A Three-Minute Guide to Online Security


How do we avoid surveillance and keep our private information private? Read on for a quick guide.

Email Encryption

Start by encrypting your messages. Email is an inherently insecure medium, and any email you do not encrypt can and will be read by a third party.

The standard encryption method used for text-based communication is public-key encryption, which uses a public key to encrypt a message and a secret key to decrypt the encrypted message. A public key, as the name implies, can be shared freely online, as a public key alone cannot decrypt an encrypted message. Decryption requires the secret key that corresponds to the public key used to encrypt the message.

The main point: given a public key, there is only one secret key that decrypts the messages encrypted with the public key in question. Secure communication, in this context, means keeping your secret key stored away safely, and publishing your public key so that people can use it to send you encrypted messages that can be decrypted only with your secret key.

The most popular public-key encryption technology is Pretty Good Privacy (PGP). A PGP tool takes plaintext such as

Hello, world!

and spits out encrypted text:

-----BEGIN PGP MESSAGE-----
Version: Keybase OpenPGP v2.0.62
Comment: https://keybase.io/crypto
=56TE
-----END PGP MESSAGE-----

The encrypted text can then be copied and pasted into your email platform of choice, and the recipient can use their private key to decrypt the text.
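The text block a PGP tool produces follows the ASCII armor layout of the OpenPGP standard (RFC 4880): boundary lines, optional header lines such as Version and Comment, a blank line, base64 data, and a CRC-24 checksum line starting with "=". The following is an added example, not code from the original post; the function names and the sample payload are constructed for illustration. It builds and parses that layout to show that the checksum catches copy-and-paste damage, while the header lines are not covered by it.

```python
import base64
import textwrap

BEGIN, END = "-----BEGIN PGP MESSAGE-----", "-----END PGP MESSAGE-----"
CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB  # constants from RFC 4880, section 6.1


def crc24(data: bytes) -> int:
    """CRC-24 as used by OpenPGP ASCII armor."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(payload: bytes, headers: dict) -> str:
    """Wrap binary OpenPGP data in the text envelope used for email."""
    body = "\n".join(textwrap.wrap(base64.b64encode(payload).decode(), 64))
    check = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    head = "\n".join(f"{k}: {v}" for k, v in headers.items())
    return f"{BEGIN}\n{head}\n\n{body}\n={check}\n{END}\n"


def dearmor(text: str):
    """Return (headers, payload); raise ValueError if the block is damaged."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines[:1] != [BEGIN] or lines[-1:] != [END]:
        raise ValueError("missing armor boundary lines")
    blank = lines.index("")  # a blank line separates headers from the body
    headers = dict(ln.split(": ", 1) for ln in lines[1:blank])
    *body, check = lines[blank + 1:-1]
    if not check.startswith("="):
        raise ValueError("missing checksum line")
    payload = base64.b64decode("".join(body), validate=True)
    if crc24(payload) != int.from_bytes(base64.b64decode(check[1:]), "big"):
        raise ValueError("CRC-24 mismatch: text was altered in transit")
    return headers, payload


# Constructed sample: stand-in bytes, not real ciphertext.
SAMPLE = armor(bytes(range(100)), {"Comment": "constructed example"})

if __name__ == "__main__":
    print(SAMPLE)
    print(dearmor(SAMPLE)[0])
```

The CRC-24 only detects accidental damage; confidentiality and tamper resistance come from the encryption and signatures inside the payload, so the Version and Comment lines should not be treated as trustworthy.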

Keybase offers a nice platform for maintaining PGP keys, as well as a simple tool for encrypting and decrypting text-based messages. If you would prefer to have a desktop application, try out GnuPG.

Instant Messages with End-to-End Encryption

Now, copy-and-pasting PGP-encrypted messages might be too much of a hassle for instant messaging. It is convenient to use an instant messaging platform with built-in encryption capabilities.

The buzzword to look for here is end-to-end encryption. The most accessible instant messaging platform with end-to-end encryption capabilities is Facebook Messenger, but the encryption feature on Facebook Messenger has to be turned on manually for each conversation. A popular encrypted-by-default messaging platform is WhatsApp, which, incidentally, is also owned by Facebook.

If you don’t think you can trust Facebook to keep your messages safe, try the mobile messenger from Open Whisper Systems, the developers of the popular Signal encryption protocol that Facebook Messenger, WhatsApp, Google Allo, etc. use.

Secure Passwords and Password Managers

All this effort at encryption is wasted if you can’t keep your passwords safe.

Don’t log into a messaging platform on devices you cannot trust. Keylogging, the act of recording and stealing what you type into a computer, is easy and widespread.

Install HTTPS Everywhere, and do not use messaging platforms that fail to play nicely with it. Plain HTTP is insecure and should not be used to send passwords and other sensitive information.

Get a password manager, a tool that generates difficult passwords and keeps them securely stored, so you don’t have to remember them. Use the longest password each messaging platform allows, and change your passwords regularly with your password manager’s randomly-generated passwords.

My favorite password manager is pass. It is free and open source, but not exactly the most user-friendly application. Popular commercial password managers include LastPass and 1Password.
