
OpenPGP really works - ergot
https://www.foo.be/2016/12/OpenPGP-really-works
======
chakalakasp
The ultimate engineer's perspective. It works so well that almost nobody uses
it!

Signal isn't even that popular compared to other platforms like iMessage, but
I bet more people use it than regularly use PGP.

I was regularly signing messages with PGP on Fidonet all the way back in '93
(and trying to find people to swap encrypted messages with). It's a bit mind
blowing that the usability of the successor program today, GPG, isn't much
better than what people thought was kinda wonkish and hard back in the
Compuserve days.

~~~
rvern
It isn't because GnuPG doesn't work well or because it is too hard to use that
people don't use it. They don't use it because other people don't use it.

Why do people use Facebook instead of Diaspora? It's not because Facebook is
better, works well, or is easier to use... It's because other people use
Facebook.

Why do people use Skype instead of XMPP? It's not because Skype is better,
works well, or is easier to use... It's because other people use Skype.

Why do people use WhatsApp instead of GnuPG or OTR? It's not because WhatsApp
is better, works well, or is easier to use... It's because other people use
WhatsApp.

It's always the same standard chicken and egg adoption problem. As shown in
the article, GnuPG is used for package signing, commit signing, file
encryption, and all sorts of things _that don't involve many people_. But
when it's about communication, you can only use GnuPG if the people you want
to communicate with use GnuPG too... and thus the adoption problem applies.

And the reason people initially used Facebook, Skype, and WhatsApp is _not_
that they were easier to use or better. It's advertising. Notice how all of
these are proprietary software made by companies with the means to advertise
their software? You can bet people would use GnuPG, Diaspora, and XMPP if they
had been advertised by companies like Facebook and Microsoft.

So if we want people to use open source software and open protocols instead of
living in walled gardens, we need to advertise them. Advertising works.

~~~
dispose13432
>And the reason people initially used Facebook, Skype, and WhatsApp is not
that they were easier to use or better. It's advertising. Notice how all of
these are proprietary software made by companies with the means to advertise
their software? You can bet people would use GnuPG, Diaspora, and XMPP if they
had been advertised by companies like Facebook and Microsoft.

I know quite a few non-techies who use VLC, Firefox, LibreOffice, and other OS
advertising-less projects. The difference is:

1. Facebook, Skype and WhatsApp solved problems others didn't and became big.
Now it's too late to fight.

Had Diaspora been around before FB, and as easy to work with (put name here,
picture here, password here, friend here. You're all set up. Let's go), or
XMPP been around before Skype (which is a _very_ old program in internet
time), or Kontalk, Signal, etc. been around before WhatsApp (find friends by
number, not by username), they probably would have taken off (at least to some
degree).

Google came late onto the desktop scene (Chromebooks) and is not successful
while the incumbent (MS) is good.

MS came late onto the mobile scene and failed, while the incumbent (Google) is
good.

~~~
adventured
> Had Diaspora been around before FB

I'd be willing to guarantee that with a name like Diaspora, it could have
never achieved mass adoption under any circumstances. Most people won't know
what that word means. The name sounds terrible and unfriendly, more like a
disease than a social network your mother would want to join. Diaspora is
another example of engineers not understanding how to make a product, top to
bottom, for the general public.

~~~
kbart
I tend to agree. Naming is important and if you target the masses (non-engineers,
non-geeks etc.), you should name your product so that even a 5-year-old kid
would understand it without a second thought and memorize it instantly. An
anecdote, but I have a harder time convincing people to use LibreOffice than
OpenOffice for no reason other than the name.

------
sleepless
I have been using OpenPGP for years without problems. Key transition /
exchange / verification can be a bit painful, but actually it is not that
hard.

Also the longer you use OpenPGP, the less keys need to be verified. The start
is very hard, since you start with no trusted keys at all. The longer you use
it, the more fluent usage becomes.

I have been using GPG Suite on macOS and the only problem is that you may not get
support for the new macOS on day 1 since Apple provides no API for Mail.app.
And then again, giving Apple some time to figure out the bugs of the initial
major release isn't a bad idea.

~~~
FiloSottile
> Also the longer you use OpenPGP, the less keys need to be verified. The
> start is very hard, since you start with no trusted keys at all. The longer
> you use it, the more fluent usage becomes.

This is exactly what scares me and the point of my "I'm giving up on PGP"
article. People holding on to keys forever, moving them from laptop to laptop,
never rotating them and asymptotically approaching compromise... because it's
the only way to ease the pain.

~~~
peatmoss
How do you feel about Yubikey-based keys? Asking for a friend...

~~~
matheusmoreira
I have a YubiKey myself and they're really convenient. There's a
cryptoprocessor inside so the key doesn't have to leave the device. I think
it's more secure than a regular computer connected to the internet.

After reading¹² about this subject, I believe a reasonable level of security
and ease-of-use can be achieved through the following process:

1. Boot a live Linux distribution such as Tails on a computer disconnected
from the Internet.

2. Create the OpenPGP master key.

3. Initialize the YubiKey with subkeys.

4. Store the master key offline using paperkey³ and a machine-readable code.

The YubiKey is secure and convenient enough for daily use; the subkeys can be
easily revoked and the hardware reinitialized with new keys.

Master key operations such as key signing and changing expiration dates
require loading the master key into the offline live operating system. Much
more of a hassle but hopefully not as frequent as YubiKey use.

Printing the master key on quality paper ensures³ it will survive for a long
time.

¹ http://security.stackexchange.com/a/51776/9252

² http://security.stackexchange.com/a/31598/9252

³ http://www.jabberwocky.com/software/paperkey/
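The four-step layout above (certify-only master key created offline, per-capability subkeys for the token, master key exported for paper storage), scripted as an added shell example. This is not code from the thread or from the linked answers. It assumes GnuPG 2.1 or newer with gpg-agent on PATH, leaves out the YubiKey `keytocard` transfer because that needs the hardware, only calls `paperkey` when it is installed, and uses a constructed identity string and throwaway key directories. The final check is the part a practitioner wants: after importing only the subkey export into a fresh keyring, the primary key must show up as a stub (`#` in field 15 of the `sec` line of `--with-colons` output), proving the laptop-side keyring carries no master key material.

```shell
#!/bin/sh
# Added example (not from the thread): offline master key, online subkeys,
# scripted with GnuPG 2.1+ batch commands. Assumes gpg and gpg-agent are
# available; paperkey is optional; the YubiKey keytocard step is omitted.

UID_STR="Example Person <example@example.invalid>"   # constructed identity
PASS=''   # empty passphrase keeps the example non-interactive; use a real one

# gpg wrapper: batch mode, no pinentry, keyring taken from $GNUPGHOME
g() { gpg --batch --quiet --pinentry-mode loopback --passphrase "$PASS" "$@"; }

# Step 2: certify-only primary key that never expires; it only signs other keys
make_master() {
  g --quick-generate-key "$UID_STR" ed25519 cert never >/dev/null
  # print the fingerprint of the primary key (first fpr record)
  gpg --batch --with-colons --list-secret-keys \
    | awk -F: '$1=="fpr"{print $10; exit}'
}

# Step 3 (key side): one subkey per capability with a one-year expiry, so
# they can be rotated or revoked without touching the master key
add_subkeys() {
  fpr=$1
  g --quick-add-key "$fpr" ed25519 sign 1y
  g --quick-add-key "$fpr" cv25519 encr 1y
  g --quick-add-key "$fpr" ed25519 auth 1y
}

# Step 4: master key to a file for paperkey, subkeys to a separate file
# (the subkey export carries only a stub of the primary secret key)
export_material() {
  fpr=$1; outdir=$2
  g --export-secret-keys "$fpr" > "$outdir/master.gpg"
  g --export-secret-subkeys "$fpr" > "$outdir/subkeys.gpg"
  g --armor --export "$fpr" > "$outdir/public.asc"
  if command -v paperkey >/dev/null 2>&1; then
    paperkey --secret-key "$outdir/master.gpg" --output "$outdir/master-paper.txt"
  fi
}

# Check: import only subkeys.gpg into a fresh keyring and report what gpg
# says about the primary secret key. "#" means "stub only, not usable".
primary_status_after_subkey_import() {
  subkeys=$1
  online=$(mktemp -d); chmod 700 "$online"
  GNUPGHOME="$online" g --import "$subkeys"
  GNUPGHOME="$online" gpg --batch --with-colons --list-secret-keys \
    | awk -F: '$1=="sec"{print $15; exit}'
  GNUPGHOME="$online" gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$online"
}

# Whole procedure on throwaway keyrings; prints "#" when the online keyring
# really lacks the master key
run_demo() {
  work=$(mktemp -d); chmod 700 "$work"
  export GNUPGHOME="$work/offline"; mkdir -m 700 "$GNUPGHOME"
  fpr=$(make_master)
  add_subkeys "$fpr"
  export_material "$fpr" "$work"
  status=$(primary_status_after_subkey_import "$work/subkeys.gpg")
  gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$work"
  printf '%s\n' "$status"
}
```

Call `run_demo` on the offline machine; on a real run you would keep `master.gpg` (or the paperkey printout) off any networked box, move `subkeys.gpg` to the laptop, and then push the subkeys to the token with `gpg --edit-key` and `keytocard`. The `#` printed at the end is the evidence that the laptop-side import contains no master key.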

------
tptacek
As a sort of basically reliable swiss army knife for file-based encryption
problems, the kinds of problems you'd otherwise use AES passphrase-encrypted
ZIP files to solve, PGP not only works but also has a bad rap.

And there are a lot of those problems! Maybe even the majority of them!

But PGP was designed for message encryption, and it's a poor choice for
message encryption. The community is gradually converging on the idea that
SMTP store-and-forward email is just never going to be cryptographically safe,
and pretty much the only messaging application in which PGP makes any sense is
SMTP email.

What's worse is, much of the PGP ecosystem really only makes sense in a
messaging context. Which means that the complex parts of PGP, like key servers
and subkeys and things like that, aren't really adding value, but still
confuse and distract users.

~~~
lovich
A little off topic, but could you point me towards some resources for learning
about what PGP was meant to solve? I've read back and forth opinions about it
on Hacker News, Reddit, etc. but I've not seen a definitive description of how it
attempts to solve the problem of encrypted communication that wasn't heavily
editorialized.

~~~
DanBC
> > As a sort of basically reliable swiss army knife for file-based encryption
> problems, the kinds of problems you'd otherwise use AES passphrase-encrypted
> ZIP files to solve, PGP not only works but also has a bad rap.

I have a text file. I encrypt it using a key. I send you the encrypted text
file. How do you decrypt it? You need the key.

If I can send you the key securely why don't I just send the plain message
using that secure mechanism?

Public key cryptography solves that problem.

~~~
tedunangst
Who said anything about sending the file anywhere?

------
SFJulie
No one criticizes OpenPGP from the crypto point of view.

It is the UX/UI experience that angers people to the highest point. Noobs and
long time users alike.

Correct key handling (signing, revoking, publishing and sometimes actually
doing the job) is a burden.

Nothing is wrong with the code so far. Moreover, however correct the software
is, it is a pain.

My guess is that truly correct cryptography requires this burden whatever the
algorithms are, because ensuring identities are trustable is where most of the
work is, and no software can do it.

~~~
dom0
> No one criticizes OpenPGP from the crypto point of view.

Hm?

Of course PGP is criticized for that, just less vocally.

- Authentication is off by default in GPG

- Even so, it's very complex, and most of the protocol isn't authenticated

[ This is problematic, because ciphers tend to be more or less easily
malleable, so non-signed messages can be tampered with; this is also an issue
for encrypting files symmetrically ]

(- Compression is on by default and makes everything super-slow for no good
reason)

- Widely used defaults for encryption and key derivation are rather arcane
(eg. CAST5)

- PGP signatures, by principle, are non-repudiable, unlike most modern
encrypted chat applications, so they prove to _anyone_ _forever_ that your key
signed that message.

- PGP format announces all recipients to the world

- No forward secrecy possible

- ...

~~~
criddell
Would the lack of perfect forward secrecy be considered a shortcoming?

------
alexnewman
Online and offline are both important. Is PGP implemented on any formally
verified code base?

~~~
nickpsecurity
No. I've only seen two formal verifications of secure email, with neither
being PGP. I can't find the link to one but the other, of Privacy-Enhanced Mail,
is here:

https://pdfs.semanticscholar.org/b6e2/3ac057b8716ebd4ab7831f4c4e03bdad59d4.pdf

They use Kestrel's Specware tools to essentially turn it from HOL properties
to a formal design with code generation following. Kestrel was kind enough to
open-source some of their stuff:

https://github.com/KestrelInstitute/Specware/

However, recent results in other tooling suggest the best way to go about it
would be using tools like F* in miTLS, CRYPTOL, SPARK Ada, and/or Frama-C.
Each component of a basic subset of PGP has already been verified in
isolation. Now, the algorithms just need to be fed into such tools, the
protocol specced out miTLS-style, the integration proven sound, and object code
shown to match the source. It looks doable with today's formal methods. More a
matter of available labor and interest.

------
tibu
My mobile Chrome is complaining about the site's certificate. Does this happen
for others too? It seems it is having an issue with the issuer which is Let's
Encrypt. Really strange.

------
Khaine
It doesn't

