Phil Zimmerman and PGP at CNN.com
rick_campbell writes "CNN is carrying an article about Phil Zimmerman and the fact that Network Associates is dropping support for the commercial version of Pretty Good Privacy. The article includes a little bit of Phil's take on the situation, a little history and some discussion of why this happened and what alternatives exist."
I looked at PGP a while back and actually installed it. Unfortunately -- and perhaps because of my own carelessness -- it started causing issue(s) with my network connection and I ended up removing it. As the person responsible for the web/email servers where I work I know first hand how insecure and public email is; yet I've not found a solution that I'm comfortable using. PGP seemed (at least to my knowledge) to be the most widespread, but even at that I couldn't name 3 people who I regularly exchange emails with who use it -- in fact I'm not sure if I could name anyone other than my wife who did. The only way I could ever see something like this widespread were if it were integrated into Outlook/Outlook Express/AOL/etc. and I don't see that happening. :(
I was talking to a company about orders the other day and one of the ways you could place an order with them was to E-Mail them your credit card number. I told them I wasn't sending my credit card number over the open internet and asked if they had a PGP key I could encrypt to. They had no idea what I was talking about. After that I wasn't particularly willing to entrust my credit card number to them at all...
The old US Crypto regulations did a pretty good job of stunting crypto-enabled mailers in the US, too. Since you couldn't export encryption or even an "Encryption enabling API" there wasn't a lot of integration work going on. Sure you could get a set of scripts to use PGP or GPG with Pine, Mutt or XEmacs, but most of the people using those mailers didn't even go to the effort. We won't even go into the happy fun GUI mailers that Joe Average User wants to use. PGP did do a good job of integrating into Outlook, at least.
The upshot of all that is I think it'll be a long while before encrypted E-mail is the norm.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
To which I say fine. Alternatives for most of the stuff we use here, messaging systems, web based stuff, etc. can be found in open source projects or written in house. This is just another golden opportunity for open source software. Maybe my boss will hear my pleas now.
Do many people truly use this technology? I understand many "geeks" use it, just for the cool factor, but I have yet to send email to someone who refuses to read/accept it because it was not PGP encrypted. I understand the use is for encrypting email and validating that it is, in fact, from the person who sent it...but really, does anyone use this for anything more than sending their friends email that doesn't really need to be encrypted?
I SURVIVED THE GREAT SLASHDOT BLACKOUT OF 2002!
If Microsoft were serious about their "Trustworthy Computing" initiative, they'd buy PGP and integrate it into Outlook/Outlook Express and their Mac equivalents and make it mind numbingly easy to use. Within just a few years millions of people would be using PGP.
Now who wouldn't celebrate something like that?
You want to know who isn't running Firefox 2.x? They spell it "definately" and "rediculous".
HIPAA is some legislation that has portions going into effect now and in the next few years. It requires those who handle medical information electronically to do so in a secure manner.
I work for a collection agency and since we collect for hospitals sometimes we have been looking at this. We were going to use PGP as clients have specifically mentioned that they require it. Now I am not sure what we will do. Much of what is available out there has restrictions on being used for business.
The movement towards more secure information delivery seems slow but it is moving forward.
I am just real interested in seeing what kind of alternatives surface for businesses like ours.
It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
Until it gets simpler, easier, better integrated with email systems, it won't be widely accepted.
Come out with a local system proxy that resides on the local machine, and have all email route through there. Have IT check to see if there is a public key for the email address, and let IT encrypt and forward onto the "real" email server. Have it handle simple text mail ... and voila ... you have a simple system that EVERY email system could use (POP3/IMAP servers in the proxy) ... and it would be simple, since regardless, it gets sent out encrypted.
BTW, I came up with this system a couple of years ago ... company folded ... I wouldn't want to work on this again since I'm "tainted" ... but ideas are free ...
Karma? Karma? I don't need no stinkin' karma.
There still exists free software which does a pretty decent job.
I've found GPG to be very difficult to use; even as someone who uses the command line a lot, I've got neither the Windows nor the Linux version to encrypt anything yet.
They might not integrate into Outlook.
Does anyone know a decent Windows email client (i.e. not Pegasus or Outlook) which does handle PGP messages?
Encrypted email will probably go through essentially the same stages as HTTPS.
First, it will get integrated into mail clients, for those users who insist on it, in a half-hearted way. Then mail clients will pop up a warning when you send something unencrypted, which most people will just click through for most messages, but people might notice when they're sending a message which they wouldn't send by plaintext HTTP. Then it will become normal for sites with HTTPS servers to have PGP keys for email. It probably won't get much beyond that any time soon, though.
As far as implementation, I anticipate PGP and similar software dying out, in favor of PGP-like crypto functionality being supported in OpenSSL. Why OpenSSL? Because it has become the standard security library implementation. OpenSSH uses OpenSSL, even though SSH competes directly with telnet-over-SSL. OpenSSL also has all the cryptographic functions, it's BSD-licensed, and a lot of security-conscious projects beat on it. Once OpenSSL has support for PGP-formatted stuff, it will be easy for email clients to integrate it. Also, since many email clients are integrated with browsers, which need SSL support (and so use OpenSSL already), it's simply a matter of calling the decrypt function when you get an encrypted message, storing public keys in the address book, and encrypting messages to anyone who has a public key in the address book.
It is no longer necessary to have a separate program for encryption. Writing crypto code is hard, but OpenSSL does or will do almost all of it, so you're left with managing the user's private keys (just like managing client certificates), managing other people's public keys (just like managing site certificates), and distributing the user's public key (just like business-card attachments). The only tricky thing is in signing other people's keys, but if you're not worried about active attacks with people who you don't talk to out-of-band and who aren't corporate sites, you don't need to bother.
"PGP inventor Phil Zimmermann says PGP.. "
What about Rivest, Shamir, and Adleman? Some guy puts a wrapper around their invention and suddenly he's the inventor -- R, S, and A don't even get a mention.
"Thanks for the technology...now get lost."
Disclaimer: IANIM (I am not in marketing)
As I see it, there are two barriers to widespread adoption of PGP (or GnuPG). The first is usability; the second, more important one, is demand. People do not see the necessity of encryption, and in fact, many associate encryption with criminal activity.
The first problem can be solved through the proper use of technology: create user-friendly interfaces for key generation, key management, etc. The goal should be to make PGP/GPG as easy to use as a word processor, spreadsheet, or video game.
The second problem can be solved by promoting digital signatures as opposed to encrypted email. Most people don't care that their email is as open as a postcard. In addition, a significant chunk of the population associates encrypted email with organized crime and terrorism. These are the factors we have to work against in promoting encryption as a way to keep email private.
Digital signatures are a different matter. There is no social prejudice against digital signatures per se, and the need for digital signatures is easy to demonstrate, as detailed below.
Most people believe the From: headers on their emails without question. Unfortunately, it doesn't take much technical skill to fabricate an email with a fabricated From: header. (Below is a Python script that does just this). It's therefore trivial for a malicious person to send all kinds of forgeries to you, your friends, your co-workers, etc. The social damage can be catastrophic.
Digital signatures solve this problem neatly: if you have any doubts about who actually sent the email, or the actual contents of the email, the digital signature gives you near mathematical certainty that the message and sender are authentic.
In my experience, it only takes a couple of humorous demonstrations to get the point across to your intended audience; after which, they become motivated to learn and use PGP/GPG to sign and verify the signatures of emails. Using PGP/GPG for encryption is a logical next step.
By the way, if you do try to demonstrate the forged From: header trick, please make absolutely sure that your audience is prepared ahead of time, and that you are legally authorized to do this, before you make your demonstration. Otherwise you could unnecessarily end up in a heap of trouble.
It should be noted that PGP and GPG have an advantage in meeting the demand for digital signatures, since they're both relatively mature technologies. The danger is that the government could push hard for their own scheme, with built-in back doors and/or mandatory key-escrow. Selling secure, non-escrowed encryption is going to be much harder in the present political climate than it was before.
Hope this helps.
Finding God in a Dog
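Added example, not code from the thread or from any of its posters: a small Go program illustrating the point of the post above, that an address book's key for the From: address, not the From: line itself, is what decides whether a message is authentic. It uses Go's standard-library ed25519 in place of PGP; Contact, Sign and Verify are names assumed here, and the key pair and message are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// Contact is a hypothetical address-book entry: an address plus the public key
// its owner handed over out-of-band (the key-management step the post describes).
type Contact struct {
	Addr string
	Pub  ed25519.PublicKey
}
// Header fields covered by the signature, so rewriting From: or Subject: breaks it.
var signedHeaders = []string{"From", "To", "Subject"}
// canonical is the exact byte string that gets signed and later verified.
func canonical(headers map[string]string, body string) []byte {
	var sb strings.Builder
	for _, h := range signedHeaders {
		sb.WriteString(h + ": " + headers[h] + "\r\n")
	}
	sb.WriteString("\r\n" + body)
	return []byte(sb.String())
}
// Sign returns a detached signature over the covered headers and the body.
func Sign(priv ed25519.PrivateKey, headers map[string]string, body string) []byte {
	return ed25519.Sign(priv, canonical(headers, body))
}

// Verify trusts the address book, not the From: line: the key filed for the
// claimed sender must have produced the signature; unknown senders fail.
func Verify(book []Contact, headers map[string]string, body string, sig []byte) bool {
	for _, c := range book {
		if c.Addr == headers["From"] {
			return ed25519.Verify(c.Pub, canonical(headers, body), sig)
		}
	}
	return false
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed sample key pair
	book := []Contact{{Addr: "alice@example.com", Pub: pub}}
	h := map[string]string{"From": "alice@example.com", "To": "bob@example.com", "Subject": "Lunch"}
	body := "Noon at the usual place?\r\n"
	fmt.Println("genuine verifies:", Verify(book, h, body, Sign(priv, h, body)))
}
```

A message whose From: claims a known contact but was signed with some other key fails exactly like an edited body does, which is the check a mail client would run before believing the header.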