
Security level

Fred O
2014-05-04
2014-05-12
  • Fred O

    Fred O - 2014-05-04

    Hi and sorry if answer exists... I haven't found it.

    I am using Enigmail with basic defaults. Does it mean my emails are secure? Can any "expert" read and decode my emails anyway? Is it possible to encrypt over 4096 bits or above and how do I choose this in Enigmail from the Thunderbird interface?

    Thanks!

    Best,
    Fred

     

    Last edit: Fred O 2014-05-04
  • Patrick Brunschwig

    To the best of public knowledge, your encrypted emails are as secure as they can be today; no expert can decrypt your mails. It is believed (but not proven) that this is also true for the NSA.

    The security of your emails depends on the size of your key, which is defined upon key creation. The key size cannot be changed after it was created; you can only generate a different key with a larger size. The default settings in Enigmail are such that your key is considered sufficiently large for the next years.

    If you create a new key from the OpenPGP key manager, you can choose the key size in the "advanced" tab. The current maximum key size for GnuPG is 4096 bits; some special versions of GnuPG also offer larger key sizes. But since they are not yet standard, Enigmail only supports key sizes of up to 4096 bits.
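
Since key size is fixed at creation, as the answer above says, the sizes of keys already on a keyring can be checked from GnuPG's machine-readable listing (`gpg --list-keys --with-colons`). The following is an added example, not part of the original thread or of Enigmail; the sample listing is constructed, and the function names and the `min_bits` threshold of 2048 are assumptions.

```python
import subprocess

# OpenPGP public-key algorithm IDs (RFC 4880) whose strength is judged by bit size.
SIZE_BASED_ALGOS = {"1": "RSA", "16": "Elgamal", "17": "DSA"}

# Constructed sample of `gpg --list-keys --with-colons` output (not real keys).
SAMPLE = """\
tru::1:1399200000:0:3:1:5
pub:u:4096:1:AAAAAAAAAAAAAAAA:1399161600:::u:::scESC:
uid:u::::1399161600::0000::Alice Example <alice@example.org>:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1399161600::::::e:
pub:f:1024:17:CCCCCCCCCCCCCCCC:1041379200:::-:::scESC:
uid:f::::1041379200::0000::Bob Example <bob@example.org>:
sub:f:1024:16:DDDDDDDDDDDDDDDD:1041379200::::::e:
pub:u:255:22:EEEEEEEEEEEEEEEE:1399161600:::u:::scSC:
"""

def audit_key_sizes(colon_listing, min_bits=2048):
    """Return (keyid, record, algorithm, bits, verdict) for each pub/sub record.

    min_bits is an assumed policy value, not a figure from the thread.
    """
    results = []
    for line in colon_listing.splitlines():
        fields = line.split(":")
        # Field 1 = record type, 3 = key length, 4 = algorithm ID, 5 = key ID.
        if len(fields) < 5 or fields[0] not in ("pub", "sub"):
            continue
        record, bits, algo_id, keyid = fields[0], fields[2], fields[3], fields[4]
        size = int(bits) if bits.isdigit() else None
        algo = SIZE_BASED_ALGOS.get(algo_id)
        if algo is None:
            # Other algorithms (e.g. elliptic curve): bit counts are not
            # comparable to RSA/DSA/Elgamal sizes, so no verdict is given.
            algo, verdict = "algo-" + algo_id, "not-compared"
        elif size is None:
            verdict = "unknown"
        else:
            verdict = "ok" if size >= min_bits else "below-minimum"
        results.append((keyid, record, algo, size, verdict))
    return results

def audit_local_keyring(min_bits=2048):
    """Run the same audit on the local GnuPG keyring (needs gpg on PATH)."""
    out = subprocess.run(["gpg", "--list-keys", "--with-colons"],
                         capture_output=True, text=True, check=True).stdout
    return audit_key_sizes(out, min_bits)

if __name__ == "__main__":
    for row in audit_key_sizes(SAMPLE):
        print(*row, sep="\t")
```

A key reported as `below-minimum` cannot be enlarged; a new, larger key has to be generated to replace it.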

     
    • Fred O

      Fred O - 2014-05-04

      Thanks a lot!

       
  • Fred O

    Fred O - 2014-05-04

    Next question then and last for this thread...

    Is there any way to find a decrypted version of your mail on your computer (I mean from the time you read it clear)? I mean the deciphered message existed the time you were reading it, so is there any track left of that?

     
  • Patrick Brunschwig

    This depends on the implementation of the application. In Enigmail, decrypted emails are not stored anywhere on the disk, with one exception: decrypted attachments for inline-PGP messages (i.e. attachments with .pgp extensions) are stored on the disk.

     
  • Fred O

    Fred O - 2014-05-04

    Hi, they are stored in a sense since they are displayed... so stored in memory, on screen etc...

     
  • Patrick Brunschwig

    Sure, a decrypted version is always stored in memory and displayed on the screen. But not on the disk. There is no special mechanism that would prevent an attacker from reading your memory or taking screenshots, except for the features provided by the OS.

     
  • tom

    tom - 2014-05-12

    Generally Patrick is right.

    However, I'd like to post an additional claim without being able to provide a public proof. It's up to you whether you trust me regarding this:
    By now, your mail is not secure if the password is weaker than 20 characters.
    Also, you should use a totally random looking password (not even parts of it should be found in any dictionary - including fancy 1337-5p3ak).
    I<3pengu!ns is easily breakable within a few hours.

    I suggest making up long sentences that are easy to remember and then taking, for instance, the second letter of every word to build your password and adding some numbers or special characters somewhere in between for additional security.
    Kermit is the greatest hero in the big little world => eshrenhiio
    You get the idea.

    Also, even if somebody can't break your password now, they might be able to catch and store your encrypted texts and find a way to break them later (when more computing power is available or some flaw is found).
    If you want to be safe: also change keys as often as possible. If they manage to break one key they won't have access to ALL.

    If you want to be really safe: use one-time pads. These are annoyingly more complicated to handle but the only "unbreakable" thing out there.

    Also keep in mind to protect your hardware, not only the software/transmission part.

     
