I don't use key servers. So when I get an encrypted message from my friend I have no issues.
Allowing a third party such as a key server to play some role in verifying the authenticity of a key is basically broken from the start, and has nothing to do with PGP itself.
OpenPGP is broken in other ways! But this is a headline given to a particular current events story about OpenPGP.
Once you hand off the validation to a 3rd party that does nothing to validate other than a voting system of other people then you are done. You basically put your PGP keys on reddit and decided the key is valid because it made it to the front page.
PGP may be many things, but it is not broken, and saying so is blaming the tool for an obviously bad use of it.
I don't think you can fall back on this being an "obviously bad use of the tool", by the way, since it's a pretty core use of OpenPGP. I don't use keyservers either (or didn't, when I still used PGP, which I actively avoid doing now), but I'm outnumbered by the people who do.
PGP is more than simply encryption. It provides a means of trusted identity.
End to End encryption is pointless if you have no way to validate that a message came from the sender. Relying on automated systems for key exchange will always suffer from this problem.
The lucky PGP users stick to the command line, which is so clunky that they'll use it rarely. The less fortunate will use PGP email clients which are so poorly thought out that they just last year managed to exfiltrate plaintext to attackers.
Signal use in the real world dwarfs that of OpenPGP; it's almost certainly many orders of magnitude.
I don't think the number of people using something invalidates a technology's technical merits. All we have now is a bunch of people thinking they are secure, only to one day have a very rude awakening, not if but when, their communications are compromised for the sake of popularity and ease of use.
Most of the arguments against PGP are about clunky clients and such; this again is not an argument refuting the technology. Meanwhile the new systems solve the UI problems by dropping the most important part of encryption -- the ability to validate.
So for me, I will stick with gpg and the like.
People who care very deeply about these problems and who have studied them more carefully than almost any message board commenter have evaluated PGP and Signal. Among secure messaging and cryptography engineers, PGP is alternately either amusing or an unfunny hindrance to progress. Signal, on the other hand, won the Levchin Prize at Real World Crypto.
Don't use PGP.
Signal is not a protocol, it is an application. It uses Open Whisper (or some mutation of it) as its underlying protocol. That being said, you are still relying on trust provided by the Signal servers that they properly authenticated your phone number. A phone number is a super weak way to verify identity. Luckily Signal does provide a way to verify you are actually talking to who you think you are via the safety code process (in person or out of band). So the end result is trust us first, then verify later. While most PGP applications require zero trust until verification by means of key exchange.
After all that, there is nothing stopping anybody from making an application that works just as Signal does but based on PGP, and being just as secure as Signal using PGP. The problem is people who understand this know that using PGP chained with a weak service phone-number-based validation invalidates the entire point -- so they don't. I personally think that is a mistake, as PGP is way better in the long run because it can be used for more than text chats and video calls.
> tools that get people hurt.
People hurt themselves using tools improperly.
There are clear things wrong with the PGP protocol. PGP predates authenticated encryption (let alone modern AEAD ciphers) and the hacks PGP came up with to authenticate ciphertext resulted both in stripping attacks and, indirectly, in the Efail attack from last year. It was also Signal's linear packet based key format that resulted in the GnuPG/SKS attacks.
Signal is a protocol; in fact, it was "Signal Protocol" that won the Levchin prize. Signal also doesn't verify identities with phone numbers.
These are just basic, fundamental factual problems with your claims. We're not even getting close to serious comparisons between the two systems; we haven't even talked about forward secrecy, compromise repair, modern primitives, complexity, and UX.
In practice, the only allowed implementation does.
It finds your contacts based on phone number, it allows them to use any keypair, and it allows that key to change at any time. It shows a light grey item in the chat when the key changes, just "your safety numbers have changed" and then you continue chatting like nothing happened.
Even if you were paranoid about checking for the light-grey changed safety number message, there's practically no way to avoid it. There's no built-in way to back up your keypair and then load it onto another phone, so you can't avoid needing to have your friends accept new keys whenever you get a new phone, or factory-reset your phone.
Maybe you want to fork the open-source client and fix some of these glaring security deficiencies ... nope, they don't want your fork connecting to their central servers. Federation is for silly nerds, no thanks.
Further - recent GPG's crypto implementations are not currently compromised; it's disingenuous to conflate the issues with mail client plugins and keyservers and the old constructions used 15 years ago with recent RSA keypairs.
GPG signatures are used to verify authenticity of debian, ubuntu, and arch linux packages, and these systems do not use keyservers. I've used gpg for a scripted system just for coworkers at my office. (We exchange keys and validate fingerprints in person in the office.) It works. It is not vulnerable to any currently known attacks.
You can't do any of that with Signal! Maybe Signal's algorithms are the bee's knees and will last for decades, but it's just not a useful tool. It allows peer keys to change at any time, and encourages or even requires it!
If anything, I'd expect you to be promoting Keybase, it is "modern" and also does a lot to solve the key distribution and continuity problem ("for real users" you might say), that Signal does not do.
It's very frustrating to see you appeal so much to authority and say "my cryptographer friends and I all just laugh at silly geeks who don't trust Apple and Facebook and OpenWhisperSystems" and really not offer anything that could replace GPG as a tool for us "silly geeks" to use for practical purposes. We could chat with each other and feel good that Moxie's modern crypto is being used and not care when keys change, but that doesn't accomplish anything technically useful for us.
>> "Signal uses standard cellular mobile numbers as identifiers"
>> "The applications include mechanisms by which users can independently verify
>> the identity of their messaging correspondents and the integrity of the data
That is what I described, it's trust us first, and maybe verify later if you think of it.
>> "Open Whisper Systems introduced the second version of their TextSecure Protocol
>> (now Signal Protocol)"
Looks like it is Open Whisper, just V2 and renamed... Well maybe TextSecure.
> hacks PGP came up with to authenticate ciphertext resulted both in stripping attacks and, indirectly, in the Efail attack from last year.
A quick look at Efail shows clients were at fault and the fix was patching clients. I can assure you my email client had no such issue. So again, you are blaming something on PGP that really just involved PGP. If Signal's code has a bug in it, it too can leak encrypted messages after the client decrypts them.
> key format that resulted in the GnuPG/SKS attacks
Again you are back on keyservers, a method of offline verification to a 3rd
> Signal also doesn't verify identities with phone numbers.
Yes it does, unless you do the second step of verification, which is not done by default. Have you used Signal before? When I installed it on my phone, magically people I knew showed up based off -- what is that? A phone number.
And again Wikipedia - " Signal uses standard cellular mobile numbers as
> These are just basic, fundamental factual problems with your claims.
You keep conflating things with PGP that are not PGP, thus I have to refute insane statements that don't have to do with PGP, but things like email clients, or now how Signal actually works. You thus far have just said I am wrong, but yet not described how any of this works. Yet I am here pointing to and describing in great detail how you are wrong. Simply saying I am wrong, and not demonstrating it, does not make you right.
> We're not even getting close to serious comparisons between the two systems;
You are right, because you are talking about end to end encryption and I am talking about the importance of verifying who you are talking to. Signal fundamentally solves a different problem than PGP is attempting to solve -- and it does so giving up some very strong benefits that PGP brought to the table. Signal is amazing if you don't want onlookers to see your message, not so good if you want to authenticate the sender (unless you go through the extra steps, in which case it is the same cumbersome process as PGP keys.)
In any case, I don't have any more time to spend on this. If you choose to reply I will read it, but I am done because I don't think we are going to come to an agreement.
Edit: how about a response instead of a downvote, anonymous detractor?
As a note, I think there are probably better crypto technologies these days, but none of them do what PGP aimed to do; rather we have a bunch of smaller tools that do small parts of what PGP did. I am not going to send you a signed file over Signal, and I think it is silly to have to use an alternative means of sending the file that will either remove the ability for authenticity, or require me to do the authentication dance again with you.
PGP suffers from bad tooling, and further suffers from the relentless onslaught of people who want fancy electron or phone apps that can only do a small % of what pgp would allow.
Final note, I think something better than PGP could exist, but nobody has made it yet. In either case, validating keys will always be a hard problem and any attempt to automate it will result in a false sense of security. While end to end encryption will keep onlookers from viewing your communications -- you just might find out one day you are talking directly to the people you were trying to hide your communication from.
Secondly, Signal sends files just fine, and does so more securely than GPG. If you don't want to use Signal to do that, you can also use Magic Wormhole, which also works better and is more secure than PGP.
How else do you recommend to independently establish a verifiable identity?
But even if you don’t agree with the argument that federation is dead and we truly need Electron apps (with eternally outdated Chrome instances) for secure communication, still you have to admit that PGP is arcane, the cryptography is not modern, and people by and large are ignoring the “web of trust” system. PGP needs a dramatic overhaul, at the end it won’t really be PGP.
(I am not sure if there isn’t a double ratchet system working in federated way. Jabber with OMEMO/OTRv3? Matrix? I don’t know)
If you don't have an effectively auditable trail of knowledge to be able to tell if someone attempted trickery then it doesn't serve the full purpose - but that doesn't scale well.
Basically unless you plug your GPG installation into keybase or do other GPG specific things, it's not using PGP/GPG at all and instead their own format.
I don’t understand how GPG maintainers think they can implement something better (function and performance-wise) than a proper database engine. Also I don’t think GPG will ever need to handle a keyring larger than 140TB.
Someone might have misunderstood how undo logging / rollback journals work. Only pages to be changed are recorded in the rollback journal, not the entire database.
> For example, it was never clear to me whether signing a key meant that I’d verified the person’s identity, or that I then trusted them to verify other people’s identities.
Signing means you verified identity. Trust to verify (also called ownertrust) is controlled by a different setting and you can trust someone to verify other keys fully or marginally (or not at all if you know someone is controlling given key but does not verify others well). See this excellent post for details: https://www.linux.com/learn/pgp-web-trust-core-concepts-behi...
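To make the signing-versus-ownertrust distinction in this answer concrete, here is an added simulation of how GnuPG's default "pgp" trust model turns certification signatures plus ownertrust into key validity (marginals-needed 3, completes-needed 1). This is illustrative code written for this thread, not GnuPG's own implementation; it simplifies by ignoring certification depth, and the keyring (alice, bob, ...) is constructed.

```python
# Simplified GnuPG-style web-of-trust validity calculation (added illustration,
# not GnuPG's own code). Uses gpg's default "pgp" trust-model thresholds.
MARGINALS_NEEDED, COMPLETES_NEEDED = 3, 1

def compute_validity(ownertrust, certs, marginals_needed=MARGINALS_NEEDED,
                     completes_needed=COMPLETES_NEEDED):
    """ownertrust: {key: 'ultimate'|'full'|'marginal'|'never'|'unknown'}
    certs: {signed_key: {signer_key, ...}} -- certification signatures held.
    Returns {key: 'full'|'marginal'|'unknown'}. Simplification: only keys that
    are themselves fully valid and carry ownertrust act as introducers."""
    keys = set(ownertrust) | set(certs) | {s for v in certs.values() for s in v}
    validity = {k: "unknown" for k in keys}
    for k, t in ownertrust.items():          # your own keys are valid by fiat
        if t == "ultimate":
            validity[k] = "full"
    changed = True
    while changed:                           # propagate to a fixed point
        changed = False
        for key, signers in certs.items():
            if validity[key] == "full":
                continue
            full_votes = marginal_votes = 0
            for s in signers:
                if validity[s] != "full":
                    continue                 # marginal/unknown keys cannot introduce
                t = ownertrust.get(s, "unknown")
                full_votes += t in ("full", "ultimate")
                marginal_votes += t == "marginal"   # 'never'/'unknown' count for nothing
            new = "unknown"
            if full_votes >= completes_needed or marginal_votes >= marginals_needed:
                new = "full"
            elif full_votes + marginal_votes:
                new = "marginal"
            if new != validity[key]:
                validity[key], changed = new, True
    return validity

def example_keyring():
    # Constructed sample keyring; 'alice' is our own key (ultimate ownertrust).
    ownertrust = {"alice": "ultimate", "bob": "marginal", "carol": "marginal",
                  "dave": "marginal", "erin": "full", "judy": "never"}
    certs = {"bob": {"alice"}, "carol": {"alice"}, "dave": {"alice"},
             "erin": {"alice"}, "judy": {"alice"},
             "frank": {"bob", "carol"},          # two marginals -> marginal
             "grace": {"bob", "carol", "dave"},  # three marginals -> full
             "heidi": {"erin"},                  # one full introducer -> full
             "ivan": {"frank"},                  # frank only marginally valid -> unknown
             "kate": {"judy"}}                   # judy's ownertrust is 'never' -> unknown
    return compute_validity(ownertrust, certs)
```

Note that judy's key is fully valid (alice certified it) yet introduces nobody: validity says "this key belongs to judy", ownertrust says "I trust judy's certifications", and only the latter is set with `gpg --edit-key ... trust`.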
I actually don't think there is a problem with the concept of a web of trust per se. It's a fact of life. I think that the software doesn't help you use it appropriately. Even if Alice says that a person is Bob, I should not be fooled into thinking that it really is Bob, or that Bob is trustworthy. All it says is that when Alice talks about "Bob", she means this person who we're calling "Bob". If "Bob" then introduces me to "Cathy", we shouldn't be fooled into thinking that it really is Cathy. However, it's still very useful to know that Cathy is Bob's friend who is Alice's friend. If Alice tells me to talk to Bob's friend Cathy, I can be totally comfortable talking to the "Cathy" that Bob introduced me to.
Just to make a more concrete example, imagine that you have a problem with your software. You contact the company that supplies it and somehow determine that the person you are contacting is really operating on behalf of the company. They refer you to second line support. It would be incredibly useful to know that the second line support person you are talking to is, in fact, the second line support person you've been directed to and not a man in the middle. You don't care who that second line support person is. Maybe they aren't using their real name. Maybe they are an illegal immigrant. None of that matters to you. All you care is that they are the person you were directed to. And if they direct you to third line support, you care that the person you are talking to is the person you were directed to.
People get hung up on the wrong things with PGP IMHO. They check people's passports and include photos in their keys, etc, etc. I mean, great if you are the government trying to ascertain if a key really belongs to a citizen, but completely useless for most practical purposes. All you care about is that chain.
I think the author of the article you link to is mostly right. Long term keys don't make much sense most of the time. A key that's signed by a million people is useless. I only care that it's signed by the people who are relevant in the context for which I'm using it. Relationships change too. If I've got a key from level 1 support to a level 2 support person, I can't trust 6 months later that the level 2 support person still works at the company. You need to have a context to describe the link in order to understand it. PGP (and by extension GPG) are absolutely horrible in that regard.
I find it ironic that the author says that the best way to reach them is by their Whisper number. This is what frustrates me. We exchange "horribly flawed implementation" for a central trust broker -- who may or may not be trustworthy.
It's 20 years since I've been to a key signing party, but there are still several small circles of trust where I have very good ideas about the trustworthiness of each member and of the overall circle.
I still trust the crypto that PGP (and OpenPGP) uses. (With the caveat of no forward secrecy unless you try to handle that yourself).
I'm not entirely sure I've _ever_ trusted a key server provided public key, beyond the use case of trying it to open a conversation in which I can verify (to whatever level is needed) whether the person on the other end is the person I am trying to communicate with.
To be honest, I think Keybase has the only workable solution to this problem for modern online personalities -- tie it directly to your other identities online such that you would need to break into many accounts in order to fake someone's identity. And individual users can decide for themselves what threshold of trust they have for someone.
It's another product based on the same specs.
Maybe you're thinking of https://sequoia-pgp.org/ or https://neopg.io/ ?
Is there a comprehensive summary anywhere?
And yet, I see 'utm_source=cryptography-dispatches' in the URLs!
Does anyone know good alternatives in this space?
Currently Git seems to be very much integrated with GnuPG and the same goes for GitHub's UX sprinkles over the signing feature. That is what I'd like a decent alternative to.
I considered using OpenBSD's signify but it does not integrate as nicely as GnuPG signing, so I'd basically be rolling my own mechanism (which is fine I guess, but feels subpar).