Best Practices for Sending Secret

[MerceanCoconut]

What's the recommended method of giving someone your sync secret?

[Varnagas]

Cartman would do it by tweet. http://www.southparkstudios.com/full-episodes/s17e01-let-go-let-gov

 

On my use cases I do it by adding a folder named by a secret in already syncing folder. Deleted empty folder does not appear in history. Sending by this sync is as secure as sync itself. But that is only my use case already having folder in sync. Or being able to have folder on a flash drive or on a remote drive it is needed on.

 

Other way is by skype to me, but not my own choice. Skype is quite secure in transfer, but history keeping and so on sent secrets makes vulnerable. Physical or remote access to files makes sync folders vulnerable too, so not a huge difference.

 

My wide use cases do not require serious deal of security though. Mainly just serverless transfers and syncing for time efficiency and general simplicity. 

[GreatMarko]

What's the recommended method of giving someone your sync secret?

There is no "recommended method" as such - how user's choose to share their "secrets" is up to individuals.

 

One potential method, if you're really worried about your secrets being "intercepted" when sharing them with a friend/colleague via a single medium (for instance, in say an email), would be to split the secret up and send each part via a different medium - i.e. email say the first 8 characters of the secret to your friend, IM them the next 8 characters, send the next 8 characters in a text message, and then telephone your friend with the remaining characters... your friend just needs to then combine all the parts of the secret they've received via the various mediums, to construct the complete secret!

[dmason]

I've been using one time secrets with friends.

[Disappointed Cat]

Security through obscurity is bad practice.

Use PGP or steganography and send it in cat pictures.

[ctismer]

A way that works nicely for me is the threema app.

https://threema.ch/

This way you can securely exchange secrets with friends.

Side note: This is more secure than BTSync or even PGP because there is no backdoor.

Another good way is GnuPg.

[GreatMarko]

This is more secure than BTSync or even PGP because there is no backdoor.

 

...and what exactly is this "backdoor" in BitTorrent Sync that you speak of!!??

[Grrrd]

Talk to the person face to face?

[GreatMarko]

Talk to the person face to face?

Ha! What, and expect them to just "memorize" a string of 30+ random characters?!

[MerceanCoconut]

In person, with a thumb drive is what I have been doing.  With the group of people I want to share the secret with, I'm on the only one that would use PGP and the only one without a mobile phone, so solutions involving either of those would be difficult.

 

I came across a website this morning for sharing things once: https://1ty.me/

 

Frankly, it seems to be the perfect solution.  Any thoughts?

[aymanfadel]

this is a a concern of mine as well. I'm thinking of using BitTorrent Sync to distribute files to clients without them having to log in to a server and thus saving me the trouble of user names and passwords.

 

At the same time, I did not want to simply e-mail people their folder passwords. I do that to share family photos & movies, but not client data!

 

Sending it by fax or US postal service would force them to type it in from a sheet of paper, which most of them would find troublesome. but that's the route I'm headed towards. I am testing out MerceanCoconut's suggestion for 1ty.me.

 

Any other ideas or suggestions?

[goli]

Hey there.

 

 

Ha! What, and expect them to just "memorize" a string of 30+ random characters?!

 

Well, you can hand them a printed version or make them type in the secret directly into their devices. If, of course, you tell somebody "I'll tell you my private share secret in person when we meet" and he arrives without anything to store this information that has been announced as being transfered verbally, then I would think it's his own fault.

 

So yes, I would expect that and laugh on him.

 

The last couple of secrets I used were in fact transferred this way: We were in a starbucks, I told the digits to my collegue and he typed those into his computer. That's pretty easy, and no more complicated then what happens if you sit together at someones sofa and somebody asks "hey, what's the password of your wifi". Then the very same thing happens .

 

I came across a website this morning for sharing things once: https://1ty.me/

 

Nop. That doesn't solve anything. It only moves the problem from "how to transfer the 30 digits secret securely" from "how to transfer the randomly generated URL securely". I don't think that's any way better. Ok, you can rely on the share is only used by a single recipient. But what if the single person using this share isn't your friend? It could take "several files an GB" before you notice that you're uploading your personal data directly to the NSA instead of to your friend.

 

 

I personally would use well known secure email based on public key mechanisms. That's reliable, proofed to be strong, and after the most recent events I expect everybody to know about those and how to use them.

 

[rant]

 

I don't expect anybody to use signed or encrypted emails in daily business or personal conversation. It's completely up to you if you want your letters being secure or not.

But every time somebody tells me he doesn't know how to use e.g. PGP or even doesn't know that this implementation exists since 1991, which is 22 years now, I simply stop talking to him about security.

 

If course GnuPG as open source implementation of this is even better, that should not be the point. The simple fact is: Email encryption exists for 22 years now. That's at least as long as my daily mail contacts know how to use a computer. There's absolutely now excuse to not know about that.

 

And this, after having ranted some lines against ignorant people (excuse me for that, but I really get angry, especially all of my non computer since friends laughed at me when I told then I would perfer using email encryption) is my best bet:

 

[/rant]

 

Use encrypted emails as a proofed way to transfer sensible data to transfer sensible data

 

Regards,

Stephan.

[jtroth]

To encrypt a string on a linux box:

echo '$BTSYNC_SECRET' | openssl enc -base64 -e -aes-256-cbc -nosalt -pass pass:correct_horse_battery_staple

 

This generates the string "dSsDqj3ilLCNosmWNYpbzA==".  You can send this, in the clear, to your friend.

 

Your friend will then enter:

echo "dSsDqj3ilLCNosmWNYpbzA==" | openssl enc -base64 -d -aes-256-cbc -nosalt -pass pass:correct_horse_battery_staple

 

Then just tell them the password through some other channel.

 

Sometimes if I'm lazy, I'll just put the key in a password protected pdf/rar/word doc and attach it to an email.

[casacota]

SMS

[lolcat]

XMPP or IRC with OTR?

[MerceanCoconut]

Thanks everyone for your feedback, some of which are quite humorous.  You've provided a number of feasible options depending on the situation.

[lolcat]

Use Pidgin or any chat client with OTR-encryption?

[CrayTo5]

Really great advice here, thanks to all!

 

However, if I had a mission critical secret to send remotely - I would not trust any 1 communication system, since it might be compromised - and reveal the secret to adversaries.

 

"Shamir's Secret Sharing" is a crypto algorithm designed to solve this dilemma. It splits a secret into pieces. You can send each piece separately by different means (ex. encrypted email, OTR, SMS). Only when the intended recipient receives all the pieces can the secret be re-constructed.

 

A very easy to use Windows implementation of this scheme is called  "Secret Sharp" 

http://sourceforge.net/projects/secretsharp/ . There is another for Linux called ssss, but I am not familiar with it