Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Encryption Security Software

PGP Turns 30 (philzimmermann.com) 50

prz writes: PGP just hit its 30th birthday. Before 1991, the average person had essentially no tools to communicate securely over long distances. That changed with PGP, which sparked the Crypto Wars of the 1990s. "Here we are, three decades later, and strong crypto is everywhere," writes PGP developer Phil Zimmermann in a blog post. "What was glamorous in the 1990s is now mundane. So much has changed in those decades. That's a long time in dog years and technology years. My own work shifted to end-to-end secure telephony and text messaging. We now have ubiquitous strong crypto in our browsers, in VPNs, in e-commerce and banking apps, in IoT products, in disk encryption, in the TOR network, in cryptocurrencies. And in a resurgence of implementations of the OpenPGP protocol. It would seem impossible to put this toothpaste back in the tube."

He continues: "Yet, we now see a number of governments trying to do exactly that. Pushing back against end-to-end encryption. [...] The need for protecting our right to a private conversation has never been stronger. Many democracies are sliding into populist autocracies. Ordinary citizens and grassroots political opposition groups need to protect themselves against these emerging autocracies as best as they can. If an autocracy inherits or builds a pervasive surveillance infrastructure, it becomes nearly impossible for political opposition to organize, as we can see in China. Secure communications is necessary for grassroots political opposition in those societies."

"It's not only personal freedom at stake. It's national security," says Zimmermann. "We must push back hard in policy space to preserve the right to end-end encryption."
This discussion has been archived. No new comments can be posted.

PGP Turns 30

Comments Filter:
  • Congratulations! (Score:5, Insightful)

    by gweihir ( 88907 ) on Monday June 07, 2021 @07:13PM (#61464340)

    It is pretty rare for somebody to make this much difference in the world. Learned a lot from the original PGP manual too. Thanks!

  • by Impy the Impiuos Imp ( 442658 ) on Monday June 07, 2021 @07:17PM (#61464348) Journal

    Many democracies are sliding into populist autocracies.

    This is the most important sentence you will read this decade. Maybe since the end of WWII.

  • by JcMorin ( 930466 ) on Monday June 07, 2021 @07:17PM (#61464352)
    It's great to see something after 30 years still fighting for a very noble cause!
  • Unfortunately... (Score:4, Interesting)

    by emil ( 695 ) on Monday June 07, 2021 @07:19PM (#61464360)
    ...PGP has not aged well. The original ciphers are deprecated to the point of danger, the interface feature creep easily traps the unwary, and cleaner designs are easily found. Why go back to IDEA, as I would have to on CentOS 7? https://latacora.micro.blog/20... [micro.blog]
    • Re:Unfortunately... (Score:5, Informative)

      by mamba-mamba ( 445365 ) on Monday June 07, 2021 @08:06PM (#61464478)

      By my reading, the point is not to use PGP as written 30 years ago. The point is that strong crypto and end-to-end encryption in the hands of ordinary users is more important than ever. And the threat from autocratic governments is growing. Therefore there is need to be vigilant and fight the good fight on strong end-to-end encryption.

      • Re: (Score:3, Informative)

        by AmiMoJo ( 196126 )

        Indeed, back in the early 70s public key crypto was known to the British intelligence services but not to the public. Diffie and Hellman then independently discovered the same thing and finally Zimmerman created PGP, the first practical application implementing it that was available to the public.

        Zimmerman was an anti-nuclear activist and intended PGP for use by activists from the start. He was willing to stand up to the government investigation and take considerable risks to thwart their attempt to preven

    • by Anonymous Coward on Monday June 07, 2021 @08:13PM (#61464492)

      The blog is written by someone that has a drum to beat, either by wanting to move people to platforms that are monetized, or with encryption that is not separable from the transport mechanism.

      Yes, PGP is old... but it has been proven and audited secure enough. You don't have to use IDEA, and it supports modern algorithms like ED25519. Yes, GnuPG has its issues, but it is F/OSS, and if one doesn't like it, then one can donate to the developers, or fork something. PGP does need something like forward secrecy, and the key server code needs a facelift to minimize denial of service attacks. But the perfect is the enemy of the good here.

      PGP and GPG do one thing that most of the .com people don't like: It separates the encryption of the message from the transport layer. I can send a PGP message via email, Signal, stuff the file in a S3 public bucket, post it on USENET under alt.anonymous.messages, or create a QR code. The actual message contents are secure no matter what. The problem is that so many companies want to own that last-mile encryption layer, so they can either monetize it, see what it in the file either directly via "bugs", or indirectly via metadata.

      PGP also allows for a web of trust. No other security program does this. SSL is built on having a root that is 100% trustworthy, which has been proven to be a faulty framework over and over again, while PGP's web of trust has stood the test of time, where if you have doubts about a public key, you can try several sources, and if you are 100% sure, you can sign the key, and other people can take your word. This is a LOT more secure than the "just STFU and trust us" which is the entire SSL/TLS model. This also is something the big money guys hate, because there is no single point of failure in a web of trust, and that one doesn't need to pay big bucks to some random joe with a root certificate to sign a PGP/gpg key.

      Yes, PGP/gpg show their age, but they do something that a lot of well-moneyed interests want to kill off with fire... and that is to bring distributed freedom and security to the masses. PGP did this 30 years ago (ever see the garbage out back then? Hell, stuff trying to use "DES" only used 1-2 rounds at most... if they even used DES, and not some encryption just hacked up.) PGP continues to do the same thing now. Don't like it, write a new standard that can do what OpenPGP does.

      tl;dr, OpenPGP isn't perfect, but it offers privacy and distributed protection in a world of "security has no ROI" companies and "just trust us... ooops" security issues.

      • Re:Unfortunately... (Score:4, Interesting)

        by The Evil Atheist ( 2484676 ) on Monday June 07, 2021 @09:09PM (#61464620)

        because there is no single point of failure in a web of trust

        Of course there is. You identify a target, beat them up and hold them somewhere secure, impersonate them to maintain the illusion of trust, and gather intel at your leisure.

    • Re: (Score:3, Insightful)

      by bwalzer ( 708512 )
      Something with an old algorithum in it somewhere is not automatically insecure. I have an MD5 command in my operating system. Is my operating system insecure? It would be virtually impossible for a modern day user to somehow use IDEA in a contemporary OpenPGP based system without meaning to. The old "The PGP Problem" article comes up often enough that I generated a critique that I can link to to save time:

      The PGP Problem: A Critique [59.ca]

    • The original ciphers are deprecated to the point of danger

      I really don't think you mean the original. [wikipedia.org]

  • by Beeftopia ( 1846720 ) on Monday June 07, 2021 @08:10PM (#61464486)

    There is a usability crisis in encryption. Everything around the encryption user interface needs help. The layperson has no idea about any of this stuff. It's the vaguest of black boxes.

    The crypto nerds are happy but no one else is.

    If there's going to be broader adaption of encryption, it has to:
    1) Be gamified and
    2) The gamification concepts standardized

    Think Windows Explorer or any other desktop environment. It took the command line directory listing for a user's home directory and turned it into this wacky desktop view, turning directories into folders, introducing drag and drop, the recycle bin, etc. That's the way to improve usability. Encryption needs that. Explaining it in terms of logarithms and exponents doesn't really help the layperson.

    • Think about HR emailing people's personal information, SSNs, passports, bank account numbers.

      Think about the front desk nurse / receptionist at the doctor's office scanning in your personal information and putting it in email.

      A field investigator for high level clearances putting your personal information in email.

      Executives trading corporate secrets over all kinds of communication channels.

      The lack of tech savvy of these groups cannot be overstated. Yet they are sharing so much key information. This is why

      • And here's where I think an answer may lie: take encryption from the purely software world and make it hardware.

        Like a private key that's actually a plastic key. It has a standard private key shape with a credit-card style number encoded in it.
        And a public key, that's another standard shape.
        A USB device that you have to plug the keys into.
        A software program that detects the device and keys.
        Other people want you to have their public keys, they express snail-mail you a public key
        A software program that allows

      • Think about HR emailing people's personal information, SSNs, passports, bank account numbers.

        Think about the front desk nurse / receptionist at the doctor's office scanning in your personal information and putting it in email.

        A field investigator for high level clearances putting your personal information in email.

        Executives trading corporate secrets over all kinds of communication channels.

        The lack of tech savvy of these groups cannot be overstated.

        Agreed. That is why you now find security mandates instead of mere recommendations.

        In every single one of your examples, I can find a security mandate within that industry that turns every theoretical employee into an ex-employee.

        Every single one.

        Those who give a shit about privacy, will be employed in the future. Those who are THAT careless and could give a fuck about personal data, will be relegated to asking if you would like fries with that.

        • Agreed. That is why you now find security mandates instead of mere recommendations.

          In every single one of your examples, I can find a security mandate within that industry that turns every theoretical employee into an ex-employee.

          It has to be easy for the head of HR or for the doctor before they lean on their people to do it.

          • Agreed. That is why you now find security mandates instead of mere recommendations.

            In every single one of your examples, I can find a security mandate within that industry that turns every theoretical employee into an ex-employee.

            It has to be easy for the head of HR or for the doctor before they lean on their people to do it.

            Security violations can sometimes be easy. But in reality layers of monitoring should be set up so when these people screw up and create a violation, it is detected.

    • You are greatly overestimating the demand for that "black box", and the only true crisis going on right now, is the one around privacy. Or more specifically, getting the average layperson to respect and value it again.

      For that reason and that reason alone, I could give a shit how complex an encryption UI really is. The layperson either wants to learn it and figure it out because they still respect and want privacy, or they don't.

      Besides, the instant you try and make encryption idiot-proof, society will co

    • > The crypto nerds are happy but no one else is.

      No, we're really not.

      We're quite frustrated because most users, developers, and sysadmins are doing encryption wrong (or not at all) for exactly the reasons you mentioned.

      The interfaces suck. In some cases, that's because of fundamental problems that may be unsolvable. For example, if a user's files / data are encrypted totally transparently, with no effort from the user, and transparently decrypted for use with no effort by the user, they are are transpare

      • As an example, in games the items you seek are hidden in caves, which can only be unlocked with the key from sea serpent. You get 5,000 for finding the first item, but the second is harder to find.

        They are not handed you to in a nice folder structure, with a search bar at the top where you can type "ruby key" and just get it. :) Windows Explorer the exact opposite of gamification.

        • Realize it doesn't have to be a super-cool game. It can be an ultra mundane game, designed by a boring teacher. What the boring game does is to make the abstractions and tasks with those abstractions much easier to 1) understand and 2) execute.

          That's it. Nothing more. It's just supposed to make the abstractions and tasks less abstract and more concrete by creating visual representations and doing tasks with those visual representations.

          Think about git. And then think about git GUIs. Same kind of thing.

          IMO T

      • by Entrope ( 68843 )

        Gamificarion generally doesn't involve intentionally making something more difficult -- it's done for a task that is already difficult or tedious. Gamificarion is about attaching rewards (in the worst case, with enough randomness to trigger addictive behavior) to some behavior that is not inherently rewarding, to get people to do it more often or better.

        Whether that's a good trade-off for encryption, and who would be providing those rewards, is another question.

      • > Think Windows Explorer or any other desktop environment. It took the command line directory listing for a user's home directory and turned it into this wacky desktop view, turning directories into folders, introducing drag and drop, the recycle bin, etc. That's the way to improve usability

        Absolutely. And ... you used that as an example of *gamification*? I think you have a different definition of "gamification" than the rest of the world uses.

        With desktop environments, they took the output of "ls" or "

        • > By gamification, I mean creating simple visual representations (i.e. virtual objects)

          People like visual representations. One common term for that is "GUI".

          "Gamification" means making it a game; gamification involves challenges to earn points and competition.

    • by endus ( 698588 )

      Could not agree more.

      There was a point where there was a PGP implementation developed by...I think it was Norton, of all companies...that seemed like it might actually be creeping towards usability by the average person. It never quite got there and it has fallen off the map again.

      It's good that there are apps that are trying to incorporate end to end encryption, but I think there is still a pretty big gap out there for email and other messaging.

    • by AvitarX ( 172628 )

      I'm not sure that good encryption CAN be usable.

      I suspect that dataloss with the loss of a password (or physical key) counts as usable for the average person.

      Google sync does OK with their passphrase for the cloud storage (on passwords at least) and using Windows for local storage (so that if you reset the passkey you'll be OK if you still have access to the local computer).

      Encrypted data at rest seems to be handled pretty well as long as nobody loses their password and/or fob, it's not the user experience

  • I appreciate the historical signicance of PGP. But "tools for the average user?" No, not really.
    • I appreciate the historical signicance of PGP. But "tools for the average user?" No, not really.

      Well that's rather fitting for society today, since privacy isn't for the average narcissist anyway.

  • PGP turns 30 (Score:5, Insightful)

    by Rosco P. Coltrane ( 209368 ) on Monday June 07, 2021 @09:13PM (#61464626)

    and the 30 year olds of today just don't give a shit about privacy anymore. How ironic.

  • Well .. I tried to post a PGP public key but was stopped by the Slashdot ascii art filter.

  • If I may say, nonsense. cryptography dates back millennia, and the "one-time pad" has always worked well. It's burdensome to transfer the pad to the recipient. PGP wasn't unheard of technologically, it was publicly available, easy to use, required no more than typical computing power when published.

    • PGP wasn't unheard of technologically, it was publicly available, easy to use, required no more than typical computing power when published.

      Perhaps the concept of encryption wasn't unheard of, but I'd put money on the fact that out of 100 randos grabbed off the street, 95 of them have probably never heard of PGP, and don't have a clue what it is.

  • by DrXym ( 126579 ) on Tuesday June 08, 2021 @05:02AM (#61465260)
    End to end encryption does stop governments from eavesdropping but it also emboldens criminals and causes them to make stupid mistakes. For example, by them flocking onto some dodgy crypto service, or dark web which then becomes rich target for law enforcement to take down. But not before they've compromised the service and been listening on it for a very long time to build a list of perps to snatch. We've seen that repeatedly happen and it will continue to happen.
  • Funny how none of the cunts on the Notepad++ story has whinged here about Phil Zimmerman making his software political. Hint: the very notion of privacy, and also that privacy is a necessary right, is a POLITICAL position.
  • "Cryptonomicon," by Neal Stephenson is 22 years old now. *startled look*
  • I still think, that any politician who is pushing for "the people" to be denied access to secure, encrypted, internet communications, should be the first to be banned from being able to use SSL/TLS for things like their online banking, email, etc. Then, lets see how long they keep spewing their nonsense.

    Many of the leaders (well, politicians, as they can't really be called leaders as they truly believe "tis for thee, not for me") cannot understand that correlation does not imply causation.

    Criminals use enc

One small step for man, one giant stumble for mankind.

Working...