
PGP has always been one of the most powerful tools in protecting your privacy. It's not perfect, but it makes snooping on you quite difficult.


In order to understand fully what PGP does, you'd better RTFM ;) The one that comes with PGP, that is. I never saw a better one.


PGP works with the public-key encryption system. While you can encrypt any mail to a person using her public key, only the holder of the matching secret key can read it. Read this again carefully and you'll see the problems.


If you receive a key via email, you can never be sure that the email wasn't intercepted and the key doesn't actually belong to somebody else. This can be ensured quite easily: PGP generates a so-called "fingerprint" of every key. Just confirm the fingerprint over a second channel: call the sender on the phone or have her send you the fingerprint by snail mail.


I've seen this fingerprint printed on calling cards; personally I include it in my .sig(nature). You needn't be secretive with it, since it can be generated from your key. Every person with your key can easily check the fingerprint of the key against the one on your calling card.
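To show what "generated from your key" means in practice, here is an added example (not code from the page's author or from PGP itself) that computes a version 4 OpenPGP key fingerprint the way RFC 4880 defines it, SHA-1 over 0x99, the two-byte packet length and the public-key packet body, and then checks the key you actually received against the fingerprint your correspondent read to you over the phone. The key material (`SAMPLE_N`, `SAMPLE_E`, `SAMPLE_CREATED`) is a constructed toy value, not a real key, and `TAMPERED_KEY` stands in for a key that was swapped in transit.

```python
import hashlib
import hmac
import struct

def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP multi-precision integer (RFC 4880, 3.2):
    a two-octet bit count followed by the big-endian magnitude."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def rsa_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a version 4 RSA public-key packet (RFC 4880, 5.5.2):
    version, creation time, algorithm id 1 (RSA), then the MPIs n and e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> str:
    """RFC 4880, 12.2: the fingerprint is SHA-1 over 0x99, the two-octet length
    of the packet body, and the body itself. Returned as 40 upper-case hex digits."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def key_id(fingerprint: str) -> str:
    """The 64-bit key ID is just the low-order eight octets of the fingerprint."""
    return fingerprint[-16:]

def pretty(fingerprint: str) -> str:
    """Print the fingerprint in blocks of four, as PGP shows it."""
    return " ".join(fingerprint[i:i + 4] for i in range(0, len(fingerprint), 4))

def fingerprint_matches(key_body: bytes, out_of_band: str) -> bool:
    """Compare the fingerprint computed from the key you actually received with
    the one your correspondent read out over the phone or printed on a card.
    Whitespace and letter case are ignored so a transcribed value still matches."""
    expected = "".join(out_of_band.split()).upper()
    if len(expected) != 40 or any(c not in "0123456789ABCDEF" for c in expected):
        return False
    return hmac.compare_digest(v4_fingerprint(key_body), expected)

# Constructed sample key material for this example: a toy 128-bit modulus, NOT a real key.
SAMPLE_N = 0xDEADBEEFCAFEBABE0123456789ABCDEF
SAMPLE_E = 65537
SAMPLE_CREATED = 946684800  # 2000-01-01T00:00:00Z
SAMPLE_KEY = rsa_public_key_body(SAMPLE_N, SAMPLE_E, SAMPLE_CREATED)

# The same key with a single bit flipped, standing in for a key swapped in transit.
_tampered = bytearray(SAMPLE_KEY)
_tampered[-1] ^= 0x01
TAMPERED_KEY = bytes(_tampered)

if __name__ == "__main__":
    fp = v4_fingerprint(SAMPLE_KEY)
    print("fingerprint:", pretty(fp))
    print("key id:     ", key_id(fp))
    # Pretend the phone call gave us the genuine value, read back in lower case.
    print("received key genuine? ", fingerprint_matches(SAMPLE_KEY, pretty(fp).lower()))
    print("tampered key genuine? ", fingerprint_matches(TAMPERED_KEY, pretty(fp)))
```

Note that the whole check is only as good as the second channel: a fingerprint that arrived in the same email as the key proves nothing, which is exactly why the page says to confirm it by phone or on paper.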


In the later versions of PGP the fingerprint can be shown as a sequence of words, which makes comparing it all the easier.


Another way to confirm the key would be to ask some other person. Maybe a friend whom you trust has the same person's key and will vouch for it. After this it's just a question of how much you trust your friend.


When signing a key you confirm the identity of the keyholder and that the key belongs to her. So don't throw your signature around.


Even after confirming the key, the security of such a conversation might still be compromised. If somebody gets hold of your keyrings, you'd better revoke your key immediately. Your keyrings are protected by a password, and no password is so good that it can't be broken by educated guesses or brute force. This is indeed the weakest link in the chain, so try to find a good password.


Good passwords consist of both alphabetic (letters) and numeric (numbers) characters. Throw in a bunch of extras, such as the occasional "!!"§$@§$=)%(, and your password should present some difficulties to a cracker. NEVER use passwords that are found in a dictionary!


If you can't think of a good password, try a sentence you can easily remember and mix it with "1337-5p34|<". Don't know what that is? Have a look at DigitalOverdrive's excellent site.
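As an added example (not from the page's author), here is a small passphrase check that applies the rules above: it rejects anything that is a dictionary word after undoing common leet spellings, since crackers apply the same substitution rules, and it rewards the sentence-style passphrase the page recommends through length and mixed character classes. The `DICTIONARY` set is a constructed ten-word stand-in for a real wordlist, and the 60-bit threshold is an assumption chosen for the example.

```python
import math
import re

# Constructed stand-in for a cracker's wordlist; real ones hold millions of entries
# plus the usual suffix rules ("password1", "Password!", ...).
DICTIONARY = {"password", "secret", "dragon", "letmein", "welcome", "monkey",
              "qwerty", "sunshine", "princess", "football"}

# Common leet substitutions, undone before the dictionary check, because crackers
# apply exactly these rules themselves.
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "5": "s", "$": "s", "7": "t", "+": "t"})

def deleet(text: str) -> str:
    """Lower-case and undo leet spelling ("P4ssw0rd" -> "password")."""
    return text.lower().replace("|<", "k").replace("|)", "d").translate(LEET)

def dictionary_hit(password: str) -> bool:
    """True if the password is essentially one dictionary word, possibly leet-spelled
    and padded with a couple of digits or symbols."""
    core = re.sub(r"[^a-z]", "", deleet(password))
    if core in DICTIONARY:
        return True
    return any(word in core and len(core) - len(word) <= 2 for word in DICTIONARY)

def entropy_bits(password: str) -> float:
    """Rough strength estimate: length times log2 of the character set implied by
    the classes actually used (26 lower, 26 upper, 10 digits, 33 other printable)."""
    space = 0
    if re.search(r"[a-z]", password):
        space += 26
    if re.search(r"[A-Z]", password):
        space += 26
    if re.search(r"[0-9]", password):
        space += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        space += 33
    return len(password) * math.log2(space) if space else 0.0

def assess(password: str) -> dict:
    """Return the individual checks plus an overall verdict.
    The 60-bit boundary between "weak" and "good" is an assumption for this example."""
    hit = dictionary_hit(password)
    bits = entropy_bits(password)
    if hit or len(password) < 8:
        verdict = "reject"
    elif bits < 60:
        verdict = "weak"
    else:
        verdict = "good"
    return {"length": len(password), "bits": round(bits, 1),
            "dictionary_hit": hit, "verdict": verdict}

if __name__ == "__main__":
    # Constructed sample inputs: a leet-spelled dictionary word, a bare dictionary word,
    # a short lower-case string, and a memorable sentence mixed with leet as the page suggests.
    for candidate in ["P4ssw0rd!", "dragon", "abcdefgh", "My c4t 3ats Tuna @ 7am!"]:
        print(repr(candidate), assess(candidate))
```

The point the output makes is that "P4ssw0rd!" and "sunshine2024" are rejected just like the plain words, while a sentence you can remember, even with only a few leet substitutions, scores well on length alone.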


Don't leave your keys where someone can get at them. It's best to keep them with you all the time, just like you do with the keys to your home.


Don't store the keys on a device you can't take with you in case of need. If you leave them on your hard drive in the office, you either trust your workmates with your life - or aren't very smart. Of course, most workmates won't violate your privacy. But are you as sure of the janitor, every visitor or the night watchman?


Some companies and even some public authorities offer to sign your key if you just bring it over. Do this if you have time. They won't copy your key :) You pass them a disk with your public (not your secret) key on it and prove yourself to be the owner with your identity card or something like it. That's all. Won't hurt a bit, but somebody who is widely trusted has signed your key and saved you some stamps.


Recently PGP-net has been added to the freeware version of PGP. As far as I know not many servers have set it up yet, but I would certainly hope for it. It means preventing anybody from sniffing your packets or impersonating you.