
What's the matter with PGP?

271 points | silenteh | 11 years ago | blog.cryptographyengineering.com

163 comments

[+] tptacek|11 years ago|reply
At one point in this essay, Matt suggests that every successful end-to-end encryption scheme has employed transparent (or "translucent") key management. What he's referring to is the idea behind, say, OTR: two people can use it without the key handshake required by PGP.

Matt is wrong about this. He's being victimized by a pernicious fallacy.

It certainly appears that the most "successful" cryptosystems have transparent keying. But that's belied by the fact that, with a very few exceptions (that probably prove the rule), cryptosystems aren't directly attacked by most adversaries... except the global adversary.

In the absence of routine attacks targeting cryptography, it's easy to believe that systems that don't annoy their users with identity management are superior to those that do. They do indeed have an advantage in deployability! But they have no security advantage. We'll probably find out someday soon, as more disclosures hit the press, that they were a serious liability.

There is a lot wrong with PGP! It is reasonable to want it to die. But PGP is the only trustworthy mainstream cryptosystem we have; I mean, literally, I think it might be the only one.

[+] matthewdgreen|11 years ago|reply
Hi Thomas. I used to think this way too. I think this is certainly a fine way to think about things if your goal is to keep encrypted email deployment limited to the 3-4% of email users who are either technical experts with nothing to say and/or people who are sending obviously sensitive documents. It doesn't scale much beyond that.

Moreover, I would argue that a 'translucent' key management infrastructure /can/ be better in all ways than PGP. For example, imagine that Google provided a transparent key distribution service for all its users, but also allowed you to verify key fingerprints manually before sending messages. Congratulations -- for users who care, you've got something that works every bit as well as PGP. Everyone else isn't sending plaintext! Sure an attacker can compromise them, but it requires an expensive MITM attack. They have to be targets a priori, not after the fact. I'm struggling to see how anyone is worse off here, except through the nebulous reasoning that 'making things easy' makes people careless. Making things hard definitely makes people careless -- I've seen this firsthand.

But more to the point, even paranoid users have a lot of options that are better than PGP. Using ZRTP to establish secure channels is a very safe way to do things, assuming your attacker can't really forge voiceprints (and this seems hard, even for the NSA). From that point you can push strong public keys out to a dedicated text/email app. That we don't do this is not so much because it's a bad idea -- it's because so far people haven't tried it.

[+] unimpressive|11 years ago|reply
>They do indeed have an advantage in deployability!

Deployability is worth more than might be immediately obvious. The question of deployment is directly related to the business of availability. If 99% of people used a crypto system that provided no real security beyond thwarting a global adversary, which also had the option for further measures to confirm identity when necessary, we would be in a much better position than we are now because it would mean that when I do have contacts I would prefer to use encryption with the software will already be on their system and I only need to instruct them in how to use it.

There's a fallacy in saying that no measures are better than imperfect measures 'because then you don't have a false sense of security'. Regardless of security measures or not the false sense of security is baked into how people use computers.

I challenge you to go explain to anyone you know who does not identify as a 'computer person' how email routing works and why it's quite possible for a 3rd party to read their mail. If they even understand what you're talking about, the response is an almost universally cool 'Oh but so many other people do it, and what am I supposed to do stop using email?'

The vast majority of people will not stop talking just because in the abstract they might be overheard.

EDIT: As a note, I think any centralized system of key distribution is fundamentally insecure.

[+] bdamm|11 years ago|reply
PGP is only trustworthy if both parties treat key management with the utmost severity, and if everyone in the conversation maintains the integrity of a given thread (in the email case).

There are a precious few individuals for whom I have that level of trust in their management of their private key. I could not even trust my wife to manage a hardware key that I gave her; it would fall apart immediately: "I cannot use this key on my Chromebook? I cannot use this key on my Galaxy? I cannot use this key on my iPad? Give me a soft key that I can use, or a cloud service..."

Therefore, PGP is not mainstream. There is a large population of people doing it incorrectly, and they must because they have no other real choice.

[+] exelius|11 years ago|reply
I think the argument is that PGP is so difficult to use that by and large people just won't bother.

Yes, transparent key systems would likely be less secure than PGP. If the usability were significantly better and people used them, that is better than the alternative of using nothing. For many of these solutions, there is a window of vulnerability surrounding the key exchange that closes if you aren't snooping traffic at that moment, so it's not like they're completely insecure options; just that they have attack vectors that may be considered acceptable risks in many situations.

[+] Spooky23|11 years ago|reply
You nailed it. I stopped reading and started laughing when iMessage was hailed as a successful platform addressing these issues. The only thing securing iMessage is the procedure for processing law enforcement requests.

PGP is a tool that requires expertise to operate effectively. That isn't good or bad, it just is.

[+] mike_hearn|11 years ago|reply
> In the absence of routine attacks targeting cryptography, it's easy to believe that systems that don't annoy their users with identity management are superior to those that do. They do indeed have an advantage in deployability! But they have no security advantage. We'll probably find out someday soon, as more disclosures hit the press, that they were a serious liability.

You're probably talking about the PKI here. However, after a year's worth of Snowden leaks (and perhaps other leakers too) there have been zero documents discussing routine or even occasional sabotage of the PKI.

You suggest that we'll "probably" find out "someday soon" that only PGP works and everything else sucks, but we already went through that acid test. PGP was such an epic failure Snowden and Greenwald failed to connect entirely, and there were no big reveals about certificate authorities.

That doesn't mean the CA system is infallible, just that attacking endpoint security is easier. But as Matt's GPG example shows, GPG endpoint security is just as pathetic. Heck I didn't realise that GPG couldn't safely import public keys by fingerprint. How the hell does software like that, which has been around so long, fail to do such a basic check? QUANTUM would have made mincemeat of anyone trying to communicate securely using mainstream PGP implementations, whereas most S/MIME implementations I know of wouldn't have been fooled so easily.

Hand-waving about how anything other than PGP is trustworthy doesn't fly with me: there's too much real world evidence from real world adversaries that it sucks and other systems work better.
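An added example, not code from the thread or from GnuPG, showing what "importing a key by fingerprint" has to check: the OpenPGP v4 fingerprint is SHA-1 over the public-key packet (RFC 4880, section 12.2), the 64-bit key ID is its low 64 bits and the 32-bit "short" key ID its low 32 bits, so an importer that matches on the short ID accepts any key whose fingerprint merely ends in the same 8 hex digits. The RSA key packet below is constructed from a made-up modulus, and the "claimed" fingerprint is constructed to share only its short ID with that key; neither is a real key or a found collision.

```python
import hashlib
import hmac
import struct


def mpi(value: int) -> bytes:
    """OpenPGP multi-precision integer: 2-byte bit count, then big-endian magnitude."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def build_v4_rsa_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a v4 public-key packet: version 4, creation time, algorithm 1 (RSA), n, e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, the 2-byte body length and the body; 40 uppercase hex digits."""
    prefix = b"\x99" + struct.pack(">H", len(body))
    return hashlib.sha1(prefix + body).hexdigest().upper()


def long_key_id(body: bytes) -> str:
    """The 64-bit key ID is the low-order 64 bits of the fingerprint."""
    return v4_fingerprint(body)[-16:]


def short_key_id(body: bytes) -> str:
    """The 32-bit short key ID is the low-order 32 bits: far too little to identify a key."""
    return v4_fingerprint(body)[-8:]


def _normalize(fpr: str) -> str:
    # Accept the spaced, lower-case form people copy from key listings.
    return fpr.replace(" ", "").upper()


def key_matches_fingerprint(body: bytes, expected: str) -> bool:
    """The check an importer should make: the complete fingerprint, compared in constant time."""
    return hmac.compare_digest(v4_fingerprint(body), _normalize(expected))


def key_matches_short_id(body: bytes, expected: str) -> bool:
    """The weak check: only the short key ID. Kept here to show what it fails to reject."""
    return short_key_id(body) == _normalize(expected)[-8:]


# Constructed sample key: a 1024-bit modulus with no cryptographic meaning.
SAMPLE_BODY = build_v4_rsa_key_body(
    n=(1 << 1023) | 0x1234567890ABCDEF, e=65537, created=1407000000
)


def demo() -> dict:
    """Compare both checks against a fingerprint that agrees with the key only in its last 32 bits."""
    fpr = v4_fingerprint(SAMPLE_BODY)
    # Constructed "out-of-band" fingerprint: 32 zero digits plus the sample key's short ID.
    claimed = "0" * 32 + fpr[-8:]
    return {
        "fingerprint": fpr,
        "short_id_accepts_it": key_matches_short_id(SAMPLE_BODY, claimed),
        "full_check_accepts_it": key_matches_fingerprint(SAMPLE_BODY, claimed),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```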

[+] mrb|11 years ago|reply
I strongly agree with Matt that a transparent key exchange is crucial to boost PGP adoption. In fact, a few weeks ago I proposed a mechanism to do precisely that, over automated email responses, see http://blog.zorinaq.com/?e=76 (the mechanism I describe also solves a bunch of problems regarding how to share other personal information).

I would love to hear input from HN readers...

[+] secalex|11 years ago|reply
I gotta back Matt here. While none of the three of us would endorse the iMessage key exchange model, the truth is that the team that implemented iMessage crypto have kept more communications safe from dragnet surveillance than everybody commenting on this HN article combined.

I personally think there is a good middle ground where identity management is invisible to most users and customizable by users with more challenging threat models. That is what we are aiming for.

[+] sorbits|11 years ago|reply
> […] with a very few exceptions (that probably prove the rule)

Off topic and pedantic but exceptions do not prove rules.

A specific exception like “you are allowed to do X when Y is true” may be used as proof of an (unwritten) rule about X being forbidden.

I.e. here we use the exception (when Y is true we are allowed to do X) to prove that there is a general rule saying that X is forbidden.

[+] nktr1|11 years ago|reply
Just an idea that might not be very practical, but what if there were X number of "master" public keys managed by trusted groups that could be used to verify other public keys, and they were posted in plain text on billboards across towns (maybe this could replace CAs?)... just like you can use the Debian keys to verify the Tails OS key.

[+] Tharkun|11 years ago|reply
Learning to drive a car is hard. You have to watch the road, coordinate hands and feet, anticipate other drivers' moves and so on. No one bats an eye about this, because "it's a skill you have to learn". If you don't play by the rules of the road, you'll end up killing someone, or getting killed.

But for some reason (maybe because it's generally less life-threatening), people seem to expect deeply complex subjects, like e-mail encryption and identity management, to be easy. "Yeah, if you can just give me a fancy, easy-to-use GUI with forward secrecy, that'd be great!" Sure, it'd be great. But it's not going to happen. And that's not because PGP is broken -- of course, it does have its weak points. It's because people are too lazy to bother to learn.

What's the old adage? You can have quick, cheap and reliable. Pick two? Same here. You can have secure, easy to use, and reliable. Pick two.

[+] godDLL|11 years ago|reply
I can't drive. Not for lack of trying.

I seemingly can't develop the muscle memory for unintuitive (to me) concepts like "clockwise is right" and "counter-clockwise is left", nor can I get used to the way a gas pedal actuates non-linearly. These are just two examples from a long list of problems that I have with the controls.

Then there is the utterly confusing signage.

I just can't do any of it, not without sweating like a pig. And I definitely can't be doing all of it at the same time. That's just nuts.

Every time I pick up a PS3 controller I have to learn to use it again, which depending on my withdrawal period can take anywhere from a couple of minutes to like half an hour. The only reason I can touch-type is because I'm doing it every day.

Please don't make the assumption that others' experience of the man-made world around us is in any way similar to yours; that's just not true.

Oh, and I have had absolutely no problem figuring out PGP encryption usage.

[+] idlewords|11 years ago|reply
The analogy to learning to drive is flawed, because we learn to drive with muscle memory, and our intuitions about the physical world serve us well when driving.

Neither of these obtains with cryptography. Mistakes are not obvious and you have to concentrate to get it right.

[+] CJefferson|11 years ago|reply
It is a matter of skills which people find useful.

Learning to fly a plane is much harder than learning to drive a car, and almost no-one learns how to fly a plane because it just isn't a useful skill for most people.

I did spend time learning all about PGP, and I wish I hadn't bothered, as the skill of learning PGP has zero value to me. On the other hand, learning to drive a car, which took longer, is much more useful.

[+] blueking|11 years ago|reply
I don't agree. I use GPGtools on OSX with the openpgp smartcard and it works flawlessly and is truly convenient. Furthermore I can use 4096 bit RSA keys.

One thing I have learned watching the crypto forums over the years is that there are well calculated misinformation campaigns trying to dissuade people from using secure methods. I see it again and again and the people on this forum need to think carefully before swallowing this as sincere.

I would never never never trust a solution from Google or any large American corporation. They have just been caught lying about prism (Google) and taking bribes (RSA). These companies are now and always will be totally untrustworthy.

[+] nktr1|11 years ago|reply
You talk bad about RSA and use RSA keys at the same time?

[+] acqq|11 years ago|reply
Why isn't RFC 1751

http://www.ietf.org/rfc/rfc1751.txt

used to provide the fingerprints that are readable? Verifying would be much more convenient than now.

"For example, the 128-bit key of:

         CCAC 2AED 5910 56BE 4F90 FD44 1C53 4766
would become

         RASH BUSH MILK LOOK BAD BRIM AVID GAFF BAIT ROT POD LOVE
Likewise, a user should be able to type in

         TROD MUTE TAIL WARM CHAR KONG HAAG CITY BORE O TEAL AWL
as a key, and the machine should make the translation to:

         EFF8 1F9B FBC6 5350 920C DD74 16DE 8009"

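An added example, not code from the thread or the RFC's reference implementation, of the bit-level encoding RFC 1751 uses for the example just quoted: each 64-bit half of the key gets a 2-bit parity value appended and the 66 bits are split into six 11-bit indices into the RFC's 2048-word dictionary, so a mistyped word is caught on decode. The dictionary itself is not reproduced here, so the functions return and accept word indices rather than the words shown above; the sample key is the RFC's own 128-bit example.

```python
def _parity(x: int) -> int:
    """RFC 1751 parity: sum of the 32 consecutive 2-bit groups of a 64-bit value, mod 4."""
    return sum((x >> (62 - i)) & 3 for i in range(0, 64, 2)) & 3


def encode_half(eight_bytes: bytes) -> list:
    """RFC 1751 btoe(): 64 key bits + 2 parity bits -> six 11-bit word indices."""
    if len(eight_bytes) != 8:
        raise ValueError("RFC 1751 encodes exactly 8 bytes per six-word group")
    x = int.from_bytes(eight_bytes, "big")
    y = (x << 2) | _parity(x)  # 66 bits, parity in the last two
    return [(y >> (55 - 11 * k)) & 0x7FF for k in range(6)]


def decode_half(indices: list) -> bytes:
    """RFC 1751 etob(): six word indices -> 8 bytes, rejecting a parity mismatch."""
    if len(indices) != 6 or any(not 0 <= i < 2048 for i in indices):
        raise ValueError("need six indices in the range 0..2047")
    y = 0
    for idx in indices:
        y = (y << 11) | idx
    x, parity = y >> 2, y & 3
    if parity != _parity(x):
        raise ValueError("parity mismatch: the words were mistyped or altered")
    return x.to_bytes(8, "big")


def encode_key(key: bytes) -> list:
    """Encode a key whose length is a multiple of 8 bytes; a 128-bit key gives 12 indices."""
    if len(key) % 8:
        raise ValueError("key length must be a multiple of 8 bytes")
    indices = []
    for offset in range(0, len(key), 8):
        indices.extend(encode_half(key[offset:offset + 8]))
    return indices


def decode_key(indices: list) -> bytes:
    """Inverse of encode_key; raises ValueError on any parity failure."""
    if len(indices) % 6:
        raise ValueError("index count must be a multiple of 6")
    return b"".join(decode_half(indices[i:i + 6]) for i in range(0, len(indices), 6))


def transcription_ok(indices: list) -> bool:
    """What a verifying UI would report: True only if every group passes its parity check."""
    try:
        decode_key(indices)
        return True
    except ValueError:
        return False


# The 128-bit key from the RFC's example quoted in the comment above.
EXAMPLE_KEY = bytes.fromhex("CCAC2AED591056BE4F90FD441C534766")

if __name__ == "__main__":
    words = encode_key(EXAMPLE_KEY)
    print("word indices:", words)
    print("round trip ok:", decode_key(words) == EXAMPLE_KEY)
```

A single flipped bit in any index always changes the parity, so every one-bit transcription error is rejected; larger errors slip through with probability 1/4 per group, which is why the RFC's scheme is a typo check, not a MAC.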
[+] cpach|11 years ago|reply
I haven't used the "original" PGP program for a very long time, but IIRC it had the option to use RFC 1751 or a similar scheme. A quick web search finds no options to use this scheme in GnuPG. Strange!

[+] rmoriz|11 years ago|reply
In my opinion, mail crypto needs to become mainstream usable. E.g. even trivial contents should be encrypted by default and this should be usable by default. Currently, S/MIME does a better job than PGP.

While the CA model seems to be broken in most X.509 use cases, like TLS/SSL, where a duplicate certificate can be used to do a man-in-the-middle attack, this does not really affect S/MIME, especially after both parties have started a "conversation". People that need to communicate "really" securely should therefore be able to ignore all "CA trust" and whitelist certificates on a per-user basis (e.g. like PGP).

Ordinary communication can still, by default, fall back to the existing CA model to keep it usable (but not secure).

Some steps:

1. We need more love from the MUA vendors, who mostly support S/MIME, but it's still a PITA to use. Google e.g. still does not support S/MIME on Android, see https://code.google.com/p/android/issues/detail?id=34374

2. We need CAs that are usable. StartSSL is nice and free, but it's not easy to use. Lower the entry barrier for getting and renewing/recreation of certificates

3. (most important) Make it easy to manage local CA trust. On each new system, the user should be able to select a "trust no CA/whitelist only" approach and then be responsible for trusting other parties. No vendor (Microsoft, Apple, Google, Mozilla) should silently distribute and trust new CAs without users' consent.

[+] XorNot|11 years ago|reply
I don't understand why we don't just apply the OTR model to email.

OTR's big latency is the initial handshake. After that, you can persist the session. But email is intrinsically a high-latency medium anyway! We can afford 1 or 2 days' delay to set up an initial encrypted connection. In fact, we can display a big "not encrypted!" message to users, while still letting them exchange email, until we've done the handshake and socialist millionaire protocol (or verified keys by some other means) setup.

I am willing to bet like 70-80% of people who send email to each other physically have their email clients online at the time they do it, even if they take a lot longer to answer - especially with the number of smartphones out there. So we can set up an OTR session after 1 message the vast majority of the time, and then reuse the same session as much as possible.

[+] beagle3|11 years ago|reply
The "global CA" model is bust. How it was ever considered usable is beyond me, but we now have more than a decade of experience seeing just how bad it is. It is utterly, fundamentally broken and easily subverted by state actors.

For now, the only reasonably usable secure key exchange method seems to be what WhisperSystems are doing on their phone app (safe against MITM if the parties know each other, and very hard to MITM even if not - especially not automatically).

[+] micro-ram|11 years ago|reply
We already have a start there. Make all NON-EV certs free.

[+] graycat|11 years ago|reply
> If the NSA is your adversary just forget about PGP.

Why? Last I heard, breaking PGP was equivalent to being able to factor large integers into a product of prime numbers. So, NSA is able to do that, and no one else can, no one in the public heard about it, no university research mathematician published about it, NSA has mathematicians who figured out how to do that but their major profs back in grad school don't know how, no one got a Fields Medal for it, etc.? I don't believe that.

What's going on here?

He means I need a Faraday cage? Okay, tell the NSA I have one; put it in place this afternoon.

He means the NSA has trained cockroaches that can wiggle into my hard drives while I sleep and steal all my data? If so, then fine. I'll spray bug killer.

Otherwise, why should I believe that the NSA could crack my PGP encrypted e-mail?

[+] bascule|11 years ago|reply
If the NSA can't attack the crypto (not saying they can, but maybe) they'll attack the endpoint. Systems like QUANTUMINSERT allow them to selectively MitM your plaintext HTTP connections, directing your browser to load some asset that exploits a browser vulnerability, and using that to install persistent malware.

[+] ef4|11 years ago|reply
Yes, usability is the problem. But none of these proposed solutions manage to actually solve the usability problem without throwing out the security.

We really do need to let users manage trust, because trust is a rich concept. And humans are actually really good at trust, because we've been thriving and competing with each other in complex social situations for a long time.

The trick is finding ways to recruit people's evolved trust behaviors into an electronic context. That is, can we build meaningful webs of trust through repeated social interactions, just like in real life?

So it's not the mail client vendors who are best positioned to solve the problem, it's the social networks.

(Whether they want to solve the problem is a separate question.)

[+] junto|11 years ago|reply
I'm using TextSecure on my Android phone as a Messaging replacement and it is great. However it appears to me that the service is not decentralised in any way. Is that assumption correct?

I like the email model such that anyone can install and run an email server. I'd actively push friends, family and colleagues to use a decentralised email replacement that was as easy to use and secure as TextSecure.

[+] drdaeman|11 years ago|reply
From what I understand, there's some federation baked into the protocol and it works with Cyanogenmod (they run a server for their users), but it's not really documented anywhere in detail.

[+] XorNot|11 years ago|reply
I don't trust TextSecure. It's too transparent. It is entirely unclear what happens if it can't send an encrypted message. It's unclear where and how much I'll be billed (important to those of us outside the US). And sans user authentication, there's no real trust model there.

[+] Teodolfo|11 years ago|reply
The user needs to control the encryption, not Google or Yahoo. Surely Google is not proposing a system that prevents them from reading your email and serving you ads? Until we have something that actually prevents Google and Yahoo from getting the plaintext, none of the other problems matter that much.

The NSA isn't my concern, Google etc. are. I don't want to bother going to the lengths necessary to secure myself from the NSA since that just isn't practical. But it would be nice if google and its employees didn't have access to the plaintext of my email. If I send an email to anyone using gmail and they decrypt it in a way that lets google see my text when they reply, all of my own security steps are worthless.

[+] TeMPOraL|11 years ago|reply
Just a random thought - maybe there is a way to nail hard the point that "you cannot have security if you're lazy"? The society expects people to do driving licenses before getting behind the wheel. Why not expect people to put some amount of effort to be able to get mortgage or interact with court, etc.? Sure, many people will screw this up, but maybe this will be enough to secure majority.

</dream>

(confession: I myself am too lazy to use PGP)

[+] Someone1234|11 years ago|reply
Counter example: I'm not too lazy to use HTTPS.

Maybe if email encryption was more like HTTPS more people would use it? Just transparent and easy.

[+] abemassry|11 years ago|reply
I started this project https://github.com/abemassry/wsend-gpg and while it's not the easiest to use I'm sure it can be improved. There's no key exchange either but there has to be a quick and easy solution that people can use if we work on it a little more.

[+] nextw33k|11 years ago|reply
PGP is about identity and privacy. We are not going to get that from Email. Email isn't worth fixing. It's time to move on.

In the last few years we have seen IM and SMS merge into an almost seamless experience. Surely we could engineer a UI that also copes with larger bodies of text at the same time?

We need clients or servers that are multi-protocol. That way we can experiment with new ways of communicating.

[+] motters|11 years ago|reply
Good article. However if your adversary is a three or four letter agency then by all accounts it seems that PGP/GPG still does work. Snowden and Greenwald used it, apparently successfully after some tuition.

The article also doesn't mention Bitmessage, which addresses a lot of the concerns. Bitmessage isn't forward secret though.

[+] lelf|11 years ago|reply
Not mainstream ≠ suck.

Also, about “terrible mail client implementations”, — the problem is, to not be terrible for many is to be built-in to GMail (and work transparently there). The consequences of that are obvious I hope. So no, thanks.

[+] ajb|11 years ago|reply
This could perhaps be made easier to use if you had a UI like this: Your phone pops up a message saying: "Hey, I notice you seem to be in the same room with Bob! We can increase the security of Bob's messages to you by exchanging a fingerprint. Do this now? (Yes/No/Woah, Bob isn't here!)"

If you click yes, you then exchange fingerprints using e.g. QR codes, and the authenticity of messages from Bob is retrospectively checked.

Problem is, it's not obvious this can be done without compromising privacy of location.

[+] marcosdumay|11 years ago|reply
> Problem is, it's not obvious this can be done without compromising privacy of location.

That's a problem for Free Software running on local machines!

[+] zokier|11 years ago|reply
> Adding forward secrecy to asynchronous offline email is a much bigger challenge, but fundamentally it's at least possible to some degree.

Is it really fundamentally possible? The author asserts this without really backing it with anything. I can understand how OTR-like systems can work between a static pair of clients, but it is not entirely clear if it is possible at all to extend such scheme to work in scenarios where message delivery is async and I might be using a set of clients/devices for messaging.

[+] pbsd|11 years ago|reply
Matt links to a paper on forward-secure public key encryption in the notes. While this shows it is possible in principle, the actual procedure is pretty awkward, and probably not usable in this current state.

[+] exabrial|11 years ago|reply
PGP needs to onboard themselves with Elliptic Curve Crypto... significantly smaller makes them more distributable which solves a few of the problems mentioned.

[+] tptacek|11 years ago|reply
Most systems should switch from simple multiplicative group crypto to elliptic curve, but it's hard to make an argument that doing that would resolve any of the problems Matt is referring to.

[+] Torgo|11 years ago|reply
It's in GNUPG 2.1, but it's been in beta forever. Also, at least my smart token can only do RSA. It's disappointing that it's taking this long, but it's not like people are throwing money at the GNUPG team.

[+] muyuu|11 years ago|reply
These are largely problems with email, not PGP - which btw is not just for email; in fact I almost never use it with email.

SMTP is not meant to be secure. You insist on communicating through an insecure channel/protocol and making it secure as an afterthought, and it's always going to be inconvenient or otherwise suck. I say PGP is pretty good at what it does, and it's nice in that it doesn't promise what it doesn't do.