Changes between Version 62 and Version 63 of doc/TorifyHOWTO/GnuPG


Timestamp:
Mar 2, 2018, 7:41:05 AM (3 months ago)
Author:
sambhav2612
Comment:

updated with grammatical errors removal

  • doc/TorifyHOWTO/GnuPG

    v62 v63  
    161161<a name="wot3c-4"></a>
    162162}}}
    163    * '''3c-4.''' DNSSEC supported server can be configured to use statically defined DNSSEC/DS key for name-spaces or zones, like: ROOT, TLDs, few SLDs, etc, (by default DNS-Server gets them dynamically, in some configurations except for ROOT), even known (SLD) site's key (which you control and you are owner), can be added manually & statically inside DNS-Server configuration, then you can be sure-of that, someone in middle has not changed any codes dynamically even for a short time.  Those who will use such configuration, will have to keep their DNS-Server upto date when any of those statically/manually defined zone changes their DS DNSSEC key.  ROOT, TLDs usually do not change DNSSEC related keys, except for changing the initial test period's key.  But, if someone do able to modify somehow and targeted some specific (one or set of) DNSSEC-signed website, then massive amount of users, (an entire TLD users), will not be able to visit those targeted DNSSEC-signed sites or may even see altered web-pages or blocked.  Such never happened, even for once.
     163   * '''3c-4.''' DNSSEC supported server can be configured to use statically defined DNSSEC/DS key for name-spaces or zones, like ROOT, TLDs, few SLDs, etc, (by default DNS-Server gets them dynamically, in some configurations except for ROOT), even known (SLD) site's key (which you control and you are owner), can be added manually & statically inside DNS-Server configuration, then you can be sure of that, someone in middle has not changed any codes dynamically even for a short time.  Those who will use such configuration will have to keep their DNS-Server to date when any of those statically/manually defined zone changes their DS DNSSEC key.  ROOT, TLDs usually do not change DNSSEC related keys, except for changing the initial test period's key.  But, if someone is able to modify somehow and targeted some specific (one or set of) DNSSEC-signed website, then a massive amount of users, (an entire TLD user), will not be able to visit those targeted DNSSEC-signed sites or may even see altered web-pages or blocked.  Such never happened, even for once.
    164164{{{
    165165#!html
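Review bot: the v63 version of line 163 drops the word "up" from "keep their DNS-Server upto date", leaving "keep their DNS-Server to date", which is ungrammatical; the corrected phrase should be "keep their DNS-Server up to date". In the same line, "(an entire TLD users)" was changed to "(an entire TLD user)", which turns the original plural (all users under one TLD) into a single user; "(the users of an entire TLD)" keeps the intended meaning. The tense mismatch in "if someone is able to modify somehow and targeted some specific" is left unresolved by this pass.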
     
    181181<a name="wot3d-2"></a>
    182182}}}
    183    * '''3d-2.''' So if possible send snail mail (with return envelope & pre-paid postage) to sender, (better is to use sealed envelope, package or wrapper, etc), with request for sending you back : a paper printout of full gpg-key/pgp-key, (and also, which exact DNSSEC signed website has that Person's/sender's full gpg-key or full fingerprint or full key-ID, etc).  In some areas even snail-mail cannot be trusted as they are opened, tampered with, photograph taken, etc. So complete trust on snail mail carriers, is not possible for all cases or in all areas around the world.
     183   * '''3d-2.''' So if possible send snail mail (with return envelope & pre-paid postage) to sender, (better is to use sealed envelope, package or wrapper, etc), with request for sending you back : a paper printout of full gpg-key/pgp-key, (and also, which exact DNSSEC signed website has that Person's/sender's full gpg-key or full fingerprint or full key-ID, etc).  In some areas, even snail-mail cannot be trusted as they are opened, tampered with, a photograph was taken, etc. So complete trust on snail mail carriers is not possible for all cases or in all areas around the world.
    184184{{{
    185185#!html
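Review bot: in the v63 version of line 183, the list "they are opened, tampered with, a photograph was taken" mixes present passive with past tense; "opened, tampered with, photographed" keeps the items parallel. The stray space before the colon in "sending you back : a paper printout" is unchanged in both versions and should be removed as part of the same cleanup.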
     
    201201<a name="wot4a"></a>
    202202}}}
    203   * '''4a.''' When you've created a GPG/OpenPGP/PGP key, only for '''ANONYMITY''' or '''PSEUDONYMOUS''' related usage purpose or for mostly cyberspace usage purpose, then '''DO NOT do or use or show or tell or display or send anything that can be used to create a connection or relation with your real-life's exact real physical identity.  You MUST create email-address for such cyberspace identity also via proxy.  Again, do not use your real physical life's any identifiable item/object inside cyberspace'''.  Operating system or physical computer, which you use for daily, real-life usage purpose, have too many identifiable items & codes in each software and embedded inside each generated files & network-packets, if you send any of those to any one else, your cyberspace/anonymity will be broken. Create a VM, install all software without mentioning and without using any real-life (or real-identity) related information, then use such VM for anonymity purpose.
     203  * '''4a.''' When you've created a GPG/OpenPGP/PGP key, only for '''ANONYMITY''' or '''PSEUDONYMOUS''' related usage purpose or for mostly cyberspace usage purpose, then '''DO NOT do or use or show or tell or display or send anything that can be used to create a connection or relation with your real-life's exact real physical identity.  You MUST create email-address for such cyberspace identity also via proxy.  Again, do not use your real physical life's any identifiable item/object inside cyberspace'''.  The operating system or physical computer, which you use for daily, real-life usage purpose, have too many identifiable items & codes in each software and embedded inside each generated files & network-packets, if you send any of those to anyone else, your cyberspace/anonymity will be broken. Create a VM, install all software without mentioning and without using any real-life (or real-identity) related information, then use such VM for anonymity purpose.
    204204{{{
    205205#!html
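Review bot: the v63 version of line 203 changes the subject to "The operating system or physical computer" but keeps the plural verb "have too many identifiable items"; with that singular subject it should be "has". The comma splice "...network-packets, if you send any of those to anyone else, your cyberspace/anonymity will be broken" survives in both versions and would read better split into two sentences.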
     
    216216<a name="wot4d"></a>
    217217}}}
    218   * '''4d.''' If this Person (who you are trying to communicate) have his/her own webpage (on his/her own webserver) and that web-server do support TLS/SSL/HTTPS encrypted connection, and that server's domain-name is also using new & advanced DNS, aka DNSSEC, and this Person (server's owner) has also added the FULL hex-code of SSL/TLS cert in TLSA/DANE dns record, then, very authentic data from such webserver can be obtained very very accurately and very securely, which explained in above, goto para/section [#wot3c-2 3c-2].  One extra step you will have to do is, connect with such a remote/online DNS-Server which supports complete/full DNSSEC based DNS resolving, and supports clients to connect with server via TLS/SSL encrypted connections or via SSH encrypted tunnels.  See below, para/section [#wot7c 7c], and, also see the PublicDNSResolver torproject wiki page for such DNS-Servers.
     218  * '''4d.''' If this Person (who you are trying to communicate) have his/her own webpage (on his/her own webserver) and that web-server do support TLS/SSL/HTTPS encrypted connection, and that server's domain-name is also using new & advanced DNS, aka DNSSEC, and this Person (server's owner) has also added the FULL hex-code of SSL/TLS cert in TLSA/DANE dns record, then, very authentic data from such webserver can be obtained very very accurately and very securely, which explained in above, goto para/section [#wot3c-2 3c-2].  One extra step you will have to do is, connect with such a remote/online DNS-Server which supports complete/full DNSSEC based DNS resolving, and supports clients to connect with the server via TLS/SSL encrypted connections or via SSH encrypted tunnels.  See below, para/section [#wot7c 7c], and, also see the PublicDNSResolver torproject wiki page for such DNS-Servers.
    219219{{{
    220220#!html
    221221<a name="wot4e"></a>
    222222}}}
    223   * '''4e.''' If '''Tor software''' is further '''improved''', to include its own/built-in or internally embedded own DNSSEC-resolver, then such will help Tor users, greatly.  Tor-software also need to create & run inside its own Sandbox or Jail/Container or Memory-Space, and it need to use its own software components.  And Tor-software need to allow/give easy option for users to to choose random hops from 3 to 6, or 4 to 6, etc.  Random hops/nodes is an important aspect to become more anonymous like what happens in real world. And using random exit-nodes for TLS encrypted connections is also another important factor, Tor-software need to adopt such features.
     223  * '''4e.''' If '''Tor software''' is further '''improved''', to include its own/built-in or internally embedded own DNSSEC-resolver, then such will help Tor users, greatly.  Tor-software also needs to create & run inside its own Sandbox or Jail/Container or Memory-Space, and it needs to use its own software components.  And Tor-software needs to allow/give an easy option for users to choose random hops from 3 to 6, or 4 to 6, etc.  Random hops/nodes is an important aspect of becoming more anonymous like what happens in real world. And using random exit-nodes for TLS encrypted connections is also another important factor, Tor-software needs to adopt such features.
    224224{{{
    225225#!html
    226226<a name="wot5"></a>
    227227}}}
    228  * '''5.''' Another way to COMMUNICATE with a Person (who you are trying to communicate), (this step is '''VERY IMPORTANT for Tor PROXY USERS'''), '''''first''''' step is to get+/find+/obtain+/investigate for such Person's full public PGP/OpenPGP/GPG key from his/her own website, and get full fingerprint, or get the entire public key from a keyserver (which is physically located inside a such location/country which at-least honors & respects people's/user's Privacy Rights, does not do any Logging/Recording or MASS scale Surveillance), by using HTTPS or HKPS encrypted connection, and encrypted connection can become even better (and more secured) if DNSSEC + DANE supported & authenticated connection with the keyserver is used.  In '''''second''''' step, send a PGP/OpenPGP/GPG "Encrypted"-only email to that person's known and established email-address (using a TLS encrypted STARTTLS or SSL/TLS connection with your own email-service provider or with your own server (port 25, 587, 465), and additionally also use DNSSEC authenticated connection with your email-service provider or your email-server), paste full PGP/OpenPGP/GPG public key code (not as a file attachment) inside email's body/message area as a message, and also send him/her some secret LONG-NUMBER, and request him/her to send you back a response email with that secret long-number, and also request him/her to make sure to return a PGP/GPG/OpenPGP "Encrypted"-only email, using your public key which you have sent inside your encrypted email's body/message area.  If this person can really return a response using an Encrypted-only message including the '''''secret LONG-NUMBER''''' which you have sent, then that proves he/she have the correct private/secret key to decrypt, encrypted messages. So from then on, you two, can use "Encrypted" or "Signed" or "Encrypted+Signed" email messages.  See para/section [#wot7c 7c] on how to run your own server anonymously.
     228 * '''5.''' Another way to COMMUNICATE with a Person (who you are trying to communicate), (this step is '''VERY IMPORTANT for Tor PROXY USERS'''), '''''first''''' step is to get+/find+/obtain+/investigate for such Person's full public PGP/OpenPGP/GPG key from his/her own website, and get full fingerprint, or get the entire public key from a keyserver (which is physically located inside a such location/country which at-least honors & respects people's/user's Privacy Rights, does not do any Logging/Recording or MASS scale Surveillance), by using HTTPS or HKPS encrypted connection, and encrypted connection can become even better (and more secured) if DNSSEC + DANE supported & authenticated connection with the keyserver is used.  In '''''second''''' step, send a PGP/OpenPGP/GPG "Encrypted"-only email to that person's known and established email-address (using a TLS encrypted STARTTLS or SSL/TLS connection with your own email-service provider or with your own server (port 25, 587, 465), and additionally also use DNSSEC authenticated connection with your email-service provider or your email-server), paste full PGP/OpenPGP/GPG public key code (not as a file attachment) inside email's body/message area as a message, and also send him/her some secret LONG-NUMBER, and request him/her to send you back a response email with that secret long-number, and also request him/her to make sure to return a PGP/GPG/OpenPGP "Encrypted"-only email, using your public key which you have sent your encrypted email's body/message area.  If this person can really return a response using an Encrypted-only message including the '''''secret LONG-NUMBER''''' which you have sent, then that proves he/she have the correct private/secret key to decrypt, encrypted messages. So from then on, you two, can use "Encrypted" or "Signed" or "Encrypted+Signed" email messages.  See para/section [#wot7c 7c] on how to run your own server anonymously.
    229229{{{
    230230#!html
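Review bot: the change to line 228 introduces a regression: "using your public key which you have sent inside your encrypted email's body/message area" becomes "which you have sent your encrypted email's body/message area", dropping "inside" and leaving the clause ungrammatical. Line 218 still reads "have his/her own webpage" and "that web-server do support", which should be "has" and "does support" for consistency with the agreement fixes applied to line 223 ("needs to create", "needs to use").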
     
    232232}}}
    233233  * '''5a.''' For increasing your cyberspace WoT with proxy users, use the way mentioned in above paragraph [#wot5 5], then such users can be trusted with 0x11 Trust level ("I have not checked at all",)  or with 0x10 Trust level ("I will not answer"). I'm showing both & other level's RFC info, so you can decide:
    234    * '''0x10''': Generic certification of a User ID and Public-Key packet : The issuer of this certification does not make any particular assertion as to how well the certifier has checked that the owner of the key is in fact the person described by the User ID.
    235    * '''0x11''': Persona certification of a User ID and Public-Key packet : The issuer of this certification has not done any verification of the claim that the owner of this key is the User ID specified.
    236    * '''0x12''': Casual certification of a User ID and Public-Key packet : The issuer of this certification has done some casual verification of the claim of identity.
    237    * '''0x13''': Positive certification of a User ID and Public-Key packet : The issuer of this certification has done substantial verification of the claim of identity.[[BR]]
    238    Note: If you have at-least exchanged "encrypted" emails with another proxy user (anonymous or pseudonymous user) in the way described in paragraph [#wot5 5], then at-least email-address portion (part of "User ID" packet) and gpg-key packet, are verified, so you MAY select 0x11. Since "Name" portion of the User-ID is not verified, you cannot select 0x12.  And if you did not exchange any encrypted email the way described in para [#wot5 5], then you have not verified neither email-address nor the gpg-key, so you will have to select 0x10, IF you want to sign.
     234   * '''0x10''': Generic certification of a User ID and Public-Key packet: The issuer of this certification does not make any particular assertion as to how well the certifier has checked that the owner of the key is, in fact, the person described by the User ID.
     235   * '''0x11''': Persona certification of a User ID and Public-Key packet: The issuer of this certification has not done any verification of the claim that the owner of this key is the User ID specified.
     236   * '''0x12''': Casual certification of a User ID and Public-Key packet: The issuer of this certification has done some casual verification of the claim of identity.
     237   * '''0x13''': Positive certification of a User ID and Public-Key packet: The issuer of this certification has done substantial verification of the claim of identity.[[BR]]
     238   Note: If you have at-least exchanged "encrypted" emails with another proxy user (anonymous or pseudonymous user) in the way described in paragraph [#wot5 5], then at least email-address portion (part of "User ID" packet) and gpg-key packet, are verified, so you MAY select 0x11. Since "Name" portion of the User-ID is not verified, you cannot select 0x12.  And if you did not exchange any encrypted email the way described in para [#wot5 5], then you have verified neither email-address nor the gpg-key, so you will have to select 0x10 IF you want to sign.
    239239{{{
    240240#!html
    241241<a name="wot5b"></a>
    242242}}}
    243   * '''5b.''' If you want to '''communicate very securely''' with another '''ANONYMOUS USER''' then both user have to create a local onion-host (aka, Hidden Service, HS) in their own side, (connecting with a specific local server port, where a server software is running & listening/waiting for connection).  And any ONE of you, have to install & run a small '''XMPP''' or '''IRC server''' software in the local computer or inside a VirtualBox (or any other hypervisor) software based '''VM''' (Virtual Machine). Then other side can connect to it and can communicate with you in a live/instant chat/conversation.  OR, (instead of using an IRC or XMPP server), if both user side installs their own small web-server, like "'''nginx'''", and allow an onion-host to connect with that nginx server's listening port (usually port 80 or 443), then both side can display/serve/share their GnuPG/GPG/OpenPGP/PGP key from a shared webpage, so that others can view it, for sending you an "Encrypted"-only email, like the process, described in above paragraph [#wot5 5].  Make sure to use '''Chroot/Jail''' etc '''container''' for the nginx, and set all shared webpages on read-only mode, and also set their access level onto read-only mode.  Better would be to use TLS encryption and TLS supported port like 443, for sharing information with visitors over encrypted HTTPS webpages, even for a Hidden Service (onion-host) based webpages.  Then, you will have to inform, the other side user in-early, what exact SSL/TLS certificate fingerprint & domain-name, to Trust temporarily, for connecting with your onion-host / Hidden-Service.
     243  * '''5b.''' If you want to '''communicate very securely''' with another '''ANONYMOUS USER''' then both users have to create a local onion-host (aka, Hidden Service, HS) in their own side, (connecting with a specific local server port, where a server software is running & listening/waiting for a connection).  And any ONE of you, have to install & run a small '''XMPP''' or '''IRC server''' software in the local computer or inside a VirtualBox (or any other hypervisor) software based '''VM''' (Virtual Machine). Then another side can connect to it and can communicate with you in a live/instant chat/conversation.  OR, (instead of using an IRC or XMPP server), if both user side installs their own small web-server, like "'''nginx'''", and allow an onion-host to connect with that nginx server's listening port (usually port 80 or 443), then both side can display/serve/share their GnuPG/GPG/OpenPGP/PGP key from a shared webpage, so that others can view it, for sending you an "Encrypted"-only email, like the process, described in above paragraph [#wot5 5].  Make sure to use '''Chroot/Jail''' etc '''container''' for the nginx, and set all shared webpages in read-only mode, and also set their access level onto read-only mode.  Better would be to use TLS encryption and TLS supported port like 443, for sharing information with visitors over encrypted HTTPS webpages, even for a Hidden Service (onion-host) based webpages.  Then, you will have to inform, the other side user in-early, what exact SSL/TLS certificate fingerprint & domain-name, to Trust temporarily, for connecting with your onion-host / Hidden-Service.
    244244{{{
    245245#!html
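Review bot: in line 243, "Then other side can connect to it" was changed to "Then another side can connect to it", which alters the meaning; the counterpart is a specific party, so "the other side" is the right correction. The same line still has "if both user side installs" next to the newly fixed "both users have to create"; "if both sides install" would be consistent. In line 238 the first "at-least" was left hyphenated while the second was changed to "at least".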