Yes, GPG is a powerful tool that makes some encrypted communication possible. But is it really "working" if it's the tool we've had for the past 20 years, and we still ended up in a world where surveillance is so ubiquitous and privacy is so rare? Having used GPG, it seems more likely to me that there are only ~50k GPG users in the world because of the product, not because of weak desire or need for private communication.
I'm not suggesting that there's anything "better," but that it's really sad there isn't. GPG isn't ever going to be anything other than what it is now, and I don't think that's the future we want for ourselves.
We could try to slap a GUI on top of it, but I don't believe great products are made that way. Good UX requires thinking about interactions all the way down to the protocol. The good news is that GPG has such a small legacy install base (literally on the order of ~50k users), that there's no reason to maintain compatibility with OpenPGP. When building new products, we can start fresh with modern cryptography, a modern protocol, and a modern design philosophy.
It's not just that, though. Anyone else with your knowledge but no standing would be scorched for saying what you just said. "Throw away the one thing that has proven to be secure and write our own protocol" doesn't go hand in hand with "serious cryptographers trust what this person is saying."
The truth is probably that either you do this or nobody will.
You should. The world would be better for it.
I'm not going to back just any crypto project, but with the right people leading the charge I would get behind it.
(Unrelated to GPG, but this goes towards crypto projects by Moxie and other solid people.)
This attitude is why GnuPG (and other PGP implementations) are in a position to be criticized by the Moxies of the world. Is there some particular reason why anybody outside of some recognized elite should be discouraged from at least trying to create a better, improved system? Yeah, they'll probably fail in a lot of cases, but if the world really wants a modern, easy-to-use alternative to PGP (a real alternative, not use-case-specific alternatives like RedPhone and TextSecure; encrypted/signed email is still a valid use case that both those things blissfully ignore, by the way), this sort of attitude - that anyone outside of a select few rightfully deserves to be scolded for trying to make better crypto - is lethally toxic to that goal.
In between the time that a cryptographically illiterate developer releases their MVP 1.0 version and the time that it's discovered that their cryptography is fundamentally flawed --- a window of time that can stretch on for years --- actual people will rely on the tool for their security, not realizing that serious adversaries are reading their messages.
Most new cryptosystems --- a cryptosystem being "anything that uses a cipher, including when the cipher is simply AES --- are terribly broken.
Search for [decryptocat] for an extremely good example of what I'm talking about.
Developers who are new to cryptography that want to learn more about it and eventually use it in their own systems should start by learning how to exploit broken cryptography. If you can't exploit an RSA padding oracle, you shouldn't be designing systems that use public key cryptography. If you can't exploit a CTR nonce stutter, you shouldn't be using block crypto.
Developers who don't want to learn cryptography should work on improving the UX (UI and workflow) of existing cryptosystems. PGP could sure use some help, but even if you don't want to help with PGP, there's a huge green field of work to be done on browser TLS trust and CA user interface. Just as one example.
This results in things like GnuPG being considered hard to use. This results in things like GnuPG struggling along with a single core developer and barely enough funding to support that developer (even now). This results in things like OpenSSL being horribly undermaintained, to the point where nasty bugs like Heartbleed are allowed to exist longer than they should because there is an insufficient quantity of eyeballs to find them and squish them. It doesn't take a rocket surgeon or a cryptographic guru to see that this is nothing but an awful situation for pretty much everyone involved.
i think any 3rd party distributed crypto is only useful against weaker adversaries (weaker than the person doing the distributing). For p2p crypto designed and agreed to by the two parties, there are lots of options, starting with a 1-time pad, CTR mode hash based ciphers, etc...
But, not having used it for a few years, I went to take a look again - list some keys, maybe SMS some friends to exchange fingerprints and sign their keys, etc... - I'm trying to recall what the relationship between PUB, SUB, UID, Key Fingerprints are. And how do I indicate that I trust a key and upload it back up to pgp.mit.edu?
And I consider myself a member of the 0.1% who at least understand the principals behind PGP/Public Keys/Private Keys/Web of Trust, etc...
So - if I'm having trouble understanding this without a couple hours of study, their is Zero chance that the other 99% of the population will ever be able to wrap their heads around the intricacies of PGP. Something else is going to have to replace it.
[EDIT - as an aside, I've spent the last hour trying to do a "gen-key" on my ubuntu host, and been prevented by lack of entropy - and yes, I've tried running tcpdump, tried egrepping every file on the system for a string, etc... Ended up on https://bugs.launchpad.net/ubuntu/+source/gnupg/+bug/706011 and the answer seems to be, "Find a machine that does have entropy, or install a hardware random number generator in your computer."
Please add this to the reasons why normal people never use GPG
Edit-2: It took about 25 minutes, but apparently between find / -type f | xargs grep wontfindme and sudo tcpdump -nnn not port 22, I managed to collect enough entropy to keep gpg moving forward.
If the GRND_RANDOM bit is not set, then the /dev/urandom pool
will be used. Unlike using read(2) to fetch data from
/dev/urandom, if the urandom pool has not been sufficiently
initialized, getrandom(2) will block (or return -1 with the
errno set to EAGAIN if the GRND_NONBLOCK bit is set in flags).
Then again, that's probably not important if you interactively launch gpg on a desktop system that wasn't just installed a minute ago or so.
Timer EntropyD  can be extremely handy (as can the audio-entropy gathering)
This sounds like an implementation fail / lazy implementor. GPG shouldn't need more than 32 bytes of entropy (for keying AES-128 and then encrypting a 128-bit block of data repeatedly until you collect enough randomness.)
haveged is an absolute essential for all servers
that means it will block when it estimates that you have "used up" all of the available entropy
you can check how many bits of entropy your kernel thinks are available easily
edit: i should have mentioned that there is some reason to argue against this behaviour but that doesn't change the usefulness of haveged for existing systems
The random(4) manpage is unfortunately exceptionally misleading, and has sadly led to a small but non-zero numbers of products that try to use /dev/random rather than /dev/urandom.
Sadly, gpg --gen-key doesn't even give you this option - but that's (as noted above) another flaw in GPG.
How's about this: rather than a protocol-up rewrite, how about just writing a library-up rewrite? Write a ground-up implementation of (maybe a subset of) RFC 4880, with opinionated choices of default ciphers (a bit like NaCl). Make it a portable library that can be used on all the popular mobile platforms and from all the popular languages. That's a plenty big enough job, and would fix the concrete pain points with GPG without throwing out the good part.
> We could try to slap a GUI on top of it, but I don't believe great products are made that way. Good UX requires thinking about interactions all the way down to the protocol.
What kind of concrete things would have to change at the protocol level? Plenty of good products conform to existing protocol standards, and a crypto protocol that has survived years of use in a hostile environment is worth its weight in gold. The talk of "modern" seems very handwavey as a reason to throw this out.
> GPG has such a small legacy install base (literally on the order of ~50k users), that there's no reason to maintain compatibility with OpenPGP.
I find it hard to believe there are only 50k users given that OpenPGP is built into the package-management infrastructure that every Debian user uses, and is required on Maven Central which virtually every Java system uses. Yes, these aren't people who actively chose it or are even aware that they're using OpenPGP - but protocols are like that; they're infrastructure.
And as for your 50k, that may be a small number but they're the people who really care about privacy. Snowden is among them. If you're trying to spread crypto, those are the last people you want to alienate.
That's what PBP does:
- Code: https://github.com/stef/pbp
- A short (9:03) talk by the author: https://www.youtube.com/watch?v=Kl_gLMef1mI
Sure there is. For one, we were talking about encryption protocols. Those are not encrypted. The one that is encrypted, HTTPS, sucks (the whole CA system). So after Snowden's documents came out I would've expected more people to say "it's time to get rid of HTTPS". That hasn't quite happened yet, and I'm disappointed by that. In case w
As for TCP/IP, again, not encrypted, and they need to be. In case we've forgotten, TCP/IP and HTTP is what made it happen for the Internet to become a giant spy machine. That to me means they are broken.
We need to switch to something like CurveCP, MinimaLT, Noise, etc, that is encrypted by default at the Transport or even the IP layer. If we agree "encrypting all the things needs" to happen, then the current state of TCP/IP and HTTP is horrible, and we're not moving fast enough to replace them.
The fact that we don't yet have a good encrypted by default alternative to TCP/IP and HTTP/S is what will also bring us a world of hurt when the "Internet of Things" arrives in a big way, along with self-driving "smart" cars that can be remotely updated (and hacked).
Transport is the wrong layer to do encryption (much as I'd love to see more adoption of IPSec) because encryption and authentication are inextricably linked. Suppose you can confirm that you're absolutely, veritably talking to 188.8.131.52, and your messages can't be read by anyone but them. What good does that actually do you?
TLS is, despite all the problematic cipher suites, fundamentally sound infrastructure - which is why it hasn't been replaced. The same is true of OpenPGP. We don't need new protocols, just better implementations - an equivalent of LibreSSL for OpenPGP.
In the current post Snowden climate, can't we agree that this is at least a good thing? The good it does at the most basic level is protect your communications from prying eyes.
Yeah, +1 for this. The lack of a proper GPG library is very strange.
I'm in the process of writing a Python program that interfaces with GPG right now, and I was surprised to learn there isn't an official GPG library. The closest thing seems to be GPGMadeEasy , which is an official library wrapper for the interactive program.
Since I need low-level key manipulation (writing out a key with known values), what I've ended up doing is using the BouncyCastle Java library via a separate Java command line program my Python program can call out to. It works, but it's painful.
So, yeah -- what would be the cost/benefit of the project lmm proposes to create a real, portable GPG library? It makes a lot of sense to me.
Almost as important as his crypto expertise, moxie's deep understanding of UX and especially barriers to entry and the network effect have concretely made the world a better place, and not just for people like us...but also (and especially) for people like my mom, my partner, and my (mostly non-programmer) friends. Thank you for understanding that their privacy is important and that their human dignity matters--and especially for meeting them where they are.
As a result, now it's not just my colleagues "in tech"--but also essentially all of my friends and family--who are with you!
And yeah, it's true that some of the Snowden docs reference ZRTP attacks & spoofing voice so it's not necessarily foolproof (or her phone could be owned etc.), but another one of the things my mother told me when I was a kid was "the key is to begin." And that's what moxie's done...
I feel like a lot of the things GPG aims to do are fundamentally hard. It's not the technology that sucks, it's the problem. I completely agree that the answer will come from thinking about user interactions first, but I'm not sure that the solution will look much different than a better GPG client.
I think the problems are solvable, but only if we have a different design approach. So when I see projects trying not-PGP, I'm interested. When I see projects building on PGP, I'm less interested.
This is my feeling as well. To optimize for security and privacy, it seems like it needs to be difficult by design. If it's too easy, it's probably less secure.
I'm not sure if anyone has given it seriuos attempts to make it more user friendly, though? Would be surprised if no one has, there should be a great opportunity here. Escpecially now that it has so much focus.
It's made by the CryptoCat author, so make of that what you will.
Literally the second tweet on their twitter account is 'Damn, it works. Got a lawyer who resisted all other methods to encrypt our comms with @Peerio. Big score for usability. Bravo @kaepora & co.' which kind of bugs me, too.
However, I also (like Moxie) believe PGP is not at the sweet spot. It has too much complexity for the most popular use cases. Thank you Moxie and others who are searching for the sweet spots.
Arguably it was easier to use GPG back then than it is now. Pine was my MUA and I had an easy to find public key. Now I have an iPhone, don't use Linux on my laptop anymore, and make heavy use of messaging products.
Here's what I have now that I didn't have then, 2FA. There's an app on my phone that makes it super easy so I use it. If I had to still carry around a separate RSA code generator I probably wouldn't.
Surely we can figure out a way to make encrypted email nearly transparently easy with the major mail providers, and the default mail apps on our laptops and and phones. Surely we can figure out a way to make a trustworthy distributed keystore.
Perhaps this will all change because before Snowden we were blissfully unaware and GPG was a cool toy unless your life was in real danger, post Snowden we're residents of a vast internet police state and my Mom knows how Target was hacked.
I have a strong suspicion we will figure this out, and soon. I wonder, are VC's are looking into funding easy to use consumer encryption?
Every time I see this in regards to email, I'm puzzled. Carnivore was known about in the 90s. Then there was the AT&T Room 641A in the 200s. So I don't know how people were unaware that state level actors could tap connections and record email.
Second, for this threat model, just forcing and validating TLS on SMTP gets you pretty far, does it not? You're then mostly trusting your email provider. And without trusting them, we get into user-unfriendly stuff like not being able to forget your password. (Barring some sort of breakthrough ideas.)
Seriously, has there been any good proposals that provide strong privacy (say, no one but the user can read the message) but aren't complicated or require users to do things they aren't gonna do: validate keys? PGPFone and ZRTP are great because you already have an "out-of-band" key auth mechanism in place, and it's fairly straightforward to check.
Nobody should trust their email provider if they are concerned about the privacy of their email. The Job To Be Done, by an email provider such as gmail/yahoo/hotmail is to act as a mail store, and mta. A user should be able to rely on a local MUA for confidentiality. Admittedly, that shifts the level of trust from the Email Provider to the provider of the MUA software and the Local Hardware, which is why things like OpenBSD/Linux and (hopefully not firmware-tweaked) commodity hardware is so important.
I'm hoping someone comes up with a breakthrough idea here, something fantastic that enables real privacy with no inconvenience. But in 20 years, there's been essentially zero progress on that front. All proposals either violate Most Users' required features, or boil down to offloading trust to the email provider.
It can be very hard to know whether you have the right public key, especially for people that you know only from online activity. And it's not uncommon to find multiple unrevoked keys, with the same email address.
But check out https://keybase.io/mirimir. You can easily get a GnuPG key that signed proofs in my profile here, on GitHub, and on reddit. Also, the email address in my key is linked to a Gravatar that StackExchange and other sites use. So whoever I am, you can be confident that I control that GnuPG key.
Private keys are obviously an issue, but I don't really get why passwords are considered so important.
I like to use GPG when I can for communicating with people, but most of the things I put on it are less private than what you would get if you got my computer.
I don't think passwords protect you if the attacker can install a keylogger (correct me if I'm wrong), so anyone with hardware access or malware isn't going to be stopped. You are only protecting against people that can read files from your computer but not install hardware/software.
I think for the average user the password provides little extra security while having a high UI cost.
If you had to open an app on your phone at each login you'd get crazy real fast :)
I do like your analogy tho. Digital music is a breeze to buy nowadays. Moxie seems to appear as covertly saying its misguided to donate money to GnuPG so that it finally gets good, because, you know, not-moxie-made.
The.. what was it called? Redphone? Whisper? and various other projects - while very cool - didnt achieve even as much popularity as GnuPG (which in itself is far from greatly useable).
I know of one tech that has a chance right now and thats U2F/Fido. It allows for building a framework (being GnuPG or otherwise) around it that's both secure and works for everyone. Why? Because fucking gmail supports it that why. It has nothing to do with the actual tech. It has to do with support. It has to do with my iphone, android, whatever, working with it seamlessly. It a lot to do with "slapping a GUI" at the right places.
The Axolotl protocol that was created for Whisper System's TextSecure is now used, by default, by Cyanogenmod (10 million users) and the Android version of WhatsApp (more than 500 million installs from the play store).
I'd say Moxie's tech has been pretty widely adopted.
If the only "usable" implementation is on a hard-to-physically-secure mobile device that uses a tonne of different uncontrolled network access points a day -- that's not really an option now, is it?
What, Gmail? Yahoo? They exist only because they can read your plain-text email and serve ads against it. Most people get their email through free webmail providers, who have every reason not to make encryption easy.
If you're referring to GPG's shitty interface, then sure. But how much of that is "1990s crypto" and how much is due to the fact that it's one guy working by himself and barely being able to afford it, for years?
GPG with Linux-levels of support would be an entirely different beast.
edit: oh sorry, are we not allowed to disagree with Big Names™?
Not when it comes to cryptography and HN. Moxie, Collin, and tptacek are the only 3 people that can say anything that isn't mainstream pop-crypto. Anyone that dares to disagree with them is clearly wrong and must be punished with downvotes.
Should random software engineers experimenting with crypto claim that they've created a software package worthy of being used by dissidents and whistleblowers?
But should we be discouraging random software engineers from experimenting with crypto, and starting open source projects that may gain steam...and eventually, after years of use and audits, gain the standing and reputation to be used by dissidents and whistleblowers?
Again, absolutely not.
I know you said there's no unifying theme to these emails, but can you elaborate? Maybe something about security-obssessed lay people using GPG to send the most trivial of emails? Or something else entirely?
I know stereotypes often treat people unfairly, but the kind of person who has the dedication required to use PGP seems, to me, to often coincide with the people who find fault with everyone who hasn't had the dedication or focus to learn sophisticated software techniques.
And, if I were Moxie, that would be a source of constant frustration to me. The very people who have the ability to make things better -at best- don't empathize with the people they could help, and at worst harbor a bit of contempt for them.
Considering Moxie seems to be dedicating a large part of his life's work to helping average people, I believe the attitude I described could play foil to the inspirational messages he also receives. But I don't pretend to know him or anything.
You may say that, but after the "we specifically work to make TextSecure impossible without Google Play because using Android without google is 'going back to the old broken desktop security model'" thing, I'm not convinced.
I'm sure moxie is good with crypto, but sadly, he's on different side of war on general purpose computers than I am. He's on the side of walled gardens and limits what can you do on your own device, and I can't accept that.
EDIT: and of course he would spit on GPG. For moxie, GPG is competition.
"Way to take a dump on people who make an effort."
Which says something about the downvoters.
... just like Windows users ;)
'People who use Windows do not have both the intelligence not to desire it and the power to do as they wish.'
GPG is a terrible UX. Accidental use of GPG tends to fail open, and insecurity results. Futzing with different keys, rotating them, retracting them, etc, are grievous. I can't reencrypt old stuff to new stuff (e.g., a pw database) without spending a good deal of time thinking about attacks, file safety, etc.
I'm really a distributed encrypted email fan, I guess. I want to securely communicate over email to my friends and family, without having to do the GPG dance.
Every Linux distribution signs packages with it. So that's at least 100M users right there. Several APIs regarding domain name and AS registrations is based on it. I know at least two financial systems that signs their messages with it. That's just mentioning a few I can think of right now. I'm sure it secures a lot lot more. It's used all over the place and it seems to do the job fairly well in most cases.
Is it suitable for signing email in 2015? I don't know. Things could certainly be improved. I know there are more suitable schemes for IM communciation. But the software and the underlying protocol is not something you can break in a heartbeat. It's important software.
Perhaps we need to speak more of the evolving use case in email?
The fact that GPG is used for other things is fine, as it will still exist and can still be used for those things.
The difference being, its worse to make a mistake using GPG than it is to make a mistake using most other programs. In the end, you are securing confidential information, which will always be hard, unnerving and require concentration and care. And this is just inherent to the task, which is fighting an undefined, super-powerful, ill-meaning enemy.
Encryption is violence. The objective is to violently keep an enemy away from your jewels. Instead of using an armed guard at your door, you use mathematical forces which are impossible for your enemy to overcome. Imagine your enemy needs the cleartext to save his own life, how does he feel when he is denied access and unable to gain access? It doesn't matter if its a steel door or a block-cipher.
What people are essentially demanding when they want "easy to use crypto" is a self-firing and self-aiming rifle with friendly-fire detection. "Keep all my adversaries away but don't bother me about it."
That's not how conflict works. If you attempt to secure your communications from a state actor, you are engaging in a full-blown combat against one of the most deadly forces there can be. That conflict will always be demanding and unpleasant. GPG being "hard to use" will be the least of your problems.
But no, we want everything for free. Protecting yourself against the overlords should be easy and painless, almost automatic. The defendant shouldn't have to learn how his defense works or how to properly use it.
EDIT: And what I find unnerving about your post is, suddenly the people who put in the effort to use GPG are the bad guys? The 0.1% who actually take privacy seriously enough to go through the the trouble? Don't get me wrong, I almost never use GPG, not because it's hard to use (M-x epa-encrypt-region, anyone?), but because I don't want to experience the emotional distress related to struggling with a super-powered state.
OTR is much more successful because it allows ad-hoc connections instead of trying to make authenticity guarantees. It encourages authentication, but the decision of when to invest that extra effort is left with the user. Fundamentally, OTR just offers privacy from eavesdroppers, and it does that well. Every other feature is extra. Even better, these new features (e.g. authentication) don't have to start from nothing. A big benefit of separating features is that is added later can leverage the existing infrastructure.
I personally believe the "killer crypto app" that will actually be adopted is a tool that is the opposite of OTR. It should only promise ad-hoc authenticates and do it in an generic style. I mean something that is somewhere between "gpg --clearsign" and 2channel/4chan style tripcodes. In an ideal world, this needs to have a clearsign-style mode, so it can be used on existing forums. If the browser simply offers a "sign this" button next to textareas (no password, auto-gen they key and stuff it on a keyserver, just make it happen), it will be used. On the decode side, any blocks of text the browser sees that look like a signature get check, with the key pinned. That's it. Any features that allow nicer integration with email, forum software, etc, are nice but optional.
This provides a minimum, anonymous level authentication (forgery prevention), and the only UX the user should have to see is the "sign this" button and a loud "possible forgery" warning if a signature doesn't match the pinned key. It even works regardless of who is transporting the message (different websites, email, gopher, avian carriers) without needing an "identify provider". Upgrading this infrastructure of pinned keys into something more interesting can happen later on, if desired.
Would this work? I believe it's worth trying. It is clear that trying to solve all of the security needs in a single tool has not worked, and the one tool that got any adoption at all (OTR) has a much more narrow set of goals.
[[SECURE_CONTENT firstname.lastname@example.org -> email@example.com
For simplicity the registry will do email validation of its' users, it should issue a SALT so that PBKDFx(SALT + email + passphrase) is used to generate the private key... the public key is stored in the registry.
For more control, a given service entry in dns for peer-crypt registry for the given domain can be set as an authority. A distributed system could be used for confirming tokens combined with DNSSEC as a control system for greater availability.
There are flaws with this idea, but it could be something that can be made insanely easy to use, as well as adding a lot of security to email transmission without creating an all new infrastructure, only adding services on top of what exists.
For power users, they could set the public key without salt in the registries, if they wanted to manage their own, instead of relying on the generation mechanism, or to use/keep the same key across different addresses/providers.
Well, that's the issue, right? How does it do this?
What do you think of the Dark Mail effort? And of Pond?
I'm right there with you on that one. So is most of HN I imagine.
But the Apple ][ really brought the PC home for so many more people than it's competitors purely because of it's relatively simple GUI.
Command prompts scare the average user.
I guess that's why I will always be a C=> fan.
Public awareness of privacy especially wrt mass government surveillance, identity theft and high profile corporate breaches seems that such an thing is ripe.
I am naively optimistic given the right implementation a consortium of stakeholders could do something meaningful.
Secure communication is as much a cultural change as a technological one.
There is also the cultural issue of just exchanging fingerprints. Only techies put them on business cards, and even then only some. It needs to be common action.
Another approach for verification is employed by Threema : The server verifies email addresses and phone numbers, so if the address or number is in your contacts you can have more confidence, represented by an orange dot next to the contact. If you verify the fingerprint by scanning QR codes, you get a green dot.
About fingerprints for the masses: I really like the visual fingerprints Peerio is using (basically bigger Github-style generated avatar icons).
Agreed 100%. I just don't have anything to offer in this space :(
It's not that I don't care about privacy, I very much do, and my friends care as well (to a slightly lesser extent I would say and I'm willing to accept more to get to that point than they are). It's just that I am completely overwhelmed, only 1-2 of my friends even understand encryption at a high level and none of them expose private keys for communication. Even other developers I worked with got annoyed with OTR with adium/pidgin to the point I had to turn it off. It's not that I want to throw in the towel, I desperately want a solution, but even easy to use (what I'm looking for) "secure" communication tools get torn to shreds here on HN and so I haven't even considered trying to get them all to switch tools (even I thought it was possible, which I don't).
I guess what I'm trying to say is I'm not going to stop talking to my friends and my friends more or less refuse (due to complexity) to use encryption so what is the purpose of me even trying? The end result would be what? Maybe 1-2 people with which I can talk securely? Now I have to have 2 workflows and even if I have super-secure unique PW's, FDE (Full Disk Encryption, which I do use), and take steps to secure all MY data all of my friends are essentially leaking my data. So if the NSA/FBI/China/Hacker/etc want my communications they can just go after the weakest link, the people I talk to. It's very disheartening to say the very least.
I've considered blogging about this a number of times but didn't want to get destroyed here on HN (if I even posted it here, I probably wouldn't due to backlash) for being defeatist or get told how I am the problem. I am not a cryptographer and therefore am not qualified to even attempt to build secure software (if I even thought I was capable of coding up such a project). Even the tools that are easy to use that DO use tried and true encryption (Like PGP gmail/chrome extension, that's all well and good but what if I'm on mobile? Or on a friends computer? It's just too restrictive) are locked to a an OS/Browser/Device. I really do understand I'm asking for quite a lot (Cross-platform AND cross-device) but without those "features" there is no way I could get my peers to switch.
I'd love to have someone reply with how wrong I am how there is X tool/product/service that satisfies my requirements but I've searched high and low so I don't expect such a reply...
What's your ideal vision of what end-to-end encryption for the common (wo)man should look like other than "not GPG"?
Two questions whose answers are nonexistent in your article.
> the working hypothesis for privacy enhancing technology was simple: we’d develop really flexible power tools for ourselves, and then teach everyone to be like us... Instead of developing opinionated software with a simple interface, GPG was written to be as powerful and flexible as possible. It’s up to the user whether the underlying cipher is SERPENT or IDEA or TwoFish
I think it's self-explanatory why it's not good that users need to know about SERPENT, IDEA, and TwoFish.
> the fundamental architecture of PGP also leaves no room for now critical concepts like forward secrecy.
> a ballooning penumbra of OpenPGP specifications and notes so prolific that the entire picture is almost impossible to grasp... Mailpile had to write 1400 lines of python code just to interface with a native GnuPG installation for basic operations, and it still isn’t rock solid.
> journalists who depend on it struggle with it and often mess up (“I send you the private key to communicate privately, right?”)
UX failure leads to user uncertainty or insecure behavior.
What a better replacement looks like (from the comment here):
> Good UX requires thinking about interactions all the way down to the protocol.
> we can start fresh with modern cryptography, a modern protocol, and a modern design philosophy
Would a ground-up rewrite of OpenPGP have PFS? Of course. Is the functionality important enough to justify a new protocol? Not on its own, IMO.
I'd say user uncertainty and insecure behavior are, each, sufficient criteria to declare a UX a failure.
The second question, however, still isn't adequately answered; "we should be thinking about interactions" and "we should use modern things" are two of the most vague answers possible.
> The frustrating and ironic thing about GPG is that even experts make mistakes with it. Even, as it turns out, Edward Snowden.
> I now had Poitras’ permission to send Snowden her encryption key, but in his first email to me, Snowden had forgotten to attach his key, which meant I could not encrypt my response. I had to send him an unencrypted email asking for his key first.
I don't open a link to Paul Graham's site to read "Shit's bad, guys, and here are some fairly shallow reasons why I feel I can make that statement". I go there to read something that's been thought out by someone 'in the know'. Same goes for when your name is on a post about crypto. This was just whining.
That may be totally acceptable to you, but I don't think I'm alone in expecting more than just an opinion.
In any case, your point still stands, generally speaking.
Go generate a revocation certificate and push it to the global pool. You'll stop getting those disappointing emails.
But seriously, go build something better. I fucking dare you. We'd all be better off for it if you really did.
That's very marketingish of you. Why not fix GnuPG instead? There's more than slapping GUIs to things!
Also, where is your 50K user base number from? According to my SKS keyserver traffic, it's much greater, even if i were to assume 50% of the traffic is non-human.. what the fuck happened to you man?
Also, if it's well done - I'm not against something different from GnuPG. I just disagree with the argument.
Which leads to this question:
which product are you going to announce in 6mo that would be so much better?
To be fair, at least Whisper Systems and the Guardian Project are doing great work to try to make encryption in various implementations work better for the average user. And let's be fair, groups like these and the LiberationTech community runs on a shoestring in comparison to even one large commercial tool.
GPG key ID is automatically inserted into contacts https://code.google.com/p/googlecl/ so when the user deletes a contact the script reads the KeyID and removes it from the keyring as well. It had to be Google contacts it wasn't my decision. Nobody wanted to change their mail app workflow and they couldn't figure out gpgtools/gpg suite so this poor scheme was devised but it works.
The janky part comes when the script checks mail console logs to detect no connection errors when users req to fetch new mail (and suppress popup notifications of this) so they don't have to push a second button to do it outside set intervals that fetch automatically. For some reason it was important that no other buttons existed to fetch new mail. There's probably a Claws Mail plugin that can be written to accomplish all this too if users were willing to switch apps, mutt will do most of it automatically and can be abstracted to make it invisible, or script OpenSMTPD to do this.
It is largely a success in verifying the identities of the software developers. The entire Debian ecosystem relies on GPG in largely successful ways.
Peter Todd suggests that PGP drop encrypted communications as a goal and focus only on identity and authentication. It appears the PGP just can't be bootstrapped into modernity from a communication point of view. The only major innovation in authentication and identity has been threshold signatures which GPG could support.
Identity and authentication are the biggest reason that PGP hasn't caught on with non-technical users - the web-of-trust is necessary to do distributed identity and authentication properly (under the current model), and the importance of out-of-band verification can be hard to explain. Authentication (as opposed to authorization) is hard, even without factoring in state adversaries.
The fact that the web-of-trust hasn't succeeded doesn't mean that another model won't, but I don't think it makes sense for PGP to throw out the one goal it already does incredibly well (securing communications) in order to focus on the biggest problem we haven't been able to solve in 20 years.
Imagining a world where the web-of-trust was succesful is not hard. It starts with everyone using Outlook instead of gmail. Then imagine Outlook having PGP support builtin. Then imagine in the contacts list, every contact was marked with a color, red, yellow green.
Whenever sending an e-mail to a red contact, Outlook would display a small one liner on top of the compose box "There is no identity information about the contact you are sending an e-mail to". (it doesn't matter that no one knows what that means, it's just a small nag that people understand is negative)
Whenever sending an e-mail to a yellow contact, Outlook would display the following nag line: "You have not verified the identity of the contact you're sending an e-mail to. Click here to resolve".
When the user clicks the line, they'll be asked to call the contact on the phone, or meet with them in person and ask them to compare keys. (Perhaps aided with some fancy tech like NFC or whatever)
Will people ignore the nag line? Yes. Will people click through the dialogs to resolve the nag line without actually verifying? Yes. Does that matter? Not as much as crypto-purists would have you believe.
There's always that uncle, niece or colleague that's going to be anal about it anyway. And if the web of trust is big enough, and the devices enabling the web are communicating, it will be very easy for the web to self-heal whenever corruption arises. Just imagine if whenever someone who purports to be your aunt sends you an e-mail, and your e-mail client automatically checks the key with everyone elses in your family.
The only reason the web-of-trust doesn't work is because it was never adopted and made usable by the important software developers. And that never happened because not enough people cared.
SPKI & SDSI had a different model: rather than trust people to tell you who someone is, one trusts them to tell you who they think they are. That is, rather than me verifying that key 0xDEADBEEF belongs to the individual known to the town council of Lower Shroppington as 'William Morris' (which is inherently fragile: I may not be an expert at verifying identity documents, or at verifying those issued by Lower Shroppington; the individual before me might have a document issued by Lower Shroppington deliberately to mislead me; heck, who is the real William Morris: there could be more than one), I would just verify that this is the individual I call William Morris, and let you make use of that as you may. If Lower Shroppington wanted to, they could issue a certificate stating that they call him William Morris too.
It was a really smart way of doing things.
How might it fit into a modern email infrastructure? Easy! example.com could use key 0xBADDA451 use certify that firstname.lastname@example.org belongs to the keyholder of the key 0xC0FFEEBA; .com could use key 0xFEEDBAC7 to certify that example.com belongs to 0xBADDA451; the root domain could use key 0x55378008 to certify that .com belongs to 0xFEEDBAC7; IANA could certify the ownership of the root domain; the ICANN board could certify the current IANA key; the previous ICANN board could certify the current ICANN board, and so forth.
What would you see in Outlook or Gmail? Your agent would display that the claimed sender email is valid. It might also try to find some path connecting you & good ol' Bill Morris, then show you that your buddy Steve's ex girlfriend Wilhelmina says that key belongs to Billy Morris.
Interestingly, this could even work for an email legitimately sent on William's behalf. All a normal user would care about is, 'this email is legit' (for some value of); us geeks could geek out as we wished.
In the end a tree-of-trust rests on the fact that you trust the manufacturer of your laptop that they put trustworthy certificates there so you could verify the roots.
We're seeing the major browsers now turning that tree-of-trust into a web-of-trust by cross referencing domain certificates to see if there are duplicates or other shady things going on.
> In the end a tree-of-trust rests on the fact that you trust the manufacturer of your laptop that they put trustworthy certificates there so you could verify the roots.
For hostname and IP address ownership, there is a central authority: ICANN. The problem with the CA model is that someone other than ICANN can lie about who owns a hostname. As for the ICANN roots, those should be publicly known and verified in the same way that any information is publicly known and verified (ultimately, it comes down to verification).
The problem with ICANN being a central authority is that knowing that I'm talking to the legitimate owner of 'apple.com' tells me nothing. It could be Apple Records or an apple farm or a guy who just really likes Apples for all I know. The CA system uses a ridiculously expensive, painful process to do ICANN's job for it, and still doesn't provide me the guarantees I need in order to do business online.
With respect to email, I can use a tree-of-trust system to guarantee that I can send email to the legitimate owner of an email account, but I cannot guarantee that said legitimate owner is the person I think it is (after all, ICANN in a very real sense owns the Internet, and could transfer anything to anyone). If I wish to, I could use an SPKI/SDSI system to ensure that I'm sending a message to the person who the person who the person who I think is Jim thinks is Sally thinks is Bill.
Which, really, is the only way trust can work anyway. What does anyone know other than what he has heard from others?
Step 1: the UI will be a mixture of meaningless and annoying to users, causing them to ignore and misuse it
Step 2: mumble mumble... self-healing corruption
Step 3: the only reason this hasn't succeeded is that people didn't care enough
It's exactly those parts in step 2 where I've historically fallen off of the WoT story. What does the UI do when my nontechnical friend has marked my key but his dad has marked it as untrusted? What happens when I lose my phone with my keys on it? How do we not end up in a situation where users see big scary warnings all the time constantly and they just learn to ignore them?
Every tool in this space suffers from the choices PGP implementations have made and asking what your uncle would do if trust conflicts occured when he's going to first be asked if he wants an RSA/RSA, RSA/DSA, DSA sign-only, or RSA sign-only key before he gets there, and then have to figure out what keyserver to send to and then....
Answering these high level UX questions requires having actual users.
The system might send you an e-mail if someone casts doubt over the trustworthiness of a key. If you lose your phone with your keys, they're gone, just like when you lose your keys.
I never said big scary warnings. Just small reminders that what's happening isn't secure, like the green bar in your browser. Most of the time harmless, but informative when you need it.
My opinion is basically GPG for identity and Axolotl for comms.
I like how they wanted to completely remove identifying info and similar signature schemes from signify http://www.tedunangst.com/flak/post/signify
The most sensitive use case for GPG has to be sending correspondence that, if decrypted, could put you in severe physical danger. If the choice is between life and death, relative freedom or torture in some black site dungeon, the choice is clear. Using GPG is preferable to death or torture.
This doesn't exactly seem like a ringing endorsement, but if these are the stakes, then you are probably willing to read the equivalent of 40% of Fahrenheit 451 to be secure. You are probably willing to learn to practice good opsec.
It would be fantastic if GPG were displaced by something equally trustworthy and secure, but more user-friendly, and I look forward to the day that happens. But I think that GPG is the best we have, and we should be appreciative of that.
I think a lot of engineers make the mistake that regular people will be so won over by a new technology that they'll learn it as well as the engineers do. That isn't how it works. So far we still haven't gotten regular people to learn programming, though more people program than ever before.
Humans like simple. This is not a flaw. Software can do anything, and it is written for us. We should not have to learn a bunch of arcane commands, skills, and concepts unless there is no technical way around this.
Ideal encryption would have a quick initial setup, and then each message would have a sticky button for "encrypt?". Then whatever is required in the backend does what it needs to do.
Complex software that gets the job done is much, much worse than simple software that gets the job done. Unless things get so oversimplified that there is no way to verify correct operation. I agree that people need to learn about encryption, but there's a middle ground between no knowledge and knowing enough about it to use GPG.
You cannot expect to avail of the benefits of crypto without taking some time to understand how different protocols work, how public key vs symmetric key crypto works, etc.
I agree that the situation could be much better than it currently is, but people can't expect to be given everything for free; there mist be some effort from the other side, which I don't see happening today, especially with the widespread disregard for mathematics in the general public.
We could have an open source crypto program with a set of basic modes for use. Maybe "mode 3" is good for basic interaction, while "mode 5" is recommended for whistleblowers but requires another step in the physical world, while modes 1 and 2 are deprecated because they were discovered to be vulnerable or weak.
The above is stuff a regular person can understand. Do they need to know how these modes work? Well, they need to know what input is required, but they don't really need to know how it works behind the scenes if they trust someone else to recommend the basic modes. Then it must certainly be possible to write software that walked a user through how to complete the required information. It could say "plug in your secure USB key now", then "type in your passphrase" and then "remove USB key to continue".
Really, I think engineers have a hard time seeing how easy we could make things. Yes that would all take a ground up rewrite and open source projects don't do well with that. Yes it would be easier if people would just learn, but that's a fantasy and we should understand that.
It must be possible to make a secure communications "wizard". Disregard for mathematics has nothing to do with it. People want to know what to do and they want to use as few steps as possible. Installing a handful of command line utilities and remembering a bunch of commands isn't the answer. One program with a simple graphical interface must be possible.
See also "deanonymizing alt.anonymous.messages"
That's what I call faint praise.
Seems like a meager price to ensure another 70 years of life.
That's something you say while building it, so that you get something working built instead of debating what should built, or instead of adding so much stuff that you never finish. It's not something you say to discourage people from improving something that's already shipped.
In order for GPG (or its replacement) to fulfill the dream, it needs to be the norm rather than the exception. There are some companies who could prod things in that direction. GPG acting alone is absolutely not the future.
Besides, the cryptography isn't even very good. There is no forward secrecy, for example. I believe that email has to change at the protocol level in order to fulfill the promise that GPG (PGP) makes. And with so many interested in preventing the security of email, well, it seems like secure email is a dead end. And that's a real shame, because I love the idea of being able to securely send a message between two people on the Internet, using open source software and without trusting any intermediates.
What's fun: using ssh might be similar.
This is an interesting case where a barrier to entry makes discourse less valuable. Perhaps the barrier makes people feel like they have to prepare a short speech in order to make the effort worthwhile. I certainly would rather converse with most people than listen to one minute speeches from them.
"People like myself for twenty years and nothing to sell."
GPG is just one guy. Who's practically beggared himself writing and maintaining the tool.
GPG is actually used by human rights activists, journalists etc. That, right there, is reason enough to celebrate it and NOT "kill it off".
I think the massive pile-on this is creating is really dumb, to be honest. So Moxie thinks it could be done better; that's great. He's good enough that he can "show, not tell".
Why waste time denigrating a project that's basically a labour of love for one guy that is actually tremendously important, even if it's "90's technology"? Old doesn't necessarily mean bad.
In the world of crypto, where we've learned so much, yes old means bad. Almost always.
Why denigrate GPG? Unfortunately, because the message that it's not good isn't being widely heard.
How many NEW crypto projects are being created that start out by saying, "first we will use GPG"? I've seen lots. OK, you failed right there, right at the start. Don't do that.
How many crypto geeks STILL spout rubbish about how the PKI is totally busted and the web of trust is the future? Way too many. WoT is sort of like the year of desktop Linux by now. It's just a bad joke that too many people won't let go of.
The most serious and effective applied cryptographers I know about are all ignoring GPG and rolling new modern crypto protocols. I feel the same way as Moxie - if you build a product based on GPG then almost immediately you are less interesting than a project that's doing something new.
And FWIW I have the same sinking feeling when I get a GPG encrypted email. Sometimes I don't read it immediately, I put it off. Sometimes I have to put it off because I'm not near my laptop. And when I decrypt it, inevitably I discover that I could have guessed the contents of the mail from the subject line and identity of the sender. The encryption was largely pointless to begin with.
The future of encrypted messaging is not GPG. We need to collectively let it go.
It's not about activists and journalists being (more or less) able to use GPG; it's about the fact that nobody who doesn't face as deadly a risk as them would bother to use GPG.
I didn't feel any denigration reading him; rather, the statement that:
* We have new crypto needs, in wake of revelations such as Snowden's;
* GPG isn't an adequate answer to those needs, and isn't likely to evolve into one;
* Tech people don't realize that GPG is unlikely to morph into an adequate solution, and therefore don't bother starting an alternative.
Finally, I believe that a successful answer would rely on excellent UX and PR at least as much as sound crypto. I'm not aware that Moxie is an expert in these fields (although he might have more talents than I know), so it's not obvious that he's in a position of showing rather than telling.
PGP is impossible for many people to use correctly. That means there is a bunch of -- often insecure -- software to fill the gap.
So the people who really need PGP/GPG have to struggle to use it and don't know if they've managed it or they use some other software instead that probably doesn't protect them.
If GnuPG provided a real API, then there would be hope, because the actual OpenPGP specification isn't that bad if you only implement and use the bare-minimum features.
This is one of the reasons my company developed support to deal with PGP signatures directly in PostgreSQL, without using GnuPG: https://github.com/trustly/bankapi/tree/master/debian/postgr...
It's a bit funny it's now actually safer/better/easier to use PostgreSQL instead of GnuPG if you are developing an application which uses PGP, as your only option is to pass input to the gpg executable and regex it's output, which is hackish and not suitable for production purposes.
Sending encrypted/signed e-mail with GPG isn't hard when you're using things like Enigmail. Maybe the GUI could be a little friendlier, I don't know, but the encryption part isn't hard. Key management, now that's hard. Not just in terms of usage, but in terms of explaining it to new users.
On the one hand, both parties need to somehow exchange keys before they can communicate in a secure fashion. Doing this is hard, and if done wrong can leave you vulnerable to attack. That's why we verify key fingerprints. If there's an easy way to make this painless, I don't know it. Central authorities like what we've got with TLS/HTTPS are obviously a steaming pile of shite. Decentralized (like GPG) are difficult for users. What else is there? I don't know.
>the email was written by someone who would voluntarily use GPG.
>There just seems to be something particular about people who try GPG and conclude that it’s a realistic path to introducing private communication in their lives for casual correspondence with strangers.
Is it just me or is the implication here that anybody who uses PGP is usually a kook of some kind?
That's pretty much what I meant, clearly somebody didn't like me bringing it up. I wonder why. I have to use PGP every day for my job, I don't feel like a paranoid/obsessive, so I resent the implication a little bit. It's a clunky piece of software, but it hasn't caused me nearly as much suffering as Lotus Notes.
And with respect to the PGP-user / character link.. this is just beyond stupidity.
First of all, if he receives an encrypted email from a stranger, this is because he has a GPG key, too. So that stranger had every reason to assume that he's also a "GPG tinfoil hat".
Sarcasm aside, using GPG for minor stuff is not about paranoia, but about protecting minorities! This includes discriminated minorities as well as whistleblowers, investigative journalists, and so on. I for myself may not need that level of protection, but others do. Maybe even the stranger I'm writing to. The more encrypted communication we have, the less minorities spike out who really need that protection.
So encrypting everything is not "I fear", but a political statement. And that political statement is simply "I want encryption to become the norm rather than the exception, to protect minorities".
I've been in and out of the "GPG everything!" group over the years, and I definitely agree that GPG is a pain to use. I always figured this was because of the lack of proper frontends, and was hoping for the major influx of funding a couple weeks back would help it make progress in usability and infrastructure, but Moxie says that it's obsolete at its core.
But if we're to replace it, the replacement has to not only be at least as secure, but also standardized and embeddable. A webapp or Chrome extension (which Google's End-to-End is) won't make the cut.
Sure, you'll never actually tell someone this, but it's short enough to copy/paste.
I was talking about EdDSA.
There's nothing special about EdDSA compared to other digital signature schemes.
EDIT: Oh, I realize you were saying that ECC allows much shorter public keys than most signature schemes.
"introducing private communication(...) for casual correspondence with strangers."
It's obvious that author prefers his chat for that. Still there are scenarios where the GPG wins over chat. But it's also true, most people would make serious errors if they'd try to use GPG.
Recently signed up for keybase to check it out. Read critiques (mostly negative) but jumped in anyway as I am hungry for something like it. I do not have a deep grasp of the arguments but I see the 'lipstick on a pig' criticism of slapping a gui on an aging infrastructure.
The practical problem with keybase for me is finding people to test it out with. I've added folks who don't know me and my friends couldn't care less.
There is a blindspot for me - I use ssh and rsa on a daily basis, many times a day. I do not know what I would do if I has to switch to something else. I do not know how to evaluate security options and know to know one is better than another.
We have very good infosec people in my company and have a standing weekly meeting to vet my sysops doings.
In any event will check out Whisper Systems and keep refreshing this discussion...
Interested in testing it out with me?
-----BEGIN PGP MESSAGE-----
Version: Keybase OpenPGP v2.0.7
-----END PGP MESSAGE-----
Sure, every once in a while you have good security luck out and land a great designer (TextSecure), but that's extremely rare. The vast majority of security teams don't value design as much as security because they don't have the incentive to.
So how do we fix the incentives? Can we? Should we?
I'm going to throw down a gauntlet: encryption design that doesn't start with designing for the human users is already fundamentally broken. Why? Because it cannot represent a solid system. This isn't machines in the Matrix talking to one another: the needs of the human users are the only thing that matters.
Combine that with the past few decades of experience in software encryption systems, and we realize that this is hard to achieve. The non-adoption and misuse of GPG that Moxie speaks of, the train-wreck of passwords, and so on. It really feels like we've hit a wall, where there are no significant gains to be had unless these design problems are taken seriously. "Perfect" cryptosystems that have major real-world usability flaws are in fact worthless. Implementing new systems of this kind is a waste of effort and a disservice to everyone who vitally needs the services of a robust encryption infrastructure.
I view the current state of security in applications a a result of two forces:
1) The human dynamics of the roles involved: The disciplines of security and user interface design overlap very infrequently, and very rarely done alongside one another, collaboratively; one always tends to drive the other. For user-friendly and secure communication software to be written in an open source environment, too many stars have to align.
2) The market value of data: Software which can be monitored, and data of its users aggregated, analyzed, acted upon, and sold is more lucrative than making something which is truly secure, even from the authors.
I believe usable encryption is possible, but I don't expect it to come from grassroots open source efforts, nor from the big market players. If anyone, I expect to see it come a collaboration between large non-profits (such as Mozilla, EFF), and universities. In the current environment, they're one of the few with sufficient resources, organization, and motivation to get it done.
Can we just declare a flag day and switch to TextSecure?
1. there are full-featured native clients for computers that aren't smartphones
2. it works with anonymous accounts, without needing a phone number
3. federation is open
Right now, TextSecure can't even fully replace OTR (for secure IMs), let alone GPG (for email <- real work).
Software that thinks it knows my use case better than I do is wrong.
One is reop (https://github.com/tedu/reop). The cryptography is done by libsodium and it is well-written.
Another is NetPGP (http://www.netpgp.com/). The cryptography is done by the OpenPGP SDK. The NetPGP code is well-written but the OpenPGP SDK code looks like OpenSSL.
Both are promising and deserve everyone's support.
I see the section on not supporting key revocation at all and it worries me, because it seems to me there should be some way to do so. But perhaps the key here is that this particular tool is not trying to solve the key distribution problem, which is a whole other kettle of fish? It is possible that PGP fails partly because it tries to do both.
But that does mean that a solution still needs to be found for that problem, even if you switch to reop.
I wouldn't be surprised to learn that intelligence services sabotage open source crypto projects by helping turning their codebase into an arcane mess, which scares away the million eyeballs which are supposed to make bugs shallow.
I've worked on OpenSSL quite a long time ago; I thought they kept it so messy in order to sell their expertise through consulting. At that time, only tinfoil hat folks would have believed that spooks would spend millions sabotaging everything and anything crypto-related... Now I believe that infiltrating open-source SSL / TLS / PGP developper communities is at least as strong a priority as infiltrating terrorist communities for them, so I'm utterly convinced they're trying, and I'd rather bet they succeed.
GPG may be a failure, but HTTPS is not.
The trouble, however, does not start with the lack of UI design, or other impracticalities - for me it starts with the platform I choose to run a PGP type of software on.
Would you trust your Iphone, Android, Microsoft/Linux/iOS/Lenovo/Dell/et cetera computer with "really sensitive, mission critical" data?
"The paranoid will survive" is a good sentence to remember. So I better install that PGP-etc on a offline unit and decrypt encrypt my messages there.
That could be taken as a starting point for how to make things more smooth for users.
Also, to be fair, it's used widely by many infosec researchers/vendors/IC folks who know how it's done.
I'm not sure if this is what you're asking, but Debian developers are required to have their keys signed by a number of other Debian developers. So there is a comprehensive web of trust amongst them.
You can get the entire set of public keys from the "debian-keyring" package, assuming you trust your OS (and you use Debian or a derivative). And if you want to be signed into the strong set, find and ask a Debian developer (you probably have one reasonably local to you).
For the future - progress does not come from just line of development, there needs to be many many experiments before we get good crypto. We need better UIs, and we also need many infrastructure improvements. I have not looked at the protocol itself - but it being flexible and having too many options is not really a problem - it is needed for the other layers built upon it to have space for experimentation. But the PGP related libs are really not good. I had once an idea for a Web of Trust related website - and I found out that there is no way to for example verify a signature without loading a full key-ring, that is loading all unrelated keys into the memory just to build the data structure used by the library. This is just one case - but it supports the thesis that the libs are a fossil from the last century. If we want better end user tools we need to give better libs for programmers to start the experiments.
I've been using Claws Mail for the past few months. It's simple, fast and stable, and GPG support is fine. That's all I need. It sucks for reading and writing HTML emails, but I'm okay with that. Parts of the UI are still rough (e.g. the main window isn't responsive while the "sending" dialog is open), but it's less worse than Evolution.
We need entry-level e-mail clients to have GPG/PGP built in. Your post highlights the need to select a client which is why GPG/PGP has a niche user-base who send dull e-mail to Internet Celebrities who happen to share public keys. I mean my parents e-mail client, which would naturally be the default for their operating system (yes, Windows Live Mail), should have in-built GPG/PGP capability and the address book should auto encrypt any messages to me with the public key in my "contact" info, and decrypt any from me with their private key which is created and stored without them even realizing (as SSH does). It's hard to select an e-mail client anyway, but convincing my parents to select an e-mail client and/or plug-in, isn't going to happen.
I've been puzzled why fat clients traditionally have S/MIME built in, but certificates are complex to obtain, and don't have GPG/PGP with easy to create keys.
Strong crypto for emails has to work like https does for web browsing. Picture if people had to use some command line tool to generate and keep keys in order to do online shopping in their web browser. Compared to just using a (any) browser with https built in.
The amount of people that would want to use some native desktop email client for ALL their email work is likely even smaller than the number that use GPG today! If I couldn't read my email on my phone or on any computer it would have lost most of its value already.
While I really enjoy reading and sending encrypted emails, and think it's far better than sending sensitive data in the clear, I am surprised to learn that there are people who use PGP and don't hate it or have issues with it.
Enigmail is good though.
Based on that statement, "good enough" is "good enough" relative to the value of what is being protected. From my personal experience, while difficult for use by ordinary users, GPG has proven "good enough" (if not better) for most common business/organizational/personal uses.
That is not to say, that a better alternative/increased ease of use is not possible. Better alternatives are always possible (possibly hard), but it seems such an alternative has not yet presented itself. This leads me to believe that this is in fact an ongoing market and worldwide opportunity for those who have the skills to make alternatives real.
I don't understand why. Did I glance over it, or is it not in the article?
When I receive GPG encrypted email, I only have to enter my password and it gets decrypted. Simple as that. Same as when starting me email client, then too I have to enter a password to decrypt the login for the server. It takes only a moment really.
I don't receive that much email from strangers anyway, but the times I get GPG encrypted email from a stranger it's never spam, so it's surely worth the approximately three seconds to enter that password.
(For the curious, I use Thunderbird with Enigmail and kgpg as front-end to GnuPG.)
Some tasks require understanding. This is one of those tasks.
"Mailpile had to write 1400 lines of python code just to interface with a native GnuPG installation for basic operations, and it still isn’t rock solid."
> Okay, since you want to play in the same league as OpenPGP: where can I find the RFC describing TextSecure? How many independent implementations of the TextSecure protocol currently exist?
You can find the protocol on github.
That could be fixed with a simple terminology change, call it the "secret" key rather than the "private" key.
ok. what's moxie selling next?
And given that nowadays Green seems completely consumed by twitter while Moxie believes in fixing whatsapp, I wouldn't hold my breath.
Edit. Matthew Green?