Privacy Policy

February 21, 2014

How to force everybody into using PGP. Or not writing you at all.

After NSA's leaks, it's not a big news that we are facing a brand new situation, concerning the usage of Internet and our own privacy. I'm definitely not the right person for summing up the current situation, but you can find good (and relatively short, compared to all the things that have happened) here.


If your are not already scared enough, this sentence summarizes it all:

“The moral of the story is that at this point the Internet has been completely and silently militarized without our knowledge. Figuratively, at every pathway of the Internet there is a hidden control point where anybody transiting is monitored and potentially harassed.”


As stated by Snowden, the only form of protection that prevents other people from doing your own business is encryption.
I really don't want to listen to people complaining about "I have nothing to hide" - please send me pics of you pooping (1). Schneier said something here. Also the NSA’s opinion on the Nothing-To-Hide topic is interesting.  :)


For this reason, I wrote a program to help you increase the awareness of your contacts about using encrypted communications.
The idea is simple: in case you receive an un-encrypted email, the software replies back via email with your PGP public key, asking politely to use encryption.
This proof of concept is just a request addressed to the community, to spark a discussion over this question: “PGP has existed for quite a few years, and nobody uses it. Where did we fail in spreading this technology?”
If we really wanted everybody to start using strong encryption, maybe we should think about something towards causing a sort of “Network effect”. How can we do that?

How it works


OnlyPGPlz keeps track of the last email checked using my ad-hoc IMAP label "PRCD". With a specified frequency, the software checks whether there are new mails, and in case they are not encrypted, it replies with a specified template to the sender.
This is the template I'm currently using:

Good morning:

This is an automated message.
Here is the bad news:
If you are reading this message it's because you sent an unencrypted email to me.
Since this email is not encrypted,  it has been blocked by my privacy settings and cannot be read,
at least, not by me. :)


This recepient does not accept anymore unencrypted emails. You are therefore encouraged to send this message again using PGP.
I'm really sorry for the problems this may have caused.

But here is the good news:
It EASY to set up a PGP client for your daily usage and it will protect YOUR PRIVACY.
Here you can find my public key. It’s strongly suggested that you check (using another channel, such as voice or telephone) whether the signature of this key is correct.


What can be done better?

  • If you want to tolerate some emails not in PGP (i.e. random newsletters), you can create a whitelist to skip the check.
  • The check itself is not that powerful: it's a trivial regexp that matches "BEGIN PGP MESSAGE" xD
  • The certificate of smtp.gmail.com is NOT checked.
  • It's checked only for IMAP. (but i did NOT test with a proper MITM attack. please let me know if somebody wants to try)
  • Some configuration file in which you are forced to read the comments in the code :D
  • Proper way of killing the daemon, that’s not kill -9
  • Some heavy error checking (like when the connection drops)
  • Prevent execution on closed source  OS: this is debatable, but in principle we are not supposed to know how closed source operative systems works, and (again, in principle) we are supposed to know how Open Source Operative Systems works. Please, before debating, read Reflections on Trusting Trust


Why should this work?

Because it's annoying. But in a polite way (according to the message you send :p )


In my email template I have also included my public key, some quotes from Julian A. And some motivation about my choice.

Last but not least, a few links to instructions on how to install pgp.


Code or GTFO

Here you can find the code: please feel free to add more feature


In the first lines of the code you can find the customizable parameters such as flag name, email template, verbosity of the logging...


(1)


Please DONT.