Re: [liberationtech] 10 reasons not to start using PGP
On 11/10/13 01:14, carlo von lynX wrote:
>> No one anywhere has solved the problem of asynchronous, forward-secret group cryptography.
>
> I think you have to be a bit opportunistic about it. Briar does it somehow, if I understood correctly.

Yes and no. I think Elijah's referring to the problem of encrypting a message to a group of recipients, so that any recipient can decrypt it up until a certain time, and nobody can decrypt it after that. We haven't solved that problem, but we do have a different solution for asynchronous forward-secret group communication. No crypto innovation is involved, it's just a matter of group members disseminating the message over forward-secret pairwise links.

I think Retroshare might do the same... but who knows? ;)

Cheers,
Michael

--
Liberationtech is public archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] 10 reasons not to start using PGP
Gregory Maxwell:
> My other big technical complaint about PGP is (3) in the post, that every encrypted message discloses what key you're communicating with. PGP easily _undoes_ the privacy that an anonymity network like tor can provide. It's possible to use --hidden-recipient but almost no one does.

i am often a bit confused as to why people take issue with the fact that gpg/pgp isn't anonymous. i don't recall the technology ever being proposed as such. rather, effort was made to have mechanisms to verify the identity of a sender. however, if one creates an identity and keypair that has only been used over tor, what's the problem? creating and maintaining anonymity is an entirely different subject that gpg/pgp was not created to address.

i'm going to have to cosign with jillian and others who took issue with this list. i don't think it provided good reasons to not use gpg/pgp. in fact, i struggled with figuring out what threat models the author was addressing in the various points, as it jumped around a bit without providing much detail. that lack of detail made the conclusion a bit irresponsible.
Re: [liberationtech] 10 reasons not to start using PGP
On Fri, Oct 11, 2013 at 10:24 AM, Tempest temp...@tushmail.com wrote:
> Gregory Maxwell:
>> My other big technical complaint about PGP is (3) in the post, that every encrypted message discloses what key you're communicating with. PGP easily _undoes_ the privacy that an anonymity network like tor can provide. It's possible to use --hidden-recipient but almost no one does.
>
> i am often a bit confused as to why people take issue with the fact that gpg/pgp isn't anonymous. i don't recall the technology ever being proposed as such. rather, effort was made to have mechanisms to verify the identity of a sender. however, if one creates an identity and keypair that has only been used over tor, what's the problem? creating and maintaining anonymity is an entirely different subject that gpg/pgp was not created to address.

Security is a complicated subject. The exact properties you need to be secure depend on your threat model. You add encryption via PGP because you know you need encryption in order to be secure against your threat model. But without it being very obvious PGP has written a long term identity fingerprint encoded in the opaque base64 data which distinguishes your messages by recipients. This long term identity key can _increase_ your vulnerability to traffic analysis over using nothing at all. It does so invisibly to many users. It may be a very bad thing for your threat model.

I think communications security tools ought to avoid increasing vulnerability to any common threats to the greatest extent that they can, and when they must compromise they should make it obvious. Both for non-repudiation and resistance to traffic analysis PGP dramatically reduces user security and does so in a way which is not obvious to any except the most advanced users.

Both of these could be fixed with basically no user impact: Make hidden-recipient the default and allow optional clear-text recipient list on ascii armored output; add an authentication mode which is used by default instead of signing for encrypted messages that uses ring signatures (and don't allow unauthenticated encryption, geesh).

> effort was made to have mechanisms to verify the identity of a sender

PGP actually has no mechanism for that. That's authentication. Instead PGP substitutes non-repudiation for that purpose, which is a superset of authentication which reduces security in many situations. PGP provides basically no way for me to convince you that I'm the author of a message without also making it possible for you to prove it to the whole world. Sometimes you want this— for contracts and such— but usually you just want authentication.

> if one creates an identity and keypair that has only been used over tor

Say you are a famous anonymous developer that creates software for dissidents to help them connect to tor. You have a nice anonymous key that is well known to belong to you. Do you think any of your users should want to send you email to anonymous one time use tech support mailboxes using that key, provably showing they were communicating to you to anyone who can monitor their email? Do you think your users will even realize that sending you messages will expose them?
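The point made in the message above, that each encrypted message names the key it is encrypted to unless the sender used --hidden-recipient, can be checked on your own output before sending. The following is an added example, not code from the thread or from GnuPG: a small reader for the RFC 4880 packet framing that lists the key ID in each Public-Key Encrypted Session Key packet. The key ID `1122334455667788`, the two sample messages and all function names are constructed for illustration.

```python
import base64

PKESK_TAG = 1                 # Public-Key Encrypted Session Key packet (RFC 4880, 5.1)
WILDCARD_KEY_ID = bytes(8)    # all-zero key ID: recipient not named in the packet


def dearmor(text):
    """Return the binary packets inside one ASCII-armored block."""
    lines = [l.strip() for l in text.strip().splitlines()]
    start = next(i for i, l in enumerate(lines) if l.startswith("-----BEGIN PGP"))
    end = next(i for i, l in enumerate(lines) if l.startswith("-----END PGP"))
    body = lines[start + 1:end]
    if "" in body:            # armor headers (Version:, Comment:) end at a blank line
        body = body[body.index("") + 1:]
    # A line starting with '=' is the optional CRC24, not packet data.
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))


def iter_packets(data):
    """Yield (tag, body) for each packet; stop at the first streamed packet."""
    pos = 0
    while pos < len(data):
        first = data[pos]
        if not first & 0x80:
            raise ValueError("not an OpenPGP packet header at offset %d" % pos)
        pos += 1
        if first & 0x40:                      # new-format header
            tag = first & 0x3F
            o1 = data[pos]
            if o1 < 192:
                length, pos = o1, pos + 1
            elif o1 < 224:
                length, pos = ((o1 - 192) << 8) + data[pos + 1] + 192, pos + 2
            elif o1 == 255:
                length, pos = int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
            else:                             # partial body length (data packets)
                yield tag, data[pos:]
                return
        else:                                 # old-format header
            tag = (first >> 2) & 0x0F
            length_type = first & 0x03
            if length_type == 3:              # indeterminate length: runs to the end
                yield tag, data[pos:]
                return
            n = (1, 2, 4)[length_type]
            length = int.from_bytes(data[pos:pos + n], "big")
            pos += n
        if pos + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[pos:pos + length]
        pos += length


def recipients(data):
    """List what the PKESK packets reveal to anyone who holds the ciphertext."""
    found = []
    for tag, body in iter_packets(data):
        if tag != PKESK_TAG or len(body) < 10:
            continue
        key_id = body[1:9]                    # version(1) | key ID(8) | algorithm(1)
        found.append({
            "version": body[0],
            "key_id": key_id.hex().upper(),
            "pubkey_algo": body[9],
            "hidden": key_id == WILDCARD_KEY_ID,
        })
    return found


# --- constructed sample input (not real ciphertext) ---------------------
def _pkesk(key_id, new_format):
    # version 3, key ID, algorithm 1 (RSA), then a dummy 8-bit MPI
    body = bytes([3]) + key_id + bytes([1]) + b"\x00\x08\xAA"
    header = 0xC0 | PKESK_TAG if new_format else 0x80 | (PKESK_TAG << 2)
    return bytes([header, len(body)]) + body


def armor(data):
    return ("-----BEGIN PGP MESSAGE-----\nVersion: constructed sample\n\n"
            + base64.b64encode(data).decode()
            + "\n-----END PGP MESSAGE-----\n")


SAMPLE_KEY_ID = bytes.fromhex("1122334455667788")
_ENCRYPTED_DATA = bytes([0xC0 | 18, 5]) + b"\x01\xDE\xAD\xBE\xEF"   # tag 18 stub
DEFAULT_MSG = _pkesk(SAMPLE_KEY_ID, new_format=False) + _ENCRYPTED_DATA
HIDDEN_MSG = _pkesk(WILDCARD_KEY_ID, new_format=True) + _ENCRYPTED_DATA

if __name__ == "__main__":
    for name, msg in (("default", DEFAULT_MSG), ("hidden-recipient", HIDDEN_MSG)):
        for entry in recipients(dearmor(armor(msg))):
            print(name, entry)
```

Both sample messages still parse as OpenPGP; only the first names its recipient key, which is the difference the message above describes.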
Re: [liberationtech] 10 reasons not to start using PGP
On Thu, Oct 10, 2013 at 3:23 PM, carlo von lynX l...@time.to.get.psyced.org wrote:
> We had some debate on this topic at the Circumvention Tech Summit and I got some requests to publish my six reasons not to use PGP. Well, I spent a bit more time on it and now they turned into 10 reasons not to. Some may appear similar or identical, but actually they are on top of each other. Corrections and religious flame wars are welcome. YMMV.

I love the detail put into this but I think it's a poorly delivered message for multiple reasons:

1) It puts an over-abundance of faith in toolsets in opening and closing "You have to get used to learning new software frequently." Realistically if this was a toolsets problem then EFF and EPIC wouldn't exist - it's not. It's a problem of State that can only be fought through OPSEC, policy, and risk management. Since it's not entirely reasonable to have end-users living the spook lifesystem then it leaves ~policy~ as the best out for end-users with tools (like PGP) being the defensive linemen.

2) Combined with (1) - then providing no immediate alternative - it creates the environment in which snake oil fills the gaps. Then we're back out fighting the snakeoil because we were too busy eating our young (or old in this case) to pay attention to the collateral damage to our end-users.

3) It groups multiple problem sets into the responsibility domain of PGP - when it/they don't have to be, perhaps even undesirable to be so (from both technical and sociological viewpoints).

So in terms of broad proclamations I think it's prudent to keep those at a policy level - and the rest behind transparent but loosely narrow doors until the collective geekdom we can get traction on better alternatives.

-Ali
Re: [liberationtech] 10 reasons not to start using PGP
Gregory Maxwell:
> Do you think any of your users should want to send you email to anonymous one time use tech support mailboxes using that key, provably showing they were communicating to you to anyone who can monitor their email? Do you think your users will even realize that sending you messages will expose them?

a fair point. but one could significantly address this issue by hosting the public key on a tor hidden service. that would greater ensure that, in order to get your key, they would be using a system that protects against such threats. hardly an easy solution. but it can be solved with a little extra planning.
Re: [liberationtech] 10 reasons not to start using PGP
On Fri, Oct 11, 2013 at 12:10 PM, Tempest temp...@tushmail.com wrote:
> a fair point. but one could significantly address this issue by hosting the public key on a tor hidden service. that would greater ensure that, in order to get your key, they would be using a system that protects against such threats. hardly an easy solution. but it can be solved with a little extra planning.

Of course, if you can do this and the HS is secure, then you can just dispense with the PGP altogether.

You can work around the limitations I've pointed to here... You messages via hidden services without pgp at all.. or you can create per-recipient symmetric keys which you clearsign then encrypt with hidden-recipient to each person you want to talk to, then symmetrically encrypt your actual messages, and discard once a conversation is done.

But no one does, because it's hard, and some of PGP's downsides are subtle.
[liberationtech] 10 reasons not to start using PGP
We had some debate on this topic at the Circumvention Tech Summit and I got some requests to publish my six reasons not to use PGP. Well, I spent a bit more time on it and now they turned into 10 reasons not to. Some may appear similar or identical, but actually they are on top of each other. Corrections and religious flame wars are welcome. YMMV.

-- TEN REASONS NOT TO START USING PGP --

Coloured version at http://secushare.org/PGP

[01]Pretty Good Privacy is better than no encryption at all, and being [02]end-to-end it is also better than relying on [03]SMTP over [04]TLS (that is, point-to-point between the mail servers while the message is unencrypted in-between), but is it still a good choice for the future? Is it something we should recommend to people who are asking for better privacy today?

1. Downgrade Attack: The risk of using it wrong.

Modern cryptographic communication tools simply do not provide means to exchange messages without encryption. With e-mail the risk always remains that somebody will send you sensitive information in cleartext - simply because they can, because it is easier, because they don't have your public key yet and don't bother to find out about it, or just by mistake. Maybe even because they know they can make you angry that way - and excuse themselves pretending incompetence. Some people even manage to reply unencrypted to an encrypted message, although PGP software should keep them from doing so. The way you can simply not use encryption is also the number one problem with [05]OTR, the off-the-record cryptography method for instant messaging.

2. The OpenPGP Format: You might as well run around the city naked.

As Stf pointed out at CTS, thanks to its easily detectable [06]OpenPGP Message Format it is an easy exercise for any manufacturer of [07]Deep Packet Inspection hardware to offer a detection capability for PGP-encrypted messages anywhere in the flow of Internet communications, not only within SMTP. So by using PGP you are making yourself visible. Stf has been suggesting to use a non-detectable wrapping format. That's something, but it doesn't handle all the other problems with PGP.

3. Transaction Data: He knows who you are talking to.

Should Mallory not [08]possess the private keys to your mail provider's TLS connection yet, he can simply intercept the communication by means of a [11]man-in-the-middle attack, using a valid fake certificate that he can make for himself on the fly. It's a bull run, you know? Even if you employ PGP, Mallory can trace who you are talking to, when and how long. He can guess at what you are talking about, especially since some of you will put something meaningful in the unencrypted Subject header. Should Mallory have been distracted, he can still recover your mails by visiting your provider's server. Something to do with a PRISM, I heard. On top of that, TLS itself is being recklessly deployed without forward secrecy most of the time.

4. No Forward Secrecy: It makes sense to collect it all.

As Eddie has told us, Mallory is keeping a complete collection of all PGP mails being sent over the Internet, just in case the necessary private keys may one day fall into his hands. This makes sense because PGP lacks [12]forward secrecy. The characteristic by which encryption keys are frequently refreshed, thus the private key matching the message is soon destroyed. Technically PGP is capable of refreshing subkeys, but it is so tedious, it is not being practiced - let alone being practiced the way it should be: at least daily.

5. Cryptogeddon: Time to upgrade cryptography itself?

Mallory may also be awaiting the day when RSA cryptography will be cracked and all encrypted messages will be retroactively readable. Anyone who recorded as much PGP traffic as possible will one day gain strategic advantages out of that. According to Mr Alex Stamos that day may be closer than PGP advocates think as [13]RSA cryptography may soon be cracked. This might be true, or it may be counter-intelligence to scare people away from RSA into the arms of [14]elliptic curve cryptography (ECC). A motivation to do so would have been to get people to use the curves recommended by the NIST, as they were created using magic numbers chosen without explanation by the NSA. No surprise they are suspected [15]to be corrupted. With both of these developments in mind, the alert cryptography activist scene seems now to converge on [16]Curve25519, a variant of ECC whose parameters were elaborated mathematically (they are the smallest numbers that satisfy all mathematical criteria that were set forth). ECC also happens to be a faster and more compact encryption technique, which you should take
Re: [liberationtech] 10 reasons not to start using PGP
In my opinion, this makes about as much sense as telling people who are already having sex not to use condoms. Consider mine a critique of why this post makes almost no sense to and won't convince any member of the public. I'm sure some of the geeks here will have a field day with it, but some of it is barely in my realm of understanding (and while I'm admittedly not a 'geek', I've been working in this field for a long time, which puts me at the top rung of your 'average user' base).

TL;DR: This may well be a solid argument for convincing developers to implement better UIs, etc, but it doesn't work for its intended purpose, which seems to be convincing n00bs not to use PGP.

(Detailed snark in-line)

On Thu, Oct 10, 2013 at 12:23 PM, carlo von lynX l...@time.to.get.psyced.org wrote:
> We had some debate on this topic at the Circumvention Tech Summit and I got some requests to publish my six reasons not to use PGP. Well, I spent a bit more time on it and now they turned into 10 reasons not to. Some may appear similar or identical, but actually they are on top of each other. Corrections and religious flame wars are welcome. YMMV.
>
> -- TEN REASONS NOT TO START USING PGP --
>
> Coloured version at http://secushare.org/PGP
>
> [01]Pretty Good Privacy is better than no encryption at all, and being [02]end-to-end it is also better than relying on [03]SMTP over [04]TLS (that is, point-to-point between the mail servers while the message is unencrypted in-between), but is it still a good choice for the future? Is it something we should recommend to people who are asking for better privacy today?
>
> 1. Downgrade Attack: The risk of using it wrong.
>
> Modern cryptographic communication tools simply do not provide means to exchange messages without encryption. With e-mail the risk always remains that somebody will send you sensitive information in cleartext - simply because they can, because it is easier, because they don't have your public key yet and don't bother to find out about it, or just by mistake. Maybe even because they know they can make you angry that way - and excuse themselves pretending incompetence. Some people even manage to reply unencrypted to an encrypted message, although PGP software should keep them from doing so. The way you can simply not use encryption is also the number one problem with [05]OTR, the off-the-record cryptography method for instant messaging.

Okay, I'm not going to argue that PGP isn't hard or that people don't use it incorrectly at times. But would you say don't use condoms because they're ineffective sometimes? No, you would not. This is a reason to improve the UI of PGP/OTR for sure, but not a reason not to use it.

> 2. The OpenPGP Format: You might as well run around the city naked.
>
> As Stf pointed out at CTS, thanks to its easily detectable [06]OpenPGP Message Format it is an easy exercise for any manufacturer of [07]Deep Packet Inspection hardware to offer a detection capability for PGP-encrypted messages anywhere in the flow of Internet communications, not only within SMTP. So by using PGP you are making yourself visible. Stf has been suggesting to use a non-detectable wrapping format. That's something, but it doesn't handle all the other problems with PGP.

Okay, this part requires more explanation for the layman, methinks. It's not intuitive for a non-tech to understand.

> 3. Transaction Data: He knows who you are talking to.
>
> Should Mallory not [08]possess the private keys to your mail provider's TLS connection yet, he can simply intercept the communication by means of a [11]man-in-the-middle attack, using a valid fake certificate that he can make for himself on the fly. It's a bull run, you know?

You're not going to convince anyone with jargony talk.

> Even if you employ PGP, Mallory can trace who you are talking to, when and how long. He can guess at what you are talking about, especially since some of you will put something meaningful in the unencrypted Subject header.

Again, this is a call for better education around email practices, not for people to stop using PGP.

> Should Mallory have been distracted, he can still recover your mails by visiting your provider's server. Something to do with a PRISM, I heard. On top of that, TLS itself is being recklessly deployed without forward secrecy most of the time.
>
> 4. No Forward Secrecy: It makes sense to collect it all.
>
> As Eddie has told us, Mallory is keeping a complete collection of all PGP mails being sent over the Internet, just in case the necessary private keys may one day fall into his hands. This makes sense because PGP lacks [12]forward secrecy. The characteristic by which encryption keys are frequently refreshed, thus the private
Re: [liberationtech] 10 reasons not to start using PGP
Also, the premise of your argument, 10 reasons not to start, presupposes the truth of your argument, essentially begging the question. Not that it makes your other arguments invalid, but I cringed when I saw the title, and also laughed.

- Jason Gulledge

On Oct 10, 2013, at 9:40 PM, Jillian C. York jilliancy...@gmail.com wrote:
> In my opinion, this makes about as much sense as telling people who are already having sex not to use condoms. Consider mine a critique of why this post makes almost no sense to and won't convince any member of the public. I'm sure some of the geeks here will have a field day with it, but some of it is barely in my realm of understanding (and while I'm admittedly not a 'geek', I've been working in this field for a long time, which puts me at the top rung of your 'average user' base).
>
> TL;DR: This may well be a solid argument for convincing developers to implement better UIs, etc, but it doesn't work for its intended purpose, which seems to be convincing n00bs not to use PGP.
>
> (Detailed snark in-line)
>
> On Thu, Oct 10, 2013 at 12:23 PM, carlo von lynX l...@time.to.get.psyced.org wrote:
>> We had some debate on this topic at the Circumvention Tech Summit and I got some requests to publish my six reasons not to use PGP. Well, I spent a bit more time on it and now they turned into 10 reasons not to. Some may appear similar or identical, but actually they are on top of each other. Corrections and religious flame wars are welcome. YMMV.
>>
>> -- TEN REASONS NOT TO START USING PGP --
>>
>> Coloured version at http://secushare.org/PGP
>>
>> [01]Pretty Good Privacy is better than no encryption at all, and being [02]end-to-end it is also better than relying on [03]SMTP over [04]TLS (that is, point-to-point between the mail servers while the message is unencrypted in-between), but is it still a good choice for the future? Is it something we should recommend to people who are asking for better privacy today?
>>
>> 1. Downgrade Attack: The risk of using it wrong.
>>
>> Modern cryptographic communication tools simply do not provide means to exchange messages without encryption. With e-mail the risk always remains that somebody will send you sensitive information in cleartext - simply because they can, because it is easier, because they don't have your public key yet and don't bother to find out about it, or just by mistake. Maybe even because they know they can make you angry that way - and excuse themselves pretending incompetence. Some people even manage to reply unencrypted to an encrypted message, although PGP software should keep them from doing so. The way you can simply not use encryption is also the number one problem with [05]OTR, the off-the-record cryptography method for instant messaging.
>
> Okay, I'm not going to argue that PGP isn't hard or that people don't use it incorrectly at times. But would you say don't use condoms because they're ineffective sometimes? No, you would not. This is a reason to improve the UI of PGP/OTR for sure, but not a reason not to use it.
>
>> 2. The OpenPGP Format: You might as well run around the city naked.
>>
>> As Stf pointed out at CTS, thanks to its easily detectable [06]OpenPGP Message Format it is an easy exercise for any manufacturer of [07]Deep Packet Inspection hardware to offer a detection capability for PGP-encrypted messages anywhere in the flow of Internet communications, not only within SMTP. So by using PGP you are making yourself visible. Stf has been suggesting to use a non-detectable wrapping format. That's something, but it doesn't handle all the other problems with PGP.
>
> Okay, this part requires more explanation for the layman, methinks. It's not intuitive for a non-tech to understand.
>
>> 3. Transaction Data: He knows who you are talking to.
>>
>> Should Mallory not [08]possess the private keys to your mail provider's TLS connection yet, he can simply intercept the communication by means of a [11]man-in-the-middle attack, using a valid fake certificate that he can make for himself on the fly. It's a bull run, you know?
>
> You're not going to convince anyone with jargony talk.
>
>> Even if you employ PGP, Mallory can trace who you are talking to, when and how long. He can guess at what you are talking about, especially since some of you will put something meaningful in the unencrypted Subject header.
>
> Again, this is a call for better education around email practices, not for people to stop using PGP.
>
>> Should Mallory have been distracted, he can still recover your mails by visiting your provider's server. Something to do with a PRISM, I heard. On top of that, TLS itself is being recklessly deployed without forward secrecy most of the time.
>>
>> 4. No
Re: [liberationtech] 10 reasons not to start using PGP
While there are easy ways to mess up using PGP, I think that a more well-rounded approach is to be mindful of the ways that one can be de-anonymized (by others or themselves) while using it. People who don't have a holistic view of their security, and don't want to learn more about their actual threats and risks/rewards of encryption won't be well-served by PGP or OTR or full-disk encryption.

Without informed consent, encryption is meaningless. That is not to say that encryption is always meaningless.

~Griffin

On 10/10/2013 03:23 PM, carlo von lynX wrote:
> We had some debate on this topic at the Circumvention Tech Summit and I got some requests to publish my six reasons not to use PGP. Well, I spent a bit more time on it and now they turned into 10 reasons not to. Some may appear similar or identical, but actually they are on top of each other. Corrections and religious flame wars are welcome. YMMV.
>
> -- TEN REASONS NOT TO START USING PGP --
>
> Coloured version at http://secushare.org/PGP

--
Cypherpunks write code not flame wars. --Jurre van Bergen
#Foucault / PGP: 0xAE792C97 / OTR: sa...@jabber.ccc.de
My posts are my own, not my employer's.
Re: [liberationtech] 10 reasons not to start using PGP
Thank you for doing this work! The world needs someone facing the truth, explaining why gpg isn't the solution, advocating positive change. It's a communicative task, a very difficult one. As long there is gpg, most geeks don't see need to create better alternatives.

I'd say, gpg's development slowed down. They're qualified but standing in their own way. They should break compatibility with commercial PGP (not because that's good, just because it's easier to implement better solutions), also break compatibility with RFCs, implement better solutions and standardize later. The current first standardize, then maybe implement, and don't implement if it's not standardized approach is much too slow, can't keep up with real developments in real world. (Still don't even have mail subject encryption.)

If Bitmessage succeeds (I haven't learned much about it yet), and actually provides better protection than gpg, I am happy with that also if there isn't a RFC. If Bitmessage gets really popular, I am sure they'll somehow work things out and happen to standardize it later.

Sometimes I even think, if there wasn't gpg, new approaches had better chances reaching critical mass.

carlo von lynX:
> But what should I do then!??
>
> So that now we know 10 reasons not to use PGP over e-mail, let's first acknowledge that there is no easy answer. Electronic privacy is a crime zone with blood freshly spilled all over. None of the existing tools are fully good enough.

I am a gpg user myself, but must say that it has really awful usability. OTR has so much better usability, but it (yet?) can't be used to sign files or for higher latency communication (e-mail). I agree, the existing tools aren't remotely good enough.

> Thank you, PGP.

Thanks for acknowledging that.
Re: [liberationtech] 10 reasons not to start using PGP
10 reasons to give up, stop trying, hide in a corner, and die.
Re: [liberationtech] 10 reasons not to start using PGP
Interesting. But someone should also write a piece called "1 reason not to criticise security tech without clearly stating threat model which serves as basis for that criticism". What if Mallory isn't a well-funded governmental organization but is the admin who runs your employer's email servers?

This should actually be two lists: reasons not to use e-mail, and reasons not to use OpenPGP over e-mail.

Only reasons 2, 3, 4, 5, 7, 8 are really about OpenPGP (you should've stuck to 6 reasons not to use PGP), and at least three of them are really good reasons to look for alternatives. There are no good alternatives over e-mail: S/MIME unfortunately suffers from many of the same issues as OpenPGP, and then some more.

And reason #1 is something that the client should take care of (ideally with default settings), and not the encryption protocol. Why are you attacking OpenPGP and OTR for this?

And thank you so much for the comparative chart. It is *very* useful. Why doesn't telephony have SIP?

~ Pranesh

carlo von lynX [2013-10-10 15:23]:
> We had some debate on this topic at the Circumvention Tech Summit and I got some requests to publish my six reasons not to use PGP. Well, I spent a bit more time on it and now they turned into 10 reasons not to. Some may appear similar or identical, but actually they are on top of each other. Corrections and religious flame wars are welcome. YMMV.
>
> -- TEN REASONS NOT TO START USING PGP --
>
> Coloured version at http://secushare.org/PGP
>
> [01]Pretty Good Privacy is better than no encryption at all, and being [02]end-to-end it is also better than relying on [03]SMTP over [04]TLS (that is, point-to-point between the mail servers while the message is unencrypted in-between), but is it still a good choice for the future? Is it something we should recommend to people who are asking for better privacy today?
>
> 1. Downgrade Attack: The risk of using it wrong.
>
> Modern cryptographic communication tools simply do not provide means to exchange messages without encryption. With e-mail the risk always remains that somebody will send you sensitive information in cleartext - simply because they can, because it is easier, because they don't have your public key yet and don't bother to find out about it, or just by mistake. Maybe even because they know they can make you angry that way - and excuse themselves pretending incompetence. Some people even manage to reply unencrypted to an encrypted message, although PGP software should keep them from doing so. The way you can simply not use encryption is also the number one problem with [05]OTR, the off-the-record cryptography method for instant messaging.
>
> 2. The OpenPGP Format: You might as well run around the city naked.
>
> As Stf pointed out at CTS, thanks to its easily detectable [06]OpenPGP Message Format it is an easy exercise for any manufacturer of [07]Deep Packet Inspection hardware to offer a detection capability for PGP-encrypted messages anywhere in the flow of Internet communications, not only within SMTP. So by using PGP you are making yourself visible. Stf has been suggesting to use a non-detectable wrapping format. That's something, but it doesn't handle all the other problems with PGP.
>
> 3. Transaction Data: He knows who you are talking to.
>
> Should Mallory not [08]possess the private keys to your mail provider's TLS connection yet, he can simply intercept the communication by means of a [11]man-in-the-middle attack, using a valid fake certificate that he can make for himself on the fly. It's a bull run, you know? Even if you employ PGP, Mallory can trace who you are talking to, when and how long. He can guess at what you are talking about, especially since some of you will put something meaningful in the unencrypted Subject header. Should Mallory have been distracted, he can still recover your mails by visiting your provider's server. Something to do with a PRISM, I heard. On top of that, TLS itself is being recklessly deployed without forward secrecy most of the time.
>
> 4. No Forward Secrecy: It makes sense to collect it all.
>
> As Eddie has told us, Mallory is keeping a complete collection of all PGP mails being sent over the Internet, just in case the necessary private keys may one day fall into his hands. This makes sense because PGP lacks [12]forward secrecy. The characteristic by which encryption keys are frequently refreshed, thus the private key matching the message is soon destroyed. Technically PGP is capable of refreshing subkeys, but it is so tedious, it is not being practiced - let alone being practiced the way it should be: at least daily.
>
> 5. Cryptogeddon: Time to upgrade cryptography itself?
>
> Mallory may also be
Re: [liberationtech] 10 reasons not to start using PGP
Agreed. The threat model discussion clearly is too often lost in all the current post-Snowden debates. We need to remember that a lot of solutions might not be enough to protect anyone against NSAish authorities but more than enough against other, most real, threats to people's personal safety. Regular employers, schools, parents, skiddies, whatever.

Marcin

On 10 Oct 2013, at 22:11, Pranesh Prakash pran...@cis-india.org wrote:

Interesting. But someone should also write a piece called 1 reason not to criticise security tech without clearly stating threat model which serves as basis for that criticism. What if Mallory isn't a well-funded governmental organization but is the admin who runs your employer's email servers? This should actually be two lists: reasons not to use e-mail, and reasons not to use OpenPGP over e-mail. Only reasons 2, 3, 4, 5, 7, 8 are really about OpenPGP (you should've stuck to 6 reasons not to use PGP), and at least three of them are really good reasons to look for alternatives. There are no good alternatives over e-mail: S/MIME unfortunately suffers from many of the same issues as OpenPGP, and then some more. And reason #1 is something that the client should take care of (ideally with default settings), and not the encryption protocol. Why are you attacking OpenPGP and OTR for this? And thank you so much for the comparative chart. It is *very* useful. Why doesn't telephony have SIP?

~ Pranesh

carlo von lynX [2013-10-10 15:23]:

We had some debate on this topic at the Circumvention Tech Summit and I got some requests to publish my six reasons not to use PGP. Well, I spent a bit more time on it and now they turned into 10 reasons not to. Some may appear similar or identical, but actually they are on top of each other. Corrections and religious flame wars are welcome. YMMV.
Re: [liberationtech] 10 reasons not to start using PGP
On 10/10/2013 03:55 PM, adrelanos wrote:

Thank you for doing this work! The world needs someone facing the truth, explaining why gpg isn't the solution, advocating positive change. It's a communicative task, a very difficult one. As long as there is gpg, most geeks don't see need to create better alternatives. I'd say, gpg's development slowed down. They're qualified but standing in their own way. They should break compatibility with commercial PGP (not because that's good, just because it's easier to implement better solutions), also break compatibility with RFCs, implement better solutions and standardize later. The current first standardize, then maybe implement, and don't implement if it's not standardized approach is much too slow, can't keep up with real developments in real world. (Still don't even have mail subject encryption.) If Bitmessage succeeds (I haven't learned much about it yet),

Bitmessage doesn't have forward secrecy, and AFAICT there's no way to easily add it later on.

Best, Jonathan
Re: [liberationtech] 10 reasons not to start using PGP
+1 - you said it much better than me.

On Thu, Oct 10, 2013 at 1:55 PM, Enrique Piracés enriq...@benetech.org wrote:

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512

Hi there, I think this is a good topic for debate among those who can or are currently developing security tools/protocols, and it is one way to further discuss usability as a security feature in communities like this one. That said, I think it is really bad advice and I encourage you to refrain from providing this as a suggestion for users who may put themselves or others at risk as a result of it. Also, I think the title is misleading, as most of the article is about why PGP is not an ideal solution for the future (a point where I think you would find significant agreement). Again, suggesting not to use PGP without providing a functional alternative is irresponsible.

Best, Enrique

- -- Enrique Piracés Vice President, Human Rights Program Benetech https://www.benetech.org https://www.martus.org https://www.twitter.com/epiraces

On 10/10/13 3:23 PM, carlo von lynX wrote:

We had some debate on this topic at the Circumvention Tech Summit and I got some requests to publish my six reasons not to use PGP. Well, I spent a bit more time on it and now they turned into 10 reasons not to. Some may appear similar or identical, but actually they are on top of each other. Corrections and religious flame wars are welcome. YMMV.

-- TEN REASONS NOT TO START USING PGP -- Coloured version at http://secushare.org/PGP

[01]Pretty Good Privacy is better than no encryption at all, and being [02]end-to-end it is also better than relying on [03]SMTP over [04]TLS (that is, point-to-point between the mail servers while the message is unencrypted in-between), but is it still a good choice for the future? Is it something we should recommend to people who are asking for better privacy today?

1. Downgrade Attack: The risk of using it wrong.
Modern cryptographic communication tools simply do not provide means to exchange messages without encryption. With e-mail the risk always remains that somebody will send you sensitive information in cleartext - simply because they can, because it is easier, because they don't have your public key yet and don't bother to find out about it, or just by mistake. Maybe even because they know they can make you angry that way - and excuse themselves pretending incompetence. Some people even manage to reply unencrypted to an encrypted message, although PGP software should keep them from doing so. The way you can simply not use encryption is also the number one problem with [05]OTR, the off-the-record cryptography method for instant messaging.

2. The OpenPGP Format: You might as well run around the city naked.

As Stf pointed out at CTS, thanks to its easily detectable [06]OpenPGP Message Format it is an easy exercise for any manufacturer of [07]Deep Packet Inspection hardware to offer a detection capability for PGP-encrypted messages anywhere in the flow of Internet communications, not only within SMTP. So by using PGP you are making yourself visible. Stf has been suggesting to use a non-detectable wrapping format. That's something, but it doesn't handle all the other problems with PGP.

3. Transaction Data: He knows who you are talking to.

Should Mallory not [08]possess the private keys to your mail provider's TLS connection yet, he can simply intercept the communication by means of a [11]man-in-the-middle attack, using a valid fake certificate that he can make for himself on the fly. It's a bull run, you know? Even if you employ PGP, Mallory can trace who you are talking to, when and how long. He can guess at what you are talking about, especially since some of you will put something meaningful in the unencrypted Subject header. Should Mallory have been distracted, he can still recover your mails by visiting your provider's server. Something to do with a PRISM, I heard.
On top of that, TLS itself is being recklessly deployed without forward secrecy most of the time. 4. No Forward Secrecy: It makes sense to collect it all. As Eddie has told us, Mallory is keeping a complete collection of all PGP mails being sent over the Internet, just in case the necessary private keys may one day fall into his hands. This makes sense because PGP lacks [12]forward secrecy. The characteristic by which encryption keys are frequently refreshed, thus the private key matching the message is soon destroyed. Technically PGP is capable of refreshing subkeys, but it is so tedious, it is not being practiced - let alone being practiced the way it should be: at least daily. 5. Cryptogeddon: Time to upgrade cryptography itself? Mallory may also be awaiting the day when RSA cryptography will be cracked and all
Re: [liberationtech] 10 reasons not to start using PGP
I'm surprised to see this list has missed the thing that bugs me most about PGP: It conflates non-repudiation and authentication.

I send Bob an encrypted message that we should meet to discuss the suppression of free speech in our country. Bob obviously wants to be sure that the message is coming from me, but maybe Bob is a spy ... and with PGP the only way the message can easily be authenticated as being from me is if I cryptographically sign the message, creating persistent evidence of my words not just to Bob but to Everyone!

When there are only two parties in an encrypted communication this is _trivial_ to solve cryptographically: just use DH to compute a shared secret and use it to authenticate the message. (Multiple parties is solvable too, but requires a ring signature or other more complicated solution). But PGP has no real solutions for that.

My other big technical complaint about PGP is (3) in the post, that every encrypted message discloses what key you're communicating with. PGP easily _undoes_ the privacy that an anonymity network like tor can provide. It's possible to use --hidden-recipient but almost no one does.

It's also easy to produce a litany of non-technical complaints: PGP is almost universally misused (even by people whose lives may depend on its correct use), the WOT leaks tons of data, etc.

In my view the use of PGP is more appropriately seen as a statement about the kind of world we want to have— one where encryption is lawful, widely used, and uncontroversial— and less of a practical way to achieve security against many threats that exist today.
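The two-party fix described in the message above (a DH shared secret used to authenticate the message), as an added example that is not part of the original post or of any PGP implementation. It assumes X25519 as the DH function and HMAC-SHA256 as the MAC; the key derivation label, the message texts and all function names are constructed for illustration.

```python
"""Added example: deniable two-party authentication with DH + MAC."""
import hashlib
import hmac
import os

P = 2**255 - 19                      # Curve25519 field prime
A24 = 121665                         # ladder constant from RFC 7748
BASE = (9).to_bytes(32, "little")    # standard base point u = 9


def x25519(k: bytes, u: bytes) -> bytes:
    """X25519 scalar multiplication (RFC 7748). Teaching code, not constant-time."""
    if len(k) != 32 or len(u) != 32:
        raise ValueError("scalar and point must be 32 bytes")
    kb = bytearray(k)
    kb[0] &= 248                     # clamp the scalar as the RFC requires
    kb[31] &= 127
    kb[31] |= 64
    scalar = int.from_bytes(kb, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (scalar >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da = (x3 - z3) * a % P
        cb = (x3 + z3) * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair():
    """Return (private, public) for one party."""
    sk = os.urandom(32)
    return sk, x25519(sk, BASE)


def mac_key(my_sk: bytes, their_pk: bytes) -> bytes:
    """Derive the MAC key both parties share. Simplified stand-in for a real KDF."""
    shared = x25519(my_sk, their_pk)
    if shared == bytes(32):
        raise ValueError("peer key is a low-order point")
    lo, hi = sorted([x25519(my_sk, BASE), their_pk])  # same order on both sides
    return hashlib.sha256(b"dh-mac-demo-v1" + shared + lo + hi).digest()


def tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, candidate: bytes) -> bool:
    return hmac.compare_digest(tag(key, message), candidate)


def demo() -> dict:
    alice_sk, alice_pk = keypair()
    bob_sk, bob_pk = keypair()
    k_alice = mac_key(alice_sk, bob_pk)      # Alice: her secret + Bob's public
    k_bob = mac_key(bob_sk, alice_pk)        # Bob: his secret + Alice's public
    message = b"Meet at noon."               # constructed sample message
    t = tag(k_alice, message)
    # Bob holds the same key, so he can tag text Alice never wrote. The tag
    # convinces Bob (he knows he did not write it) but proves nothing to others.
    forged = b"Text Alice never wrote."      # constructed
    forged_tag = tag(k_bob, forged)
    return {
        "keys_match": k_alice == k_bob,
        "bob_accepts": verify(k_bob, message, t),
        "tamper_accepts": verify(k_bob, message + b"!", t),
        "bob_can_forge": verify(k_alice, forged, forged_tag),
    }


if __name__ == "__main__":
    print(demo())
```

A signature, by contrast, verifies under the sender's public key alone, which is why anyone who obtains the signed message can check it.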
Re: [liberationtech] 10 reasons not to start using PGP
On 10/10/2013 12:23 PM, carlo von lynX wrote:

1. Downgrade Attack: The risk of using it wrong.

Fixed in the new generation of clients (mailpile, LEAP, etc).

2. The OpenPGP Format: You might as well run around the city naked.

Fixed by using StartTLS with DANE (supported in the new version of postfix). Admittedly, this makes sysadmin's job more challenging, but LEAP is working to automate the hard stuff (https://leap.se/platform).

3. Transaction Data: He knows who you are talking to.

Fixed in the short term by using StartTLS with DANE. Fixed in the long term by adopting one of these approaches: https://leap.se/en/routing

4. No Forward Secrecy: It makes sense to collect it all.

Imperfectly fixed in the short term using StartTLS with only PFS ciphers enabled. This could be fixed in the long term by using Trevor Perrin's scheme for triple EC Diffie-Hellman exchange. This has been implemented by moxie for SMS, and could be for SMTP (https://whispersystems.org/blog/simplifying-otr-deniability/).

5. Cryptogeddon: Time to upgrade cryptography itself?

New version of GPG supports ECC, but of course nothing in the Snowden leaks suggests we need to abandon RSA of sufficient key length (just the ECC curves that have *always* been suspicious).

6. Federation: Get off the inter-server super-highway.

Federated transport with spool-then-forward time delay is likely a much more feasible way to thwart traffic analysis than attempting to lay down a high degree of cover traffic for direct peer to peer transport. This is, of course, an area of active academic research and it would be irresponsible to say that we definitively know how to prevent traffic analysis, either with p2p or federation.

7. Statistical Analysis: Guessing on the size of messages.

Easily fixed.

8. Workflow: Group messaging with PGP is impractical.

No one anywhere has solved the problem of asynchronous, forward-secret group cryptography. There are, however, working models of group cryptography using OpenPGP, such as SELS (http://sels.ncsa.illinois.edu/). This approach makes key management more difficult, but we need to automate key management anyway for OpenPGP to be usable enough for wider adoption.

9. TL;DR: I don't care. I've got nothing to hide.

This critique rests on the assumption that the problems with email are unfixable.

10. The Bootstrap Fallacy: But my friends already have e-mail!

Email remains one of the two killer apps of the internet, and is unlikely to vanish any time soon. Simple steps we can take to make it much better seem like a wise investment in energy.

There are two approaches to addressing the problems with email: (1) assert that email is hopeless and must be killed off. (2) identify areas where we can fix email to bring it into the 21st century.

I think that approach #1 is irresponsible: regardless of one's personal feelings about email, it is certainly not a lost cause, and asserting that it is will make it more difficult to build support for fixing it. Approach #2 is certainly an uphill battle, but there are a growing number of organizations working on it. LEAP's (free software) efforts are outlined here: https://leap.se/email. We have it working, we just need to get it mature enough for production use.

-elijah
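The OpenPGP format points raised in this thread (reason 2, and the recipient key ID disclosure that --hidden-recipient addresses) come down to cleartext packet headers, shown here as an added example that is not code from the thread or from GnuPG. It reads the RFC 4880 packet framing of a binary (de-armored) message; the key IDs and packet bodies in the sample are constructed.

```python
"""Added example: what an OpenPGP message exposes before any decryption."""

PKESK = 1     # Public-Key Encrypted Session Key packet (RFC 4880, section 5.1)
SEIPD = 18    # Sym. Encrypted Integrity Protected Data packet


def read_header(buf: bytes, pos: int):
    """Return (tag, body_start, body_len) for the packet that starts at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated packet header")
    first = buf[pos]
    if not first & 0x80:
        raise ValueError("bit 7 clear: not an OpenPGP packet")
    if first & 0x40:                               # new-format header
        tag, o1 = first & 0x3F, buf[pos + 1]
        if o1 < 192:
            return tag, pos + 2, o1
        if o1 < 224:
            if pos + 3 > len(buf):
                raise ValueError("truncated packet header")
            return tag, pos + 3, ((o1 - 192) << 8) + buf[pos + 2] + 192
        if o1 == 255:
            if pos + 6 > len(buf):
                raise ValueError("truncated packet header")
            return tag, pos + 6, int.from_bytes(buf[pos + 2:pos + 6], "big")
        raise ValueError("partial body lengths are not handled in this example")
    tag, length_type = (first >> 2) & 0x0F, first & 0x03   # old-format header
    if length_type == 3:
        raise ValueError("indeterminate length is not handled in this example")
    n = 1 << length_type                           # 1, 2 or 4 length octets
    if pos + 1 + n > len(buf):
        raise ValueError("truncated packet header")
    return tag, pos + 1 + n, int.from_bytes(buf[pos + 1:pos + 1 + n], "big")


def recipients(message: bytes) -> list:
    """List the recipient key IDs readable by anyone who sees the message."""
    found, pos = [], 0
    while pos < len(message):
        tag, start, length = read_header(message, pos)
        body = message[start:start + length]
        if len(body) != length:
            raise ValueError("truncated packet body")
        if tag == PKESK and len(body) >= 10 and body[0] == 3:
            key_id = body[1:9]
            found.append({
                "key_id": key_id.hex().upper(),
                "hidden": key_id == bytes(8),      # all-zero ID: hidden recipient
                "pubkey_algo": body[9],            # 1 = RSA
            })
        pos = start + length
    return found


def sample_message(key_ids: list) -> bytes:
    """Build a constructed message: one PKESK packet per key ID, then SEIPD."""
    out = b""
    for key_id in key_ids:
        body = b"\x03" + key_id + b"\x01" + b"\x00\x08\xff"   # v3, ID, RSA, dummy MPI
        out += bytes([0x84, len(body)]) + body                  # old format, tag 1
    data = b"\x01" + bytes(20)                                  # stand-in ciphertext
    return out + bytes([0xC0 | SEIPD, len(data)]) + data        # new format, tag 18


if __name__ == "__main__":
    named = bytes.fromhex("1122334455667788")     # constructed key ID
    print(recipients(sample_message([named])))
    print(recipients(sample_message([bytes(8)])))
```

`gpg --list-packets` prints the same fields for a real message.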
Re: [liberationtech] 10 reasons not to start using PGP
Hello again. I will answer to most comments all in a single mail to avoid clogging libtech. While I wrote this another ten mails have slipped in, so expect another large reply to those. :-)

On 10/10/2013 10:00 PM, Richard Brooks wrote:

10 reasons to give up, stop trying, hide in a corner, and die.

Sorry if I start talking about the alternatives only at the very end of the document. This is about becoming aware of how serious the problem is and to start directing some energy into fueling the alternatives which are popping up like mushrooms just recently. For the obvious reasons. And I specifically mention peer reviewing them. So the message is: go get yourself new tools and teach your peers to use the new tool of the day.

On 10/10/2013 10:11 PM, Pranesh Prakash wrote:

Interesting. But someone should also write a piece called 1 reason not to criticise security tech without clearly stating threat model which serves as basis for that criticism. What if Mallory isn't a well-funded governmental organization but is the admin who runs your employer's email servers?

That's a good point. The reason why I don't pay attention to lesser threat models is that the loss in quality of democracy we are currently experiencing is large enough that I don't see much use for a distinction of threat models - especially since alternatives that work better than PGP exist, so they are obviously also better for lesser threat models. For example, I don't think that a dissident in Irya (fictitious country) is better off if no-one but Google Mail knows that he is a dissident. Should at any later time in his life someone with access to that data find it useful to use it against the dissident, he can still do it. And who knows what the world looks like in twenty years from now?

Not saying give up and die. Saying if you can opt for better security, don't postpone learning about it. If you can invest money in making it a safe option, don't waste time with yet another PGP GUI project.

This should actually be two lists: reasons not to use e-mail, and reasons not to use OpenPGP over e-mail.

Fine with me. I don't think it makes much difference for the end user whether SMTP federation or actual PGP is failing her.

Only reasons 2, 3, 4, 5, 7, 8 are really about OpenPGP (you should've stuck to 6 reasons not to use PGP), and at least three of them are really good reasons to look for alternatives. There are no good alternatives over e-mail: S/MIME unfortunately suffers from many of the same issues as OpenPGP, and then some more.

I don't find S/MIME worth mentioning anymore. It has so failed us. But maybe I should for completeness?

And reason #1 is something that the client should take care of (ideally with default settings), and not the encryption protocol. Why are you attacking OpenPGP and OTR for this?

Because it's not true that the client can handle it. The fact that an email address exists implies that some folks will send unencrypted stuff to it. I experienced this. Just yesterday a friend changed his life plans because of an unencrypted message. Yes, you could enforce PGP once it's configured - but you can't opt out from e-mail. That is evil. Look at any of the alternatives instead. None of them allow you to transmit an unencrypted message. In fact all the modern systems use the public key for addressing, so you can't do it wrong.

And thank you so much for the comparative chart. It is *very* useful.

My pleasure. I felt the need to do this since I get asked for recommendations frequently - and I don't like to say.. wait until secushare is ready. I don't want to wait for it myself.

Why doesn't telephony have SIP?

It should. What would the icons be that you would put there? I'm not familiar with end-to-end encryption over SIP for instance.

On 10/10/2013 10:33 PM, Marcin de Kaminski wrote:

Agreed. The threat model discussion clearly is too often lost in all the current post-Snowden debates. We need to remember that a lot of solutions might not be enough to protect anyone against NSAish authorities but more than enough against other, most real, threats to people's personal safety. Regular employers, schools, parents, skiddies, whatever.

I think if employers, schools, parents, skiddies can find out who you are exchanging encrypted messages with, that can be a very real threat to you. Using a tool that looks like it does something totally different.. on your screen, over the network and even on your hard disk.. can save your physical integrity.

On 10/10/2013 09:55 PM, adrelanos wrote:

Thank you for doing this work! The world needs someone facing the truth, explaining why gpg isn't the solution, advocating positive change. It's a communicative task, a very difficult one. As long as there is gpg, most geeks don't see need to create better alternatives.

Glad someone is understanding the positivity in awareness and will to move forward. Ignoring threats just because they are depressing is a bit
Re: [liberationtech] 10 reasons not to start using PGP
Just replying to this bit of your reply to me; the rest made sense

On Thu, Oct 10, 2013 at 3:08 PM, carlo von lynX l...@time.to.get.psyced.org wrote:

If this is still jargony to you, hmmm... you are unlikely to understand the risks you are exposed to by using the Internet from day to day. These are concepts that anyone in the circumvention business must be aware of. You can choose to not read the Guardian article and not try to understand what's going on, but then you should better just trust that the conclusion is not made up:

No, see that's the thing: *I* get it, but I don't think I'm totally your target audience (I've been using PGP for years, you're talking to people who haven't started yet, right?)

You want criticism? There it is. Your writing does not work for the general public. You write in a way that feels condescending and assumes that the reader already has a full grasp of why those things are issues. On the one hand, you're telling people that PGP is too hard/broken, while with the other you're expecting them to already understand it/the threat model.

Also, I have no idea what is meant by the bull run comment in that sentence. If you want your piece to have any reach beyond the English language, consider tightening up your writing.

-- Note: I am slowly extricating myself from Gmail. Please change your address books to: jilliancy...@riseup.net or jill...@eff.org. US: +1-857-891-4244 | NL: +31-657086088 site: jilliancyork.com http://jilliancyork.com/ | twitter: @jilliancyork

We must not be afraid of dreaming the seemingly impossible if we want the seemingly impossible to become a reality - Vaclav Havel
Re: [liberationtech] 10 reasons not to start using PGP
Ah, I see you probably meant BULLRUN. Guess it just wasn't a well-executed pun.

On Thu, Oct 10, 2013 at 3:17 PM, Jillian C. York jilliancy...@gmail.com wrote:

Just replying to this bit of your reply to me; the rest made sense

On Thu, Oct 10, 2013 at 3:08 PM, carlo von lynX l...@time.to.get.psyced.org wrote:

If this is still jargony to you, hmmm... you are unlikely to understand the risks you are exposed to by using the Internet from day to day. These are concepts that anyone in the circumvention business must be aware of. You can choose to not read the Guardian article and not try to understand what's going on, but then you should better just trust that the conclusion is not made up:

No, see that's the thing: *I* get it, but I don't think I'm totally your target audience (I've been using PGP for years, you're talking to people who haven't started yet, right?)

You want criticism? There it is. Your writing does not work for the general public. You write in a way that feels condescending and assumes that the reader already has a full grasp of why those things are issues. On the one hand, you're telling people that PGP is too hard/broken, while with the other you're expecting them to already understand it/the threat model.

Also, I have no idea what is meant by the bull run comment in that sentence. If you want your piece to have any reach beyond the English language, consider tightening up your writing.

-- Note: I am slowly extricating myself from Gmail. Please change your address books to: jilliancy...@riseup.net or jill...@eff.org. US: +1-857-891-4244 | NL: +31-657086088 site: jilliancyork.com http://jilliancyork.com/ | twitter: @jilliancyork

We must not be afraid of dreaming the seemingly impossible if we want the seemingly impossible to become a reality - Vaclav Havel
Re: [liberationtech] 10 reasons not to start using PGP
Next collection of answers to replies. Expect yours to be somewhere in here. Thanks for all the feedback! I actually expected harsher religious replies! :) On 10/10/2013 10:55 PM, Enrique Piracés wrote: I think this is a good topic for debate among those who can or are currently developing security tools/protocols, and it is one way to further discuss usability as a security feature in communities like this one. That said, I think it is really bad advice and I encourage you to refrain from providing this as a suggestion for users who may put themselves or others at risk as a result of it. The opening sentence says Pretty Good Privacy is better than no encryption at all ... Also, I think the title is misleading, as most of the article is about why PGP is not an ideal solution for the future (a point where I think you would find significant agreement). Again, suggesting not to use PGP without providing a functional alternative is irresponsible. I am suggesting four alternatives and indicating to work harder to make them viable tools for everyone as we should no longer postpone replacing PGP and e-mail. Of course I would also appreciate attention regarding the fifth, secushare. On 10/10/2013 10:57 PM, Jonathan Wilkes wrote: Bitmessage doesn't have forward secrecy, and AFAICT there's no way to easily add it later on. If I understood the principle correctly it allows you to generate new accounts freely, so you can put your *next* account name into a message. If both sides do this, they can obfuscate their identities a bit. And you can automate it. You could also re-key at each message with PGP, but I presume it would make your implementation incompatible with everybody else's. On 10/10/2013 11:08 PM, Gregory Maxwell wrote: I'm surprised to see this list has missed the thing that bugs me most about PGP: It conflates non-repudiation and authentication. I send Bob an encrypted message that we should meet to discuss the suppression of free speech in our country. 
Bob obviously wants to be sure that the message is coming from me, but maybe Bob is a spy ... and with PGP the only way the message can easily be authenticated as being from me is if I cryptographically sign the message, creating persistent evidence of my words not just to Bob but to Everyone!

I kind-of lumped it mentally together with forward secrecy, because for both problems the answer is Diffie-Hellman. But you are right, it is the eleventh reason.

My other big technical complaint about PGP is (3) in the post, that every encrypted message discloses what key you're communicating with. PGP easily _undoes_ the privacy that an anonymity network like tor can provide. It's possible to use --hidden-recipient but almost no one does.

Guess what, none of the alternative messaging tools would dream of putting the recipient address close to the message. They just make sure that it somehow gets there.

It's also easy to produce a litany of non-technical complaints: PGP is almost universally misused (even by people whose lives may depend on its correct use), the WOT leaks tons of data, etc.

Oh yes, I completely forgot to link that long article that recently came out criticizing the PGP web of trust.

In my view the use of PGP is more appropriately seen as a statement about the kind of world we want to have— one where encryption is lawful, widely used, and uncontroversial— and less of a practical way to achieve security against many threats that exist today.

It is not enough for the purpose of protecting democracy, therefore it's one of those statements that backfire: The adversary doesn't care about you making that statement and can use it against you.

On 10/11/2013 12:17 AM, Jillian C. York wrote:

Just replying to this bit of your reply to me; the rest made sense

Grrreat.

On Thu, Oct 10, 2013 at 3:08 PM, carlo von lynX l...@time.to.get.psyced.org wrote:

If this is still jargony to you, hmmm...
you are unlikely to understand the risks you are exposed to by using the Internet from day to day. These are concepts that anyone in the circumvention business must be aware of. You can choose to not read the Guardian article and not try to understand what's going on, but then you should better just trust that the conclusion is not made up: No, see that's the thing: /I /get it, but I don't think I'm totally your target audience (I've been using PGP for years, you're talking to people who haven't started yet, right?) No, not really. It is for the multipliers and activists. The ones that carry the torch to the people. The Luciphers. You have been carrying PGP to the people and I am suggesting you should consider giving them other tools, and educating them to question those tools and look out for even newer tools. And help make these tools safe, reviewed and usable. Then again I wouldn't mind if normal people /get/ it, too, but I wouldn't want them