
GPG and Me - jashkenas
http://www.thoughtcrime.org/blog/gpg-and-me/
======
moxie
A lot of the comments I've been getting are in the genre of "well... but GPG
works."

Yes, GPG is a powerful tool that makes some encrypted communication
_possible_. But is it really "working" if it's the tool we've had for the past
20 years, and we still ended up in a world where surveillance is so ubiquitous
and privacy is so rare? Having used GPG, it seems more likely to me that there
are only ~50k GPG users in the world because of the product, not because of
weak desire or need for private communication.

I'm not suggesting that there's anything "better," but that it's really sad
there isn't. GPG isn't ever going to be anything other than what it is now,
and I don't think that's the future we want for ourselves.

We could try to slap a GUI on top of it, but I don't believe great products
are made that way. Good UX requires thinking about interactions all the way
down to the protocol. The good news is that GPG has such a small legacy
install base (literally on the order of ~50k users), that there's _no reason_
to maintain compatibility with OpenPGP. When building new products, we can
start fresh with modern cryptography, a modern protocol, and a modern design
philosophy.

~~~
ghshephard
GPG is way, way, way to complex for all but the 0.01% of people who are GPG
experts. It's too complex for me - and I've read (and enjoyed) Applied
Cryptography.

But, not having used it for a few years, I went to take a look again - list
some keys, maybe SMS some friends to exchange fingerprints and sign their
keys, etc... - I'm trying to recall what the relationship between PUB, SUB,
UID, Key Fingerprints are. And how do I indicate that I trust a key and upload
it back up to pgp.mit.edu?

And I consider myself a member of the 0.1% who at least understand the
principals behind PGP/Public Keys/Private Keys/Web of Trust, etc...

So - if _I 'm_ having trouble understanding this without a couple hours of
study, their is Zero chance that the other 99% of the population will ever be
able to wrap their heads around the intricacies of PGP. Something else is
going to have to replace it.

[EDIT - as an aside, I've spent the last hour trying to do a "gen-key" on my
ubuntu host, and been prevented by lack of entropy - and yes, I've tried
running tcpdump, tried egrepping every file on the system for a string, etc...
Ended up on
[https://bugs.launchpad.net/ubuntu/+source/gnupg/+bug/706011](https://bugs.launchpad.net/ubuntu/+source/gnupg/+bug/706011)
and the answer seems to be, "Find a machine that does have entropy, or install
a hardware random number generator in your computer."

Please add this to the reasons why normal people never use GPG

Edit-2: It took about 25 minutes, but apparently between find / -type f |
xargs grep wontfindme and sudo tcpdump -nnn not port 22, I managed to collect
enough entropy to keep gpg moving forward. ]

~~~
kS6n6GN8If
There has been a number of studies ([http://www.2uo.de/myths-about-
urandom](http://www.2uo.de/myths-about-urandom) ; I don't agree with
everything but interesting reading anyway) showing that entropy from Linux
random is not better than from urandom (once urandom has been properly
seeded). For this reason, I patched my rndlinux.c GnuPG source code file to
always use urandom. Makes key generation instantaneous. When a software is
stupid, I don't want to install additional stupid software or comply with
stupid instructions; I simply patch it.

~~~
TheJH_
I think that on linux, you ideally don't want /dev/urandom, you want a recent
kernel and getrandom(buf, len, 0). From the manpage:

If the GRND_RANDOM bit is not set, then the /dev/urandom pool will be used.
Unlike using read(2) to fetch data from /dev/urandom, if the urandom pool has
not been sufficiently initialized, getrandom(2) will block (or return -1 with
the errno set to EAGAIN if the GRND_NONBLOCK bit is set in flags).

Then again, that's probably not important if you interactively launch gpg on a
desktop system that wasn't just installed a minute ago or so.

------
secfirstmd
As someone who trains human rights defenders and journalists on this stuff...I
couldn't agree more. Often things end up being an unfortunate tradeoff between
trying to get PGP working for people and having to settle for something less.
Particularly in the developing world, which lower computer literacy rates -
this is a significant problem.

To be fair, at least Whisper Systems and the Guardian Project are doing great
work to try to make encryption in various implementations work better for the
average user. And let's be fair, groups like these and the LiberationTech
community runs on a shoestring in comparison to even one large commercial
tool.

~~~
pakled_engineer
For people like this I write a simple shell script that abstracts away all the
complexities and shitty UI. Never tried working directly with libgcrypt, I
just let the regular gpg application handle it. Decrypting incoming mail
automatically, checking to make sure outgoing is encrypted before sending and
even regenerating keys and signing them is just a few shell commands you can
script away. Projects like Tails should have this instead of big clunky GUIs.

~~~
secfirstmd
Interesting. Are you thinking of making the script publically available? I'm
sure a lot of people would benefit from it.

~~~
pakled_engineer
It's a hacky shell script for OSX to make the process almost invisible to the
user without using in-house mail servers or writing network facing daemons.
When users launch their mail app it also launches the script (and mail console
applescript) that command line fetches mail, decrypts and inserts into
mail.app db, looks through msgs for new public keys and extracts them, updates
contacts automatically with GoogleCL and gpgtools, then starts offline mail
client to view/reply as they normally would. The script then fetches outgoing
mail, gpgtools encrypts it according to destination, verifies it and sends.

GPG key ID is automatically inserted into contacts
[https://code.google.com/p/googlecl/](https://code.google.com/p/googlecl/) so
when the user deletes a contact the script reads the KeyID and removes it from
the keyring as well. It had to be Google contacts it wasn't my decision.
Nobody wanted to change their mail app workflow and they couldn't figure out
gpgtools/gpg suite so this poor scheme was devised but it works.

The janky part comes when the script checks mail console logs to detect no
connection errors when users req to fetch new mail (and suppress popup
notifications of this) so they don't have to push a second button to do it
outside set intervals that fetch automatically. For some reason it was
important that no other buttons existed to fetch new mail. There's probably a
Claws Mail plugin that can be written to accomplish all this too if users were
willing to switch apps, mutt will do most of it automatically and can be
abstracted to make it invisible, or script OpenSMTPD to do this.

------
zmanian
GPG is an immense failure from the point of protecting person to person
communications.

It is largely a success in verifying the identities of the software
developers. The entire Debian ecosystem relies on GPG in largely successful
ways.

Peter Todd suggests that PGP drop encrypted communications as a goal and focus
only on identity and authentication. It appears the PGP just can't be
bootstrapped into modernity from a communication point of view. The only major
innovation in authentication and identity has been threshold signatures which
GPG could support.

~~~
chimeracoder
> Peter Todd suggests that PGP drop encrypted communications as a goal and
> focus only on identity and authentication.

Identity and authentication are the biggest reason that PGP _hasn 't_ caught
on with non-technical users - the web-of-trust is necessary to do distributed
identity and authentication properly (under the current model), and the
importance of out-of-band verification can be hard to explain. Authentication
(as opposed to authorization) is _hard_ , even without factoring in state
adversaries.

The fact that the web-of-trust hasn't succeeded doesn't mean that another
model won't, but I don't think it makes sense for PGP to throw out the one
goal it already does incredibly well (securing communications) in order to
focus on the biggest problem we haven't been able to solve in 20 years.

~~~
tinco
There's no other model than the web-of-trust. And it didn't fail because it's
hard to grap (it's really not), it failed because a) almost no one needs it
and b) the tech is hard to use.

Imagining a world where the web-of-trust was succesful is not hard. It starts
with everyone using Outlook instead of gmail. Then imagine Outlook having PGP
support builtin. Then imagine in the contacts list, every contact was marked
with a color, red, yellow green.

Whenever sending an e-mail to a red contact, Outlook would display a small one
liner on top of the compose box "There is no identity information about the
contact you are sending an e-mail to". (it doesn't matter that no one knows
what that means, it's just a small nag that people understand is negative)

Whenever sending an e-mail to a yellow contact, Outlook would display the
following nag line: "You have not verified the identity of the contact you're
sending an e-mail to. Click here to resolve".

When the user clicks the line, they'll be asked to call the contact on the
phone, or meet with them in person and ask them to compare keys. (Perhaps
aided with some fancy tech like NFC or whatever)

Will people ignore the nag line? Yes. Will people click through the dialogs to
resolve the nag line without actually verifying? Yes. Does that matter? Not as
much as crypto-purists would have you believe.

There's always that uncle, niece or colleague that's going to be anal about it
anyway. And if the web of trust is big enough, and the devices enabling the
web are communicating, it will be very easy for the web to self-heal whenever
corruption arises. Just imagine if whenever someone who purports to be your
aunt sends you an e-mail, and your e-mail client automatically checks the key
with everyone elses in your family.

The only reason the web-of-trust doesn't work is because it was never adopted
and made usable by the important software developers. And that never happened
because not enough people cared.

~~~
rictic
At the risk of being inappropriately snarky, to someone who is somewhat
skeptical of WoT-based proposals, this reads like:

Step 1: the UI will be a mixture of meaningless and annoying to users, causing
them to ignore and misuse it

Step 2: mumble mumble... self-healing corruption

Step 3: the only reason this hasn't succeeded is that people didn't care
enough

It's exactly those parts in step 2 where I've historically fallen off of the
WoT story. What does the UI do when my nontechnical friend has marked my key
but his dad has marked it as untrusted? What happens when I lose my phone with
my keys on it? How do we not end up in a situation where users see big scary
warnings all the time constantly and they just learn to ignore them?

~~~
stormbrew
I think part of the problem that the OP is sort of addressing is that we've
spent so much time trying to gloss over the first-line failures of PGP, in
terms of even getting a key to begin with let alone giving it to other people,
that we don't even know if there are practical solutions to the problems
you're listing.

Every tool in this space suffers from the choices PGP implementations have
made and asking what your uncle would do if trust conflicts occured when he's
going to first be asked if he wants an RSA/RSA, RSA/DSA, DSA sign-only, or RSA
sign-only key before he gets there, and then have to figure out what keyserver
to send to and then....

Answering these high level UX questions requires having actual users.

~~~
XorNot
Frankly, red/yellow/green is an excellent solution. Do I care now? No. Do I
care when the secrecy is important? Maybe I'll not send things to non-green
users.

------
diyorgasms
The old adage is that perfect is the enemy of good enough, but the author is
claiming that GPG isn't even good enough. I have to somewhat disagree. While
the ideal product in this space would be as easy to use as clicking a 'Like'
button, and just as ubiquitous, GPG works well enough for now.

The most sensitive use case for GPG has to be sending correspondence that, if
decrypted, could put you in severe physical danger. If the choice is between
life and death, relative freedom or torture in some black site dungeon, the
choice is clear. Using GPG is preferable to death or torture.

This doesn't exactly seem like a ringing endorsement, but if these are the
stakes, then you are probably willing to read the equivalent of 40% of
Fahrenheit 451 to be secure. You are probably willing to learn to practice
good opsec.

It would be fantastic if GPG were displaced by something equally trustworthy
and secure, but more user-friendly, and I look forward to the day that
happens. But I think that GPG is the best we have, and we should be
appreciative of that.

~~~
TaylorAlexander
I don't think that the author ever disputed that GPG is a highly secure system
when functioning, or that it is "the best we have". Certainly it's the best we
have, and that highlights the sad state of affairs.

I think a lot of engineers make the mistake that regular people will be so won
over by a new technology that they'll learn it as well as the engineers do.
That isn't how it works. So far we still haven't gotten regular people to
learn programming, though more people program than ever before.

Humans like simple. This is not a flaw. Software can do anything, and it is
written for us. We should not have to learn a bunch of arcane commands,
skills, and concepts unless there is no technical way around this.

Ideal encryption would have a quick initial setup, and then each message would
have a sticky button for "encrypt?". Then whatever is required in the backend
does what it needs to do.

Complex software that gets the job done is much, much worse than simple
software that gets the job done. Unless things get so oversimplified that
there is no way to verify correct operation. I agree that people need to learn
about encryption, but there's a middle ground between no knowledge and knowing
enough about it to use GPG.

~~~
Ar-Curunir
The problem is that security and crypto specifically, is a complex beast, so
often it isn't possible to abstract away the details.

You cannot expect to avail of the benefits of crypto without taking some time
to understand how different protocols work, how public key vs symmetric key
crypto works, etc.

I agree that the situation could be much better than it currently is, but
people can't expect to be given everything for free; there mist be some effort
from the other side, which I don't see happening today, especially with the
widespread disregard for mathematics in the general public.

~~~
TaylorAlexander
I have to say I really disagree. Why would someone need to know how different
crypto protocols work? Do facebook users know how TCP/IP works? Or are they
just given a series of user interactions required to make the computer do what
they want? Couldn't we do this with secure communications software? I don't
need to know why a certain crypto method is recommended, for example, if I
know that a trusted party recommends it (say - Edward Snowden and Jacob
Appelbaum).

We could have an open source crypto program with a set of basic modes for use.
Maybe "mode 3" is good for basic interaction, while "mode 5" is recommended
for whistleblowers but requires another step in the physical world, while
modes 1 and 2 are deprecated because they were discovered to be vulnerable or
weak.

The above is stuff a regular person can understand. Do they need to know how
these modes work? Well, they need to know what input is required, but they
don't really need to know how it works behind the scenes if they trust someone
else to recommend the basic modes. Then it must certainly be possible to write
software that walked a user through how to complete the required information.
It could say "plug in your secure USB key now", then "type in your passphrase"
and then "remove USB key to continue".

Really, I think engineers have a hard time seeing how easy we could make
things. Yes that would all take a ground up rewrite and open source projects
don't do well with that. Yes it would be easier if people would just learn,
but that's a fantasy and we should understand that.

It _must_ be possible to make a secure communications "wizard". Disregard for
mathematics has nothing to do with it. People want to know what to do and they
want to use as few steps as possible. Installing a handful of command line
utilities and remembering a bunch of commands isn't the answer. One program
with a simple graphical interface _must_ be possible.

------
Uhhrrr
>When I receive a GPG encrypted email from a stranger, though, I immediately
get the feeling that I don’t want to read it.

This is an interesting case where a barrier to entry makes discourse less
valuable. Perhaps the barrier makes people feel like they have to prepare a
short speech in order to make the effort worthwhile. I certainly would rather
converse with most people than listen to one minute speeches from them.

~~~
chralieboy
If you ready on, you'll see that his gripe isn't with the effort put into
decrypting, but the subset of people who voluntarily use GPG.

~~~
Uhhrrr
I'm talking about the effort the sender has to put into encrypting.

------
ianso
Sorry but what is the actual point of this blog post?

GPG is just one guy. Who's practically beggared himself writing and
maintaining the tool.

GPG is actually used by human rights activists, journalists etc. That, right
there, is reason enough to celebrate it and NOT "kill it off".

I think the massive pile-on this is creating is really dumb, to be honest. So
Moxie thinks it could be done better; that's great. He's good enough that he
can "show, not tell".

Why waste time denigrating a project that's basically a labour of love for one
guy that is actually tremendously important, even if it's "90's technology"?
Old doesn't necessarily mean bad.

~~~
mike_hearn
> Why waste time denigrating a project that's basically a labour of love for
> one guy that is actually tremendously important, even if it's "90's
> technology"? Old doesn't necessarily mean bad.

In the world of crypto, where we've learned so much, yes old means bad. Almost
always.

Why denigrate GPG? Unfortunately, because the message that it's not good isn't
being widely heard.

How many NEW crypto projects are being created that start out by saying,
"first we will use GPG"? I've seen lots. OK, you failed right there, right at
the start. Don't do that.

How many crypto geeks STILL spout rubbish about how the PKI is totally busted
and the web of trust is the future? Way too many. WoT is sort of like the year
of desktop Linux by now. It's just a bad joke that too many people won't let
go of.

The most serious and effective applied cryptographers I know about are all
ignoring GPG and rolling new modern crypto protocols. I feel the same way as
Moxie - if you build a product based on GPG then almost immediately you are
less interesting than a project that's doing something new.

And FWIW I have the same sinking feeling when I get a GPG encrypted email.
Sometimes I don't read it immediately, I put it off. Sometimes I have to put
it off because I'm not near my laptop. And when I decrypt it, inevitably I
discover that I could have guessed the contents of the mail from the subject
line and identity of the sender. The encryption was largely pointless to begin
with.

The future of encrypted messaging is not GPG. We need to collectively let it
go.

------
JoelJacobson
I think it's mainly GnuPG's fault. There is no API, so developers can't
integrate it into their applications. The only way is to pass arguments to gpg
binary and interpret the output on STDOUT using regexes. The "libraries" that
exist for Python and other languages all work like this. That is why they
require you to specify the "The path to the gpg executable."

If GnuPG provided a real API, then there would be hope, because the actual
OpenPGP specification isn't that bad if you only implement and use the bare-
minimum features.

This is one of the reasons my company developed support to deal with PGP
signatures directly in PostgreSQL, without using GnuPG:
[https://github.com/trustly/bankapi/tree/master/debian/postgr...](https://github.com/trustly/bankapi/tree/master/debian/postgresql-
pgcrypto-openpgp)

It's a bit funny it's now actually safer/better/easier to use PostgreSQL
instead of GnuPG if you are developing an application which uses PGP, as your
only option is to pass input to the gpg executable and regex it's output,
which is hackish and not suitable for production purposes.

------
Tharkun
Creating a GPG alternative is hard. That's pretty much the only reason why
it's still around. That, and the ubiquity of e-mail.

Sending encrypted/signed e-mail with GPG isn't hard when you're using things
like Enigmail. Maybe the GUI could be a little friendlier, I don't know, but
the encryption part isn't hard. Key management, now _that_ 's hard. Not just
in terms of usage, but in terms of explaining it to new users.

On the one hand, both parties need to somehow exchange keys before they can
communicate in a secure fashion. Doing this is hard, and if done wrong can
leave you vulnerable to attack. That's why we verify key fingerprints. If
there's an easy way to make this painless, I don't know it. Central
authorities like what we've got with TLS/HTTPS are obviously a steaming pile
of shite. Decentralized (like GPG) are difficult for users. What else is
there? I don't know.

------
A_COMPUTER
>When I receive a GPG encrypted email from a stranger, though, I immediately
get the feeling that I don’t want to read it.

>the email was written by someone who would voluntarily use GPG.

>There just seems to be something particular about people who try GPG and
conclude that it’s a realistic path to introducing private communication in
their lives for casual correspondence with strangers.

Is it just me or is the implication here that anybody who uses PGP is usually
a kook of some kind?

~~~
danudey
I think the implication is that GPG is so pathologically complex, awkward,
cumbersome, and broken that getting GPG-encrypted e-mail means it's from
someone who's so paranoid/obsessive that they encrypt all e-mail, even to
strangers (when possible?) even when the tool is so awful as to discourage the
average individual.

~~~
A_COMPUTER
>someone who's so paranoid/obsessive that they encrypt all e-mail, even to
strangers

That's pretty much what I meant, clearly somebody didn't like me bringing it
up. I wonder why. I have to use PGP every day for my job, I don't feel like a
paranoid/obsessive, so I resent the implication a little bit. It's a clunky
piece of software, but it hasn't caused me nearly as much suffering as Lotus
Notes.

~~~
fensipens
Don't bother. While I have much sympathy for the average user and see several
problems with PGP, the gen-pop here is creating way too much buzz around a
tool that is working reasonably well.

And with respect to the PGP-user / character link.. this is just beyond
stupidity.

------
decasteve
I appreciate the sentiment overall but I have the exact opposite reaction when
somebody emails me with a GPG signed or encrypted email. I immediately think
it's great that somebody actually cares enough to voluntarily use it. That the
contents of the email are deemed important enough that they don't want it sent
in the clear.

~~~
obituary_latte
Curious as to how often this happens? I suspect had I ever received email
signed, I would be excited too. But I think it might be due at least in part
to the novelty of it. I'd bet moxie gets more than the average user and
perhaps maybe even is a bit...jaded isn't the right word, but being entrenched
in crypto and knowing the importance and knowing the barrier to
entry...overwhelmed. Not by the process, but by the hill yet to climb.

------
AceJohnny2
This is a very interesting point, all the more interesting that it takes
someone with Moxie's clout for the message to come out.

I've been in and out of the "GPG everything!" group over the years, and I
definitely agree that GPG is a pain to use. I always figured this was because
of the lack of proper frontends, and was hoping for the major influx of
funding a couple weeks back would help it make progress in usability and
infrastructure, but Moxie says that it's obsolete at its core.

But if we're to replace it, the replacement has to not only be at least as
secure, but also standardized and embeddable. A webapp or Chrome extension
(which Google's End-to-End is) won't make the cut.

~~~
secfirstmd
Mailvelope has made some strong efforts in this area. Though only as an
extension.

------
Nanzikambe
As a member of the encrypt-everything clique I have to say, though Moxie has a
point, Gnupg is infinitely better than alternative of nothing at all. Until
someone comes up with a solution that preserves its power and flexibility and
marries it with a functional UX -- I shall keep using it

~~~
StavrosK
I kinda like the solution of embedding public keys in email addresses:

name+8znBcmtXJ2ZeSn7fWVCGfpQI9HnJH1pNBPK397SGrT8=@gmail.com

Sure, you'll never actually tell someone this, but it's short enough to
copy/paste.

~~~
sarciszewski
With modern ECC this is actually feasible.

~~~
StavrosK
Yeah, that's an actual ECC public key in my example above.

~~~
sarciszewski
I'd recommend going base32 instead of base64 (case sensitivity won't screw
anything up) and not padding with = characters. I know not padding violates
RFC 4648 but I don't know anyone who's used to a = in their email address.

~~~
StavrosK
Base32 would be too long, but maybe the equals sign could be elided, yeah.

~~~
rakoo
Base58 it is, then (no non-alphanumeric characters so you can double click and
it will select the whole string, no similarly-looking characters you could
mistype (1 and l, 0 and O...))

([https://en.wikipedia.org/wiki/Base58](https://en.wikipedia.org/wiki/Base58))

------
acqq
Note that the article author is the author of TextSecure
[http://en.wikipedia.org/wiki/TextSecure](http://en.wikipedia.org/wiki/TextSecure)
It's not surprising that he prefers TextSecure over GPG in the context he
explains:

"introducing private communication(...) for casual correspondence with
strangers."

It's obvious that author prefers his chat for that. Still there are scenarios
where the GPG wins over chat. But it's also true, most people would make
serious errors if they'd try to use GPG.

~~~
eyeareque
I don't think he is trying to push the use of text secure over PGP, he has
admitted that there isn't a replacement for PGP yet. He is just a forward
thinker, hoping for a future where strong encryption is ubiquitous.. and not
the state where PGP is today.

------
mbubb
Articles (and the attendant discussions) like this are incredibly useful for
me. I really appreciate HN for things like this.

Recently signed up for keybase to check it out. Read critiques (mostly
negative) but jumped in anyway as I am hungry for something like it. I do not
have a deep grasp of the arguments but I see the 'lipstick on a pig' criticism
of slapping a gui on an aging infrastructure.

The practical problem with keybase for me is finding people to test it out
with. I've added folks who don't know me and my friends couldn't care less.

There is a blindspot for me - I use ssh and rsa on a daily basis, many times a
day. I do not know what I would do if I has to switch to something else. I do
not know how to evaluate security options and know to know one is better than
another.

We have very good infosec people in my company and have a standing weekly
meeting to vet my sysops doings.

In any event will check out Whisper Systems and keep refreshing this
discussion...

~~~
L_Rahman
Just signed up for keybase and in the same position. Don't know anyone on the
service to actually use it with.

Interested in testing it out with me?

~~~
eastbayjake
If no one's taken you up on that, here's a message for you:

\-----BEGIN PGP MESSAGE----- Version: Keybase OpenPGP v2.0.7 Comment:
[https://keybase.io/crypto](https://keybase.io/crypto)

wcFMA5S7hsT55Ka3AQ/+K3YTd9aLF70PcDuDzUSBwt42I4UJdASvSzU9ljJZhxmh
xn/XgzfuPVEqi75jhI20SfKJetR867leishDNU/XrynFCyJcr0ax6Q6BQes/w94d
ErmBchxcYwFumB0i0tWMygmCUKgpL7W5bC26gB4AUdoPhhdJQnHYwiLvEv+e1G6I
wFEA2/WzJlB+K+4v782zF7RhZaTA6OXl0noL6Nsoi2V/yufD5qKVnolx3RSHzdTd
1bSdS7lTCIQzvDmuLYvkophBL6Vb6Qa8IdwkLVxt+akr/W4oOxLaEE14HxS05OTO
bN0R5yXzNNI7RWfU4cB3JKUMSKLGB4cBf+jEj1WyGCm04/9I1XgnNqFULE4RfHwG
t8mqS1oeetfKlrzEx7NkXVn7mvITiYUzeH+M/DaTlnp5+Nb1FgQK1U54emIgEpmR
qaG9JYDxZBtmBQ2gb3RtXndZFWQh7YifqaDFsUkJl4cdjXZ69WccvFRr+Vr3Ow1O
m19lrHAFj4XZtsS9C1PNBejpdcfANoWjG+9Eitd6iliAo4nCG9jUi/6mIWRuamcs
OS2uAAWMe1ZrfhwwU/x2+/QM6eGKU43DBLy9lmyFj2UgZKW1UokQg7iAp3Wd0f+Z
SBEXNFsM3rPoYVb29boUcJtkA4CpArH36kIBv45A9u1c14uTUVRreGeLe1pqrsXB
wEwD5S1urhQzgBEBCACk1jR8gIaMRKCsl7ofIjGr8PrrOYVCkNtpWjGsNnq+SFkG
SUUekwzB0MfRVSdrkfVk/7Axrm0YGWqW9v12aNrrRLe8Vs/VJU9r2RRBgI164YbI
UDxlGBJZhNnG1BxPVt1en1nH9ceEw4yq15giSxRMOhtlmpdv6Y0HIWzhnAb+Hc68
rxFq74j2wEfkHkIYJV7cOZtXy9WF0WHVgi0wIyiDHvV84KTO5HUv2qA1uJiqt3UU
phq+lmFr3DzH7mcz2vLBW8r1AeFOd9VtRNVPkLEaVIjlCPGTYgr0hCfUX+JSf6PN
1VSRdogjcBu5Cqui60Fz9RKQvPCpX0NAUJpEZ30H0sEQATqCbZ/PF7nEqVHAOoH4
FK+Q6cR4+8iArPnUjr0lP0KWaQDJBghbYqQ8aUX37NUJaih7wae1b5WyBBCtwilI
GowCJXwiD0kd7xUns61MhNDSn2K2ZPifHptJcv5QvODLkoJSHP4ylqCa9SrzyFNR
gpRk3I31NIxZd7M5PT8fepQ75qTOgZ/v8ZTEd0HbPpjjRNJ3hMtIo7nmzPk54aD7
182jBWbXhiYiTTYEExnGwq+uDHoQjtGGBQzJegqeNex/q3Ba7Lf5RCbfFXQy3aDj
JGRY6rZCQFbtcym2fjxeT9lRmHHeXA400zeLXgbqmmAKAcQwBtQQIF4Cg/cDNItN
6o5Jov0+pAm/NKKRWIXGJErGXsi0iTqJyl0anasbrQH6dnEXNbbMslIOtDl9CtKR
N5Y+x+vJJKsOQaT6dJmQHZ19RxW4tickEr6zEu6IhB8ooMGMAjdq+tpRAF4+qKyK
/yWUTIpp14deORe3aK7Hu0mA6H9dxDfwNwvat3Iv8R7YbsILdp7sFBPBlVLRLoBp
BlYe7Eqroe7dCLg+v9Uw3Hpbu0yp3/BY64H3Qj9f7X3HQ+6nHQ0oQNS6XcwvJnKo
JTV8lO263q0P7+Pti05SSs4= =gLgR \-----END PGP MESSAGE-----

------
diafygi
It seems that the biggest problem with encryption in general is that of
incentives. Great UX takes lots of design and iteration, which means someone
has to pay for all those designers and front end devs. However, when you want
good encryption, user experience always comes after security, which means you
spend the majority of your resources on the security, not the design. So, we
end up with great security and terrible user experience. It's (painfully)
rational.

Sure, every once in a while you have good security luck out and land a great
designer (TextSecure), but that's extremely rare. The vast majority of
security teams don't value design as much as security because they don't have
the incentive to.

So how do we fix the incentives? Can we? Should we?

~~~
saidajigumi
> However, when you want good encryption, user experience always comes after
> security

I'm going to throw down a gauntlet: encryption design that doesn't _start_
with designing for the human users is already fundamentally broken. Why?
Because it _cannot_ represent a solid system. This isn't machines in the
Matrix talking to one another: the needs of the human users are the _only_
thing that matters.

Combine that with the past few decades of experience in software encryption
systems, and we realize that this is hard to achieve. The non-adoption and
misuse of GPG that Moxie speaks of, the train-wreck of passwords, and so on.
It really feels like we've hit a wall, where there are no significant gains to
be had unless these design problems are taken seriously. "Perfect"
cryptosystems that have major real-world usability flaws are in fact
worthless. Implementing new systems of this kind is a waste of effort and a
disservice to everyone who vitally needs the services of a robust encryption
infrastructure.

~~~
sarciszewski
If you can't even get two machines in the Matrix to talk to each other
securely, how can you expect to succeed with human error thrown in the mix?

~~~
saidajigumi
That seems to be a straw-man which misses my point. I'm not saying that
cryptosystem or broader security research is without merit; that's obviously
false. Rather, the major problems with cryptosystems under large-scale
adoption are limited not as much by technical encryption design, but by
exactly the lack of human UX design that the parent post referred to. If your
thinking about "end-to-end" stops at the computer and not at the human, that's
become a rather enormous issue.

------
tptacek
I don't want GPG to get in the way of better, newer options. But even less do
I want to read more about people burned by the incompetent engineering of
lesser new alternatives.

Can we just declare a flag day and switch to TextSecure?

~~~
Ao7bei3s
Yes, but not unless:

1\. there are full-featured native clients for computers that aren't
smartphones

2\. it works with anonymous accounts, without needing a phone number

3\. federation is open

Right now, TextSecure can't even fully replace OTR (for secure IMs), let alone
GPG (for email <\- real work).

~~~
whyever
To replace email, we might want named conversations as well.

------
aftbit
I'm sick of "opinionated software". IMO it's code for "adding more settings is
hard". I'd prefer "sane defaults" as an operating mode, and maybe burying
confusing settings behind a warning screen like about:config in Firefox.

Software that thinks it knows my use case better than I do is wrong.

~~~
whyever
In crypto options are dangerous, so it makes a lot of sense to be opinionated.

------
eliteraspberrie
There are a couple alternatives to GPG being developed right now.

One is reop ([https://github.com/tedu/reop](https://github.com/tedu/reop)).
The cryptography is done by libsodium and it is well-written.

Another is NetPGP ([http://www.netpgp.com/](http://www.netpgp.com/)). The
cryptography is done by the OpenPGP SDK. The NetPGP code is well-written but
the OpenPGP SDK code looks like OpenSSL.

Both are promising and deserve everyone's support.

~~~
stormbrew
Reop looks exciting, perhaps as being exactly what a "fresh start" should look
like.

I see the section on not supporting key revocation at all and it worries me,
because it seems to me there should be some way to do so. But perhaps the key
here is that this particular tool is not trying to solve the key distribution
problem, which is a whole other kettle of fish? It is possible that PGP fails
partly because it tries to do both.

But that does mean that a solution still needs to be found for that problem,
even if you switch to reop.

------
yummyfajitas
Reading this article over an unencrypted connection and viewing the resulting
MITM attack is quite ironic:

[https://i.imgur.com/hXNGb5l.jpg](https://i.imgur.com/hXNGb5l.jpg)

GPG may be a failure, but HTTPS is not.

------
jvehent
I'm eagerly waiting for something better to come up. There hasn't been
anything satisfying so far, so I keep encrypting truly confidential
communication with GPG, and it gets the job done.

------
loteck
When (if?) Google's End-to-End matures, it would be a game-changer for a lot
of the less savvy users of GPG that I know.

[https://github.com/google/end-to-end](https://github.com/google/end-to-end)

------
wuschel
Well, that is certaily an understandable position. I am very happy that such a
software _exists_ in the open source community, as unpractical it might be.

The trouble, however, does not start with the lack of UI design, or other
impracticalities - for me it starts with the platform I choose to run a PGP
type of software on.

Would you trust your Iphone, Android, Microsoft/Linux/iOS/Lenovo/Dell/et
cetera computer with _" really sensitive, mission critical"_ data?

I don't.

"The paranoid will survive" is a good sentence to remember. So I better
install that PGP-etc on a offline unit and decrypt encrypt my messages there.

------
napoleond
I'm not too sure. I am skeptical about the reality of replacing email any time
soon, and more skeptical that a viable alternative for end-to-end encryption
for email will present itself. If those two pessimistic assumptions hold true,
then we're stuck with trying to make PGP easier to use. It's easier said than
done, of course (I've tried and failed) but here's one way it could work:
[http://davidnoel.ca/specifying-a-pgp-client-that-your-
grandm...](http://davidnoel.ca/specifying-a-pgp-client-that-your-grandmother-
could-use/)

~~~
vog
There's an interesting project that tries to replace smartphone IM application
with an open alternative which builds upon the email infrastructure:

[http://quickmsg.vreeken.net/](http://quickmsg.vreeken.net/)

That could be taken as a starting point for how to make things more smooth for
users.

------
mmaunder
GPG has been struggling with funding for some time now, but that's fixed:
[https://gigaom.com/2015/02/06/funds-flow-in-for-gnupg-
author...](https://gigaom.com/2015/02/06/funds-flow-in-for-gnupg-author-after-
article-reveals-his-plight/)

Also, to be fair, it's used widely by many infosec researchers/vendors/IC
folks who know how it's done.

------
jchrisa
Is there a list of credible web of trust implementations with installed bases?
Is there anything on that list using new Html5 crypto plus IETF JOSE?

~~~
rlpb
> Is there a list of credible web of trust implementations with installed
> bases?

I'm not sure if this is what you're asking, but Debian developers are required
to have their keys signed by a number of other Debian developers. So there is
a comprehensive web of trust amongst them.

You can get the entire set of public keys from the "debian-keyring" package,
assuming you trust your OS (and you use Debian or a derivative). And if you
want to be signed into the strong set, find and ask a Debian developer (you
probably have one reasonably local to you).

~~~
jchrisa
Debian is a good answer, but I meant alternatives to GPG, hopefully using
modern crypto. Maybe Talko or some of the other secure comm apps? Anything
open?

------
zby
For 20 years nobody cared about crypto - how is it surprising that we have
what we have?

For the future - progress does not come from just line of development, there
needs to be many many experiments before we get good crypto. We need better
UIs, and we also need many infrastructure improvements. I have not looked at
the protocol itself - but it being flexible and having too many options is not
really a problem - it is needed for the other layers built upon it to have
space for experimentation. But the PGP related libs are really not good. I had
once an idea for a Web of Trust related website - and I found out that there
is no way to for example verify a signature without loading a full key-ring,
that is loading all unrelated keys into the memory just to build the data
structure used by the library. This is just one case - but it supports the
thesis that the libs are a fossil from the last century. If we want better end
user tools we need to give better libs for programmers to start the
experiments.

------
markwakeford
I am curious as to to know what mail clients people are using with GPG. In OSX
I am not a big fan of the native mail client at all but it seems thats the
only approach if you want to use GPG. I am currently on a quest to find a
decent mail client that looks good and works well and I am currently trialling
Airmail 2 but its GPG support is buggy at best.

~~~
stadeschuldt
I have been using Thunderbird (with Enigmail plugin) for over a decade now.
Never had any issues.

~~~
Nelson69
Other than using an email client application rather than a web application.

Enigmail is good though.

------
sixdimensional
From what I have learned, security/cryptography is about protecting what needs
to be protected for as long as is necessary (which is relative to the parties
and data involved) - there is no such thing as "absolute" or "perfect"
security/cryptography and probably never will be.

Based on that statement, "good enough" is "good enough" relative to the value
of what is being protected. From my personal experience, while difficult for
use by ordinary users, GPG has proven "good enough" (if not better) for most
common business/organizational/personal uses.

That is not to say, that a better alternative/increased ease of use is not
possible. Better alternatives are always possible (possibly hard), but it
seems such an alternative has not yet presented itself. This leads me to
believe that this is in fact an ongoing market and worldwide opportunity for
those who have the skills to make alternatives real.

------
lucb1e
> When I receive a GPG encrypted email from a stranger, though, I immediately
> get the feeling that I don’t want to read it.

I don't understand why. Did I glance over it, or is it not in the article?

When I receive GPG encrypted email, I only have to enter my password and it
gets decrypted. Simple as that. Same as when starting me email client, then
too I have to enter a password to decrypt the login for the server. It takes
only a moment really.

I don't receive that much email from strangers anyway, but the times I get GPG
encrypted email from a stranger it's never spam, so it's surely worth the
approximately three seconds to enter that password.

(For the curious, I use Thunderbird with Enigmail and kgpg as front-end to
GnuPG.)

~~~
jshholland
It's probably equivalent to receiving a letter written in green ink (British
perception that letters written to media in green ink are more likely to be
from what I'll charitably call fringe interestts)

------
contingencies
Developer of _phone_ -based crypto afterthoughts that give people a false
sense of security and ignore the evidence that using phones is the worst thing
you can do for privacy and security: "[my competitor] the most widely deployed
message-oriented cryptography application in the open source world is crap".
Well, yes and no. Forward secrecy is nice, but a world without forward secrecy
and a workable standard when required is still arguably better than a world
full of people throwing away insecure phones every six months while convincing
themselves App1.2.3 makes them untouchably secure because n-marketing claims.

------
upofadown
I think a major part of the solution is going to involve teaching people about
public key cryptography in school. It isn't the sort of thing that anyone
wants to bother to learn on their own. Without this essential understanding
any attempt to get the general public to protect their privacy is doomed. Even
if they somehow manage to go through the motions they are eventually going to
do something to mess everything up if they don't know what they are doing.

Some tasks require understanding. This is one of those tasks.

------
orblivion
How long would it take to vet something new? I don't know a lot about crypto
but I get the sense that GPG is the gold standard for now. I agree that the
interface is awful (and I feel bad for saying that after having learned of
Werner Koch's financial situation) and it needs to be replaced. I wonder if
some of the guts can be retained to avoid the bugs that come from starting
from scratch?

------
tanx
I'm completely missing a discussion about federation. Sure TextSecure and
iMessage solve UX in a great way. But what about business requirements that
email/PGP does solve? More in our blog post here:

[https://blog.whiteout.io/2015/02/25/pgp-theres-life-in-
the-o...](https://blog.whiteout.io/2015/02/25/pgp-theres-life-in-the-old-dog-
yet/)

------
radisb
When I imagine a world with an easy to use encrypted email system such that
anyone could transparently use, I cant avoid imagining either a world sunken
in spam, or a world where each individual no matter their computer skills"
would have to maintain anti-spam systems. So we are back to square one
regarding mass adoption...

------
antihero
I as a fairly technical person fine GPG confusing, despite being shown how to
use it several times, and still have no idea whether it's working properly or
if anything is actually being secured with how I've got it set up. Also, seems
centric on the dwindling population of people who actually use email clients.

------
escapologybb
I'm not a programmer so I was hoping somebody could answer this question for
me, why did Moxie choose to italicise the word python in this sentence:

"Mailpile had to write 1400 lines of python code just to interface with a
native GnuPG installation for basic operations, and it still isn’t rock
solid."

~~~
Johnny_Brahms
He means that you can do alot in 1400 lines of python, and if interfacing with
GPG needs that much to be "not rock solid" there is something wrong.

------
bkeroack
One of the problems is the constant mantra: "crypto is hard--leave it to the
experts", discouraging new tools from being written. Crypto is hard but
there's a big community out there to help with auditing the codebase and
fixing issues once a project gains traction.

------
bonn1
Clever Marketing gig for TextSecure which has been rumbled by the third
commentator on that page:

> Okay, since you want to play in the same league as OpenPGP: where can I find
> the RFC describing TextSecure? How many independent implementations of the
> TextSecure protocol currently exist?

~~~
whyever
There is Whatsapp, which is not compatible but uses the Axolotl protocol as
well.

You can find the protocol on github.

------
motters
I don't think that email is going to go away any time soon, so there doesn't
appear to be a lot of alternative. I doubt that Moxie is suggesting that users
send emails in plain text, so maybe email encryption needs to be reinvented.

------
lisper
I'm working on a GPG replacement that is designed to be super-easy to use. Not
quite ready for prime time but if any HNers would like a sneak preview drop me
a line. Contact info is in my profile.

------
mark-r
> “I send you the private key to communicate privately, right?”

That could be fixed with a simple terminology change, call it the "secret" key
rather than the "private" key.

------
tiatia
Yes. This guy does not need GPG. But he needs a new haircut.

------
jms703
breaking news! </sarcasm>

ok. what's moxie selling next?

------
fensipens
These rants are not very useful until one of the two geniuses (Green, Moxie)
can come up with a comfortable solution to the core problem of key
distribution.

And given that nowadays Green seems completely consumed by twitter while Moxie
believes in fixing whatsapp, I wouldn't hold my breath.

~~~
mbubb
Could you further ID "Green"? Do not know who that is.

Edit. Matthew Green?

~~~
fensipens
Matthew D. Green, the "expert in applied cryptography and network security"
who was invited to take a look at the Snowden-stash but declined because he
was scared. Which is funny, because since Snowden he became some sort of web-
celebrity always ready to tweet and comment on every little crypto/security
issue.

