

Let PGP die - pvorb
https://translate.google.com/translate?hl=en&sl=de&tl=en&u=http%3A%2F%2Fwww.heise.de%2Fct%2Fausgabe%2F2015-6-Editorial-Lasst-PGP-sterben-2551008.html

======
secfirstmd
I agree with the message but we need something in place before letting it die.

------
informatimago
"How good end-to-end encryption must look like today, Apple demonstrated with
iMessage: millions of iPhone owners do not even know that they encrypt their
short messages."

No. This is not good. Because who in his sane mind would trust a company like
Apple not to sucumb to pressions from powerful governments, or his own people,
to have backdoors and look at your data. Who in his sane mid would trust a
company like Apple (or Gemalto or any other), to never hire spies, and to
always ensure 100% secrecy of cryptographic or communication systems?

Basically, the problem is that you need to trust a lot of elements to ensure
secure and private communication channels, starting from your hardware.

It would be possible that hardware is compromised (and it's a certainty in the
case of smartphone, since no smartphone contains 100% open hardware, but
always have a core of privative chips around the communication module (which
is why Gemalto hack is not such a big deal anyway: GSM is wicked from the
start)), but even with clean hardware, there would be no point in using
cryptographic system if you use privative operating system (even if those
privative operating systems are derived from free and open operating systems).
iOS may contain some parts BSD software, that doesn't prevent Apple to include
secret backdoors. And even while Android OS is free and open source, until its
18 _gigabytes_ of sources are audited, we cannot really trust them, much less
in their Google or Samsung and other binary forms.

Basically, even [http://www.blackphone.ch/](http://www.blackphone.ch/) cannot
really be trusted for this reason: it's not open and free software.

PGP is good, because it's a distributed public key system, into which some
trust can be put, for the precise reason that people have to understand it to
use it. Also because you would normally use it on open and free operating
systems that you can trust, and hopefully, on open hardware that you can trust
too (no privative firmware, chips preferably fab'ed in your own country,
components assembled by yourself or somebody you trust not to be a CIA or MSI
agent, etc).

Brazilian and German politicians may be unhappy about the USA spying their
phones, and may initiate the building of their own phones and phone operating
systems, but while those are not open software running on open hardware, only
THEY can trust their phones. I would trust a brazilian phone just as much as a
korean one or an USian one: ie. I would be 100% sure in both case that my
communications are spied, by brazilians, koreans or USians spies.

So, how good end-to-end encryption must look? It must look like being
implemented on open and free software running on open hardware, of which the
USER can audit the sources (and therefore that must have a very controlled
complexity), and of which the USER may modify and compile the programs at
will.

Ie. all the contrary, from the user point of view, of what a smartphone or
tablet is nowadays.

