Personally, I'm a public kind of guy. Almost everything I do to communicate through the internet is open and unencrypted unless a temporary job I do requires it. If you are just a normal person, what should you have to hide? But then again, what defines normal these days anyway? Let's assume you work at a store or in some service industry, you have a family, and you have Internet at home. Unless you have something to hide, or believe your family's communication among themselves should be private, then Point to Point encryption should do just fine.
Point to Point encryption
Point to point encryption means you encrypt your message, already composed and ready to send, on your own laptop. This can be a text message, email, chat session, or even VOIP. How it is sent is not important here. The important facts are that it is encrypted, and that only the person or persons with the right key or keys are going to decrypt it. It can be stored anywhere, as a file or an incoming email message, but without the key, recovering its original contents is going to be very difficult. But how difficult exactly? That depends on the size of the key you "generate". I'll talk about that later, but as far as keys go, SIZE MATTERS. The larger the key, the more computer power is required to break it. It also depends on the algorithm used.
There are so many encryption programs to choose from, but let me be your guide. People sell these programs and services to make money. Usually the algorithms are kept secret, but that doesn't make me feel better, because how do I know some "weakness" isn't deliberately inserted into the algorithm and used by the NSA to "break" it? Or worse, in the case of closed-source "black box" software, you have no way of knowing who is listening in, when, or where.
In the early 90's, Phil Zimmermann was working with his European colleagues to release an "open source" encryption method that was "Pretty good". So good, in fact, that it had the government very interested in stopping its proliferation. This was a time when our government imposed export restrictions on cryptography, but there was one problem. PGP was not developed in the USA, so our government had no jurisdiction to prevent its proliferation. But using a 4096 bit key, it's all about allocating the big-budget supercomputing resources to decrypt the message in question. So why would the NSA want to snoop in your family's business? They wouldn't, unless you got on their radar somehow. But if you have relatives in Iran, North Korea, or some other place on the NSA "Watch list", this might be enough to get their attention.
I have a friend in Iran I communicate with all the time. He is an IT manager for a local publisher of a fashion magazine. My communication with him is in the open. I have no secrets to keep with him, but I suspect that if I started encrypting communications with him, I might get that "Knock on the door", or be on some watch list.
Getting back to Point to Point encryption, I feel the "GPG", or "GNU Privacy Guard," formerly PGP (Pretty Good Privacy), using a 4096 bit key, should be enough to discourage our local NSA office from bothering us. Sure, they can probably break it, but how long will it take them? A million years? And how many supercomputer arrays will it take? A billion? All of IBM Sequoia? Even the NSA is strapped for resources these days, and priorities have to be given. The NSA has other ways of getting your plaintext messages, by pressuring corporations like Facebook, Google, Apple, and others to turn over your messages. So, the moral of the story is not to use these social networks for anything but social networking, and do not trust Facebook private messages. Of course, you can use it for point to point encryption if you are encrypting your text inside your browser with a plugin such as WebPG or FireGPG, which I will discuss shortly.
GPG is Open Source. That means anyone can examine the code. Knowing the programming code is not going to help a cryptanalysis expert break your encryption. The code can be examined, and with the right expertise, if any weaknesses are embedded in the code, it would come out. So, with thousands having access to the code, it has been gone through with a fine tooth comb, and can be trusted.
Depending on what you intend to encrypt, there are many versions of GPG. There are browser plugins, that can be installed on your browser, Gmail, or other web based apps. Other versions can install in your mail program, making it a lot easier to use.
http://getfiregpg.org/s/home - This link will take you to a site where you can install a Firefox plugin for encrypting and decrypting web mail like Gmail or Yahoo.
https://chrome.google.com/webstore/detail/webpg/hhaopbphlojhnmbomffjcbnllcenbnih?hl=en - For the Chrome browser in general, not just for Gmail but for anything browser related, like Facebook, Twitter, and other social media. If you post encrypted messages to your Facebook wall for your friends, then each one must also install this plugin in order to use it, and each user will have to generate a set of keys.
Keys are generated in pairs. A secret key is what you use to decrypt a message that was sent to you and encrypted with your public key. I have to have my friend's public key, which I use to encrypt a message that only HE can read using his "Secret" key. Key pairs should be created as large as possible. 4096 bit keys are the most secure. Try to be aware of when you may be under an attack called a "man-in-the-middle." If a key's signature does not match, it may be a duped or spoofed key.
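One way to run that check before encrypting to a friend's key, added here as an example and not part of the original article: it compares the key's fingerprint with one your friend gave you out of band (the usual way to catch a substituted key) and confirms the key length. The function name, the sample key listing and the fingerprints are constructed for illustration.

```shell
#!/bin/sh
# Added example: vet a friend's public key before encrypting to it.
# stdin: output of `gpg --with-colons --fingerprint <key>`.
# $1: fingerprint obtained out of band (spaces and case are ignored).
# $2: minimum key length in bits (default 4096, the size the article uses).
check_pubkey() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -F: -v want="$want" -v min="${2:-4096}" '
        $1 == "pub" { bits = $3 + 0; primary = 1; next }   # field 3: key length
        $1 == "fpr" && primary { got = $10; primary = 0 }  # field 10: fingerprint
        END {
            if (got == "")             { print "no-key"; exit 3 }
            if ((got "") != (want "")) { print "fingerprint-mismatch"; exit 1 }
            if (bits < min)            { print "key-too-short " bits; exit 2 }
            print "ok " bits
        }'
}

# Constructed sample (not a real key): 4096-bit primary key plus one subkey.
SAMPLE_KEY='pub:-:4096:1:3E4F5A6B7C8D9E0F:1371000000:::-:::scESC:
fpr:::::::::9F3C5A1E7B2D4C6F8A0B1C2D3E4F5A6B7C8D9E0F:
uid:-::::1371000000::::Bob Example <bob@example.org>:
sub:-:4096:1:0A1B2C3D4E5F6071:1371000000::::::e:
fpr:::::::::5D6E7F8091A2B3C4D5E6F7080A1B2C3D4E5F6071:'

# Fingerprint as read over the phone: grouped and in lower case.
TRUSTED='9f3c 5a1e 7b2d 4c6f 8a0b 1c2d 3e4f 5a6b 7c8d 9e0f'
# A different (constructed) fingerprint, standing in for a spoofed key.
OTHER='5D6E7F8091A2B3C4D5E6F7080A1B2C3D4E5F6071'

printf '%s\n' "$SAMPLE_KEY" | check_pubkey "$TRUSTED" || true
printf '%s\n' "$SAMPLE_KEY" | check_pubkey "$OTHER" || true
# Live use: gpg --with-colons --fingerprint bob@example.org | check_pubkey "$TRUSTED"
```

The name and e-mail address on a key prove nothing by themselves; only the fingerprint comparison ties the key to the person who read it to you.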
Securing text, voice, or video communication
Skype used to be a pretty good secure way of communicating before Microsoft got their hands on it. It's anybody's guess what 3-letter agency nudged some fat stacks to M$ to buy up the sold-out Skype. But even before then, the NSA was frustrated because Skype was developed off shore in another country, and they were very secretive on their protocol, and it was closed source.
Sometime around June 7th, 2011, Skype suffered an outage, caused in most part by Microsoft pushing an update to millions of its users. After the update, Skype servers got hammered as millions of users were hitting their servers at the same time, as their computers tried logging into Skype after their update. Their servers couldn't handle this load and crashed. It is further speculated that our government pressured Skype to install a back door before people were allowed to upload a new and working copy.
So, before Skype was brought online, they did something to "break" people's old Skype, forcing people to download a new version. From this point, IMHO, Skype is no longer trustable. It is speculated that Skype installed a "back door", enabling our government to "tap into" Skype calls and listen in on Audio, Video, and Text communications. Shortly after that, Microsoft bought Skype, and there went the neighborhood.
Fortunately, as early as 1999 and 2000, Jeremie Miller began working on "Jabber" technology. Also, using open source crypto, it became very popular in Google Talk, Adium, and other open source chat software with an encryption layer added on. Go to http://jabber.org for more details on Jabber, but if you have an account on a Jabber server (there are many), you can also use it in conjunction with another program called Jitsi. You can go to http://Jitsi.org and download a copy for free for your platform: Mac, Windows, or Linux.
Jitsi has all of the features of Skype, text, screen sharing, video conferencing, etc. Although the audio appears to sound a bit "scratchy", it is certainly acceptable, and the nice thing, your communication is encrypted point to point, and there is no place in the communication link where the communication remains unencrypted. Some users even report that Jitsi's video is smoother than Skype (perhaps since nobody is snooping in on the conversation!)
And finally…
It is possible, assuming you have a web hosting service, to encrypt every byte of information leaving your house, and have it go through a hosting service via an encrypted tunnel. This may be an overly paranoid mindset, but it is possible. Here's how!
One can get such a "tunnel" from a host of web hosting services like GoDaddy, InvioHosting (cheapest - but offers little support), or better yet, owning your own computer installed at a co-location facility.
Usually, these offer CPanel access, a web based GUI for setting up your own SSH accounts. If you know where to look, there are also places where one can get free shell accounts on-line. (Hint: shells.red-pill.eu)
To open up an encrypted tunnel to your hosting service, first you have to open up the Mac Terminal program. It's in the Applications/Utilities folder. Drag and drop it in the Application bar in your Finder window. Then type…
ssh -D 9999 -g username@somehost.com <--- note, the "9999" is the port number.
pw: <enter your SSH password here>
NOTE: "SSH" is a secure shell program. This connects to the host computer via a "shell" or terminal, and from it, you can type in Linux or UNIX commands.
Since I have an Apple laptop, the instructions for Mac are here. You are on your own for setting up your network settings for the SOCKS proxy, but the instructions are here. Perhaps someone could send me instructions for Windows or Linux and I can add those instructions later in the comments section of the article.
2) Go to Apple --> Preferences --> Network --> Advanced
3) Pick "Proxies" tab.
4) Click on "SOCKS Proxy"
5) In SOCKS proxy server field: localhost 9999 <---- the "9999" port number, must be the same as above.
Note: leave user/pw fields blank.
6) In the bypass proxy settings text area, add: *.local, 169.254/16
7) Make sure that the 'hosts' file has a localhost entry, i.e.:
127.0.0.1 <tab> localhost
If you don't know what a hosts file is, or where to find one on your computer, don't Google it! Google uses cookies to log your IP address and what you've searched for. Not only that, but Google has also historically yielded to FBI subpoenas for Gmail e-mail records (re: Jacob Appelbaum). Instead, use an alternative search engine such as DuckDuckGo.
On the Mac, go to Finder, in the "Go" menu, select "Go to folder…", and type "/etc/hosts". NOTE: to edit this file, you will need your password. This is above the skill level of an average Mac user. But it is highly likely that the entry exists; see below.
$ sudo cat /etc/hosts
Password: <same password you used to log into your Mac>
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost
As you see, it's in there, but now you know how to check. :-)
8) Check to enable. Then hit "Apply".
9) Your IP address will change to your hosting service's IP address. To verify:
10) Go to your browser and search for "Whats my IP" to verify it changed.
NOTE: do NOT close your SSH terminal window, just leave it open, or minimize it.
Now, every single byte of information going from your computer to the hosting service is encrypted. Including Skype calls, web site visits, virtually EVERYTHING….
If you are overseas, you can also deploy this method to make it look like you are in the USA, much the same as a VPN (Virtual Private Network). This bypasses Skype and Netflix restrictions and the Great Firewall of China, although I'm told they have somehow managed to control this as well.
Also, your SSH connection to the hosting service might time out if inactivity is sensed for a period of time, so always be sure to activate some services where there is constant activity, like chats, Skype, or other services.
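A check for the tunnel set up above, added here as an example and not part of the original article: the `-g` flag in the `ssh -D 9999 -g` command allows other hosts to connect to the forwarded port, so this script classifies the listeners on port 9999 from `lsof` output as loopback-only or exposed. The function names, the `lsof` sample lines, the user name and the alternative `ssh` line in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm the SOCKS tunnel listens on loopback only.
# With -g, ssh binds the forwarded port on every interface, so other machines
# on the same network can send traffic through your tunnel. One alternative
# invocation (same placeholder host as the article) that also sends
# keepalives instead of relying on chat traffic to hold the session open:
#   ssh -N -D 127.0.0.1:9999 -o ServerAliveInterval=60 username@somehost.com

# Reads `lsof -nP -iTCP:<port> -sTCP:LISTEN` output on stdin and prints
# "loopback <addr>" or "exposed <addr>" for each listener on <port>.
classify_listeners() {
    awk -v port="$1" '
        $NF == "(LISTEN)" {
            addr = $(NF - 1)
            cut = length(addr) - length(port)
            if (substr(addr, cut) != (":" port)) next    # different port
            host = substr(addr, 1, cut - 1)
            if (host == "127.0.0.1" || host == "[::1]")
                print "loopback " addr
            else
                print "exposed " addr
        }'
}

# Exit status: 0 = loopback only, 1 = reachable from the network, 2 = tunnel down.
tunnel_is_private() {
    out=$(classify_listeners "$1")
    [ -n "$out" ] || return 2
    case "$out" in *exposed*) return 1 ;; esac
    return 0
}

# Constructed lsof output: the article command (with -g), then without -g.
WITH_G='COMMAND  PID  USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
ssh     4242 alice  5u  IPv4 0xa1     0t0      TCP  *:9999 (LISTEN)
ssh     4242 alice  6u  IPv6 0xa2     0t0      TCP  *:9999 (LISTEN)'
WITHOUT_G='COMMAND  PID  USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
ssh     4250 alice  5u  IPv6 0xb1     0t0      TCP  [::1]:9999 (LISTEN)
ssh     4250 alice  6u  IPv4 0xb2     0t0      TCP  127.0.0.1:9999 (LISTEN)'

printf '%s\n' "$WITH_G"    | classify_listeners 9999
printf '%s\n' "$WITHOUT_G" | classify_listeners 9999
# Live check on the Mac:  lsof -nP -iTCP:9999 -sTCP:LISTEN | tunnel_is_private 9999
```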
====
And last but not least, is CryptoCat (http://crypto.cat), a stand-alone chat client and browser plugin allowing text chat between users, but since it uses JavaScript, a "man in the middle" attack might be possible against your browser, especially if your computer has been infected with some 3-letter's black-budget virus.
And finally, Ken Soona maintains a site, http://prism-break.org, a one-stop resource on free and trusted crypto, designed to get the NSA some additional work and additional headaches. Tax dollars, ahoy! Keep our shores safe. :)