

Distress Call: Please make a better, easier way to use PGP - Balgair

In light of recent news, I decided to start using PGP for email. It is NOT easy to start using. Since this is HackerNews and all, I think this would be a good place to send a distress call. If someone out there feels the need, please start work on a better way to use PGP for email. Thank you.
======
napoleond
Although it has taken disastrously longer than desired, my company is still
working on [http://parley.co](http://parley.co)

The project has changed somewhat since we posted the outline[1]; basically
we're focusing on email only to start (instead of email/IM) and we'll be a
service that sits on top of your existing email inbox (instead of a standalone
email service). We'll be releasing a [possibly paid] beta by the end of July.

1. [http://parley.co/outline.html](http://parley.co/outline.html)

~~~
Balgair
I will be watching out for that!

------
digitalengineer
Exactly. Why is it so hard to implement PGP? We have turn-key servers and what
not, but a simple PGP is not possible? Here are some insights why PGP is
pretty much... dead.

[http://geekyschmidt.com/2010/08/28/netcraft-confirms-pgp-email-encryption-is-dead](http://geekyschmidt.com/2010/08/28/netcraft-confirms-pgp-email-encryption-is-dead)

~~~
Balgair
Great read, thanks! It seems like a great App is waiting to be made here.

------
vanilla
[http://www.mailvelope.com/](http://www.mailvelope.com/) is an easy way to do
PGP but most certainly not the securest.

~~~
Balgair
Thank you for the link!

------
RyanGWU82
Have you tried S/MIME instead of PGP? S/MIME support is built into desktop
mail clients like Thunderbird, Microsoft Outlook, and Apple's Mail.app.

~~~
JoachimSchipper
If you're paranoid, S/MIME is probably not your first choice, being dependent
on a CA and all...

~~~
tptacek
What is the CA-related attack on S/MIME that you're thinking about here?

~~~
JoachimSchipper
Nothing particularly interesting, and it is possible that I'm just wrong (I've
never looked at S/MIME in great detail). Basically, S/MIME requires the sender
to figure out which certificate to encrypt to. I'm not aware of any method of
doing such discovery that, at least on first use, is more secure than the
least secure trusted CA. But in the public, internet-wide scenario envisioned
by OP, "least trusted CA" means that we have the same problems as for SSL.

This is not just a first-use problem, either. At least Outlook happily accepts
valid-but-different-from-previously-seen certificates, and will encrypt
replies to the certificate signing/encrypting the message being replied to.
Thus, if I can convince BadCA to give me a certificate for thomas at
matasano.com, I can send a mail "hey, $PARTNER, I'm away from my usual devices
and I really need the proposal for $BIG_CUSTOMER. Could you send it to me?
Please don't forget to encrypt it." Such an e-mail will appear appropriately
signed, and I can read any replies $PARTNER sends.

Deploying S/MIME within an organization or within a couple of mutually
trusting organizations works just fine, of course; it's only involving public
CAs that causes a problem.

(Or did I miss something?)

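A defensive check for the behaviour described in the comment above, as an added example that is not from the thread or from any mail client: pin the first certificate seen for each sender address and flag a CA-valid but different one instead of silently accepting it and encrypting the reply to it. Certificates, the CA list and path validation are constructed stand-ins, not real X.509 handling.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Cert:
    """Constructed stand-in for an S/MIME certificate (not real X.509)."""
    email: str    # rfc822Name the CA put in the certificate
    issuer: str   # CA that signed it
    der: bytes    # constructed stand-in for the DER encoding

    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()


# A typical client trusts many CAs; it cannot tell a careful one from a sloppy one.
TRUSTED_CAS = {"GoodCA", "BadCA"}


def chains_to_trusted_ca(cert: Cert) -> bool:
    """Stand-in for path validation: any cert from a trusted issuer passes."""
    return cert.issuer in TRUSTED_CAS


@dataclass
class PinStore:
    pins: dict = field(default_factory=dict)  # email -> fingerprint first seen

    def check_sender(self, cert: Cert) -> str:
        """Classify an incoming signing cert: invalid, pinned, ok or mismatch."""
        if not chains_to_trusted_ca(cert):
            return "invalid"
        fp = cert.fingerprint()
        pinned = self.pins.get(cert.email)
        if pinned is None:
            self.pins[cert.email] = fp  # first use: trust and remember
            return "pinned"
        if pinned == fp:
            return "ok"
        # CA-valid, but not the certificate we have talked to before:
        # do not overwrite the pin, surface it for a human decision.
        return "mismatch"

    def reply_cert(self, incoming: Cert) -> Optional[Cert]:
        """Certificate to encrypt a reply to; None means refuse until confirmed."""
        if self.check_sender(incoming) in ("pinned", "ok"):
            return incoming
        return None
```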
------
NoSuchNSA
Yeah, use PGP. I can't break that.

~~~
Balgair
Haha love the user name

