Contacting me securely

There is no perfect solution when it comes to communications security. Below I explain the properties of various methods to secure your communications with me.

The method (or methods) you choose should depend on your threat model – that's a general idea of what you are trying to protect against. If you are unsure, need help, or would prefer an ad hoc solution, feel free to reach out and ask.

For most purposes, my contact form should provide enough security. For greater security, you can use Keybase or, if you know me in person, Signal. If you're familiar with OpenPGP, you can use that. For even greater security, you can use my offline keys.

You should also take care to protect anything you use to handle the "plaintext" (the unsecured message). Read more about OS and hardware security.

My contact form

The contact form on my website is a very easy and reasonably secure way to contact me. The message is sent over a secure connection to my web server, where it is then forwarded over a secure connection to Tutanota.

Note that I will not be able to reply securely if you do not provide a way to do so.

This method will resist most attacks, but will probably not resist targeted attacks carried out by attackers with nation-state capabilities.

To read the message, an attacker would need to do one of the following:

  • compromise my web server (before you send the message)
  • compromise Tutanota's mail servers (before you send the message),
  • copy the encrypted traffic (when you send the message) and break the encryption (after you send the message), which probably won't be feasible until 2030, or
  • compromise one of my devices (after you send the message).
  • Note: To ensure you are communicating securely with the web server, go to https://lauritzt.dk/contact and make sure that your browser is displaying a padlock near the address.

    Note: When you use the contact form, your IP address is recorded and stored in accordance with my privacy policy. If you need anonymity, you can use an anonymizing proxy service, such as Tor.

    Keybase

    Keybase is a reasonably easy and decently secure way to chat or share files with me. You need to install Keybase and create a Keybase account to use it. I am lauritzt on Keybase.

    If you need additional security, you can enable exploding messages, which means the message is automatically deleted after a certain amount of time.

    To read the message, an attacker would need to do one of the following:

  • place malicious code in Keybase without anyone noticing,*
  • copy the encrypted message (when you send the message) and break the encryption (after you send the message), which probably won't be feasible until after 2030, or
  • compromise one of our devices (before the message explodes).
  • *Keybase is open-source, so changes to its code can be reviewed by anyone.

    Signal

    If you know me in person, you can use Signal to contact me. It is very easy to use and provides decent security, though only after safety numbers are verified in person.

    If you need additional security, you can enable expiring messages, which means the message is automatically deleted after it has been read.

    To read the message, an attacker would need to do one of the following:

  • compromise Signal's servers (would not work with verified safety numbers)
  • place malicious code in Signal without anyone noticing,*
  • copy the encrypted message (when you send the message) and break the encryption (after you send the message), which probably won't be feasible until after 2030, or
  • compromise one of our phones (before the message expires).
  • *Signal is open-source, so changes to its code can be reviewed by anyone.

    OpenPGP

    OpenPGP is a public-key encryption system that can be used to send messages securely through another communication channel. It can be a little daunting, particularly if you choose a command-line interface rather than a graphical interface.

    It is also easier to make a mistake that could compromise security than it is with many of the other systems. If you decide to use this method, make sure to read your implementation's manual carefully.

    To read the message, an attacker would need to do one of the following:

  • gain access to one of our private keys (my general key is protected with a strong passphrase and is only stored on secured computers), or
  • guess one of the private keys (something that probably won't be feasible until after 2040).
  • The implementation I recommend is GnuPG (optionally with Kleopatra as a graphical front-end). You can also use Keybase as a OpenPGP client, which is simpler to use, though it may be less secure.*

    You can get my keys here and learn more about public-key cryptography here.

    *I'm referring to Keybase's web encryption interface. Keybase's servers could theoretically be serving malicious code to specific clients. You do not need an account for Keybase's web encryption interface.

    OS and hardware security

    You should keep in mind that your applications, your OS, and your hardware may be monitoring your activity.

    Windows

    The privacy policy of Windows lets microsoft collect and in some cases share contents of emails and files, as well as data about what you type. In the past, Microsoft has told American authorities about security vulnerabilities in Windows before fixing them. In addition, Windows is proprietary – that means that it is illegal to reverse-engineer Windows and review what it actually does. Learn more about the problems with Windows.

    I recommend against using Windows to contact me if you need security. Instead, you can use TAILS.

    TAILS

    TAILS is a live operating system. That means that it doesn't change the configuration of your computer and doesn't save any data on it. It runs from a USB-drive and lets you bypass the potential security problems of your regular OS or the applications installed on it. When you're done with TAILS, you simply remove the USB-drive and restart your computer, and you're back to using your regular OS. Learn more about TAILS.

    Offline keys

    If you need additional security, you can use my offline keys, also called "air-gapped" or "cold" keys. The private part of the offline keys are stored on an encrypted and specially protected computer that is never connected to the internet, making it even more difficult for an adversary to gain access to the private key.

    Encryption for offline keys is just like encryption for regular keys – just select the offline key instead. You should yourself use a computer that is never connected to the internet (or a computer with TAILS).

    I have an offline key for OpenPGP (download).

    It might take me longer to respond to messages encrypted for offline keys.