Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Encryption Communications Security

Moxie Marlinspike: GPG Has Run Its Course 309

An anonymous reader writes: Security researcher Moxie Marlinspike has an interesting post about the state of GPG-encrypted communications. After using GPG for much of its lifetime, he says he now dreads getting a GPG-encrypted email in his inbox. "Instead of developing opinionated software with a simple interface, GPG was written to be as powerful and flexible as possible. It's up to the user whether the underlying cipher is SERPENT or IDEA or TwoFish. The GnuPG man page is over sixteen thousand words long; for comparison, the novel Fahrenheit 451 is only 40k words. Worse, it turns out that nobody else found all this stuff to be fascinating. Even though GPG has been around for almost 20 years, there are only ~50,000 keys in the "strong set," and less than 4 million keys have ever been published to the SKS keyserver pool ever. By today's standards, that's a shockingly small user base for a month of activity, much less 20 years." Marlinspike concludes, "I think of GPG as a glorious experiment that has run its course. ... GPG isn't the thing that's going to take us to ubiquitous end to end encryption, and if it were, it'd be kind of a shame to finally get there with 1990's cryptography."
This discussion has been archived. No new comments can be posted.

Moxie Marlinspike: GPG Has Run Its Course

Comments Filter:
  • Same error, repeated (Score:5, Interesting)

    by Anonymous Coward on Wednesday February 25, 2015 @05:43AM (#49125739)

    I suspect some of the cruft is due to its PGP heritage, but really, all the options aren't the problem. The length of the manpage, neither. Here you have a decently documented piece of software and you complain about the volume? Psah. No, that really isn't the issue. Nor is the ability to have multiple algorithms, as the state of the art keeps on advancing and so you need to replace algorithms now and then.*

    The issue is that the interface, the way it packs up crypto for ease of use, is something only a crypto-nerd could love. The basic principles aren't hard to explain to an intelligent lay(wo)man, but understanding how the web of trust works, nevermind make intelligent decisions that make sense, that even crypto-using nerds usually don't manage. And that's just the model; the implementation is clunky to the point that even programs employ intermediate libraries that then barely work for this or that ill-conceived reason.** And then there's the interface as ment for humans. Again, it's nerd-only.

    That nerd-only-ness is an obstacle to uptake, and that again is a problem. We desperately need crypto in email, but what bank even publishes GPG and S/MIME keys for securing email? I know of one, and it's a central bank so mere mortals cannot open accounts.

    So for a long time GPG has only been supported by a single person, props to him, who evidently doesn't know much about usable user interfaces, not even CLI ones. Yet I'm not blaming just him for it, either. Look at openssl: Again a bit of crypto software that turns out to be pretty damn important, and there's only a few boobs holding down the fort. That is actually poorer documented and even clunkier to use. The code, starting from the APIs, isn't so hot either. No wonder it came crashing down spectacularly. But that too is a problem.

    So we have a couple real problems, yet this security expert managed to pin only non-problems. And that itself is again a problem.

    * One thing that is a problem is the headers inserted on top of the message that really ought to've been encoded in the signature, since they belong there and moreover there's no real need to put them anywhere else. In fact, the current practice causes transport problems making the format more brittle than it needs to be.
    ** Work out why gpgme doesn't work so well on 64-bit windows, especially where the individual programs may or may not actually be fully 64bit. It literally doesn't work because some maintainer disabled the workaround that made it work because that somehow "does not make sense" to him.

    • by AmiMoJo ( 196126 ) * on Wednesday February 25, 2015 @05:55AM (#49125767) Homepage Journal

      I know quite a few people who have started using GPG via the Enigmail plug-in for Thunderbird lately. The length of the man page is irrelevant and they never publish their keys so are effectively invisible to the statistics. That doesn't mean that it isn't an extremely useful, valuable piece of software though.

      Now more than ever we need GPG, and I bet adoption has gone up a lot in the last year.

      • by rvw ( 755107 ) on Wednesday February 25, 2015 @06:12AM (#49125801)

        I know quite a few people who have started using GPG via the Enigmail plug-in for Thunderbird lately. The length of the man page is irrelevant and they never publish their keys so are effectively invisible to the statistics. That doesn't mean that it isn't an extremely useful, valuable piece of software though.

        I use Thunderbird with Enigmail, mostly to sign my emails to get other people used to seeing signed mails, with an attachment with the signature in it. I've got one question about this, a friend asking what that mysterious attachment was and I explained it. I created an IMAP mail account that I only use to make notes that I can easily share among different computers. All these notes are encrypted using my public key. I can open them on the computer which has my private key.

        Your comment about being invisible to statistics does not mean being invisible to NSA and GCHQ. As they and several other agencies scan all mail, they will see these attachments, they will see mail headers and other signs that mail being encrypted, whatever method you use. So they will know that your friends use GPG.

        • by AmiMoJo ( 196126 ) *

          So they will know that your friends use GPG.

          Sure, but we are already on the terrorist watchlist anyway. Some of us are into flight simulators, some of us have Islamic sounding names, some of us just complain about surveillance a lot. I use a VPN constantly which is enough to make you interesting to them. At this stage encryption can only help.

          To clarify, I was talking about Moxie's claim that there were not that many GPG users because there are only about 2 million public keys on known key servers. I'm sure there are loads of people like us who don't

          • by mlts ( 1038732 )

            There are also different keyservers. For example, Symantec has its own for its commercial PGP Desktop.

            Then there is the need for a key for a transaction. For example, when helping a client out, he already had my key's fingerprint and ID, so there would be no need to publish that for an interchange that was just between the both of us.

            Moxie might have a point... maybe it might be wise for some time to be spent improving the PGP/gpg keyserver network, adding more servers, working on better ways to propagate

      • I know quite a few people who have started using GPG via the Enigmail plug-in for Thunderbird lately. The length of the man page is irrelevant and they never publish their keys so are effectively invisible to the statistics. That doesn't mean that it isn't an extremely useful, valuable piece of software though.

        Now more than ever we need GPG, and I bet adoption has gone up a lot in the last year.

        Why use gpg instead of s/mime, which has native support in most e-mail programs, with no need for plugins? Thunderbird included.

        • by pthisis ( 27352 ) on Wednesday February 25, 2015 @08:44AM (#49126393) Homepage Journal
          Why use gpg instead of s/mime, which has native support in most e-mail programs, with no need for plugins? S/MIME relies on centralized key servers or opens itself to man-in-the-middle attacks. You can hand-authenticate individual CAs with some effort, but there's no equivalent to PGP's web of trust. And CAs are single points of failure, making them extremely desirable points of attack. Marlinspike, of course, has developed his own proposed solution to the CA problem: http://en.wikipedia.org/wiki/C... [wikipedia.org] It's up to the reader whether this contributes to his credibility on the issue because he knows what he's talking about and has taken the time to contribute code to help fix the problem, or whether he's someone with his own personal dog in the fight and hence has an ulterior motive in denigrating PGP's trust model.
      • I use Enigmail daily and hate it because it makes my mail unsearchable. They've made the decision that all mail at-rest should remain encrypted. That's a great default because it's secure but I think there should be an option to store mail locally in plain text.

    • by mlts ( 1038732 )

      The problem is that OpenPGP products fill a need, and adding additional, usable features is hard, other than new algorithms.

      However, nothing fills the role OpenPGP does with as much reliability, interoperability, and trust. I can encrypt a message on AIX, sign it on a Solaris box, validate the signature on a FreeBSD box, then decrypt and read the file on a QNX embedded machine.

      The problem with people bashing PGP and gnupg is that usually they have their own encryption solution they want to peddle. There i

    • Oblig... (Score:4, Funny)

      by inasity_rules ( 1110095 ) on Wednesday February 25, 2015 @08:58AM (#49126481) Journal
      • by TWX ( 665546 )
        This hits the nail on the head for a lot of things-computing.

        For e-mail encryption to be practical it needs to be extremely simple to use. It's not simple to use, so there's not much encouragement to use it, so it doesn't get adopted for wide use.
    • Original poster stated, "... it'd be kind of a shame to finally get there with 1990's cryptography."

      The RSA encryption algorithm has been around a lot longer than the 1990s. In fact, it was released in 1977. Still, the technology and algorithm continue to work. However, due to advances in computing and hardware, the encryption keys have had to be extended. So, there is nothing wrong with the older technology.

      When my brother and I started a business in 1994 to provide a secure communications platform for

  • gpg (Score:4, Insightful)

    by l3v1 ( 787564 ) on Wednesday February 25, 2015 @05:55AM (#49125763)
    I've used GPG since... I don't even know, for a very long time. However, since I communicate a lot internationally, and I don't know (and I don't want to know) about every country's regulations regarding encryption, I gave up sending encrypted e-mails at the very beginning, but I still always sign my mails. I never even thought about how many people use or don't use GPG, it's just been there, ever so useful - and I think that's good so. I think "run its course" is harsh though. Why? Because one Moxie Marlinspike says so? Bollocks. If it's useful - and it is -, it's good to have it.
    • by rvw ( 755107 )

      I've used GPG since... I don't even know, for a very long time. However, since I communicate a lot internationally, and I don't know (and I don't want to know) about every country's regulations regarding encryption, I gave up sending encrypted e-mails at the very beginning, but I still always sign my mails. I never even thought about how many people use or don't use GPG, it's just been there, ever so useful - and I think that's good so. I think "run its course" is harsh though. Why? Because one Moxie Marlinspike says so? Bollocks. If it's useful - and it is -, it's good to have it.

      Not only that, but look at the Enigmail interface. Once it's installed and configured, it's only clicking the icons in the status bar and entering a password. I sign all mail as well.

    • How do you know how useful it is if you've never thought about how many people use it?

      It could very well be for the most people you talk to your GPG signature would be about as useful as a disclaimer asking someone to delete the email if they were the wrong recipient, or the "Please think of the environment and don't print this mail" sign-off.

      • by pthisis ( 27352 )
        How do you know how useful it is if you've never thought about how many people use it?
        It's still potentially useful even if nobody else uses it; you can at least show later on that you or someone with access to your private key signed something.
  • It really is just an alphabet soup of acronyms with security systems. No wonder the average person just doesn't bother.

  • by wonkey_monkey ( 2592601 ) on Wednesday February 25, 2015 @06:00AM (#49125775) Homepage

    ...what do the other characters from Harry Potter think?

  • by qwijibo ( 101731 ) on Wednesday February 25, 2015 @06:03AM (#49125781)
    It's a bad sign when those who care about security lose interest. The NSA is doing their part to eradicate secure crypto. Law enforcement agencies are commonly breaking the law to fish for potential criminals. The only protection available is what's written by people who are not subject to influence from the NSA. That's increasingly meaning open source or non-US-based companies.

    Crypto is hard to get right. It's hard for the average person to know what ciphers or tools to use and which are just snake oil. It's hard to implement correctly so that it is secure. New ciphers are written by people who have a lot of experience in breaking the old ones. As the old guard ages out, I don't see the same depth of interest in the next generation. With crypto, there's no quick fix, and the new hotness doesn't come overnight.

    On the other hand, the 1990s cryptography he mentions would be a huge improvement over many things we have today. Since the 90s, I've wanted the ability to have cryptographically signed financial transactions. Instead of financial institutions and credit reporting agencies using shared secrets, I'd like to have the ability to authenticate with a public key. I'd like to provide my public key in person to my bank so they know I'm authorizing transactions. Instead, they rely on secrets which are available to anyone who's willing to spend a few bucks and maybe break a few laws. Identity theft is so prevalent because we're basically relying on writing (at least a 4000BC technology) for security instead of good crypto. Hell, bad crypto would be an improvement over most of what's being done today.

    I hope his opinion isn't representative of more people who have been involved with security and privacy issues, but unfortunately, I think it will resonate with a lot of us.
    • by Kjella ( 173770 ) on Wednesday February 25, 2015 @07:13AM (#49125965) Homepage

      Crypto is hard to get right. It's hard for the average person to know what ciphers or tools to use and which are just snake oil. It's hard to implement correctly so that it is secure. New ciphers are written by people who have a lot of experience in breaking the old ones. As the old guard ages out, I don't see the same depth of interest in the next generation. With crypto, there's no quick fix, and the new hotness doesn't come overnight.

      Crypto is easy. Ciphers are easy. Here's a key you can use it to sign and verify messages, open and seal envelopes.

      Using crypto is hard. People lose keys, forget passwords, don't transmit keys in a secure way, don't store keys in a secure way, revoking keys, checking for revocation, using third party services like webmail and so on. Strong crypto is like losing your house key and being told that sucks, but since it's an impenetrable bunker with an unpickable lock there's nothing you can do but start from scratch.

      People want recovery options. If my house burns down to the ground and I escape with no passport, no driver's license, no identification of any kind the government will get me a new one. Work will find a way to get me a new access badge and key fob. That's why all those ways to recover your account exist, they're not necessary per se and you don't have to answer the security questions seriously. But when you have fucked up big and the answer is just gibberish you're pretty screwed. That's why people answer those with actual facts.

    • by jbolden ( 176878 )

      I agree with your post. In the 1990s there was a lot of enthusiasm around crypto.

      I think what's happening though is groups like Apple and Google have made crypto pretty easy. Since the original article mentions email, for example in Apple's standard / free / included mail.app I can easily:

      a) self sign a certificate and include the public key in my email
      b) send an encrypted email to anyone who has ever sent me their certificate

      Similarly with the iPhone / iPad application. That's a pretty good implement

  • git blame (Score:5, Insightful)

    by Anonymous Coward on Wednesday February 25, 2015 @06:05AM (#49125787)

    Blame Google for not implementing it in Gmail -- Then they wouldn't be able to get ad revenue and user metrics from their "free" email service.

    Blame MS for not integrating it into Outlook, but why would we expect MS to actually want security in any of their products?

    Blame Mozilla for the creaky plugin and cumbersome import/export publish keys interface in Thunderbird, and support for SMIME over GPG by default.

    Blame the users mostly for not giving a fuck about encryption.

    Personally, I don't give a fuck. Most people don't care about encryption but the ones that do, do. Some take the time to setup GPG with an email client and it actually works quite well despite my complaints about the clunky interfaces.

    I can tell you this much: Fuck publishing ANY open source software without signed and verified GPG signatures. You better have a replacement for the "experiment" that's securing the world's biggest open source projects source code, buddy, or you can GTFO for being a sensationalist maroon.

    TL;DR: People who need GPG use GPG. Those that don't give a fuck don't give a fuck. Seriously, if the average person can figure out how to use the bullshit set-top box with horrible remote control interfaces, they COULD use GPG if they wanted to, but they don't.

    • by _merlin ( 160982 )

      Outlook and Apple Mail have supported S/MIME for years, and the UI for using it is way nicer than any GPG plugin I've used. But the trouble is, no-one else uses it so I ended up only ever doing encrypted e-mail to/from my wife.

    • by jbolden ( 176878 )

      Blame MS for not integrating it into Outlook

      Exchange has an easy to use encryption feature so that's not true.

      • by jandrese ( 485 )
        Kind of. Exchange's system works great if you are sending mail to someone else on your domain, but send mail to someone on a different domain or even just some guy on the internet and it gets really complicated in a hurry.
    • Re:git blame (Score:5, Insightful)

      by Tom ( 822 ) on Wednesday February 25, 2015 @10:33AM (#49127323) Homepage Journal

      Blame the users mostly for not giving a fuck about encryption.

      That is stupid. It's like saying blame the drivers for not giving a fuck about fuel injection. Users should not have to care about encryption. They should care about having secure and private communication, and how to make that happen is our job, it's why we are being paid more than burger flippers.

  • I use GnuPG (Score:4, Interesting)

    by AndyCanfield ( 700565 ) <andycanfield@NoSpam.yandex.com> on Wednesday February 25, 2015 @06:18AM (#49125823) Homepage

    My GnuPG public key is on my web site (www.andycanfield.com). It is not on any "KeyServer"; I don't believe in key servers, that's just another layer that the hackers can break and the NSA can subvert.

    I use Thunderbird; the interconnection between that and encryption is clumsy [ e.g. if you haven't got a key for somebody, don't encrypt the message, dummy!]. But it works. As long as it's smarter than Keith Alexander and Vladimir Putin, I'm satisfied. The important thing is that PGP is a ***standard***. Any idiot can come up with something better, but he can't make it a standard, so my correspondant on the other end of the wire can't use it.

    Oh, and my e-mail address is on Yandex, which is in Moscow.

    • by DarkOx ( 621550 )

      My GnuPG public key is on my web site (www.andycanfield.com). It is not on any "KeyServer"; I don't believe in key servers

      So how does someone like me obtain your key securely? if you send me a message that is signed and say goto this link to get the pubkey so you can check the signature, I don't know the message is really from you and all the attacker needs to do is put his pubkey at the message url, assuming the message came from the attacker impersonating you.

      Even if the message was legit how can I know my routing or DNS isn't be tampered with? How do I verify andycanfield.com is really yours? Am I supposed to use SSL/TLS

      • Good points.

        I rely on the domain name www.andycanfield.com. If somebody is faking that on your network then there is nothing I can do about it. However, I point out that if the message "from me" is signed, then it was signed by my PRIVATE key and the public key you get from my web site should confirm the signature.

        You left off the top level: Who the H* is "Andy Canfield" anyway? This body? That site? My passport? Police in this town wave to me every morning, but can't spell my name in English. I have d

        • by DarkOx ( 621550 )

          Thanks for the reply.

          I point out that if the message "from me" is signed, then it was signed by my PRIVATE key and the public key you get from my web site should confirm the signature.

          Sure but what if I create a key pair, and send a message that claims to be from you but says please go download my public key at http://attackersite.com/andyca... [attackersite.com]

          See the problem is I have this unauthenticated message and the only information I have about how I can authenticate the message is in the message. That is my biggest problem with your method.

    • by _merlin ( 160982 )

      PGP isn't a standard, but S/MIME is. And S/MIME is implemented in plenty of serious mail clients, including mutt, Outlook, Apple Mail, Kmail, Thunderbird, and even web-based shit like Horde.

  • by SkunkPussy ( 85271 ) on Wednesday February 25, 2015 @06:20AM (#49125829) Journal

    Forward secrecy is desirable as we see the NSA hoover up messages then store them until they crack the keys.

    Has anybody attempted to bolt forward secrecy on top of SMTP? I would assume that it would need some kind of session key exchange between sender and recipient which would preclude the use of SMTP.

  • Back office (Score:5, Insightful)

    by Minupla ( 62455 ) <minupla@gmail.PASCALcom minus language> on Wednesday February 25, 2015 @06:48AM (#49125893) Homepage Journal

    I partially agree with Moxie, GPG/PGP as an email encryption standard is never going to reach the "my mother uses it" point of say Skype. That doesn't mean its run its course. I also think it's disingenuous to imply that the number of keys on the public key servers is a useful proxy for utilization rates.

    In my company we use GPG every day. Most people who work there have no idea that we do. It's used in sensitive communications at high levels between organizations, e.g. to send documents to auditors. It's also used in a huge number of automated processes to encrypt data during the DB extract process so we can move that data out of the DB network and send it to partners.

    We don't send those keys to a public keyshare. That would provide attackers information and we don't do that (ya, security through obscurity sucks if it's your only line of protection. If you're using it to make life just a bit more difficult for an attacker tho, well I'm always for that!)

    Now all that having been said, I have great respect for Moxie, and maybe he has the Next Great Thing up his sleeve. I hope to see it at Defcon :).

    Min

    • It's also used in a huge number of automated processes to encrypt data during the DB extract process so we can move that data out of the DB network and send it to partners.

      I can buy encrypting email communications, but for this you should just use SFTP. Why would you ever use email for important data transmission? It's not a matter of encryption, it's everything else. It relies on DNS. It doesn't confirm the remote server's identity. Delivery is best effort and does not succeed or fail immediately. An

  • by Burz ( 138833 ) on Wednesday February 25, 2015 @06:52AM (#49125897) Homepage Journal

    I simply asked him -- in a private email -- if there was a signature for Convergence someplace because I didn't see any online.

    He accused me of being "inflammatory" and stated it was necessary to "take a leap of faith" (i.e. download and run it without verification). This was back in 2012, mind you. He appeared to be oddly anti-PGP back then, too.

    Frankly, after that I had no appetite for any more of his, erm, style and forgot about Convergence. Years later, I had to abandon DoNotTrackMe (by a Moxie-run company, Abine) nee 'Blur' for Ghostery instead when the former got an update that kept hogging the CPU. An email to Abine just yielded a response to keep updating Blur, but the problem never went away.

    • by Burz ( 138833 )

      I'd like to add that I hate PGP signatures in email messages, too.

      There is a lot that's wrong with the UI elements surrounding the crypto. For one, the operating systems and apps do not treat keys and sigs as first-class objects; they always end up looking like inlined ASCII barf, or little text files that have no informative icon + tooltips or associated apps. The presentation of crypto to the user practically begs the user to ignore it.

      This is even true when you look as certs in web browsers. They are a m

      • For one, the operating systems and apps do not treat keys and sigs as first-class objects; they always end up looking like inlined ASCII barf,

        Or you could install enigmail, which turns it into informative text [enigmail.net].

        Your use of "always" is fail, as usual

        • by Burz ( 138833 )

          I'll grant that Enigmail rectifies the display problem ...but Enigmail is neither the OS nor the application. By default, the uninitiated will see gross text and that is because (as I said) crypto isn't given first-class treatment in UIs.

          TB sans Enigmail could at a bare minimum parse the guard lines and fold the contents into something like the UI for attachments. Or it could just incorporate Enigmail functions in the main program.

      • I'd like to add that I hate PGP signatures in email messages, too.

        For one, the operating systems and apps do not treat keys and sigs as first-class objects; they always end up looking like inlined ASCII barf,,/quote>

        pgp-mime is supposed to be preferred over pgp-inline, at least for e-mail/newsgroups.

        or little text files that have no informative icon + tooltips or associated apps.

        For the e-mail client I use, they do have a little key icon and a tooltip that says
        Type: application/pgp-signature
        Size: xxx
        Description: OpenPGP Digital Signature"

        No application is assigned to them though, but I don't really need it in my e-mail application.

  • by Qbertino ( 265505 ) <moiraNO@SPAMmodparlor.com> on Wednesday February 25, 2015 @06:53AM (#49125903)

    I was saying all this 14 years ago.
    FOSS Encryption is a mess. It is basically impossible for a regular user to set up encrypted mail.
    I'm an expert, and I never even managed too. (The K-Mail crew basically lying about their GPG-features didn't help back then)

    Furthermore, the actual, underlying problem is E-Mail.

    That this piece of crap protocol/service could survive for so long totally amazes me. I remember using Fidonet and Crosspoint, back in the 90ies (which actually is a superiour solution to E-Mail) and then learning about E-Mail and thinking "Why is everybody using this and thinking it's great?".

    The fact that E-Mail is so shitty is the sole reason Facebook has north of a billion users - for the simple reason that Facebook actually is a *better* user experience than E-Mail. Think about that for a moment.

    Bottom line:
    E-Mail needs a complete redo/replacement with hard asymetric encryption and zero-fuss key handling and exchange built in as a core specification. Top-notch FOSS clients for all major platforms included. That this whole field is in such a sad and sorry state is to the largest part the fault of us, the FOSS community.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      ... *better* user experience than E-Mail.

      I wanted to post something on the Facebook pages about my town: A Facebook search which would bring up a couple of pages, I'd go to those pages, which would show a couple of associated pages. I'd click on join for each one and wait.

      Then I went to the phone-book: Type in the town and a selection criteria; all the names appear, with a large percentage showing email addresses. I could immediately push my post to a large percentage of my target audience.

      Facebook may be a better experience (Aside: I disagre

    • by AmiMoJo ( 196126 ) *

      Enigmail is very easy to install and use in Thunderbird, and there are similarly easy plug-ins for other popular mail clients. It really isn't hard to set up and use at all.

      What is holding adoption back is webmail. Until someone comes up with a really good solution for webmail the number of users will never get above some subset of the small minority who still use email clients.

      • by wierd_w ( 1375923 ) on Wednesday February 25, 2015 @08:15AM (#49126199)

        webmail is ideologically incompatible with the very notion of secure communication that using encryption embodies.

        To whit--

        A webmail service holds not only the inbox itself, but also holds the contact list, and the presentation code. If one were to integrate encryption as well, then the webmail service would also have to manage keys, both private and public. Handing out BOTH keys is the very essence of insecure, but would be necessary. (The webmail service would need the private key to decrypt messages sent to you, coded with your public key, so it can display them! It would also need your public key if you wanted to read what was in your "sent" folder.) It would also need to hold all the public keys of all your contacts.

        That's just one national security letter away from "Oh, sorry, we gave all those keys we had on file to the NSA, and couldnt tell you about it!" and one data breach away from a massive chain of trust catastrophe by identiy thieves (or worse).

        Webmail is fundamentally incompatible with the very idea of secure communication of this type. This is something that you simply CANT put "In the cloud", because the main feature of webmail is being able to check it anywhere you can use a web browser. That feature goes away if the service does security correctly, and security goes away if the feature is retained. (To keep the keys outside of the webmail service, the keys would have to be stored on trusted workstations, or on a personal keystore on a portable device, like a USB keyfob-- Not all places with browser access will have provisions for this, and the added complexity will make users pissy. Putting the keys on the webmail server side fixes that problem, but destroys the security model fundamentally.)

        • by AmiMoJo ( 196126 ) *

          There are secure webmail services where only the client can decrypt the message content. They are not perfect but the people running them are at least protected from being forced to decrypt messages since they don't have the keys.

          Of course, you lose two of the most valuable aspects of webmail. You can't log in from any random location because you need to have a copy of your key on you. The service probably won't be free, because the service provider can't datarape your email account.

          • by DarkOx ( 621550 )

            That isn't really any better. Either the client has to have software the webserver does not control ( and then its not web mail anymore ) or you a couple of minor alterations to the Javascript that runs the thing from the client just posting the private keys back up to the server or anywhere else.

            So if the service is compromised by an attacker be with an NSL or some technical means and they can alter the application even slightly you are totally boned.

            Either you need to personally be in control of the cont

        • webmail is ideologically incompatible with the very notion of secure communication that using encryption embodies.

          Not really.

          To whit--

          No. That's one whit, or to wit.

          Don't use words you don't understand. It helps. It really helps.

          A webmail service holds not only the inbox itself, but also holds the contact list, and the presentation code.

          The government already knows where you send your mail. They know where packets go over the internet. That's why they have taps at all the backbone providers, specifically so they can do that sort of thing.

          • The pedant pedant's antecedant was to see the point but fail to heed it.

            Or

            How getting bent out of shape over a simple and common mispelling exposes you as little more than a jackass that cant parse slightly malformed inputs.

            ------------

            The government most certainly does track that messages were sent, and to what mail servers. (That's what they get at the backbone level). However, actually reading the messages sent requires a key. Correctly providing keys for security purposes implies a secure method of deli

            • How getting bent out of shape over a simple and common mispelling exposes you as little more than a jackass that cant parse slightly malformed inputs.

              You have to be spectacularly stupid to believe that someone can't parse malformed inputs when they provided the correct substitution. But I knew that about you.

              Putting the keys on the webmail server allows the NSA to send that central point of contact a single national security letter demanding those keys,

              And isn't required for encrypting webmail. Don't be such an idiot.

              • by wierd_w ( 1375923 ) on Wednesday February 25, 2015 @10:27AM (#49127257)

                And yet you contine to be bent out of shape about it. Fancy that.

                ----

                I already addressed this. TWICE.

                The option is binary. Either the webmail server has the keys, or the messages are decrypted on the client side using keys stored on the client side for presentation.

                If the keys are stored on the wemail server, the NSA can demand them.

                If the keys are stored on the client, then the main feature of webmail is broken.

                They keys have to be stored SOMEPLACE for the messages to be encrypted and decrypted. The primary statement in my postings has been that properly secured encrypted email is not compatible with the use case of webmail. Webmail's use case is "email access that is independant on client platform, as long as a suitable browser is present" As soon as you put the keys on the client side, this goes away, because now the browser has to probe the local filesystem for the key store, or the browser itself has to have the keystore. This has all the problems of Enigmail for Thunderbird, (Or the GPG plugins for any of the other capable mail clients out there.) The keys are stored on a trusted workstation, that you cant just lug around with you-- OR-- if stored on a keyfob, accessing those keys requires extra steps above and beyond just logging in and checking your mail. This breaks the use case for webmail.

                Rather than being an argumentative troll, you could explain your position instead of arguing impotently. Instead, you chose to complain about spelling mistakes, confabulate, and hurl ad-hominems.

                To return your trite quip, I already knew that this is what you would do. Resorting to arguments about improper grammar, spelling mistakes, or improper word use is the hallmark of somebody with nothing of real substance to contribute, who instead just likes to feel superior. Congratulations.

      • What is holding adoption back is webmail. Until someone comes up with a really good solution for webmail

        The solution is to use a proper e-mail client with your webmail service. I use gmail but I use it via IMAP with a real e-mail client.

    • If you're comparing email to Facebook then you have a completely miss-guided view of one of the two applications. They are nothing alike, don't target the same group, don't do the same thing, don't do it in the same way, and don't do it for the same purpose either.

      People have email to send text and small files around.
      People have Facebook to send a one line message attached to the bottom of a picture of dinner with an Instagram filter.

      Comparing the two is senseless. Facebook would actually have more in commo

    • I was saying all this 14 years ago.
      FOSS Encryption is a mess. It is basically impossible for a regular user to set up encrypted mail.
      I'm an expert, and I never even managed too. (The K-Mail crew basically lying about their GPG-features didn't help back then)

      First things first, there are easy button ways to create your keys. I used GPA for my first key, but that's deprecated/no longer used. We have KGPG and Seahorse now. (Seahorse might be the Passwords & Keys application in your menu)

      But it's not that hard to do it on the command line. All you do is:

      [code]
      gpg --gen-key
      [/code]

      Then follow the prompts/instructions, which are actually fairly clear with reasonable defaults.

      Then you need an e-mail client with good support for it. I personally recommend eit

  • by account_deleted ( 4530225 ) on Wednesday February 25, 2015 @06:55AM (#49125911)
    Comment removed based on user account deletion
  • by gjh ( 231652 ) on Wednesday February 25, 2015 @06:55AM (#49125913)

    This isn't entirely a mystery. For a technology to be widely adopted, it needs to be easy for everyone and provide demonstrable benefits. OR, it needs to provide benefits for a business who already has your custom. And there we begin to see the problem. There are two massive disincentives:

    - Crypto doesn't play well with webmail
    - Encrypted email can't be scanned for advert keywords

    So you will never see the likes of Google or Microsoft championing this. Apple - just maybe, as they would rather promote devices, and I gather they actually DO have decent end to end crypto on iMessage and so on. But even then, it's VERY hard to do in a way that customers would actually appreciate. No-one wants to get email working 95% of the time. It needs to be 100%. If you can't read 5% of your email, you're in trouble. Or you can't read email on the 5% of time that you need to access from a borrowed PC.

    It seems to me that the keys to making this work are:

    - Concentrate on signing before crypto. Get banks to sign email. Have different security levels; get to a stage where by default, only signed email will download embedded images, make links clickable without a warning, etc..
    - Find a way to make it work with webmail. Can we do this with JS? Or do we need browser support? End to end crypto It would require a way for a part of a page to be sandboxed, accept a secret to decrypt your keys, and not allow the plaintext info out. End to end signing is a little easier. This might also include retrieving the private keys from a distinct cloud service.
    - Solve the centralized trust issue. Probably derive a format from S/MINE rather than GPG for email, but critically, signing of certs needs a community trust system so you can see who trusts who, and people can get their identities signed by people they know.

    Finally, if that's widely deployed for signing then people can begin to encrypt with a hope of the other end being able to decrypt.

    • "End to end [github.com]" is a project which creates that sandbox you speak about.
      Also, see its "gossip protocol [github.com]" wiki page on how to solve the key distribution issue.

    • by jbolden ( 176878 )

      I've always thought the best people to handle community signatures is banks. Banks are already trusted. Banks are used to and setup for verifying identity. Generate a key on USB and submit to a bank which verifies your real life keys for a marginal fee. They could also optionally store a copy of the private key for you in case of loss.

      For not tied to your real life accounts... there is no need for verification the email provider can just self sign.

      • Re: (Score:3, Interesting)

        by Anonymous Coward

        I've always thought the post office would be a great place to get your keys signed.

    • - Crypto doesn't play well with webmail
      - Find a way to make it work with webmail.

      It does already work with webmail, if you use a proper e-mail client to access your webmail, which is what people should be doing anyway.

    • As you point, out, the way we use email has changed. I could try to set up gpg again, but I'm much less likely to do so now, even though I feel the need for encryption more strongly than ever.. Fifteen years ago I accessed my email through an email program on one computer. I now use webmail almost exclusively (when using PCs) and/or any number of different mobile device clients to get to my email. I don't even know how I would approach trying to set up an encrypted email system that works on 'everything' fr
    • by Tom ( 822 )

      - Crypto doesn't play well with webmail

      But you've heard of Hushmail, yes?

      We have the technology. If we want, we can make strong crypto work. Problem is that most of the big players with the money to make it happen don't want, and the small guys either don't understand the technology and complexity (users) or are incapable of making it actually usable (techies).

  • by DrXym ( 126579 ) on Wednesday February 25, 2015 @07:41AM (#49126051)
    The first mistake made by email clients is they added support for a broken-by-design protocol called S/MIME which used asymmetric encryption through the entire message and was thus cripplingly slow. The ciphers were also covered by patents and had weak key lengths. Messages were signed with a cert like https, and were required to be signed by a CA. And you couldn't get a key unless you paid a CA for one. Oh and keys expired meaning you might have multiple dead keys to maintain if you wanted to open an old email. And no email client or ISP actually offered to give you a key or set you up with one so you had to figure this all out for yourself. And functionality like search / filtering broke on encrypted mail because the client never bothered to maintain an encrypted index of the plaintext that could have allowed it to work.

    Then PGP / GPG solved a lot of this bullshit, starting with generating keys for free but email clients never bothered to give it proper support. Instead they offered up some plugin APIs and unsurprisingly PGP / GPG ended up with half assed implementations too. Even fairly good extensions like Enigmail didn't integrate with the client as closely as they should.

    And by this point cloud based email took off and crypto fell by the way side. If you want to use crypto in GMail then you have to cut and paste and clearly it's too much effort.

    So I really don't blame GPG here. If the first thing an email did during setup was ENCOURAGE a user to create a key; and by default published that key; and attached the key sig to outgoing emails; and automatically looked up incoming email addresses; and automatically encrypted content when all recipients had their own key; and didn't hobble functionality for any of this (e.g. search still worked). THEN this wouldn't even be a problem. Encryption would have been the default and it would be an irrelevance if it was PGP or GPG was under the covers.

    • The first mistake made by email clients is they added support for a broken-by-design protocol called S/MIME which used asymmetric encryption through the entire message and was thus cripplingly slow.

      Who says it uses asymmetric encryption through everything? It makes up a symmetric key, and encrypts only that key with the public keys of all recipients.

    • The first mistake made by email clients is they added support for a broken-by-design protocol called S/MIME which used asymmetric encryption through the entire message and was thus cripplingly slow.

      Slow? Who gives a shit? We're talking about email. I have never noticed the time it takes to encrypt anything, actually. Not even a little bit. The only time I've never noticed being taken by encryption was during key generation.

      You're right about how PGP/GPG didn't do enough for integration. That is sad.

      • by DrXym ( 126579 )
        You might not give a shit now but 15 years ago, the speed of S/MIME was so cripplingly slow it DID matter.
    • If you want to use crypto in GMail then you have to cut and paste and clearly it's too much effort.

      You don't have to cut and paste...if you access your Gmail with a real e-mail client over IMAP or POP3, which is what you should be doing anyway...no advertisements that way.

  • Metadata (Score:3, Insightful)

    by Meneth ( 872868 ) on Wednesday February 25, 2015 @07:53AM (#49126115)
    GPG is nearly useless because it doesn't protect metadata. A properly secure communication system should prevent all attackers from learning:
    • Sender
    • Recipient
    • Subject
    • Timestamp
    • Message length
    • The fact that a message was sent.

    In short, everything except the fact that you're using the system.

    • Re:Metadata (Score:5, Insightful)

      by Zero__Kelvin ( 151819 ) on Wednesday February 25, 2015 @07:57AM (#49126129) Homepage
      You clearly don't understand what GPG does, what Metadata is, what the phrase "nearly useless" means, or all three. You may as well have claimed that the 4th amendment is pretty useless because they can still see who lives there, and who enters and leaves the premises.
    • by gjh ( 231652 )

      You underestimate the value of signing. It's not all about secrecy.

    • by ledow ( 319597 )

      To protect the metadata of the recipient is daft. How are intermediary servers ever supposed to know? And if you and the other end of the connection both set up a connection and know who it's for, that blows out the "fact that a message was sent" before you start.

      Message length is also stupid to try to hide. Sure, it may not be exact but if I send a 200Mb email and you send 20 characters, how are you supposed to encrypt those to be indistinguishable without literally padding to the nearest 200Mb? And pa

"The following is not for the weak of heart or Fundamentalists." -- Dave Barry

Working...