I can't edit that now but actions speak louder than words - get your GPG key set up today: http://gpgtools.github.io/GPGTools_Homepage/keychain/ It takes 5 minutes, tops. If you've spent 5 minutes talking or worrying about this issue you owe it to yourself to do it. Set it up with your favorite email client and encourage your friends to do the same.
I've had my public key available on my website for years. Nobody uses it. The problem is social: people are not in the habit of using encryption and only the technically adept have any idea how. Even my correspondents who know how to use gpg don't bother.
That, and the fact that public/private key encryption is difficult to understand on a conceptual level, uses poor, inconsistent, or misleading terminology, and has a user-hostile interface with GPG or a buggy and error-prone interface with Enigmail. The problem is social in part because we've done such a poor job packaging and marketing the solution.
This, a thousand times this. I could write an entire post on the key metaphor alone. I don't think anyone has ever had their conceptual understanding improved by calling the codes you use to encrypt and decrypt things 'keys'. If we insist on calling them that, can we at least make sure to explain why it's called a key, instead of giving people the impression that it somehow works like an actual key?
I wonder whether users need to know the difference.
Seriously, the are few situations where someone's actually going to want to post their private key to the internet - at least if they understand what it is - so what are we imaging that they're doing with it that they need to know about it in the first place?
You're probably going to want them to have a backup, but you can have them make a backup without having them understand the difference - you just have your program back up a folder structure that the private key is hidden somewhere in and only make the public one obvious. Make them aware that if they don't backup they won't be able to access their emails - should the worst happen - but don't tell them why. Someone with a push-button understanding of computer... they just don't really need to know why.
... -sigh-
I almost wonder whether it wouldn't be easier to market public-private key crypto as a packaged solution. Buy an encrypted email address kind of thing. Send people a physical token they mentally associate with that email address and tell them not to lose it.
Except in other contexts, the use of the public and private keys is reversed. I use my private key to generate signatures: does it aid understanding to tell someone to use my "lock" to verify such signatures?
GPG has a sucky API and crazy CLI. It's a stack of eggs that everyone is scared to improve.
People don't even try to understand the bare basics of PKI or even security because they are fundamental lazy and not required too. No one expects them to understand the math, just the few processes required for basic usage. If you can understand the arcane rules of baseball, or how to drive a stick, or solder, or field strip a pistol or basic cooking, you can learn how to "use" encryption.
> That, and the fact that public/private key encryption is difficult to understand on a conceptual level, uses poor, inconsistent, or misleading terminology
Consider https. That is very easy to use, because the user doesn't have to do anything to use it. The user doesn't need to know anything about encryption.
> Consider https. That is very easy to use, because the user doesn't have to do anything to use it. The user doesn't need to know anything about encryption.
Doesn't this mean that many users will just click through any errors, thus making https less secure than it could be?
Consider the evolution of warnings. Padlocks were shown in different states and colours, then pop-up dialogue boxes appeared, and now Chrome has an entire red screen with a suitably stern warning.
You're right that https is the easiest form of PKI for users to understand. And they still get it wrong. And that's for encryption that could make a difference to their lives - people could steal their money or their products or whatnot.
I remember reading about Hushmail a few years back, encryption was built in the web based email system with PGP, the use would never need to worry about encrypting the mail since it was baked in out of the box, esp between hushmail accounts.
The only problem was that the system was compromised in order to comply with US requests.
In all seriousness, I agree that it's a social problem. I think we (in the tech industry) can do a better job of making the tools easier to use. If we really want to make something like PGP take off, we'll have to provide easy tools that integrate with people's email clients and provide dead simple tutorials of how to get started.
The best way to make people use it is to make it seamless.
I am talking about something like a Chrome/Firefox extension, which creates a GPG key pair for you, uploads the public to some central server and encrypts stuff like the text in your hotmail, gmail, yahoo mail, etc, after you press "send" and before the text is sent to google.
Then, at the other side, the a user with the same extension opens the new message and as soon as it appears, the extension detects that it is an encrypted message, reads the id of the sender and decrypts the message.
There are lots of details which makes this difficult to implement... but that would be the only way to make the vast majority of people use public key encryption.
I think there is a certain level of distrust of the technology on top. I had a discussion about encryption with a group of non-technical peers a while back and every single one of them strongly believed that it could be circumvented with ease. If you come with that attitude, you'll find no reason to use encryption, as it is only as good as plain text at that point anyway.
Yes, and that's why the software needs to be easier to use. In fact it should be effortless: once installed, it should automatically encrypt on the way out and decrypt on the way in.
My public key is here: http://sho.ch/alexgraul.publickey and on the gpg keyserver, where's yours?