Gail Menius //
- My husband set me up with GPG and Thunderbird and it was too hard.
- Ethan said it was cool.
- Lots of people gave it good reviews.
- It’s open source.
- John thought a blog post about mailvelope would be a good idea.
1. My husband set me up with GPG and Thunderbird and it was too hard to use.
When I first started working for BHIS, I told my husband that I needed a key or something for email and I also needed to encrypt my hard drive. Here is the explanation he gave me…
“Give me your computer and I’ll fix it.”
I was like, “Ok, Thanks!”
Because, to be quite honest, I was too busy to learn. So then, I continued in ignorance for a while…..
He set me up with something called firebird (no, that’s a ballet)….Thunderfox (nope, that’s literally nothing I’ve ever heard of before)… Firefox, nope, that’s a browser. UUUUm, it was a mail application that uses keys… if you want it to. Ugh, he just previewed my blog and said he did something with Enigmail because something nerdy nerd nerd doesn’t support a blah blah firebird!!!!
And then I knew that sometimes people were sending me things that were encrypted and I knew I needed their key and… I was scared to ask because I didn’t know if it was automatically sent to me or I should just know where it was…. I was so scared! Why why why didn’t I know how to encrypt email?
2. Ethan said it was cool.
But then Ethan came to visit the Rapid City office. He is such a neat guy! He taught me how to use Mailvelope. (And use email filters… oooooooooh email filters). I’m not sure why, but Mailvelope just seemed intuitive. I used it on my gmail. I thought I would show you how to do it on your gmail. Hold your horses, it’s at the END of the post.
3. Lots of people gave it good reviews.
There are over 200,000 users. It got an average of 4.55 stars out of 5. People love it. But when I went to download the extension, something scary happened.
It asked me if I wanted to let Mailvelope read and change all my data on the websites I visit. WHAT DOES THAT MEAN???!?!?!?! SO I clicked “view details.”
OOOH NOOOOO!!! NOW it gets complicated. How am i going to tell if I can trust this thing? Do I trust it just because Ethan says so? DO I read reviews? Do I know anyone who is a subject matter expert? I’ll tell you what I learned.
Mailvelope is based on this thing called PGP, pretty good privacy, and a guy almost got in trouble for developing PGP. Are you down with PGP? Because Phil Zimmerman is. And he’s a fellow… something important about law and Stanford.
4. It’s open source.
I also learned that it is OPEN SOURCE and you can see the code on GITHUB. (I can explain what that means too. I only really know because my husband chatters about open source all the time. ALL THE TIME). Apparently it’s super nice to write open source code. It’s code that you can see how it works, see all the lines in it. You can also make it your own, alter it to suit your needs. It helps the community. Check out how this blog on Creative Commons about how government code should always be open source. Ohhh, wouldn’t that be cool if our tax dollars paid for code we could use for free?
Some people say you can’t send secure attachments using Mailvelope. But I usually just hear of people using box or sending things using encrypted zip, so I wasn’t too concerned with that, so Mailvelope was looking good.
5. John thought a blog post about mailvelope would be a good idea.
Everyone at BHIS contributes to the blog. It’s important to cultivate a culture or sharing. When I mentioned that I was going to do a blog post on Mailvelope, he thought it was a good idea. What he didn’t know was that now Heather and I can send secret messages about him using our work email.
Gail thinks Mailvelope is cool because she can send super secret messages with it to Heather that no one else can read. Which is super cool because John has the ability to read everyone’s email at BHIS and sometimes She doesn’t want him to do that. (Not that he’s nosy or that she has any secrets.) ***Please ignore the fact that she and Heather could have used personal email accounts.
- Go to Mailvelope. And download the extension for Chrome.
- This is the extension icon on Chrome once you’ve downloaded it.
- An electronic menu slides down from the extension bar. See “options” in blue? I know it’s small, but you can see it on your own browser.
- The menu on the left helps lead you to a page you can use to “Generate” your own “key.” (You’ll need one if you want to send Heather secret messages.)
- It WILL ASK YOU FOR A PASSPHRASE. Remember it. Don’t write it down. Don’t even joke about taping it to the back of your keyboard. (It may let you generate a blank key… don’t do that either.)
- Then you freak out because you’ve generated a key but you don’t know where it is. Lucky for me, it was just hiding under “key pairs” in “Display keys.”
- Import your friends’ keys so you can whisper email secrets to them! You have to copy and paste the text of their keys. But if you have txt files, you can upload them instead.
- Send a super secret email! When you go to your gmail, you can see this weird floating email box looking thing. Click that and start writing your secrets. It’ll ask you who you want to encrypt the message for and which key to use to decrypt it. It’s pretty intuitive after that.
- After you click “send,” it’ll ask for that passphrase again. Always remember your passphrase. There’s no prompting to help you remember in this program. Just remember it or it’s lost FOREVER. There’s nothing more embarrassing than having your security friends find out you forgot your passphrase. Or is there?
Control the Key
During the creation of this blog, I couldn’t find the key I generated at first. I sent out an email to the testers and told them I lost the key. Sally and Ethan were both online and talked a bit about the game of the “key.” Sally thought that I should include a bit about keeping control of the key. She said that “maintaining control of the key is PARAMOUNT.” she also said “When you lose the key or worse yet, someone else gets their hands on it it’s game over.” I think it would be super scary if someone could pretend to be me in email. So I better train this key to stay in the yard or get an invisible fence.
I asked Ethan what to do when I thought I had lost they key and he said that “Exposure of a private key definitely means you should generate a new key and issue a revocation of your old one (if you can).” Next blog, I’m going to act like I actually lost the key and tell you how to fix it if you do!
References & Credits
- Ethan Robish (email communication, March 28, 2016)
- Sally Vandeven (email communication, March 28, 2016)
- Photos: Click on all photos for their reference. All used via Creative Commons.