#52155 - 07/27/19 07:22 AM Sending Secure Information Via IM or Email
joemikeb Online
Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
When the Internet Messaging and Email protocols were developed, internet security was not a particular concern. Certainly not the concern that it is today. There are add-ons to Email, but those are IMO neither easy nor intuitive to use, especially if either the sender or recipient is not particularly tech savvy. Thanks to SmallDog Electronic's newsletter I have found a reasonably secure means of sending such information called 1ty.me.
  • The sender posts the secure information (password, etc.) on 1ty.me and receives an abbreviated 1 time URL.
  • That URL is sent to the desired recipient via an IM or Email.
  • The recipient clicks on the URL and the post is displayed.
  • The link is good for one (1) time only and is deleted the instant it is used.
Obviously this scheme is definitely not DoD level security, but it makes it possible to separate the most sensitive data from the text and can make a felon's (or ICE agent's) life more "interesting".

I envision putting the data in an encrypted dmg file and sending that file via email to the desired recipient. Then sending the recipient the file password in a Text Message using 1ty.me to hide it. It is not something I would do often but there have been times when it would have been nice to have this ability — especially since the service is FREE.
_________________________
joemikeb • moderator

#52157 - 07/28/19 12:52 AM Re: Sending Secure Information Via IM or Email [Re: joemikeb]
artie505 Online


Registered: 08/04/09
Thanks for the link. I can envision using it, albeit veeery rarely.
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#52158 - 07/28/19 05:15 AM Re: Sending Secure Information Via IM or Email [Re: artie505]
joemikeb Online
Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
In retrospect instead of an encrypted dmg file an encrypted zip or 7zip file would be more universally openable.
_________________________
joemikeb • moderator

#52159 - 07/28/19 09:22 AM Re: Sending Secure Information Via IM or Email [Re: joemikeb]
artie505 Online


Registered: 08/04/09
Originally Posted By: joemikeb
In retrospect instead of an encrypted dmg file an encrypted zip or 7zip file would be more universally openable.

Good thought, and couldn't a zip or 7zip file also be made much smaller than any dmg would be (if it makes a difference)?
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#52160 - 07/28/19 12:48 PM Re: Sending Secure Information Via IM or Email [Re: artie505]
joemikeb Online
Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
Originally Posted By: artie505
Good thought, and couldn't a zip or 7zip file also be made much smaller than any dmg would be (if it makes a difference)?

Depends on the contents.
  • If it is a pure text file then yes, zip or 7zip could be up to 50% smaller.
  • If there is graphic content (jpg, png, heic, etc.), a zip or 7Zip is likely to end up larger than the original file(s). Even if you use a good compression utility that does not attempt to compress graphic content, there is additional zip/7zip overhead.
  • If the compression utility attempts to compress the graphic content, the resulting file can grow to be significantly larger than the original file.
_________________________
joemikeb • moderator

#52162 - 07/28/19 04:30 PM Re: Sending Secure Information Via IM or Email [Re: joemikeb]
artie505 Online


Registered: 08/04/09
On the one hand, I forgot about graphics, but on the other, I've always had trouble creating small dmgs...dunno if I'm doing something wrong or it's just the nature of the beast.
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#52163 - 07/29/19 07:20 AM Re: Sending Secure Information Via IM or Email [Re: artie505]
joemikeb Online
Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
Originally Posted By: artie505
On the one hand, I forgot about graphics, but on the other, I've always had trouble creating small dmgs...dunno if I'm doing something wrong or it's just the nature of the beast.

The nature of the beast is there will be additional overhead in the dmg such as the volume directory, and all the other accouterments of a full-blown disk. So it has to be larger than the original files. But what is the process you use to create the dmg in the first place? The one that works best for me is…
  1. Create an empty folder that will contain all the files and folders you want in the dmg.
  2. Move the desired files and folders into the folder.
  3. On the Disk Utility menu select File > New Image > Image from folder… (⇧⌘N)
  4. If desired, choose Encryption (and in Catalina you have your choice of 128 bit (recommended) or 256 bit (slower and more secure)).
  5. Select compressed image.
This should yield the smallest .dmg file, but once again there will still be all the normal overhead of a disk drive in the dmg as well as your desired content, not to mention the same restrictions on data compression found in Zip, 7Zip, RAR compression algorithms are still in effect, so depending on file content the compressed dmg image may well be larger than the original files. :(
_________________________
joemikeb • moderator

#52164 - 07/29/19 11:15 PM Re: Sending Secure Information Via IM or Email [Re: joemikeb]
artie505 Online


Registered: 08/04/09
That was helpful. Thanks!

I just created a dmg (your method), Zip, and 7Zip of a 2.83 MB folder containing 2 Excel spreadsheets and a TurboTax file with results
  • dmg = 3.46 MB (7Zip of the dmg = 2.86 MB)
  • Zip = 2.82 MB
  • 7Zip = 2.81 MB
and an empty 5 GB dmg which came with only 141 KB of overhead.

???

Reflecting on my earlier dmg problems (which arose years ago and are dim in my memory), some were related to sparse disk images, and those may very well have been the result of a lack of full understanding on my part, but I also remember having had trouble getting empty dmgs to come out anywhere near the size I wanted, which may have been a long since resolved OS X issue.
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#52165 - 07/30/19 04:55 AM Re: Sending Secure Information Via IM or Email [Re: artie505]
joemikeb Online
Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
Those results sound about right to me. However, I am curious what level of compression you used for the Zip and 7Zip files. I just tested a graphics rich PDF and it appears Archiver treated it as a graphics file and did not compress the file at all. Zip, 7Zip, RAR, TAR/GZ all were the same regardless of the selected compression level or chosen algorithm.

NOTE FOR INFORMATION

The difference in compression levels is a function of the size of the "window" the algorithm searches for matching data patterns. The larger the window, the greater the amount of compression that is possible and the longer it takes to compress or decompress the file.
_________________________
joemikeb • moderator
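
The two points raised in the posts above (already-compressed content does not shrink, and the search window limits which repeats the compressor can find), as an added example that is not part of the original thread. It uses Python's zlib, which exposes the window as its own parameter; all sample data is constructed, with hash output standing in for image content.

```python
import hashlib
import zlib


def pseudo_random_bytes(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy bytes (constructed sample). They stand in
    for already-compressed content such as JPEG or HEIC image data."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def deflate_size(data: bytes, level: int = 9, window_bits: int = 15) -> int:
    """Bytes produced by zlib (DEFLATE, the method Zip uses).
    window_bits=15 searches the last 32 KiB; window_bits=9 only 512 bytes."""
    comp = zlib.compressobj(level, zlib.DEFLATED, window_bits)
    return len(comp.compress(data) + comp.flush())


def ratio(data: bytes, **kwargs) -> float:
    """Compressed size divided by original size (below 1.0 means smaller)."""
    return deflate_size(data, **kwargs) / len(data)


# Constructed samples.
TEXT = b"".join(b"Account %d: the quarterly statement is attached.\n" % i
                for i in range(2000))
IMAGE_LIKE = pseudo_random_bytes(64 * 1024, b"image")
# A 4 KiB high-entropy block repeated 8 times: the only redundancy lies
# 4096 bytes back, visible to a 32 KiB window but not to a 512-byte one.
REPEATED = pseudo_random_bytes(4096, b"block") * 8

if __name__ == "__main__":
    print("plain text, 32 KiB window : %.2f" % ratio(TEXT))
    print("image-like, 32 KiB window : %.3f" % ratio(IMAGE_LIKE))
    print("repeated,   32 KiB window : %.2f" % ratio(REPEATED, window_bits=15))
    print("repeated,   512 B window  : %.2f" % ratio(REPEATED, window_bits=9))
```
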

#52166 - 07/30/19 11:23 PM Re: Sending Secure Information Via IM or Email [Re: joemikeb]
artie505 Online


Registered: 08/04/09
Originally Posted By: joemikeb
Those results sound about right to me. However, I am curious what level of compression you used for the Zip and 7Zip files. I just tested a graphics rich PDF and it appears Archiver treated it as a graphics file and did not compress the file at all. Zip, 7Zip, RAR, TAR/GZ all were the same regardless of the selected compression level or chosen algorithm.

Sorry, but your point is lost on me.

Keka, which I use for compression, doesn't specify levels of compression other than like so, so the best I can do is say that I used the "Slow" setting.

This is interesting: My original 3.46 MB dmg was created by Disk Utility, but one just created by Keka was 2.86 MB...the same size as the DU dmg after 7Zip compression.
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#52167 - 07/31/19 08:25 AM Re: Sending Secure Information Via IM or Email [Re: artie505]
joemikeb Online
Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
As this says: "METHOD: SLOWEST, MORE COMPRESSION". Unfortunately slowest and more compression are relative terms. However given the variability in file compression that is truthfully about all anyone can say with a straight face.

My point was that it appears that like graphics files, PDFs are not amenable to file compression. PDFs can be compressed but, like graphics compression, it is a lossy process that works by discarding hopefully extraneous data. Whereas zip/7zip/rar/et al. take great pains not to discard even a single bit of data.
_________________________
joemikeb • moderator

#52168 - 07/31/19 10:24 PM Re: Sending Secure Information Via IM or Email [Re: joemikeb]
artie505 Online


Registered: 08/04/09
Originally Posted By: joemikeb
As this says: "METHOD: SLOWEST, MORE COMPRESSION". Unfortunately slowest and more compression are relative terms. However given the variability in file compression that is truthfully about all anyone can say with a straight face.

:)

Originally Posted By: joemikeb
My point was that it appears that like graphics files, PDFs are not amenable to file compression. PDFs can be compressed but, like graphics compression, it is a lossy process that works by discarding hopefully extraneous data. Whereas zip/7zip/rar/et al. take great pains not to discard even a single bit of data.

I just saved this page as a PDF, and zipping it resulted in a 72% saving, whereas zipping an assortment of "graphics rich" PDFs resulted in savings of between 3 & 9%, so I guess as you suggested, the amount of empty space in a given PDF is critical.


Edited by artie505 (08/01/19 02:29 PM)
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#52169 - 08/01/19 10:23 PM Re: Sending Secure Information Via IM or Email [Re: joemikeb]
artie505 Online


Registered: 08/04/09
Originally Posted By: joemikeb
When the Internet Messaging and Email protocols were developed, internet security was not a particular concern. Certainly not the concern that it is today. There are add-ons to Email, but those are IMO neither easy nor intuitive to use, especially if either the sender or recipient is not particularly tech savvy. Thanks to SmallDog Electronic's newsletter I have found a reasonably secure means of sending such information called 1ty.me.
  • The sender posts the secure information (password, etc.) on 1ty.me and receives an abbreviated 1 time URL.
  • That URL is sent to the desired recipient via an IM or Email.
  • The recipient clicks on the URL and the post is displayed.
  • The link is good for one (1) time only and is deleted the instant it is used.
Obviously this scheme is definitely not DoD level security, but it makes it possible to separate the most sensitive data from the text and can make a felon's (or ICE agent's) life more "interesting".

I envision putting the data in an encrypted dmg file and sending that file via email to the desired recipient. Then sending the recipient the file password in a Text Message using 1ty.me to hide it. It is not something I would do often but there have been times when it would have been nice to have this ability — especially since the service is FREE.

I'm amazed by how long this took to gel!

Other than the one hour limitation, which doesn't seem to me to be exceptionally beneficial, how is 1ty.me the least bit more secure than simply sending the password in a separate email?

Regardless of which method is used, the password is vulnerable to interception in the same manner.
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#52170 - 08/02/19 05:59 AM Re: Sending Secure Information Via IM or Email [Re: artie505]
joemikeb Online
Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
If you send a password in an email, that password is good until the encrypted file is deleted. With 1ty.me you are sent a one time link to the password and that link is good for only one hour. (NOTE: you can create more than one link to the same 1ty.me message in case multiple persons need access to the encrypted file.) That significantly limits the window of vulnerability.

One time passwords and limited time key codes are commonly used and accepted security measures. 1ty.me is probably the simplest variation on that scheme, but there are other variants that offer even better protection in specific cases where there are long term relationships. For example:
  1. When I log onto my bank I send them my permanent password and in turn they send a one time password to a device known to be associated with my account, and that one time code has to be entered within 30 seconds in order to access my data.
  2. Apple Wallet and its associated features, Apple Pay and beginning next month Apple Credit Card, all rely on one time passwords with a lifespan measured in seconds for security, making them more secure than regular credit cards even when used for online transactions.
1ty.me, my bank, even Apple Wallet are not foolproof, but each narrows the window of vulnerability. (I do wish 1ty.me offered variable time limits.) On the other hand I don't know of any absolutely foolproof protection that involves internet and email communications. Now that I think of it there probably isn't an absolutely secure communications channel short of a bonded courier and, given human cupidity, not even that is absolutely secure, but bonding may cover your out of pocket losses.
_________________________
joemikeb • moderator
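
The one-time, time-limited link scheme discussed in this thread, modelled as an added example that is not part of the original posts and is not 1ty.me's code (the thread does not describe its implementation). The class name, token format and in-memory store are assumptions; the one-hour lifetime is the figure mentioned in the thread.

```python
import secrets
import time


class OneTimeSecretStore:
    """Hypothetical in-memory model of a burn-after-reading link service."""

    def __init__(self, ttl_seconds: int = 3600, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock        # injectable so expiry can be exercised
        self._entries = {}         # token -> (secret, expires_at)

    def create_link(self, secret: str) -> str:
        """Store the secret under an unguessable token and return the token
        (the part that would appear in the short URL)."""
        token = secrets.token_urlsafe(16)   # 128 bits from the OS CSPRNG
        self._entries[token] = (secret, self._clock() + self._ttl)
        return token

    def redeem(self, token: str):
        """Return the secret at most once. pop() removes the entry before
        the value is handed back, so a second request finds nothing."""
        entry = self._entries.pop(token, None)
        if entry is None:
            return None            # unknown, already used, or purged
        secret, expires_at = entry
        if self._clock() >= expires_at:
            return None            # expired: deleted without disclosure
        return secret

    def purge_expired(self) -> int:
        """Delete unread secrets whose lifetime has passed; return the count."""
        now = self._clock()
        stale = [t for t, (_, exp) in self._entries.items() if now >= exp]
        for token in stale:
            del self._entries[token]
        return len(stale)
```

Because the first read consumes the entry, a link opened by anyone else in transit returns nothing to the intended recipient, which signals that the password should be replaced.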


Moderator:  alternaut, cyn