/
readme.txt
235 lines (143 loc) · 20.3 KB
/
readme.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
=== WP PGP Encrypted Emails ===
Contributors: meitar
Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_donations&business=TJLPJYXHSRBEE&lc=US&item_name=WP%20PGP%20Encrypted%20Emails&item_number=wp-pgp-encrypted-emails&currency_code=USD&bn=PP%2dDonationsBF%3abtn_donate_SM%2egif%3aNonHosted
Tags: encryption, email, security, privacy, pgp, gpg, openpgp
Requires at least: 4.4
Tested up to: 4.4.2
Stable tag: 0.4.0
License: GPLv3
License URI: https://www.gnu.org/licenses/gpl-3.0.html
Signs and encrypts emails WordPress sends using PGP keys. Provides OpenPGP functions via WordPress plugin API.
== Description ==
WP PGP Encrypted Emails automatically signs and encrypts any email that WordPress sends to your site's admin email address or user email addresses after you give it a copy of the recipient's PGP public key or generate a signing keypair to use. This protects your user's privacy by ensuring that emails intended for them can be read only by them and them alone. Signing helps your users verify that email they receive purporting to be from your site actually was sent by your server.
*Donations for this and [my other free software plugins](https://profiles.wordpress.org/meitar#content-plugins) make up a chunk of my income. If you continue to enjoy this plugin, please consider [making a donation](https://www.paypal.com/cgi-bin/webscr?cmd=_donations&business=TJLPJYXHSRBEE&lc=US&item_name=WP%20PGP%20Encrypted%20Emails&item_number=wp-pgp-encrypted-emails&currency_code=USD&bn=PP%2dDonationsBF%3abtn_donate_SM%2egif%3aNonHosted). :) Thank you for your support!*
The plugin works transparently for *all email* your site generates, and will also sign and encrypt outgoing email generated by other plugins (such as contact form plugins) or the built-in WordPress notification emails. All you have to do is add one or more PGP keys to the General Settings screen. You can also remove envelope information such as email subject lines, which PGP cannot encrypt. There is no longer any need to pay for the "pro" version of your favorite contact form plugin to get the benefit of email privacy.
Additionally, each of your site's users can supply their own, personal public key for their own email address to have WordPress automatically encrypt any email destined for them. (They merely need to update their user profile pages.) Once saved, all future emails WordPress sends to that user will be encrypted with their public key.
The encrypted emails can be decrypted by any OpenPGP-compatible mail client, such as [Mailvelope](https://www.mailvelope.com/), [MacGPG](https://gpgtools.org/), or [Enigmail](https://www.enigmail.net/). For more information on reading encrypted emails, generating keys, and other uses for OpenPGP-compatible encrpytion, consult any (or all!) of the following resourceful guides:
* [The Electronic Frontier Foundation's Surveillance Self-Defense guide to PGP](https://ssd.eff.org/en/module/introduction-public-key-cryptography-and-pgp)
* [RiseUp.net's OpenPGP best practices guide](https://help.riseup.net/en/gpg-best-practices)
Additionally, WP PGP Encrypted Emails provides an easy to use API to OpenPGP operations through the familiar [WordPress plugin API](https://codex.wordpress.org/Plugin_API). See the [Other Notes](https://wordpress.org/plugins/wp-pgp-encrypted-emails/other_notes/) page for details.
**Security Disclaimer**
Security is a process, not a product. Using WP PGP Encrypted Emails does not guarantee that your site's outgoing messages are invulnerable to every attacker, in every possible scenario, at all times. No single security measure, in isolation, can do that.
Do not rely solely on this plugin for the security or privacy of your webserver. See the [Frequently Asked Questions](https://wordpress.org/plugins/wp-pgp-encrypted-emails/faq/) for more security advice and for more information about the rationale for this plugin.
== Installation ==
WP PGP Encrypted Emails can be installed automatically from the WordPress plugin repository by searching for "PGP Encrypted Emails" in the "Add new plugin" screen of your WordPres admin site and clicking the "Install now" button.
WP PGP Encrypted Emails can also be installed manually by following these instructions:
1. [Download the latest plugin code](https://downloads.wordpress.org/plugin/wp-pgp-encrypted-emails.zip) from the WordPress plugin repository.
1. Upload the unzipped `wp-pgp-encrypted-emails` folder to the `/wp-content/plugins/` directory of your WordPress installation.
1. Activate the plugin through the 'Plugins' menu in WordPress.
Once activated, each user who wants to receive encrypted emails must add their PGP public key to their profile. See the [screenshots](https://wordpress.org/plugins/wp-pgp-encrypted-emails/screenshots/) for a brief walkthrough of how to configure WP PGP Encrypted Emails after it is installed.
Keep in mind, you will need to have the private key corresponding to the public key you save in your WordPress site, or you will not be able to decrypt the email you receive. To learn more about generating keys and decrypting email, consult one (or more) of the following guides:
* [The Electronic Frontier Foundation's Surveillance Self-Defense guide to PGP](https://ssd.eff.org/en/module/introduction-public-key-cryptography-and-pgp)
* [RiseUp.net's OpenPGP best practices guide](https://help.riseup.net/en/gpg-best-practices)
I have also found the following articles useful, but do not personally vouch for their accuracy:
* [Jerzy Gangi's "Best PGP Tutorial for Mac OS X, ever"](http://notes.jerzygangi.com/the-best-pgp-tutorial-for-mac-os-x-ever/)
* [DeepDotWeb's Basic Guide to PGP on Linux](https://www.deepdotweb.com/2015/02/17/basic-guide-pgp-linux/)
* [BitCoin Not Bombs: Beginner's Guide to PGP](http://www.bitcoinnotbombs.com/beginners-guide-to-pgp/)
If you found a good guide to using PGP/GPG that I haven't listed here, please share it in [the WP PGP Encrypted Emails plugin forum](https://wordpress.org/support/plugin/wp-pgp-encrypted-emails#postform).
== Frequently Asked Questions==
= Is this plugin *really* secure? =
Against the NSA? No, probably not. Against a nosy co-worker? Yes, probably.
The "realness" of security cannot "really" be measured in abstract, imprecise terms, but rather only based on what real threats you are likely to face and what risks you are vulnerable to if those threats materialize in reality. You have a much better sense of the answers to these things than I do for your situation, because I am not you. Security professionals call this process "threat modeling," and if you are "really" concerned for your security (I encourage you to be!) then learning how to conduct a threat assessment for yourself is a good idea. [Learn more about threat modeling from the EFF's Surveillance Self-Defense Guide](https://ssd.eff.org/en/module/introduction-threat-modeling).
= If this plugin isn't secure against the NSA, what good is it? =
First of all, not everyone's security needs are the same. (See "threat modeling," discussed in the previous question.)
* Against an opportunistic attacker, your security measures merely need to be better than your neighbor's in order to be sufficient to deter attacks. This is "good enough" security for most users of WordPress, especially on shared hosting accounts (which are generally closer to the unsafe side of the security spectrum no matter what plugins you install anyway).
* Against a well-resourced, determined adversary who has specifically singled you out, however, what matters is that your ability to secure yourself exceeds your adversary's ability to compromise the specific security precautions you've put in place. Your relative security as compared with your neighbor's doesn't matter. In this case, it is better to do anything and everything you reasonable can do for your protection, even if no specific security measure will be enough on its own. This is known as "[defense in depth](https://en.wikipedia.org/wiki/Defense_in_depth_%28computing%29)" and is analogous to the way a medival castle had a moat that surrounded an outer wall which itself surrounded an inner wall protecting a keep. These concentric rings of security provide redundancy and serve to slow an attacker's intrusion. This plugin can be considered *one* small part of a larger defense-in-depth security approach for your website.
Read [Bruce Schneier's "Lessons from the Sony Hack"](https://www.schneier.com/blog/archives/2014/12/lessons_from_th_4.html) for a brief, real-life case study in understanding this important nuance between opportunistic and focused attackers.
Further, security is largely a matter of operational practice, not theoretics. If you never use PGP/GPG because the only tools you have access to are not perfect, then you will not have the experience you need to know how to use PGP/GPG when you actually get access to it because you never even practiced using it. By way of analogy, if you want to learn swordfighting but all you have is sticks you picked up in the forest, you are better off picking up those sticks and practicing with them than waiting and not practicing at all until you get your hadns on steel swords.
Don't let perfect be the enemy of good.
= Why are emails from [other-plugin-here] not being encrypted? =
Make sure the emails the other plugin sends are being addressed to an email account that WordPress knows about and that WordPress knows which PGP public key to use when encrypting email destined for that address.
More specifically, this means the "TO:" field of the outgoing email needs to match either your WordPress's "admin email" address or the email address of one of your WordPress user accounts, and you need to provide the PGP public key you want WordPress to use when sending email to that address. In many contact form plugins, you can supply an arbitrary email address to send those emails to, but if that email address is not the address of a user on your site, WP PGP Encrypted Emails won't know which PGP public key to use for encryption.
As a workaround, simply create an unprivileged ("Subscriber" [role](https://codex.wordpress.org/Roles_and_Capabilities)) new WordPress user account with that email addresss and enter the PGP public key in that user's profile. (Accept the automatically generated password, since you will not need to remember it, as you will never need to log in with that user account.)
= How do I read an encrypted comment? =
If you have received a "Private" comment, you will need to use an OpenPGP-compatible PGP client to decrypt and read it. There are many free apps that do this. Which one you choose depends on what kind of computer you are already using. If you use Windows, I suggest installing and using [GPG4Win](https://www.gpg4win.org/) since it provides the most features. For Mac OS X users, I suggest [MacGPG](http://gpgtools.org/) for the same reason, and Linux users should check their distro's package repository for compatible options. (For Ubuntu users, the [Seahorse-Nautilus](http://packages.ubuntu.com/precise/gnome/seahorse-nautilus) plugin is popular.)
We might add support for an in-browser client based on [OpenPGP.js](http://openpgpjs.org/) at some point, but for now you will still need an external program to read encrypted comments.
== Screenshots ==
1. Paste the plain text version of your PGP public key into the "PGP Public Key" field in your profile, then click "Save changes" at the bottom of the page. (There is a similar field for the WordPress admin email in the General Settings screen accessible to Administrator users.)
2. If the plugin detects a problem with your PGP public key, you will get a notice like the one shown here.
3. Authors who add a PGP public key to their profile also let readers leave semi-private comments on their posts. These are comments that are automatically encrypted to the author's public key upon submission. Commenters who want to send a "Private" comment simply write their comment normally and ensure the encryption checkbox is enabled when they submit their comment.
4. Administrators can generate an OpenPGP signing keypair with which to automatically sign outgoing emails. This helps recipients verify that email they receive actually came from your website. Admins can regenerate the keypair automatically by clicking the "Regenerate keypair" button, or they can manually paste an ASCII-armored keypair for the site to use.
5. For security, the private key part of the site's signing key will only be transmitted over a secure (HTTPS) connection, so you will see the following prompt to switch to a secure connection if you try to view it insecurely. You can still (re)generate a keypair, including the private key part, over an insecure connection because the key is generated on the server itself.
== Change log ==
= Version 0.4.0 =
* [Feature](https://github.com/meitar/wp-pgp-encrypted-emails/issues/1): Admins can now generate a PGP signing keypair for the blog itself. If a signing keypair exists, outgoing emails will be automatically signed.
* This keypair is intended to be used for signing outgoing emails. It is *not* intended to be used for any other purpose. *Do not* use this keypair for emails you send yourself. *Do not* export this key for use in any other system. This keypair should be treated as a low-trust, single-purpose keypair reserved exclusively for your website itself.
* Developer: New filter hooks. These are documented on the [Other Notes](https://wordpress.org/plugins/wp-pgp-encrypted-emails/other_notes/) page.
* `openpgp_enarmor` filter for ASCII-armoring arbitrary OpenPGP data.
* `openpgp_sign` filter for (clear)signing an arbitrary message.
= Version 0.3.0 =
* [Feature](https://github.com/meitar/wp-pgp-encrypted-emails/issues/6): Authors with a PGP public key set in their profile can now receive "private" comments. Readers write their comment as normal, and can then enable the "Private" checkbox next to the comment submit button. This will automatically encrypt the comment to the post author's PGP public key and saves the comment in the WordPress database as an ASCII-armored string.
* This feature is *not* secure against eavesdropping, other network attackers, or malicious web host. It does *not* prevent server administrators from reading the contents of your comment. Rather, it prevents *other readers* or unprivileged users of the blog from reading your comment after it has been sent to the author. This is useful if, for instance, you want to communicate semi-privately with the author in an otherwise public forum (the comment thread) but do not know the author's email address, perhaps because the author themselves wish to remain pseudonymous (and thus do not provide a valid email address associated with their PGP key).
= Version 0.2.0 =
* [Developer](https://github.com/meitar/wp-pgp-encrypted-emails/issues/5): Added two new filters, `openpgp_key` and `openpgp_encrypt` so plugin developers and theme authors can encrypt arbitrary data, too.
= Version 0.1.2 =
* [Security](https://github.com/meitar/wp-pgp-encrypted-emails/issues/3): Switch PGP library to [OpenPGP-PGP](https://github.com/singpolyma/openpgp-php).
= Version 0.1.1 =
* Bugfix: Fix `Fatal error` in cases where the public key is set to `false`.
= Version 0.1 =
* Initial release.
== Other notes ==
If you like this plugin, **please consider [making a donation](https://www.paypal.com/cgi-bin/webscr?cmd=_donations&business=TJLPJYXHSRBEE&lc=US&item_name=WP%20PGP%20Encrypted%20Emails&item_number=wp-pgp-encrypted-emails&currency_code=USD&bn=PP%2dDonationsBF%3abtn_donate_SM%2egif%3aNonHosted) for your use of the plugin**, [purchasing one of Meitar's web development books](http://www.amazon.com/gp/redirect.html?ie=UTF8&location=http%3A%2F%2Fwww.amazon.com%2Fs%3Fie%3DUTF8%26redirect%3Dtrue%26sort%3Drelevancerank%26search-type%3Dss%26index%3Dbooks%26ref%3Dntt%255Fathr%255Fdp%255Fsr%255F2%26field-author%3DMeitar%2520Moscovitz&tag=maymaydotnet-20&linkCode=ur2&camp=1789&creative=390957) or, better yet, contributing directly to [Meitar's Cyberbusking fund](http://Cyberbusking.org/). (Publishing royalties ain't exactly the lucrative income it used to be, y'know?) Your support is appreciated!
= Plugin hooks =
This plugin offers additional functionality intended for other plugin developers or theme authors to make use of. This functionality is documented here.
== Filters ==
= `openpgp_enarmor` =
Gets an ASCII-armored representation of an OpenPGP data structure (like a key, or an encrypted message).
* Required parameters:
* `string` `$data` - The data to be armored.
* Optional parameters:
* `string` `$marker` - The marker of the block (the text that follows `-----BEGIN`). Defaults to `MESSAGE`, but you should set this to a more appropriate value. If you are armoring a PGP public key, for instance, set this to `PGP PUBLIC KEY BLOCK`.
* `string[]` `$headers` - An array of strings to apply as headers to the ASCII-armored block, usually used to insert comments or identify the OpenPGP client used. Defaults to `array()` (no headers).
Example: ASCII-armor a binary public key.
$ascii_key = apply_filters('openpgp_enarmor', $public_key, 'PGP PUBLIC KEY BLOCK');
= `openpgp_key` =
Gets a binary OpenPGP public key for use in later PGP operations from an ASCII-armored representation of that key.
* Required parameters:
* `string` `$key` - The ASCII-armored PGP public key block.
Example: Get a key saved as an ASCII string in the WordPress database option `my_plugin_pgp_public_key`.
$key = apply_filters('openpgp_key', get_option('my_plugin_pgp_public_key'));
= `openpgp_sign` =
[Clearsigns](https://www.gnupg.org/gph/en/manual/x135.html#AEN152) a message using a given private key.
* Required parameters:
* `string` `$data` - The message data to sign.
* `OpenPGP_SecretKeyPacket` `$signing_key` - The signing key to use, obtained by passing the ASCII-armored private key through the `openpgp_key` filter.
Example: Sign a short string.
$message = 'This is a message to sign.';
$signing_key = apply_filters('openpgp_key', $ascii_key);
$signed_message = apply_filters('openpgp_sign', $message, $signing_key);
// $signed_message is now a clearsigned message
= `openpgp_encrypt` =
Encrypts data to one or more PGP public keys or passphrases.
* Required arguments:
* `string` `$data` - Data to encrypt.
* `array|string` `$keys` - Passphrases or keys to use to encrypt the data.
Example: Encrypt the content of a blog post.
// First, get the PGP public key(s) of the recipient(s)
$ascii_key = '-----BEGIN PGP PUBLIC KEY BLOCK-----
[...snipped for length...]
-----END PGP PUBLIC KEY BLOCK-----';
$encryption_key = apply_filters('openpgp_key', $ascii_key);
$encrypted_post = apply_filters('openpgp_encrypt', $post->post_content, $encryption_key);
// Now you can safely send or display $encrypted_post anywhere you like and only
// those who control the corresponding private key(s) can decrypt it.
= `openpgp_sign` =
Signs a message (arbitrary data) with the given private key.
Note that if your plugin uses the built-in WordPress core `wp_mail()` function and this plugin is active, your plugin's outgoing emails are already automatically signed so you do not need to do anything. This filter is intended for use by plugin developers who want to create custom, trusted communiques between WordPress and some other system.
* Required arguments:
* `string` `$data` - The data to sign.
* Optional arguments:
* `OpenPGP_SecretKeyPacket` `$privatekey` - The private key used for signing the message. The default is to use the private key automatically generated during plugin activation. The automatically generated keypair is intended to be a low-trust, single-purpose keypair for your website itself, so you probably do not need or want to use this argument yourself.
Example: Send a signed, encrypted JSON payload to a remote, insecure server.
$comment_data = get_comment(2); // get a WP_Comment object with comment ID 2
// Create JSON payload
$json = array('success' => true, 'action' => 'new_comment', 'data' => $comment_data);
$url = 'http://insecure.example.com/';
$response = wp_safe_remote_post($url, array(
));
= `openpgp_sign_and_encrypt` =
A convenience filter that applies `openpgp_sign` and then `openpgp_encrypt` to the result.
* Required arguments:
* `string` `$data` - The data to sign and encrypt.
* `string` `$signing_key` - The signing key to use.
* `array|string` `$recipient_keys_and_passphrases` - Public key(s) of the recipient(s), or passphrases to encrypt to.