Hello Folks.
I use Pidgin and Thunderbird for checking emails, My government used some deep packet filtering, Can they sniff my password?
In pidign I enable "Connection security" is it useful?

Do you have any suggestion for improving security?

Thank you.
Regards.

i think they can, but will leave your user accounts intact as long you don't do anything really stupid.

Just don't do anything that a government would be interested in.

If I use tor and change my password, Can they access it?

TOR provides anonymity only to some extent. The TOR web site strongly suggests using end-to-end encryption always.
*There is an actively maintained and developed pre-configured-for-TOR Linux distribution: TAILS.

Re Thunderbird, you may want to check this out http://www.enigmail.net/home/index.php

1 members found this post helpful.

TAILS in essence is only a collection of tools. And while tools may make things easier (or more difficult, depending on how you look at it) they are limited in scope. While for example a browser may warn you about the servers cert not matching its FQDN it won't prevent you from using password authentication over HTTP and then switch to HTTPS. So the real problem with your question is that you shouldn't be satisfied with any "it's OK" type of answer anymore: you have to do your own research and actively gain knowledge about what SSL actually is used for (what it protects against and what not), be able to spot implementation flaws (for example SSL-ized connection but cookies not forced over HTTPS) and get to know a little about how SSL could be attacked (https://www.ssllabs.com/downloads/SSL_Threat_Model.png and the rest of www.ssllabs.com). Next to that you have to review your personal password hygiene (re-use mostly), device use wrt flaws, software (anything from browsers auto-completion to cross-site scripting attacks), be aware constantly when facing links, login buttons, URL bar changes, etc, etc and keep abreast of any vulnerabilities always. If for example BEAST, CRIME, TIME and Lucky 13 don't ring a bell then you should really step up your research. A good stating point may be http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=openssl.

1 members found this post helpful.

It is unlikely that anyone can sniff your passwords or decode other data that has been encrypted with current standards. As has been pointed out above, the difficult part is in ensuring that you're actually encrypting your data and talking to who you think you are.

To add a little perspective on the subject, you are the weak link in the system and if you do something to attract sufficient unwanted attention you will be the target and it won't likely result in attempts to sniff your network traffic. Instead you will probably face this: http://xkcd.com/538/

Not unlikely as the situation is the following: http://dailyinfographic.com/wp-conte...nfographic.jpg

I find the "don't piss your government off" very funny. As posted, it can be reformulated as "If you have nothing to hide, don't worry if we watch you".

VERY BIG BROTHER, MEN!

Sorry, it is just that I have just read some news about portable scanners to spy on people, haha.

Other than that, I think there is not true Internet security and privacy against global attackers. Depending on the country and the cases, the Civil Guard, the Feds or whoever can kick some doors down and confiscate the equipment which handles your data, so you see... I have heard of cases in which that is what actually happened.

I mean, c'mon, asking Google to surrender your info is likely quicker for them than setting a sniffer scenario. Just saying.

because governments know what's best...


Get a VPN or SSH/SSL.

1 members found this post helpful.

"Yes, the government can sniff your passwords." Or, they can probably arrange for the e-mails to be transcribed and retrieved entirely without your knowledge or consent. Because, basically, that's what governments are tasked to do: to act on behalf (more or less) of hundreds of millions of people at a time. (Including you, BTW ...)

The comment, "just don't do anything that a government (or law-enforcement, etc.) would be interested in," is a perfectly-valid and appropriate statement, all things considered.

Your "expectation of privacy" with regards to e-mail in any case should be minimal. If you need to protect the content of your e-mail, you need to use PEM technologies. (And even then, you're not protecting against the guv'mint.)

I had an, shall we say, "interesting uncle." He was very expressive. One day he bought a police scanner. A few days later, he walked up to one of the local policemen (who he knew well, in his small town), and, very gravely, shook his hand. And said to him: "Thank you. I had no idea."

Yes there is. In Evolution, you will want to select use secure connection, e.g. TLS (which works over port 25 using "plain" passwords).

Also, if you are connecting to your own POP/IMAP server (e.g. Dovecot / Cyrus) you will want to do the following. Create a self signed SSL key and Certificate Authority just like you do for Apache and you can follow the instructions in many of the how-to documents. I prefer the one by Van Emery personally. You can then tell your Pop/Imap server to listen for secure connections using these keys.

Of course this only works if your mail provider is in another country and will not take money from your government. I'm assuming that's taken for granted but though it worth pointing out in case it wasn't.
I would suggest not using encryption though and simply never saying anything that you would not say in front of a police officer.
The reason I say this is because using encryption in any country could make the government take notice and, as has been pointed out above, it could fail in a number of ways. This means that if somebody sees your email is encrypted and decides to spend time getting into it if you have said anything even vaguely illegal you will be arrested and detained simply to justify the time and money spent getting into your email.

Here is a simple answer for the OP: use hushmail. I think that this has been suggested before. The servers are in Canada and per the terms of service unless a warrant signed by a Canadian judge with authority in British Columbia is presented, they will not turn over your email. Access to and from the site is encrypted via HTTPS. Mail to and from them may be encrypted if desired and there are multiple ways to do this.