Slashdot Mirror


Can GnuPG Deliver?

jso888 writes "After Network Associates decided to halt further development of PGP, I'm sure that many users like myself who use non-CLI platforms most of the time, wondered "what next?" (PGP Freeware is not an option, since it's tied into the Network Associates product). Salon today has a nice article on GnuPG, the Open PGP/GNU alternative. The article highlights one of the problems with Open Source software today: its "by the geek, for the geek" nature, which by and large places barriers to mass adoption of OSS, especially important capabilities like personal encryption. One of the nice things about NAI PGP was its ease of use and commercial polish. It was easy to install and use, and integrated nicely with Windows software like Eudora and ICQ. GnuPG, admittedly, isn't quite there yet, the article concludes. That's too bad; given the privacy-hostile world we live in, the last thing we need is another barrier to widespread cryptography adoption."

17 of 286 comments

  1. Try the many front ends by mlk · · Score: 5, Informative

    http://www.gnupg.org/frontends.html

    WinPT is quite good.
    http://www.winpt.org/

    But I've only found one "free software" package which is up to scratch with its Windows counterparts (in easy to install etc), and that's Apache Tomcat, and that needs some work. :)

    Ahh well, maybe one day.

    --
    Wow, I should not post when knackered.
  2. Re:secrets and PGP by theNote · · Score: 4, Informative

    Good email clients will automatically check the signature for you and display the identity verification.
    So, yes, in a way I check them all the time.

  3. Re:secrets and PGP by 0xB · · Score: 2, Informative

    Everyone has secrets .. financial information for example.

    Do you use secure websites to order online, or do you use sites with no encryption?

    Do you email your bank account information to family members using PGP, or in plain text?

    --
    0xB
  4. Re:Make it Seamless, Silly. by possible · · Score: 3, Informative
    There is a list of GPG mailer plugins and modules for common mailers, including Eudora, Outlook, Netscape, KMail, emacs, Pine, Mutt, etc. Failing that, you can always write your own.

  5. Re:Make it Seamless, Silly. by Dwonis · · Score: 3, Informative

    Mutt has built-in PGP support. All you have to do is configure it.

  6. Re:secrets and PGP by base3 · · Score: 2, Informative
    i'm sure easier encryption (even over icq!)

    Check out Trillian, which claims to do this. Caveat: it's not open source, and I haven't looked too hard at its security features, but it does list encryption over ICQ and AIM as features. I use it more because it's a unified client that does ICQ, AIM, Yahoo!, MSN, and IRC all in one.

    --
    One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
  7. Not quite accurate.. by dcviper · · Score: 2, Informative

    The article strongly infers that PGP (I use the NAI Freeware distro) does not work with OSX or WinXP. I can't speak to OSX, but I know that 6.5.8 works just fine with Windows XP Pro.

    --
    Ummm, err, say what, now?
  8. this assumes you need to change by gruntvald · · Score: 2, Informative

    I finished a W2K upgrade to all desktops in 2001. The schedule is that we don't do anything till 2005. I've already verified that I can use pgp in outlook to encrypt something that gpg from the shell can decrypt. Though I like the NA product, if they're done, they're done, and I have something workable for 3 more years, after which I'll just switch to a gpg infrastructure. End of problem.

  9. Outlook, and outlook alone by coyote-san · · Score: 5, Informative

    The problem isn't S/MIME per se. Anyone who can use OpenPGP libraries can easily use S/MIME, and vice versa. The problem is Outlook, pure and simple.

    I don't remember the details, but it's been discussed on the OpenSSL lists recently. Outlook has totally dropped the ball on multi-part S/MIME messages. Because they're the 800-pound special-ed gorilla their incompetence means that few people are interested in using correctly working multi-part S/MIME tools that can't interoperate with the majority of people, while the coders understand how much damage is being done by the broken Outlook implementation and refuse to be involved in any effort that gives it credence.

    I rarely see black hats hiding in shadows, but this is one of those exceptions. It's too easy to imagine some spook taking advantage of the fact that MS can kill the market for secure communications, while ensuring that the tools are still available for their users.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  10. Outlook plugin (GPL'ed) available by Jan0815 · · Score: 2, Informative

    The German government(!) is sponsoring a project to use GNUPG. Details (Achtung! German!) can be found here:

    http://www.gnupp.de/start.html

    Roughly translated:

    Security for e-mail, e-commerce and e-government. The goal of this project is to deliver free encryption software that's easy to use.

    The fun thing is this:

    http://www3.gdata.de/gpg/download.html
    and if you don't understand those strange words, you can download here:

    http://gdataspace.de/download/gpg/GDATA_plugin_0 91 -eng.exe

    This is an Outlook-Plugin for GnuPG. Using this plugin GNUPG is easy as 1-2-3.

    HTH

    Jan Wildeboer

  11. There is a very good frontend available right now! by calle42 · · Score: 3, Informative

    Go to www.gnupp.org, home of the GNU Privacy Project. GnuPP is (currently) only for Windows and consists of an easy installer for GPA, GPG and WinPT. This is being sponsored by the German government (like GnuPG itself too), fully GPL'ed, and at least for us Germans, there's a good manual available from the Wirtschaftsministerium too. Anybody can order it for _free_. They gave printed documentations including an installer CD away for free at CeBIT. Anybody who can get this, should. The page there is still in German, but there's an English version of GnuPP too.

  12. GPG and MacGPG by ReadParse · · Score: 3, Informative

    I'm one of those many recent OS X converts who just bought my first Mac, after years of having used Unix and Windows.

    PGP is something I've played with over the years, like a lot of geeks, but never used religiously. But I decided a few months ago that it was something I should start using regularly, so I sought out a mail client with built-in PGP (or variant) support. I found a neat little (non-free) Windows e-mail client called The Bat! (that's their exclamation point, not mine), which had not only built-in support, but you can configure it to use PGP, GnuPG, and even their own OpenPGP implementation. That and many other cool features persuaded me to buy that e-mail client, after which time I decided to throw the switch and begin signing all e-mail that I send.

    Along the way I discovered WinPT (Windows Privacy Tray), which is a decent little frontend for GPG. Remember, GPG is a backend -- how you interface with it is up to you.

    Then came my Titanium PowerBook. I got it for all the reasons mentioned around Slashdot and elsewhere, but I didn't really expect to find cool things like a good GPG frontend, let alone e-mail with GPG support. Boy was I wrong! I went to the GPG site and found a link to the Mac GPG site, which ports GPG to OS X. Not only the backend, but a frontend that integrates with the "Finder" (that's Mac-speak for the "Explorer" equivalent), right in the "Services" menu (which is much like the global right-click menu in Windows Explorer).

    But that's not all! I saw further down on the same page that somebody else has written an extension to the OS X default mail client (which ain't as bad as you might think) that provides very good GUI GPG support for mail.

    So, even though switching over to the Mac isn't the easiest thing in the world (I say that as I sit here typing on my Windows machine for reasons I won't go into), I can say that GPG is among the least of my problems.

    RP

  13. GnuPG Plugin for Outlook by Anonymous Coward · · Score: 1, Informative

    For all of you who want to use GnuPG with Outlook, there is a plugin at Gdata AG. The latest version includes an English version, too.

  14. Re:PGPFreeware? So what? by ssimpson · · Score: 3, Informative

    About once or twice a year a bug of security significance is uncovered in PGP (e.g. the ADK bug, the RNG on UNIX bug, the keystorage bug etc) and this would render the latest 7.02 next to useless.

    Why can't people amend the source code and recompile themselves? They don't have access to the source code.

    Also remember that PGP is now very (over-) complicated and includes various drivers and kernel hooks. Every new version of an MS operating system (Win2k, WinME, WinXP) breaks compatibility.

    The best current hope is the CKT builds of PGP, that are based on the 6.5.8 code. These have all known bugs fixed and still work on all Win32 operating systems. This is also the only version that is actively maintained!


    --
    "Mary had a crypto key, she kept it in escrow, and everything that Mary said, the Feds were sure to know."
  15. GnuPG needs SDK or Java version by Anonymous Coward · · Score: 1, Informative

    PGP is too hard to use, as the Carnegie-Mellon study showed. Users need a simpler metaphor for understanding the roles of public and private keys. For example, in the study, some users emailed their private keys by mistake. Another example, even so-called "geeks" boast about how they frequently change their PGP password. But if their private key is accessible, what good does that do?

    The easiest public key solution I've seen is Hushmail http://hushmail.com which now actually adheres to the OpenPGP standards. Using Java, the browser encrypts the message locally. Sure, private keys are stored on the server, requiring an extremely good passphrase to ensure any level of protection. I guess that's always the trade-off, security vs. ease-of-use. The other disadvantage of Hushmail, of course, is that it is a private mail network. You can be notified via SMTP email that you've received a message, but you can't just spontaneously communicate with another person until they have a Hushmail account. Hushmail needs a "password-only" method of encryption where the message is encrypted and a URL is emailed to anyone you like. When they click on the URL, they're given the option to sign up for a full Hushmail account, where only 1 passphrase is needed to decrypt all messages.

    Hushmail is in Java. I'd rather see an ActiveX implementation. ActiveX would be faster and also able to encrypt/decrypt files locally on your computer. That's the problem with GnuPG. It does not have an SDK that would allow it to be made into an ActiveX control. A Java version would also be useful. NAI's PGP had a great SDK, which they used to license at $1 per copy and later changed their mind and started extorting much more.

  16. GPG is delivering! by zecg · · Score: 2, Informative

    ...only most people are too blind to notice.

    Timo Schultz's WinPT is an all-in-one encryption frontend which sits in the system tray and does EVERYTHING. Even safely wipes data from the drive. And for convenience, he has an Outlook Express plugin (which works!) and a Windows Explorer plugin (which I don't need and thus haven't tried yet).

    Give it a try and see...

    http://www.winpt.org

    --
    .i lu doi ringos.star. xu do puku'aroroi dunli dopecaku leni virnu li'u
  17. PGP Freeware Source is available by moodboom · · Score: 2, Informative

    FWIW, NAI posted the source for PGP Freeware, for peer review purposes. It is still available from the MIT Distribution center for PGP. It's copyright NAI, of course, but it makes for a good read, if nothing else. IANAL, but I wouldn't think it would be illegal to peruse and learn. Certainly lots of integration tips to glean in there (Eudora, Lotus Bloates, LookOut Express, etc). No cut and pasting tho! :>