How To: Securely communicate with AgileBits support

tiro
Community Member
edited January 2014 in Lounge

I sent an email message encrypted with the AgileBits Support public PGP key. Here's the response I got:

Hi William,

Thank you for taking the time to write to us here at AgileBits. We didn't actually receive a message, so could you let me know what sort of sync issues you're having, as well as what version(s) of 1Password you're running?

Thanks.

I thought it was disappointing to work with a support staff member at a consumer security company who cannot recognize a PGP encoded message.

Additionally, the web forums lack SSL support, so it's impossible for users to browse anonymously or talk to support securely (given what we know about contemporary network security issues on the internet).

Here are my questions:

  1. Are PGP encrypted messages to the AgileBits Support email address welcome?
  2. SSL encryption for the AgileBits forums: good idea?

(I realize the actual hosting for the support forums seems to be done through Vanilla Forums.)

Thank you.

Comments

  • benfdc
    Community Member

    I agree that Agilebits ought to have the capability to respond to OpenPGP-encrypted mail addressed to support@agilebits.com. Otherwise, why bother publishing a key associated with that email address? Besides, Agilebits encourages use of the discussion forums except for questions that are too private.

    Still, email is not anonymous. And as for the forums, you have just disclosed that Tiro = William. :-)

    Perhaps you could send an email requesting an O-T-R chat with a support person.

  • benfdc
    Community Member
    edited November 2013

    -----BEGIN PGP MESSAGE-----
    Comment: GPGTools - http://gpgtools.org

    -----END PGP MESSAGE-----

  • jpgoldberg
    1Password Alumni
    edited November 2013

    Hi @tiro,

    I'm so sorry that we failed to respond appropriately.

    PGP mail into support is welcome, but not everyone who deals with support queries is fully trained up on it yet. So typically, it will lead to a delay, and on occasion the mishap that you encountered. I just took a look at our internal guide about dealing with PGP encrypted messages. It had an error which may be what is behind our failure to respond correctly in this case. The page never used the term "PGP" (it did use "GPG" and "GnuPG") so anyone searching for "PGP" internally wouldn't have found that document.

    The email support system that we use can do some mangling of messages – both incoming and out-going – and so signed messages may fail to verify.

    Here is the key for support at agilebits.com. Key ID: BD58E71C42F3D4D4 and fingerprint F9F8 9579 AFDF EBB2 D4E9 1BE2 BD58 E71C 42F3 D4D4

    Of course you are right that we should use SSL for the forums. We like to think that everyone posting here is using a unique password for the forums, but that really isn't a good excuse.

    Those of you who are familiar with system administration will understand when I say that sometimes what looks like a simple configuration change turns out to be nasty and breaks stuff. So we've put that kind of stuff off until we can actually afford the (surprising) amount of time it takes.

    Cheers,

    -j

    --
    Jeffrey Goldberg
    Chief Defender Against the Dark Arts @ AgileBits
    http://agilebits.com
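
Added example, not part of the thread or AgileBits' own material: a shell check that an imported key matches the fingerprint published in the post above, comparing the full fingerprint rather than the key ID. The function names and both sample listings are constructed for illustration; the listings imitate `gpg --with-colons` output with only the fields the script reads.

```shell
#!/bin/sh
# Added example: check an imported key against the fingerprint published above.
PUBLISHED_FPR='F9F8 9579 AFDF EBB2 D4E9 1BE2 BD58 E71C 42F3 D4D4'
PUBLISHED_KEYID='BD58E71C42F3D4D4'

# Drop whitespace and upper-case, so spaced and unspaced forms compare equal.
normalize_fpr() { printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'; }

# The 64-bit key ID is only the last 16 hex digits of a 40-digit fingerprint.
keyid_of() { normalize_fpr "$1" | cut -c25-40; }

# Read `gpg --with-colons --fingerprint <address>` output on stdin and print
# the primary key's fingerprint: field 10 of the first "fpr" record.
primary_fpr() { awk -F: '$1 == "fpr" { print $10; exit }'; }

# Succeed only on a full 40-hex-digit match; a matching key ID is not enough.
fpr_matches() {
    want=$(normalize_fpr "$1")
    got=$(normalize_fpr "$2")
    case "$got" in ''|*[!0-9A-F]*) return 1 ;; esac
    [ "${#got}" -eq 40 ] && [ "$got" = "$want" ]
}

# Verify a colon-format key listing (passed as a string) against the post.
verify_listing() {
    listed=$(printf '%s\n' "$1" | primary_fpr)
    fpr_matches "$PUBLISHED_FPR" "$listed"
}

# Constructed listings: only the fields read here are filled in.
SAMPLE_GOOD='pub:-:::BD58E71C42F3D4D4:
fpr:::::::::F9F89579AFDFEBB2D4E91BE2BD58E71C42F3D4D4:
sub:-:::0000000000000000:
fpr:::::::::0000000000000000000000000000000000000000:'
# Constructed look-alike (not a real key): same key ID, different fingerprint.
SAMPLE_LOOKALIKE='pub:-:::BD58E71C42F3D4D4:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAABD58E71C42F3D4D4:'

if verify_listing "$SAMPLE_GOOD"; then echo "good listing: fingerprint matches"; fi
if ! verify_listing "$SAMPLE_LOOKALIKE"; then echo "look-alike: rejected"; fi
```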

  • TattooedMac
    Community Member

    @jpgoldberg Thanks for the Key, added you just now . . . Ahhh secure now. . . . ;)

  • r42
    Community Member

    Guys, there is absolutely no excuse to not use SSL. I am aware that it is additional server configuration hassle, but there are external providers offering forums with SSL. Not using SSL should be punishable by law.

  • khad
    1Password Alumni

    You're right.

    Thankfully, there is no requirement to use this forum to get support from us. If you do not want to use it, please email us:

    support@agilebits.com

    We're always here to help.

  • Urda
    Community Member
    edited January 2014

    I personally did not know you guys had PGP in place. I'll have to go get your PGP key pair and try it out next time I contact support :)

    Thanks @jpgoldberg for taking the time to show that the key can be marginally trusted!

  • The last time I checked GPG/PGP support on OS X (which the vast majority of our support folks use) is extremely underwhelming and clunky, and our email support system does not have any built-in support for it. So while we can accept encrypted email if the contents are of a particularly sensitive nature, as @jpgoldberg mentioned it will likely slow down the process and as such I wouldn't recommend it for "just because" purposes.

    Obviously everyone has a slightly different level of what they consider to be sensitive, but really there should be very little "sensitive" (by my definition) info submitted in an email to us. For example, you should never send us your keychain or your Master Password.

    Thanks!

  • benfdc
    Community Member

    GPGTools for OS X is actually pretty good once you get the hang of it. The problem is getting the hang of it. Here is a wonderful blog post in which the author presents a list of things that cannot be done using GPGTools. The post corrects every complaint, because GPGTools actually can do everything that the author laments. It's just that the means are not obvious, and some of the more esoteric tasks cannot be accomplished via the GUI.

  • Interesting, @benfdc. Thanks for the heads up. I believe this is the same toolkit I used a couple years ago but it looks like they have made a lot of progress. Doesn't help the fact that our support system has no integration for it, but could be helpful nonetheless.

  • jpgoldberg
    1Password Alumni

    The latest version of GPGTools is a fantastic improvement over its predecessors.

    The difficulty, for most people, with using PGP/GPG isn't the unwieldy software but conceptual. For example, to use it properly over a period of time one must recognize the distinction between "trust as an introducer" versus "trust the identity of". PGP's "web of trust" mechanism for certifying keys fails because it puts too much difficult-to-understand responsibility on users. The alternative that we have in X.509 (SSL certifications) fails for completely other reasons.

    In a sense, the somewhat paradoxical math of public key systems is probably the easy bit to understand.

  • benfdc
    Community Member
  • jpgoldberg
    1Password Alumni
    edited January 2014

    That's interesting @benfdc. I have not been able to reproduce that problem with GPGMail using Fastmail as my IMAP server.

    I do have Fastmail set up to keep my drafts on the IMAP server, but I see that my draft is encrypted with the recipient's PGP public key. Of course I have checked the Mail > Preferences > GPGMail "Encrypt/sign drafts" box to "yes."

  • jpgoldberg
    1Password Alumni
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512
    
    There is an xkcd for everything.
    
    http://xkcd.com/1181/
    
    -----BEGIN PGP SIGNATURE-----
    Comment: GPGTools - http://gpgtools.org
    
    -----END PGP SIGNATURE-----
    
This discussion has been closed.