[tor-talk] "Confidant Mail"
Mike Ingle
mike at confidantmail.org
Wed Feb 4 06:22:14 UTC 2015
SSL: I get it, a lot of people think I should have SSL support on the
website. I will look into it.
Until then (and even after) check the sigs. Nuff said.
>Back to Confidant Mail: interesting project, kind of reminds me of
>BitMessage, though it seems to be more usable (by far).
I looked at those and they look like pure "privacy nerd toys." Which is fine
for what it's worth. I am trying to walk the line between serious business
tool (replacement for dropbox and various commercial secure email) and
privacy toy. That is why I have things like server pairing for high
availability, and DNS key lookup.
You can also forward a message with the signature, and the recipient of the
forward just clicks a button to verify the original sender's signature.
>Might be interesting to see how it might be linked to something like
>Syncthing[1]
>
>Just one thought: as it uses UDP, *traffic* won't go through Tor, right?
The UDP is used for server to server peer to peer network, mostly for
key distribution. Keys can also be distributed via DNS without any need
for peer to peer.
The client to server communication is TLS encrypted TCP and that will
definitely go over Tor or I2P. Support for both is built in. The server
to server communication also works over Tor or I2P.
Several models are possible:
client -> Tor -> hidden service -> public server
client -> Tor -> exit node -> public server
client -> private server -> Tor -> public server (hidden or exit)
You can do true peer to peer mail by hosting your own server (even on
your laptop.)
Entangled (peer to peer) accounts have limited message size. Server
accounts can email large videos, DVD images, etc.
There is a blocking protocol like BitTorrent. Biggest thing I have
tested was 10 GB. Took a while but worked fine.
Suppose a non-tech reporter wants to interview an anonymous source. The
reporter who has no Tor client can send a message via her commercial
service provider. Her provider's server sends through a Tor hidden
service to some other server, which the anonymous source accesses via
his own Tor client. This protocol lets "normal people" and anonymous
techies freely communicate for the first time.
Once there are commercial service providers up, anyone will be able to
pay a few bucks and get online immediately.
At the moment there is one free service provider (mine) which you can
also join immediately and start testing.
Mike
On 2/3/2015 9:58 PM, CJ wrote:
> On 02/04/2015 06:19 AM, Seth wrote:
>
>> On Tue, 03 Feb 2015 20:01:36 -0800, Andrew Roffey <andrew at roffey.org>
>> wrote:
>>
>>> - there is a cost of obtaining HTTPS signatures.
>>>
>> Not certain if the deal is still being offered, but for quite a while
>> you could get a free TLS/SSL certificate good for one year when
>> registering or transferring a domain to namecheap.com
>>
>> Then if you needed to renew it, or just buy more, you could pick them up
>> for $2/yr just by purchasing another qualifying product, such as a year of
>> whoisguard for $2.88.
>>
>> Point being, the cost of certificates can be negligible if you know
>> where to look.
>>
>
>
> not to mention StartSSL and their free certificates… Well, ok, maybe not
> the cleanest and trustworthy thing, but you can still provide the CSR,
> meaning you own the key. And they support 4096b with sha2…
>
> Back to Confidant Mail: interesting project, kind of reminds me of
> BitMessage, though it seems to be more usable (by far).
>
> Might be interesting to see how it might be linked to something like
> Syncthing[1]
>
> Just one thought: as it uses UDP, *traffic* won't go through Tor, right?
>
>
> [1] http://syncthing.net/
>