Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

PGP Is 15 Years Old

Posted by samzenpus on Wed Nov 15, 2006 08:08 PM
from the happy-secure-birthday dept.
Encryption Security News
An anonymous reader writes "PGP Corporation salutes the 15th anniversary of PGP encryption technology. Developed and released in 1991 by Phil Zimmermann, Pretty Good Privacy 1.0 set the standard for safe, accessible technology to protect and share online information."
+ -
story
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

PGP Is 15 Years Old 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Congratulations, PGP! Now legal [ageofconsent.com] in Bulgaria, France, Monaco, and Thailand.

    Oh, and I almost forgot Poland!

    • Re:Finally Legal! (Score:5, Funny)

      by dubbreak (623656) on Wednesday November 15 2006, @09:41PM (#16863556)
      In Canada it can get jiggy with other encryption technology as long as it isn't >5years senior (and was able to last year as well). It'll have to wait until 16 to consent for any age and 18 if it is interested in encryption with influential power over them. I'm not sure if there are laws about related algorithms. In my neck of the woods we don't code that way.

  • First encrypted post (Score:5, Funny)

    by Anonymous Coward on Wednesday November 15 2006, @08:09PM (#16862748)
         -----BEGIN PGP MESSAGE-----
         Version: 2.6.2

         hIwDY32hYGCE8MkBA/wOu7d45aUxF4Q0RKJprD3v5Z9K1YcRJ 2fve87lMlDlx4Oj
         eW4GDdBfLbJE7VUpp13N19GL8e/AqbyyjHH4aS0YoTk10QQ9n nRvjY8nZL3MPXSZ
         g9VGQxFeGqzykzmykU6A26MSMexR4ApeeON6xzZWfo+0yOqAq 6lb46wsvldZ96YA
         AABH78hyX7YX4uT1tNCWEIIBoqqvCeIMpp7UQ2IzBrXg6Gtuk S8NxbukLeamqVW3
         1yt21DYOjuLzcMNe/JNsD9vDVCvOOG3OCi8=
         =zzaA
         -----END PGP MESSAGE-----

    • Re:First encrypted post (Score:4, Funny)

      by Anonymous Coward on Wednesday November 15 2006, @08:36PM (#16863008)
      hIwDY32hYGCE8MkBA/wOu7d45aUxF4Q0RKJprD3v5Z9K1YcRJ 2fve87lMlDlx4Oj
      eW4GDdBfLbJE7VUpp13N19GL8e/Aqbyyj HH4aS0YoTk10QQ9n nRvjY8nZL3MPXSZ
      g9VGQxFeGqzykzmykU6A26MSMexR4Apee ON6xzZWfo+0yOqAq 6lb46wsvldZ96YA
      AABH78hyX7YX4uT1tNCWEIIBoqqvCeIMp p7UQ2IzBrXg6Gtuk S8NxbukLeamqVW3
      1yt21DYOjuLzcMNe/JNsD9vDVCvOOG3OC i8=
      =zzaA
      Yup, It tastes exactly like chicken.

      Regards,
          The NSA.

    • Re:First encrypted post (Score:4, Funny)

      by mattwarden (699984) on Wednesday November 15 2006, @09:05PM (#16863270) Homepage
      Leave my mother out of this.
  • That there's still no equivalent to the old PGPphone.

    That thing ROCKS ;)

    • Re:It's sad... (Score:5, Informative)

      by Noksagt (69097) on Wednesday November 15 2006, @08:25PM (#16862898) Homepage
      PGPfone does still run under Windows and the source is available [pgpi.org]. Zfone [zfoneproject.com] (also by Phil Zimmerman, is a new secure VoIP program. Gizmo and Skype also have encryption (though they're closed source).
    • It had very clear full-duplex quality, was simple to set up and use, and was largely platform independent. I was in a long distance relationship in college at the time, and my girlfriend had a mac (I had a PC). PGPfone was the only VOIP solution in 1999 that allowed us to voice chat for free (remember, this is before unlimited minute cell phones). Absolutely amazing as a voice chat program, let alone all its privacy features.
    • Starium fizzled, SpeakFreely was abandoned, STU-III prohibitively overpriced, GSM crypto pathetic, Skype has secret crypto which means nobody savvy will trust it for serious work, and SIP/SRTP: well, a typical comment about that is "Are there any SIP implementations currently supporting SRTP?".

      • Re: (Score:2, Informative)

        by gnoshi (314933)
        Yes, yes there are.

        Twinkle [twinklephone.com] (Linux) supports both SRTP and ZRTP.
        Minisip [minisip.org] and Minisplat [minisplat.org] (both Linux) presently support SRTP and are working toward ZRTP support.
        Eyebeam [counterpath.com] (Windows) supports SRTP
        ZFone [zfoneproject.com] (Windows, Linux, MacOSX) uses ZRTP and can work with any SIP-based software (because it intercepts and encrypts the stream).
        OpenWengo [openwengo.org] (Windows, Linux) is in the process of implementing SRTP, with some automated key exchange, and later ZRTP is planned.

        So really, the answer is: yes, yes there are implementations.

  • too bad (Score:3, Interesting)

    by Lord Ender (156273) on Wednesday November 15 2006, @08:12PM (#16862770) Homepage
    Unfortunately, in the real world, 99% of email users can not or do not want to maintain a web of trust. That is why S/MIME is going to kill the PGP market. PGP/MIME is only big because it was first on the scene.

    Hell, even mutt supports S/MIME. Imagine SSL with a web of trust--yuck!. PKI is the way to go...

    • Re:too bad (Score:5, Interesting)

      by poliopteragriseoapte (973295) on Wednesday November 15 2006, @08:20PM (#16862852)
      I checked, via pgp.mit.edu. In my university, with 16000+ people, I am the only one with a PGP key signed by someone outside of my university, and I think that no more than 20 people have a PGP key uploaded to pgp.mit.edu. And there is simply NO WAY I can convince staff (or pretty much anyone) to accept my PGP-signed emails as something especially valuable (and as a replacement for a paper signature), or to send me confidential information via encrypted email instead of having me go pick up paper folders somewhere. On the other hand, everybody seems to accept as "signed" the pdf letters I produce, which include a photographed copy of my signature. I have given up.

    • Re:too bad (Score:5, Informative)

      by technicalandsocial (940581) on Wednesday November 15 2006, @08:23PM (#16862876)
      I think you're confusing a few things.

      Web of Trust (WoT) is a PKI model. Certificate Authorities (CA) is a competing PKI model, and the one apparently you prefer. Have you taken a look at the CA list of trust in your browser lately? I for one prefer WoT, although more work on the part of the user to maintain, the trust model is based on me, not "Staat de Nederlanden" or any other company I've never heard of. Not to mention the stolen Microsoft certificates of a few years ago. There is nothing to stop us from moving to a WoT model for our browser PKI, just as there is nothing stopping us from using the CA model for email, it's just how it's been implemented for us thus far, and which we choose to use.

      MIME vs Inline are competing ways of using PKI in email, it appears you prefer MIME which does appear to be the merging standard.

    • Re: (Score:3, Interesting)

      by // (81289)
      "PKI - there is no P and no I.... in practice it is just a bunch of K...." - me

      S/MIME is great. Inside a single organisation. But beyond that.... forget it. And I have seen many MANY attempts across MANY serious organisations.

      Webs of trust are not the only trust model PGP can implement. In the serious business world, PGP Universal is making steady progress; policy driven, nice and easy for the users. Of course, it supports S/MIME too for all the poor souls in external organisations stuck with that :-)

    • S/MIME has been around a long time too (Score:5, Interesting)

      by Beryllium Sphere(tm) (193358) on Wednesday November 15 2006, @08:30PM (#16862952) Homepage Journal
      And it has not killed the PGP market or even gotten major traction. What percentage of your legitimate incoming email is S/MIME signed? Even from your bank?

      Also, bear in mind that CA-based PKI is a strict subset of web of trust.

      The lesson is that crypto goes nowhere in the market unless it's as transparent as TLS.

      >can not or do not want to maintain a web of trust

      PKI shouldn't be difficult, but from what I've seen it does seem to be beyond human comprehension.

  • Thanks, Phil!!! (Score:3)

    by jamstar7 (694492) on Wednesday November 15 2006, @08:14PM (#16862790)
    I used PGP back in the day when it was still illegal due to the 'fact' that it was considered a 'munition'. Thanks, Phil, for giving me the amount of encryption enjoyed by many small governments of the day...
    • Damn straight.

      If I met him, Id buy him a few drinks (well, as many as he wants. he deserves it).

      • Re: (Score:2, Funny)

        by pegr (46683)
        If I met him, Id buy him a few drinks (well, as many as he wants. he deserves it).
         
        No lie, a lesbian friend of mine once shared drinks in a hot tub with Phil in Colorado. She said he was a bit of a jerk. Of course, she hates all men so I really can't go by her opinion.
         
        Ya know, I've been waiting a long time to share that factoid with somebody who would know who Phil Zimmerman is. Never thought for a moment it would be a Slashdot post...

    • Re: (Score:3, Informative)

      by tomstdenis (446163)
      Um, it was illegal to EXPORT not use. Get your fud straight.

      That not withstanding he [and people like him] went through hell to free up crypto projects for the rest of us. I, myself, give out a crypto library that slips through relaxed regulations on free software.

      Kudos to Phil, his supporters, and PGP as a whole. [except Jon Callas, he's a jerk and I still hate him]

      Tom
        • The munitions clause was for EXPORTED software. It wasn't, and isn't, illegal to use or publish domestic cryptographic software.

          For crying out loud it's NBS (defunct, now NIST) who solicited for and published DES and 3DES in the first place!

          Tom

  • it's too bad... (Score:5, Insightful)

    by technicalandsocial (940581) on Wednesday November 15 2006, @08:15PM (#16862796)
    It's too bad after 15 years, probably > one percent of internet users have even used it, or any of its OpenPGP standard derivatives (GnuPG) for example. Sort of like the NSA telephone spying fiasco this year in the U.S, you know the various bureacracies are watching all the packets they can. If you want privacy, now is the time to take control of your own. Encrypt your emails and files, IPSEC, SSH, HTTPS wherever possible, and demand it where it is not yet available for you.

    • Re:it's too bad... (Score:5, Informative)

      by SEAL (88488) on Wednesday November 15 2006, @08:21PM (#16862864)
      While your points are on-target, it is easy to forget how much the U.S. government locked down encryption prior to Phil's efforts. We take for granted being able to make purchases over a 128-bit encrypted connection with SSL-enabled webbrowsers. Secure global e-commerce is a direct result of political change brought around by Phil Zimmerman.

      So even though use of PGP / GPG have not penetrated the mainstream, there were other beneficial aspects of its existence.

    • Don't forget to use OTR [cypherpunks.ca] for your GAIM [sourceforge.net] sessions...

  • Too bad it isn't better integrated into things (Score:5, Interesting)

    by Soong (7225) on Wednesday November 15 2006, @08:55PM (#16863204) Homepage Journal
    Once upon a time I generated a key, and discovered there was no one around to swap keys with. My best guess is that it has never been common enough or easy enough to get started. It needs to be as easy as hitting send on an email, automatically sign it, and if the recipient is known to have a key then encrypt it to them. I could be bothered to go through some hassle to get this going, but I think most people don't care enough and probably most of their email doesn't matter enough to bother with encrypting or signing. I still wish it was more common though.
    • It's sort of a chicken and egg problem (why should I bother to encrypt *my* email if there is no one to exchange it with?), and the answer is definitely integration. Imagine if gmail integrated PGP - we'd suddenly have a whole bunch of PGP users to exchange messages with.

      I know there are sites like hushmail.com but we need to get an existing userbase setup with encryption, and everything has to be automatic.

      Unfortunately, I'm in no position to organize such a thing.
    • This point isn't original with me. Ian Griggs, and probably others, have been making it for years. (I'm not even sure I agree).

      The use case you want is prevented by existing public key systems. They consider it insecure because there wouldn't be any proof that you were really encrypting to your friend's public key, as opposed to a public key belonging to whoever is wiretapping you. Hence the whole need for directory systems, trust systems, signers and "CA"s (signers you don't know but who are supposed to do
    • Once upon a time I generated a key, and discovered there was no one around to swap keys with.

      That is exactly the issue. Most people have pretty boring lives, and don't need encryption. While many of us could make at least a business case that it would be a good thing to encrypt our mail, at the end of the day, expedient convenience wins out over The Right Thing.

      Until strong encryption is seemlessly and effortlessly incorporated for a critical mass of users, it isn't going to happen.

      This is where you n

    • It needs to be as easy as hitting send on an email, automatically sign it, and if the recipient is known to have a key then encrypt it to them.

      You obviously haven't tried lately.

      Both Enigmail for Thunderbird and also the mail client for OSX have pgp and key management built in. They have methods for downloading, signing and uploading keys to the key servers. I've been signing my email for years, very automatically. Also, the few individuals that have keys get their email encrypted automatically. It's v

      • Just a small correction. The Mail client for OS X (aka "Apple Mail" or whatever you want to call it) doesn't have PGP capabilities built in.

        It has some S/MIME capabilities built in (and almost totally undocumented, as far as I can tell, and it's a bit of a bear to set up), but to get anything related to PGP, you need to install the excellent set of plugins from Sente, called GPGMail [sente.ch]. It is basically an interface between Apple Mail, and the CLI gpg tools.

        It relies on some undocumented and unsupported APIs in
        • I had forgotten how I installed gpg on my mac... but I've been using it almost as long as I've had this MBP. Haven't had any problem with the pgp stuff.

          The only problem I've had is with the IMAP client not seeing new messages in various folders. I have to go upstairs to my workstation to get an accurate view of my new email. :(

    • Once upon a time I generated a key, and discovered there was no one around to swap keys with.

      You do send email, right? When people ask you about that funny little attachment to all your emails, explain PGP to them and help them generate their own key. As long as they understand that the public key must be securely verified, most people (even nontechnical people) do alright with the concept.

      It needs to be as easy as hitting send on an email, automatically sign it, and if the recipient is known to have a ke

      • "Personally, I've given up"

        Indeed, it's just too much trouble, which show you and I both agree with the parent to your post. It's one thing being a highly competent email user and setting your own PGP up, but can we really be bothered setting up all our friends, work colleagues and family? I can't. And why don't they set up PGP? Because it's too much work and too difficult for the average user.

        As one of the parent posts noted, the same people understand and happily use secure payment methods over the web. S

  • Speaking of PGP... (Score:3, Interesting)

    by FooAtWFU (699187) on Wednesday November 15 2006, @09:04PM (#16863256) Homepage
    ... can anyone recommend any good Windows XP PGP/GPG-type tools? You used to be able to download a little cute PGP program as freeware to sit in your tray, hold your key, and encrypt/decrypt a window or the clipboard. Now all I can find like that is WinPT, and while it's serviceable for me, it's also incredibly ugly and not very refined, and is confusing by comparison. Gak! You can still download the old PGP freeware versions but they refuse to run on WinXP - there's just a 30-day trial out there now.

    If there's one thing that annoys me it's when a program disappears like that...

    • The free trial is for the version with all the extras.. just install it in lite or whatever mode, you get encryptions and the tray and it works great and its free

      • Re: (Score:3, Informative)

        by billstclair (470179)
        The free trial is also hard to find, likely intentionally so.

        http://www.pgp.com/downloads/desktoptrial2.php [pgp.com]

        It's fully functional for 30 days, then falls back to the functionality of the old PGP Freeware product, i.e. you can encrypt and decrypt files, windows, and the clipboard, and you can create, import, and manage keys.
    • Not easy to setup, granted, but it's free, it does what you want, and it's actually pretty easy to use.

  • The title is wrong. Quit perpetuating the myth (Score:5, Informative)

    by Anonymous Coward on Wednesday November 15 2006, @09:17PM (#16863362)
    Jeez, will this fairy tail never end? Phil NEVER released PGP. Crap, I was there and I remember it. Phil had to be browbeaten and bribed to give up the software (for which he had already been paid to develop).

    There were two people who were hauled up in front of the Federal Grand Jury. Phil was one. Kelly Goen was the other. It was Kelly who paid Phil, who researched the law (so that the release could be done legally) and who had been pushing for developing public key cryptography for years before he ever met Phil. And it was Kelly who had the guts to do the actual release. Phil thought he was completely safe at the time (and legally speaking he probably was, not that innocence has ever stopped the Feds before).

    If you want to search, you might be able to find the original Jim Warren articles in Microtimes around, who Kelly kept in touch with during the actual release. Jim thought Kelly was paranoid as hell until the FBI showed up on his door, and he wrote at least one article about it.

    For your amusement, Kelly went around the San Francisco Bay area with an old acoustic coupler modem to various pay phones and would upload it onto a different server. Then he'd call Jim to tell him where it was at, in case something happened to him. He was under the impression that the single best thing the NSA could do was to knock him off before he put it on those servers. Looking back at it now, he was quite right.

    And no, this isn't being posted by Kelly. Just someone else who was there at the time.

    So please, get your facts straight and give Kelly some credit while he's still alive. Thanks.
  • and still almost nobody uses it. There's a real trade off between security and convince. How many people do you think would use SSL if they had to download a separate program beyond the web browser and setup certificates to support it? Probably about 10% of the general internet population, and those would be the ones who realized their credit card numbers weren't be passed encrypted. General rule of thumb.. If it's not (relatively) easy for the end user it will never become popular.
  • a good thing Larry David was busy on other projects (and isn't a famous cryptographer on the side) otherwise the project may have been dubbed PPPPPPPGP, with the first couple of Ps in italics, probably. [youtube.com]
  • "When I find myself in times of trouble, PRZ, he comes to me, speaking words of wisdom, 'PGP, PGP!'"
  • I remember watching an English documentary about 5 or so years ago on the history of encryption and cyphers. One thing I remember was how the RSA public and private key encryption wasn't invented by PGP even though they were awarded a patent , it was invented by an english researcher while working for one of the many U.K government secret service shadow projects at the time. The UK security services have been using RSA encryption for many years before PGP ever figured it out but wouldn't admit to this fact
  • ...would be to say "My e-mail server, my key server". Use SSL certs or whatever to verify that you're talking to a legitimate server, and a way to connect securely to request a key is a must. I presume it's quite feasible to verify that you're talking to a legitimiate @domain.com server when trying to get the public key for a @domain.com address. So if I have a yahoo.com address, you can ask SMTP server "PUBK name@yahoo.com" and get either "no keys, sorry" or "uploaded key follows". Your email client should

  • Inappropriate PGP usage: my sin. (Score:3, Funny)

    by dotmax (642602) on Thursday November 16 2006, @04:06AM (#16866382)
    In the early 90s i spent (way too much of) my energy in the marijuana movement. Not wholly surprisingly, i got a little paranoid about marajuana-movement organizations' mailing lists being confiscated in various busts around the country.

    So i relentlessly harangued a national organization to distribute a windows/DOS/Mac PGP release to all of their chapters.

    I felt pretty good about it until i got a call from someone in another state:

            "duuuude. i forgot my passphrase..."

    How did you do that?

              "we were rilly baked ..."

    i've always wondered how much damage i did to the marijuana movement by handing a bunch of stoners a tool that required memorizing a passphrase...

    my bad!

    • I believe thawte offers a viable and professional alternative to PGP.

      Open up your IE browser, Internet Options->Content->Certificates and then click on the intermediate and root trusted authorities. Each of these you must trust. Further, another weak point, someone else has the keys that can gerate other keys to spoof domains.

      Rememeber, there are devices that can do SSL in the middle. Don't believe me, see http://www.bluecoat.com/downloads/support/BCS_tb_ r everse_proxy_with_SSL.pdf [bluecoat.com] Your best d

      • Sure, SSL in the middle is possible, but you need a properly signed certificate to set it up. It can't be used for man-in-the-middle attacks unless the CA or the certificate are compromised. Essentially, you are just moving the secure communication endpoint.

        As for the big list of pre-trusted CAs, just remove the ones you don't trust.

        PGP may be more secure for point to point, but shared secret or one-time pad is even better. If all you want is secure communications with someone you already have a rela

        • As for the big list of pre-trusted CAs, just remove the ones you don't trust.

          And suddenly, I can't visit any https URLs except my own.

          Really, the PGP concept of "trust" is important. There are multiple levels of trust, from simply "I trust that this key actually belongs to this person" to "I fully trust this person to be competent at signing keys, and will trust any key they sign"...

          Generally, trust is earned, based on experience. Really, what has Thawte, VeriSign, or any other root CA done to earn my tru

      • Not to mention (Bruce Schneier may have been the first to publish about this):

        What guarantees the integrity of IE's list of trusted root certificate authorities? In other words, what stops a piece of malware from installing its own public key as an ultimately trusted one?

        Hint: they're stored in the registry.
    • When signing, in fact, the exact opposite happens.

      Public and private isn't too bad, it's just that no one ever, EVER bothers to learn them. I mean, come on, if people can learn words like "clutch", "gearshift", "ignition", and so on, why can't they understand that the PUBLIC key is what you send to everyone, and the PRIVATE key is what you don't even share with your lover?

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.