Image: Apparently there are security issues with GPGSuite beyond keeping track of users’ IP addresses with an auto-updater.

The leading OpenPGP client for Mac OS X has recently pushed a security update due to a bug that allows a local user to execute shell commands with root privileges.

As if that weren’t enough, by default, GPG Suite regularly contacts gpgtools.org to check for updates. So not only does gpgtools.org keep tabs on the IP addresses you use without explicitly getting permission, but a carrier or state-level entity could easily compile a list of GPG Suite users by monitoring requests to the gpgtools.org upgrade server (here and here). It doesn’t matter that they are using SSL/TLS, because the private information is your IP address. Think about it: after a few months, your upstream carrier (or whoever has access to their logs) could compile a list of every IP address that users of GPG Suite use. My opinion of GPG Suite users notwithstanding, I am sure they have more interesting data stored on their computers than the average person.

NouveauPG is sandboxed, so it is entitled only to access files selected by the user using the system open and save dialog box. Absolutely no network access allowed. (The only autoupdate mechanism is through the App Store version, which is the same one used for OS X autoupdate. There is no way for a third party other than Apple to know exactly what is being updated, and tracking IPs to the Apple update servers will only give you a list of Macintosh users.)

Image: Activity Monitor showing all the unsandboxed processes from a GPG Suite installation.

Image: Activity Monitor showing the single sandboxed process for NouveauPG.
import their certificate into NouveauPG.

Image: You can import public key certificates from either the clipboard or a file.

Before using a certificate, be sure it’s valid. NouveauPG will warn before performing encryption with an invalid certificate.

Click on Compose Message to write a new message for the recipient. You can either type a message or choose a file to encrypt. At this time, NouveauPG will only encrypt plain text files. (UTF-8 is supported.) You can export your encrypted message by copying it to the clipboard or saving it as a text file.

If you wish to receive encrypted messages from another party, you must first create a new identity. Press the add button in the lower left-hand corner of the window. An identity looks a lot like the public key certificate, but you have two more options: Decrypt Message and Private Keystore. The two new options are protected by the password you chose while creating the account.

To decrypt a message, either paste the encrypted message in the space provided or load an encrypted message from a file.

You should use the Private Keystore feature to back up your identity. Make sure your keystore is saved on an encrypted volume. To restore an identity, or move it to a new computer, simply import the private key block.

The number one issue that people have brought up (which I mention in numerous places) is that you cannot export your private key to a different PGP program. There is a good reason for this; it’s very technical, but it’s the reason NouveauPG has a much simpler interface than any of its competitors.
Image: The New Icon

After taking into account feedback from the beta last year, and taking a “break” to develop NouveauPG for iOS, I am now pleased to announce the first GA release of NouveauPG for OS X. Functionally, not much has changed from the beta; however, many bugs have been removed and the interface is polished to the degree expected in the Apple App Stores.

Image: Screenshot
deprecated, use version 1.5
NOTE: this post pertains to v1.10

OpenPGP allows you to pass secure data across an insecure channel such as websites, forums, and even private e-mail. To decrypt messages, you first must generate a key pair before anyone can encrypt messages for you. The key pair has a public part and a private part. Often the public part is called a public key certificate.

If you only want to send encrypted messages to another party using OpenPGP, you do not need to generate a key. You need to get the public key certificate of the intended recipient.

Image: Copy the public key certificate to the clipboard

Copy the public key certificate to your clipboard.

Image: A public key certificate has been validated and can be imported into NouveauPG. Note this is from an older version, but the popup is the same.

Import the public key certificate from your clipboard. Make sure it is selected as your current recipient. Press encrypt. Your encrypted message will pop up, where you can copy the message to the clipboard or save it to a file.

It is practically impossible to decrypt the message without the private key, so you can post the message anywhere without worrying about anyone else reading it.
Fixed some bugs.