Moxie Marlinspike: GPG Has Run Its Course

An anonymous reader writes: Security researcher Moxie Marlinspike has an interesting post about the state of GPG-encrypted communications. After using GPG for much of its lifetime, he says he now dreads getting a GPG-encrypted email in his inbox. "Instead of developing opinionated software with a simple interface, GPG was written to be as powerful and flexible as possible. It's up to the user whether the underlying cipher is SERPENT or IDEA or TwoFish. The GnuPG man page is over sixteen thousand words long; for comparison, the novel Fahrenheit 451 is only 40k words. Worse, it turns out that nobody else found all this stuff to be fascinating. Even though GPG has been around for almost 20 years, there are only ~50,000 keys in the "strong set," and less than 4 million keys have ever been published to the SKS keyserver pool ever. By today's standards, that's a shockingly small user base for a month of activity, much less 20 years." Marlinspike concludes, "I think of GPG as a glorious experiment that has run its course. ... GPG isn't the thing that's going to take us to ubiquitous end to end encryption, and if it were, it'd be kind of a shame to finally get there with 1990's cryptography."

Re:Same error, repeated

[rvw]

I know quite a few people who have started using GPG via the Enigmail plug-in for Thunderbird lately. The length of the man page is irrelevant and they never publish their keys so are effectively invisible to the statistics. That doesn't mean that it isn't an extremely useful, valuable piece of software though.

I use Thunderbird with Enigmail, mostly to sign my emails to get other people used to seeing signed mails, with an attachment with the signature in it. I've got one question about this, a friend asking what that mysterious attachment was and I explained it. I created an IMAP mail account that I only use to make notes that I can easily share among different computers. All these notes are encrypted using my public key. I can open them on the computer which has my private key.

Your comment about being invisible to statistics does not mean being invisible to NSA and GCHQ. As they and several other agencies scan all mail, they will see these attachments, they will see mail headers and other signs that mail being encrypted, whatever method you use. So they will know that your friends use GPG.

Re:get to work

[Troed]

Yeah. If only there was an easy to use end2end encrypted mobile phone application for voice calls that Moxie had been involved in creating.

https://en.wikipedia.org/wiki/...

Re:get to work

The point is that Moxie actually *does* something (has the OP done anything? We don't know).

I don't agree on everything with Moxie, but fact is that he's not sitting on his hands, by a long stretch.

Re:I use GnuPG

[CronoCloud]

PGP isn't a standard

It most certainly is:

RFC 1991, 2440, 4880, 5581, 6637, 2015, 3156

http://en.wikipedia.org/wiki/P...

The e-mail client I use has gnupg support by default.

Re:Same error, repeated

[pthisis]

Why use gpg instead of s/mime, which has native support in most e-mail programs, with no need for plugins? S/MIME relies on centralized key servers or opens itself to man-in-the-middle attacks. You can hand-authenticate individual CAs with some effort, but there's no equivalent to PGP's web of trust. And CAs are single points of failure, making them extremely desirable points of attack. Marlinspike, of course, has developed his own proposed solution to the CA problem: http://en.wikipedia.org/wiki/C... It's up to the reader whether this contributes to his credibility on the issue because he knows what he's talking about and has taken the time to contribute code to help fix the problem, or whether he's someone with his own personal dog in the fight and hence has an ulterior motive in denigrating PGP's trust model.