Ciphire, A Transparent, Easy PGP Alternative

mixter writes "Hi. I'd like to point your attention to Ciphire, a fully free and soon-to-be-audited-OpenSource 'Global PKI' project I've been working on for the last three years. As the first three or four thousand geeks started using Ciphire and seem happy, with some tech articles written, I guess the /. community might find this interesting, too. Ciphire hopes to have solved the problems that prevented PGP from a broader deployment, with even higher security standards - as already confirmed by crypto experts Housley & Ferguson. More useful information, e.g. in Wired or in the Nerd^H^H^H^Hexperts FAQ."

How is it free or open source?

[art6217]

From their pages: "Ciphire Mail will always be free for private users, non-profit organizations, educational institutions, and the press".

Does it have?

[Anonymous Coward]

Whole disk SECTOR encryption? Virtual Volumes that we can mount as an NTFS folder?

PGP Whole Disk and PGP Disk functionality is a MUST. Without it, your alternative is not an alternative at all. NEXT PLEASE.

Re:yeah right...

[WebCrapper]

Its actually pretty simple. I figured it out just reading the "automatically" but I'll break it down for you. Directly from their website:

"The Ciphire Mail client resides on the user's computer between the email client and the email server, intercepting, encrypting, decrypting, signing, and authenticating email communication. During normal operation, all operations are performed in the background, making it very easy to use even for non-technical users."

I shouldn't have to explain it any further than that here on Slashdot. Thats in the first paragraph of the Technical Explanation of how it works. Later on it lists:

"The Ciphire Mail client consists of three parts: the core client, a graphical configuration interface, and mail connector modules (redirector). Supported email protocols include SMTP, POP3, and IMAP4. The STARTTLS and direct SSL/TLS variants of these protocols are supported as well."

For anyone that didn't get the gist - it basically redirects your mail to its own "server process" sitting on your computer then sends it out to the normal SMTP server. This is using the same technology that the current Mail virus scanners use (Think Symantec), not new technology, just used in a different way.

On the reverse end, the "server" checks the mail and hands it to the email client making everything secure in between.

Pretty simple way of getting Jane and Jon Doe with OE to use it if you ask me. Granted, it needs to be installed by Admin on proper machines, but that shouldn't be too much of an issue for any company that would like to secure their email - especially if you explain and show your network admins that email is USUALLY a plain text security nightmare.

Re:Useless...

[justins]

First off, tell me. Which standards does PGP [or SSH and SSL for that matter] follow?

http://www.ietf.org/rfc/rfc2440.txt

free as in "free beer"?

[g2ek]

2. LICENSE GRANT

(a) Subject to all of the terms and conditions set forth in this Agreement, Licensor grants to Licensee a non-exclusive, personal, non-transferable, non-sublicensable right, during the term of this Agreement, to use the Software, and the Services solely for Licensee's own Personal Use and in accordance with the applicable documentation and instructions made available by Licensor.

(b) In no event shall Licensee distribute, display, or otherwise make available to any third party, the Software (including any copy, portion, extract, or derivative thereof).

(c) Licensee shall not, and shall not assist, enable or otherwise permit or allow any third party to, (i) alter, adapt, modify, translate, create derivative works of, (ii) except to the extent expressly permitted by mandatory applicable law notwithstanding an agreement to the contrary, decompile, disassemble or otherwise reverse engineer or attempt to derive the source code of, or any technical data, know-how, trade secrets, processes, techniques, specifications, protocols, Key and data-formats, methods, algorithms, interfaces, ideas, solutions, structures or other information embedded or used in, (iii) rent, lend, loan, lease, sell, distribute or sublicense, or (iv) remove, alter or obscure any proprietary or restrictive notices affixed to or contained in, the Software or any copy, portion, extract or derivative thereof. In addition, Licensee shall not provide, disclose or otherwise make available the Software or any copy, portion, extract or derivative thereof, or permit use of any of the foregoing by or for the benefit of any third party (including, without limitation, on a hosting, service-bureau, time-sharing or subscription service basis).

(d) The Software is licensed as a single product package and Licensee shall not, and shall not assist, enable or otherwise permit or allow any third party to, separate the Software, or use any component parts thereof other than as part of the Software as and in the form provided by Licensor.

(e) Licensee shall not use the Software other than in connection with the Key-Data and the Services provided by Licensor under this Agreement.

https://www.ciphirebeta.com/about/eula.html

Re:Why not just use enigmail with Thunderbird?

[Noksagt]

For the windows impaired, there is WinPT [sourceforge.net], which is both easy to install & has a GUI for key management.

Re:Why not just use enigmail with Thunderbird?

[Beryllium Sphere(tm)]

>you can already buy "idiot proof" versions to plug into Outlook (I believe)

I've been on the pgp-users mailing list for a long time and the Outlook plugin has been a chronic source of problems for users and developers. Apparently email client plugin interfaces are nonstandard, change with each release, and all too often buggy. The default advice to people running PGP with their mail client evolved into "use the Encrypt Current Window function", which sacrificed integration between key selection and email addressing.

If I understood what the developers said, they wanted to do PGP Universal because they couldn't stand the plugin hassles. PGP Universal and Ciphire may signal a trend toward putting the crypto downstream of the email program.

Don't underestimate usability problems as a barrier to adoption. CMU did a usability study on PGP 5.0 and the results were alarming.

Re:GPG?

[Jsprat23]

"Getting GPG to work on windows requires Cygwin, which is a pain in the ass. If it doesn't work *transparently* on Windows, there'll never be a critical mass of people using it."

This is patently untrue. I downloaded the windows binaries from gnupg.org and followed the directions on enigmail.mozdev.org and had my dad encrypting email in about 15 mins. No cygwin required.

The biggest problem we encountered was his windows clock wasn't sync'd to a time server, and I had to wait to import his key because it had been created in "the future".

Ciphire compared to PGP and S/MIME

[davids-world.com]

I've posted a high-level overview and commentary [davids-world.com] a couple of days ago.

The verdict: Ciphire is a good idea in general and a fine solution for internal security in companies (across different sites), but difficult to justify as a standard due to its closed nature.

Re:Web Mail

[rivercityrandom]

Yeah, maybe someone should come up with a webmail client that seamlessly incorporates SSL and PGP crypto--oh, wait, it's been done [hushmail.com].

Re:Careful: not very secure, not very trustworthy

[A Naughty Moose]

I hope its not homegrown hash;

Well, according to their cryptographic functions [ciphirebeta.com] page, they are using SHA-256 and Whirlpool-512 hashing.