Slashdot Mirror


Phil Zimmerman and PGP at CNN.com

rick_campbell writes "CNN is carrying an article about Phil Zimmerman and the fact that Network Associates is dropping support for the commercial version of Pretty Good Privacy. The article includes a little bit of Phil's take on the situation, a little history and some discussion of why this happened and what alternatives exist."

8 of 141 comments

  1. PGP can be saved by lw54 · · Score: 5, Informative
    PGP inventor Phil Zimmermann says PGP can be saved, and has outlined how in this interview.

    "Anyone interested in helping should contact me," he added.

  2. Actually works in XP by MasterBlaster · · Score: 3, Informative

    PGP actually is compatible with XP. Well... compatible enough anyway. I had a relative install 6.5.8ckt on XP WITHOUT the e-mail plugins and without PGP Net and it works fine.
    It is very easy to click on the tray icon and encrypt or decrypt the "current window".
    From what I understand, 6.5.8ckt works better with XP than any other PGP version. I understand the plugins and possibly PGP Net cause issues in XP.

  3. Encrypted email alternatives by Beryllium+Sphere(tm) · · Score: 4, Informative

    Hushmail (http://www.hushmail.com) is web-based OpenPGP mail. I'm a customer and sent Crypt-o-Gram a review, but have no other connection.

    The closest thing to the dream of "just press a button" is the S/MIME in Outlook. That still requires users to get a certificate ("a what?!", they will ask). And S/MIME has drawbacks.

    Pushbutton encryption is a delusion anyway. The details of key management are indispensable to security and require out-of-band verification. Unless you've checked a key fingerprint, or totally trust a key signer, you can be attacked by feeding you a fake public key and all the crypto wizardry is irrelevant.
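The fingerprint check the comment above insists on, shown as an added example that is not part of the post: an OpenPGP v4 public-key packet is built from made-up RSA values, its fingerprint is derived the way RFC 4880 specifies, and the result is compared against a fingerprint read out of band (the key values and timestamp are constructed, not a real key).

```python
import hashlib
import hmac
import struct

# Constructed sample values: a toy RSA modulus and exponent, NOT a real or secure key.
SAMPLE_N = 0xC3F1A9E55B7D2E1F9A4C6B8D0E2F4A6C
SAMPLE_E = 65537
SAMPLE_CREATED = 1013212800  # constructed creation timestamp (seconds since epoch)


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian magnitude."""
    bitlen = value.bit_length()
    return struct.pack(">H", bitlen) + value.to_bytes((bitlen + 7) // 8, "big")


def rsa_public_key_packet_body(n: int, e: int, created: int) -> bytes:
    """Body of a version 4 RSA public-key packet (RFC 4880 section 5.5.2): version, time, algo 1, MPIs."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """V4 fingerprint (RFC 4880 section 12.2): SHA-1 over 0x99, 2-byte body length, body; uppercase hex."""
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()
    return digest.hex().upper()


def key_id(fingerprint_hex: str) -> str:
    """Long key ID is the low 64 bits of the fingerprint, i.e. its last 16 hex digits."""
    return fingerprint_hex[-16:]


def fingerprint_matches(computed: str, out_of_band: str) -> bool:
    """Compare the locally computed fingerprint with one read over the phone or printed on a card.

    Spaces and case in the human-read copy are ignored; the comparison is constant-time so
    the decision does not leak how many leading digits matched.
    """
    normal = "".join(out_of_band.split()).upper()
    if not normal.isascii():
        return False
    return hmac.compare_digest(computed, normal)


def sample_fingerprint() -> str:
    """Fingerprint of the constructed sample key."""
    return v4_fingerprint(rsa_public_key_packet_body(SAMPLE_N, SAMPLE_E, SAMPLE_CREATED))


if __name__ == "__main__":
    fp = sample_fingerprint()
    print("fingerprint:", " ".join(fp[i:i + 4] for i in range(0, 40, 4)), "key id:", key_id(fp))
```

A substituted key with a different modulus yields a different fingerprint, which is exactly what the out-of-band comparison catches.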

    1. Re:Encrypted email alternatives by seaan · · Score: 3, Informative
      The closest thing to the dream of "just press a button" is the S/MIME in Outlook. That still requires users to get a certificate ("a what?!", they will ask). And S/MIME has drawbacks.

      Working for a security firm, we decided to use Outlook and S/MIME. We had a policy that we would sign all messages by default, and use encryption where possible. After over a year of problems, we have stopped the default signing. We still use encryption, but not as much. The problems included:

      * People not being able to read a S/MIME signed email - includes Hotmail and certain combinations of Outlook/IE (since Outlook gets most of its crypto libraries from IE, the version of IE is important). Sending people messages that can't be read is a serious barrier!

      * Random false-negatives for signed messages. Once in a while, a message would indicate it had an invalid signature, but we could discern no change from the proper message. It does not build confidence to tell people, ignore the error message saying the email has been tampered with!

      * Outlook is really lousy when it comes to acquiring and managing certificates. I'm guessing they designed it with Exchange in mind (assuming some corporation puts certificates in Exchange for a closed system). Initializing and managing certificates was a real pain, even for those who knew precisely what they were doing.

      * Outlook did not have a "use encryption only if person has certificate" option, which meant that you had to manually select encrypted email every time you wanted to use it. Also, there is no good way to send a single message with encryption to people who have the certificate and ability to read it, and no encryption for people who don't.

      * Occasionally we could not read encrypted mail because of a variety of errors. The most common was obscure certificate issues (actually bugs, since most of these errors should not have been transient).

      * The level of S/MIME encryption would vary, according to obscure and undocumented reasons (probably bugs too). I always selected 3DES, but more than half of my messages went out with some other form of encryption. Even worse, Outlook does not give you any warning that your message is going out with weak encryption!

      Not all of these are S/MIME problems, but as you can see, we are still very far from "just press a button".

  4. Re:Uhhh PKI? by Xylantiel · · Score: 3, Informative

    Exactly!!

    For those who don't know, PKI=Public Key Infrastructure. It's how you know that a public key you have for someone is actually the right one. Having a working (i.e. secure) PKI is what makes "using" encryption difficult. Everyone always assumes that explaining PKI to anybody is too difficult, so reporters like the one who wrote this article say things like "products aren't easy to use" when really they are and all the difficulty is in having a secure PKI.

    It is probably telling that the most widespread PKI, the one used for web certificates, is pretty much completely broken in practice. Do YOU look at the company name listed on the certificate before you submit your credit card info? I've never seen a browser that by default gets you to at least verify that the company name on the cert is right. This makes man-in-the-middle attacks almost easy.

  5. Doesn't anyone use S/MIME? by Brazzo · · Score: 3, Informative
    It's easy. I go to VeriSign's site (or Thawte, or any of the other root CAs that offer S/MIME certificates - hell, Thawte even offers a limited, free S/MIME certification program, and a network of virtual notaries... but, I digress) and install an S/MIME certificate.

    Then, I go to Outlook, or Outlook Express, or Netscape Communicator, or Mozilla, and I install the certificate. Then, I click the "Digitally sign this email" checkbox to automagically send my certificate to sign the email, and additionally click the "Encrypt this email" once I receive a certificate from an end-user to encrypt the email.

    Sure, there are scalability issues, but any good PKI implementation can take care of those for corporate use. And, with a Network of Trust like Thawte is creating, you get the PGP-like ease-of-use with the PKI-class trust-level of a real PKI. All for the home user.

    And no, I don't work for VeriSign or Thawte. I did work for a company that used certificates. A lot...

  6. Try The Bat! by marm · · Score: 3, Informative

    Does anyone know a decent Windows email client (i.e. not Pegasus or Outlook) which does handle PGP messages?

    Might I suggest The Bat!?

    Funny name, yes, but it's rapidly become my second-favourite MUA (after KMail) and certainly my favourite on Windows. It has support for both PGP and S/MIME encryption and signing (although it uses its own built-in PGP implementation which I'm not entirely happy about). It's not free in any sense of the word either (it's 30-day trial shareware), but hey, this is Windows we're talking about.

  7. WinPT by MagicFab · · Score: 2, Informative

    WinPT is a great toolbar application, a front-end for GnuPG. It lets you encrypt/decrypt from/to any application, including email of course. That's one of the end-user applications that support OpenPGP that we've been telling our customers to use, when we install our product on their site so they can process forms and encrypt results via email.

    --
    Notepad specialist & FAT administrator, group training available