12 votes

The PGP Problem

9 comments

  1. mrnd
    (edited )
    Link
    While I appreciate the article actually offering the alternatives, it's very sad to me that they're practically all centralized offerings. There's really nothing for communication that's free...

    While I appreciate the article actually offering the alternatives, it's very sad to me that they're practically all centralized offerings.

    There's really nothing for communication that's free software, decentralized/open protocol and with good crypto. Maybe Matrix gets there at some point, but it's not really ready yet. And they really would need to make encryption mandatory to qualify for this discussion.

    Besides, the recommended alternatives (Signal etc) don't even try to do key verification beyond trust-on-first-use. If web-of-trust doesn't work, there needs to be something better, not worse. Keybase with its social media proofs seems like a right direction, but even it is centralized. My best hope is that projects like Sequoia can innovate in this space.

    6 votes
  2. [3]
    acdw
    Link
    I don't really know anything about PGP or cybersecurity. I mean, I've heard of PGP and GPG, I've set up gpg-agent on my computers, and I have some keys floating around keyservers, but I don't ever...

    I don't really know anything about PGP or cybersecurity. I mean, I've heard of PGP and GPG, I've set up gpg-agent on my computers, and I have some keys floating around keyservers, but I don't ever use PGP. I really like reading these kinds of articles (and it seems like there's been a lot of them lately) though, because they're really fascinating looks into a problem space that I know is important but is also mysterious, and I like reading people's strong opinions about those.

    4 votes
    1. [2]
      feigneddork
      Link Parent
      This is exactly why I shared it - over the years I kept hearing about PGP but not in a "oh this is so good you gotta try this out" but in more like "it exists if you want encryption/encrypted...

      This is exactly why I shared it - over the years I kept hearing about PGP but not in a "oh this is so good you gotta try this out" but in more like "it exists if you want encryption/encrypted emails". I always figured it was a really good security protocol that just went over my head but reading this has opened my eyes a bit.

      I'm glad you got something out of it too, like I did!

      3 votes
      1. acdw
        Link Parent
        Yeah, thanks for sharing! The one problem with the space now is that, for the layperson (anyone who isn't a crypto expert), there's no "one-stop shop" to make everything "safe" -- and as someone...

        Yeah, thanks for sharing! The one problem with the space now is that, for the layperson (anyone who isn't a crypto expert), there's no "one-stop shop" to make everything "safe" -- and as someone on the discussion for this post elsewhere mentioned, there's no solution for email. And I personally don't want to use Signal, since I've heard some sketchy things about it, which means I'm not sure what to use messaging-wise.

        3 votes
  3. [5]
    HanakoIsBestGirl
    Link
    Can someone explain to me how pgp is actually insecure though? This article seems to suggest that the cryptography itself is flawed and can be broken. The usability and compatibility points are...

    Can someone explain to me how pgp is actually insecure though? This article seems to suggest that the cryptography itself is flawed and can be broken.

    The usability and compatibility points are valid.

    Use Signal. Or Wire, or WhatsApp

    WhatsApp? Seriously? It's owned by Facebook and is non-free, no thanks.

    4 votes
    1. cfabbro
      (edited )
      Link Parent
      If you're curious about the reasons why PGP is considered fundamentally flawed, there is pretty much no better source than cryptographer/Prof. Matthew Green's related blog posts:...

      If you're curious about the reasons why PGP is considered fundamentally flawed, there is pretty much no better source than cryptographer/Prof. Matthew Green's related blog posts:

      https://blog.cryptographyengineering.com/2014/08/13/whats-matter-with-pgp/
      https://blog.cryptographyengineering.com/2018/05/17/was-the-efail-disclosure-horribly-screwed-up/

      And there was also a decent summary of all the issues written on Github by RJH, a prominent OpenPGP/GnuPG contributor who was one of the targets of the recent SKS keyserver network poisoned certificate attack:
      https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f

      The HN post on the above write-up also has a bunch more related info too:
      https://news.ycombinator.com/item?id=20312826

      4 votes
    2. [3]
      feigneddork
      Link Parent
      I mean, surely that is the reason why it is insecure? If I'm making a cryptograpy tool which relies on insecure crytography by default, then it is essentially insecure unless I go out of my way to...

      Can someone explain to me how pgp is actually insecure though? This article seems to suggest that the cryptography itself is flawed and can be broken.

      I mean, surely that is the reason why it is insecure? If I'm making a cryptograpy tool which relies on insecure crytography by default, then it is essentially insecure unless I go out of my way to secure it. And one could argue that if you go through the hoops then you can use PGP, but I think this article is aimed at newbies such as myself who aren't up to date on the security world but is trying to keep a pulse on it. And for people like myself, having someone explain "don't bother using email for secure messaging" and explaining why is really helpful.

      1 vote
      1. [2]
        HanakoIsBestGirl
        Link Parent
        Sorry I don't understand? By "that" do you mean the cryptography is flawed or are you talking about me mentioning the usability and compatibility.

        I mean, surely that is the reason why it is insecure?

        Sorry I don't understand? By "that" do you mean the cryptography is flawed or are you talking about me mentioning the usability and compatibility.

        1 vote
        1. feigneddork
          Link Parent
          Sorry, I meant the cryptography is flawed and can be broken in PGP, as the article explains.

          Sorry, I meant the cryptography is flawed and can be broken in PGP, as the article explains.

          1 vote