to encrypt and digitally sign your emails and to decrypt and verify messages you receive.
Enigmail is free software. It can be freely used, modified and distributed under the terms of the Mozilla Public License.
This training, designed by Le Goût du Libre for the Réseau Alternatives, is published under a CC-BY-SA license. It is intended for anyone who wants to improve the security of their computer systems and processes (email, web, etc.) using free software.
Topics covered include:
- Risk assessment and threat models
- Review and presentation of definitions from a security glossary
- Choosing and managing passwords well
- Protecting a personal workstation (laptop or desktop)
- Protecting mobile devices (phone or tablet) (1h)
If you're worried that you're not paranoid enough about your communications security and want to improve your OpSec, it is actually fairly easy to go "full-Sn*wden" with hardware storage of your PGP secret keys. The Yubico Yubikey-Neo and Neo-N USB tokens are a neat (and cheap) way to keep your keys locked in a hardware device rather than stored as a file on your hard drive. The hardware tokens are compatible with the OpenPGP card protocol, which recent versions of GnuPG support out-of-the-box. All of the public-key cryptography happens inside the tamper-proof device, so your secret key is never decrypted in your machine's memory nor stored on its disk.
It's possible to publish your public PGP key in the DNS. There is a really good guide at http://www.gushi.org/make-dns-cert/HOWTO.html which explains the three different methods in detail. It's really simple though, so I'll explain how I did it. I'm going to replace my email address with a fake address to avoid feeding the spambots.
People often suggest that inline PGP signatures in e-mail are somehow more compatible or more acceptable than using PGP/MIME. This is a mistake. Inline PGP signatures are prone to several failure modes, up to and including undetectable message tampering.
There's no public key encryption for Android yet, but that's an important feature for many of us. APG tries to fill that void, with new features quickly being added. Hopefully APG will grow into a fully functional OpenPGP implementation of GPG or PGP calibre.