[svlug] Security & PGP: "Why Johnny Can't encrypt"

Ivan Sergio Borgonovo mail at webthatworks.it
Sat Jan 31 16:50:45 PST 2015


On 01/31/2015 11:22 PM, Scott DuBois wrote:
> On Sat, Jan 31, 2015 at 12:38:33PM -0800, Michael Eager wrote:
>> The article may be interesting, but it was published in 1999, 15 years ago.  There may
>> have been significant changes during this time.  The article discusses PGP 5.0;
>> the current version is 8.0.
>>
>> A much more recent critique of PGP can be found here:
>> http://blog.cryptographyengineering.com/2014/08/whats-matter-with-pgp.html
> 
> Yeah, I read that one and it is disappointing to know that not a lot of effort
> has been put into the system for a long time. However, when we really consider
> the adoption rate, where is the motivation? The "Snowden effect" has created a
> level of awareness that was not as prominent as it once was sure, but how many
> people do we know can _actually_ set up encryption easily?

> We're not talking about tech circle people either, I'm talking the average
> office. If Sony had been using encryption, what stolen data would have been
> useful? What are the legalities _against_ encrypting the average office data
> even when people _know_ the benefits?

In Sony's case encrypting stuff wouldn't have made much difference.

Actually one of the things that prevents me from using gpg at large is
making the keys easily available and protecting them at the same time,
together with no forward secrecy.

The other one is deniability.

Last but not least, signing keys is a pain for me; I bet it is 10x the pain for
the average Joe.

Without forward secrecy and deniability any small mistake in dealing
with keys can be disastrous, even when they are not your mistakes.

Even if everything was simpler and pgp had forward security and
deniability I would think that it would give the average Joe a sense of
false security even if I'd be happy more people used encrypted
communications just to make it harder to spot valuable communications.

To get an idea of what I mean...

https://freedom-to-tinker.com/blog/sjs/web-browser-security-user-interfaces-hard-get-right-and-increasingly-inconsistent/

or what about CA breach...

Security is hard enough to get right, it gets even harder if the people
involved don't value it.
Did the "Snowden effect" have any effect at all?

-- 
Ivan Sergio Borgonovo
http://www.webthatworks.it