How To: Securely communicate with AgileBits support
I sent an email message encrypted with the AgileBits Support public PGP key. Here's the response I got:
Hi William,
Thank you for taking the time to write to us here at AgileBits. We didn't actually receive a message, so could you let me know what sort of sync issues you're having, as well as what version(s) of 1Password you're running?
Thanks.
I thought it was disappointing to work with a support staff member at a consumer security company who cannot recognize a PGP encoded message.
Additionally, the web forums lack SSL support, so it's impossible for users to browse anonymously or talk to support securely (given what we know about contemporary network security issues on the internet).
Here are my questions:
- Are PGP encrypted messages to the AgileBits Support email address welcome?
- SSL encryption for the AgileBits forums: good idea?
(I realize the actual hosting for the support forums seems to be done through Vanilla Forums.)
Thank you.
Comments
-
I agree that Agilebits ought to have the capability to respond to OpenPGP-encrypted mail addressed to support@agilebits.com. Otherwise, why bother publishing a key associated with that email address? Besides, Agilebits encourages use of the discussion forums except for questions that are too private.
Still, email is not anonymous. And as for the forums, you have just disclosed that Tiro = William. :-)
Perhaps you could send an email requesting an O-T-R chat with a support person.
0 -
Hi @tiro,
I'm so sorry that we failed to respond appropriately.
PGP mail into support is welcome, but not everyone who deals with support queries is fully trained up on it yet. So typically, it will lead to a delay, and on occasion the mishap that you encountered. I just took a look at our internal guide about dealing with PGP encrypted messages. It had an error which may be what is behind our failure to respond correctly in this case. The page never used the term "PGP" (it did use "GPG" and "GnuPG") so anyone searching for "PGP" internally wouldn't have found that document.
The email support system that we use can do some mangling of messages – both incoming and out-going – and so signed messages may fail to verify.
Here is the key for support at agilebits.com. Key ID:
BD58E71C42F3D4D4
and fingerprint
F9F8 9579 AFDF EBB2 D4E9 1BE2 BD58 E71C 42F3 D4D4
Of course you are right that we should use SSL for the forums. We like to think that everyone posting here is using a unique password for the forums, but that really isn't a good excuse.
Those of you who are familiar with system administration will understand when I say that sometimes what looks like a simple configuration change turns out to be nasty and breaks stuff. So we've put that kind of stuff off until we can actually afford the (surprising) amount of time it takes.
Cheers,
-j
--
Jeffrey Goldberg
Chief Defender Against the Dark Arts @ AgileBits
http://agilebits.com
0 -
@jpgoldberg Thanks for the Key, added you just now . . . Ahhh secure now. . . . ;)
0 -
Guys, there is absolutely no excuse to not use SSL. I am aware that it is additional server configuration hassle, but there are external providers offering forums with SSL. Not using SSL should be punishable by law.
0 -
You're right.
Thankfully, there is no requirement to use this forum to get support from us. If you do not want to use it, please email us:
support@agilebits.com
We're always here to help.
0 -
I personally did not know you guys had PGP in place. I'll have to go get your PGP key pair and try it out next time I contact support :)
Thanks @jpgoldberg for taking the time to show that the key can be marginally trusted!
0 -
The last time I checked GPG/PGP support on OS X (which the vast majority of our support folks use) is extremely underwhelming and clunky, and our email support system does not have any built-in support for it. So while we can accept encrypted email if the contents are of a particularly sensitive nature, as @jpgoldberg mentioned it will likely slow down the process and as such I wouldn't recommend it for "just because" purposes.
Obviously everyone has a slightly different level of what they consider to be sensitive, but really there should be very little "sensitive" (by my definition) info submitted in an email to us. For example, you should never send us your keychain or your Master Password.
Thanks!
0 -
GPGTools for OS X is actually pretty good once you get the hang of it. The problem is getting the hang of it. Here is a wonderful blog post in which the author presents a list of things that cannot be done using GPGTools. The post corrects every complaint, because GPGTools actually can do everything that the author laments. It's just that the means are not obvious, and some of the more esoteric tasks cannot be accomplished via the GUI.
0 -
The latest version of GPGTools is a fantastic improvement over its predecessors.
The difficulty, for most people, with using PGP/GPG isn't the unwieldy software but conceptual. For example, to use it properly over a period of time one must recognize the distinction between "trust as an introducer" versus "trust the identity of". PGP's "web of trust" mechanism for certifying keys fails because it puts too much difficult-to-understand responsibility on users. The alternative that we have in X.509 (SSL certifications) fails for completely other reasons.
In a sense, the somewhat paradoxical math of public key systems is probably the easy bit to understand.
0 -
GPG Mail gotcha. Dueling perspectives.
0 -
That's interesting @benfdc. I have not been able to reproduce that problem with GPGMail using Fastmail as my IMAP server.
I do have Fastmail set up to keep my drafts on the IMAP server, but I see that my draft is encrypted with the recipient's PGP public key. Of course I have checked the Mail > Preferences > GPGMail "Encrypt/sign drafts" box to "yes."
0 -
-
There is an xkcd for everything. http://xkcd.com/1181/
0
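Added example, not part of any post in the thread: before encrypting mail to the support key, compare the full fingerprint quoted above with what your keyring reports, since the key ID is only the last 64 bits of the fingerprint. The listings below are constructed in the format of `gpg --with-colons --fingerprint`; key sizes, dates and the subkey are assumptions made for the example.

```python
import re

# Values quoted in the support post above.
PINNED_FPR = "F9F8 9579 AFDF EBB2 D4E9 1BE2 BD58 E71C 42F3 D4D4"
PINNED_KEYID = "BD58E71C42F3D4D4"

def normalize(hexstr):
    """Strip whitespace, upper-case, and reject anything that is not hex."""
    s = re.sub(r"\s+", "", hexstr).upper()
    if not re.fullmatch(r"[0-9A-F]+", s):
        raise ValueError("not a hex string: %r" % hexstr)
    return s

def keyid_matches_fingerprint(keyid, fpr):
    """For v4 keys the long key ID is the last 64 bits of the fingerprint."""
    k, f = normalize(keyid), normalize(fpr)
    return len(k) == 16 and len(f) == 40 and f.endswith(k)

def primary_fingerprints(colon_listing):
    """Fingerprints of primary keys in a colon-format listing.
    Only the fpr record that follows a pub record counts; subkey fprs are skipped."""
    found, after_pub = [], False
    for line in colon_listing.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            after_pub = fields[0] == "pub"
        elif fields[0] == "fpr" and after_pub and len(fields) > 9:
            found.append(normalize(fields[9]))
            after_pub = False
    return found

def key_is_pinned(colon_listing, pinned=PINNED_FPR):
    """True only if the listing holds exactly one primary key with the pinned fingerprint."""
    return primary_fingerprints(colon_listing) == [normalize(pinned)]

# Constructed listing (size, dates and the subkey are made up for the example).
GOOD = """pub:-:2048:1:BD58E71C42F3D4D4:1325376000:::-:::scESC:
fpr:::::::::F9F89579AFDFEBB2D4E91BE2BD58E71C42F3D4D4:
uid:-::::1325376000::::support@agilebits.com:
sub:-:2048:1:0123456789ABCDEF:1325376000::::::e:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA0123456789ABCDEF:
"""
# Constructed key that shows the same key ID but has a different fingerprint.
LOOKALIKE = GOOD.replace("F9F89579AFDFEBB2D4E91BE2", "00000000000000000000FFFF", 1)

if __name__ == "__main__":
    print(keyid_matches_fingerprint(PINNED_KEYID, PINNED_FPR))
    print(key_is_pinned(GOOD), key_is_pinned(LOOKALIKE))
```

A key that passes a key-ID comparison can still fail the fingerprint comparison, which is the check to rely on.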