Today I held a talk about »Technical defense against surveillance« on an event with rather non-technical visitors.
I noticed that we still really have a lot of problems when providing easy-to-use security.
Things like "yes, you can do gpg with jabber, but only with a few clients, there's also another thing called otr, that's better from a cryptographic point of view but it is not based on the gpg-key-infrastructure and it's also only supported by some (other) clients" are really horrible to say if you always fear that nobody understands you.
A short list of things that came me to mind:
- I found no easy way on encrypting partitions with linux. Maybe I missed something, but I googled for it, tried it in ubuntu, found nothing. Had to tell them "there are some console-apps, dm-crypt, cryptsetup, etc.".
- Apps should enable ssl by default. Servers should forbid login without ssl. No more pop3, smtp, imap, jabber, webmail, whatever-web-login without ssl-encryption.
- Jabber should have a standard for encryption, based on gpg, with the cryptographic features of otr.
- We need to get rid of all unsecure algorithms (MD5, SHA1, RSA/DSA/ElGamal with 1024 bit) by default (yes, I know I said this hundred times before). GPG still creates 1024bit DSA-keys.
- Things like tor could be integrated into distributions, to be enabled by a click or similar.
Just some random ideas. It is possible to create much more secure systems. We just need to do it.
(And to not only cry, I hope I'll find some time and motivation to push some of the things I suggested in the near future)
