wire.less.dk

wireless networking, free software, solar power

The recent PGP/GnuPG debate – some thoughts

Posted on | April 17, 2015 | No Comments

It is a bit ironic:

In the wake of the Snowden revelations, only a very few security and encryption technologies were found to still be trusted and uncrackable
(from all we know today).

One of these technologies is

PGP

Side note: The terms “OpenPGP”, “PGP”, and “GnuPG / GPG” are often used interchangeably. This is a common mistake, since they are distinctly different.

    OpenPGP is technically a proposed standard, although it is widely used. OpenPGP is not a program, and shouldn’t be referred to as such.
        PGP and GnuPG are computer programs that implement the OpenPGP standard.

    PGP is an acronym for Pretty Good Privacy, a computer program which provides cryptographic privacy and authentication. For more information, see the Wikipedia article.

    GnuPG is an acronym for Gnu Privacy Guard, another computer program which provides cryptographic privacy and authentication. For further information on GnuPG, see the Wikipedia article.

Now, the very moment PGP etc is identified as one of the only feasible approaches to “privacy for the common user”,
it is gets under heavy fire, from various sides.

(Some sources for further reading at the bottom of this article)

The criticism mostly targets the follwoing areas

1/ quality/beauty of core code / protocol
2/ usability issues
3/ key management
4/ social / cultural issues

(where 2/ & 3/ might be seen as the same)

 

2/ usability issues

mainly points at the lack of easy-to-use implementations,
causing users to make grave mistakes like sending their private key out, instead of their public key
(though i would argue that there has been great progress).

An Einsteinism is due, though:

“make things as easy as possible, but dont make them more simple than
they are.”

In the context of online privacy, Clay Shirky might be wrong when he says:

“Communications tools don’t get socially interesting until they get
technologically boring. The invention of a tool doesn’t create change; it
has to have been around enough that most of society is using it. It’s when
a technology becomes normal, then ubiquitous, and finally so pervasive as
to become invisible, that profound changes happen.”

No level of usablity will get you around the fact that
privacy is a conscious act:
it can (and should) be made easier, but not invisible.

If you don’t get the key idea, you can’t have a locked house.
If you don’t care enough for encryption to keep your key in a safe place,
It will never work for you, no matter how well you have designed your round corners.
If you expect some service out there to make things easier for you, well
then obviously, privacy is not for you.

Tools that allegedly aim at improving the user friendliness of PGP,
e.g. https://www.mailvelope.com/
often do so at the expense of further corroding the very principle of end-to-end security,
by exposing private keys to browsers (known as insecure) or, worse, your webmail provider.

Tools that bring high quality security to mobile messaging (like TextSecure) do so on operating systems
that are so insecure in themselves that even the suggestion of privacy is misleading.

(It should be noted though that placing trust somewhere might be a viable strategy –
just not an ultimately private one).

  3/ key management

problems are best illustrated by what all PGP users experience frequently:

“oh could you send me that unencrypted? i ve changed computer and dont have my key anymore”
“ooooh thats not REALLY my key anymore …”
“ooh … which of my 13 keys DID you use?”

4/ social / cultural issues –

it is true to say that after decades of existence, PGP still has not been able to truly break into the mainstream,
and its user group tends to be nerdy.

PGP is not cool – but it has to be added, for many users email is no longer the preferred choice of communications. Email is not cool.
Even at IT and technical universities, the use of mail clients is far from natural,
and (inherently insecure) webmail, FB messaging, WhatsApp, Kik etc etc is often the norm.

Even SMS – once thought to be THE universal messaging standard –
has been overtaken by WhatsApp –
taking mobile messages into the Facebook platform,
and adding to a surveillance system impressive in its all-inclusiveness.
Further reading:
An illustration of why OpenPGP isn’t mainstream yet: PGP best practices
https://help.riseup.net/en/gpg-best-practices

The BIG SEVEN problems with security
https://leap.se/en/docs/tech/hard-problems

Moxie Marlinspike’s (of Whispersystems/TextSecure) attack on GPG
http://www.thoughtcrime.org/blog/gpg-and-me/

A rebuttal: GPG Criticism Reaches New Low As Use Cases Expand
http://qntra.net/2015/02/gpg-criticism-reaches-new-low-as-use-cases-expand/

Comments

Leave a Reply