Slashdot Mirror
Moxie Marlinspike: GPG Has Run Its Course
An anonymous reader writes: Security researcher Moxie Marlinspike has an interesting post about the state of GPG-encrypted communications. After using GPG for much of its lifetime, he says he now dreads getting a GPG-encrypted email in his inbox. "Instead of developing opinionated software with a simple interface, GPG was written to be as powerful and flexible as possible. It's up to the user whether the underlying cipher is SERPENT or IDEA or TwoFish. The GnuPG man page is over sixteen thousand words long; for comparison, the novel Fahrenheit 451 is only 40k words. Worse, it turns out that nobody else found all this stuff to be fascinating. Even though GPG has been around for almost 20 years, there are only ~50,000 keys in the "strong set," and less than 4 million keys have ever been published to the SKS keyserver pool ever. By today's standards, that's a shockingly small user base for a month of activity, much less 20 years." Marlinspike concludes, "I think of GPG as a glorious experiment that has run its course. ... GPG isn't the thing that's going to take us to ubiquitous end to end encryption, and if it were, it'd be kind of a shame to finally get there with 1990's cryptography."
Show us your work. Talking is easy Moxie: PRODUCE SOMETHING USEFUL.
I've used GPG since... I don't even know, for a very long time. However, since I communicate a lot internationally, and I don't know (and I don't want to know) about every country's regulations regarding encryption, I gave up sending encrypted e-mails at the very beginning, but I still always sign my mails. I never even thought about how many people use or don't use GPG, it's just been there, ever so useful - and I think that's good so. I think "run its course" is harsh though. Why? Because one Moxie Marlinspike says so? Bollocks. If it's useful - and it is -, it's good to have it.
I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
It's a bad sign when those who care about security lose interest. The NSA is doing their part to eradicate secure crypto. Law enforcement agencies are commonly breaking the law to fish for potential criminals. The only protection available is what's written by people who are not subject to influence from the NSA. That's increasingly meaning open source or non-US-based companies.
Crypto is hard to get right. It's hard for the average person to know what ciphers or tools to use and which are just snake oil. It's hard to implement correctly so that it is secure. New ciphers are written by people who have a lot of experience in breaking the old ones. As the old guard ages out, I don't see the same depth of interest in the next generation. With crypto, there's no quick fix, and the new hotness doesn't come overnight.
On the other hand, the 1990s cryptography he mentions would be a huge improvement over many things we have today. Since the 90s, I've wanted the ability to have cryptographically signed financial transactions. Instead of financial institutions and credit reporting agencies using shared secrets, I'd like to have the ability to authenticate with a public key. I'd like to provide my public key in person to my bank so they know I'm authorizing transactions. Instead, they rely on secrets which are available to anyone who's willing to spend a few bucks and maybe break a few laws. Identity theft is so prevalent because we're basically relying on writing (at least a 4000BC technology) for security instead of good crypto. Hell, bad crypto would be an improvement over most of what's being done today.
I hope his opinion isn't representative of more people who have been involved with security and privacy issues, but unfortunately, I think it will resonate with a lot of us.
Blame Google for not implementing it in Gmail -- Then they wouldn't be able to get ad revenue and user metrics from their "free" email service.
Blame MS for not integrating it into Outlook, but why would we expect MS to actually want security in any of their products?
Blame Mozilla for the creaky plugin and cumbersome import/export publish keys interface in Thunderbird, and support for SMIME over GPG by default.
Blame the users mostly for not giving a fuck about encryption.
Personally, I don't give a fuck. Most people don't care about encryption but the ones that do, do. Some take the time to setup GPG with an email client and it actually works quite well despite my complaints about the clunky interfaces.
I can tell you this much: Fuck publishing ANY open source software without signed and verified GPG signatures. You better have a replacement for the "experiment" that's securing the world's biggest open source projects source code, buddy, or you can GTFO for being a sensationalist maroon.
TL;DR: People who need GPG use GPG. Those that don't give a fuck don't give a fuck. Seriously, if the average person can figure out how to use the bullshit set-top box with horrible remote control interfaces, they COULD use GPG if they wanted to, but they don't.
I partially agree with Moxie, GPG/PGP as an email encryption standard is never going to reach the "my mother uses it" point of say Skype. That doesn't mean its run its course. I also think it's disingenuous to imply that the number of keys on the public key servers is a useful proxy for utilization rates.
In my company we use GPG every day. Most people who work there have no idea that we do. It's used in sensitive communications at high levels between organizations, e.g. to send documents to auditors. It's also used in a huge number of automated processes to encrypt data during the DB extract process so we can move that data out of the DB network and send it to partners.
We don't send those keys to a public keyshare. That would provide attackers information and we don't do that (ya, security through obscurity sucks if it's your only line of protection. If you're using it to make life just a bit more difficult for an attacker tho, well I'm always for that!)
Now all that having been said, I have great respect for Moxie, and maybe he has the Next Great Thing up his sleeve. I hope to see it at Defcon :).
Min
On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
I was saying all this 14 years ago.
FOSS Encryption is a mess. It is basically impossible for a regular user to set up encrypted mail.
I'm an expert, and I never even managed too. (The K-Mail crew basically lying about their GPG-features didn't help back then)
Furthermore, the actual, underlying problem is E-Mail.
That this piece of crap protocol/service could survive for so long totally amazes me. I remember using Fidonet and Crosspoint, back in the 90ies (which actually is a superiour solution to E-Mail) and then learning about E-Mail and thinking "Why is everybody using this and thinking it's great?".
The fact that E-Mail is so shitty is the sole reason Facebook has north of a billion users - for the simple reason that Facebook actually is a *better* user experience than E-Mail. Think about that for a moment.
Bottom line:
E-Mail needs a complete redo/replacement with hard asymetric encryption and zero-fuss key handling and exchange built in as a core specification. Top-notch FOSS clients for all major platforms included. That this whole field is in such a sad and sorry state is to the largest part the fault of us, the FOSS community.
We suffer more in our imagination than in reality. - Seneca
This isn't entirely a mystery. For a technology to be widely adopted, it needs to be easy for everyone and provide demonstrable benefits. OR, it needs to provide benefits for a business who already has your custom. And there we begin to see the problem. There are two massive disincentives:
- Crypto doesn't play well with webmail
- Encrypted email can't be scanned for advert keywords
So you will never see the likes of Google or Microsoft championing this. Apple - just maybe, as they would rather promote devices, and I gather they actually DO have decent end to end crypto on iMessage and so on. But even then, it's VERY hard to do in a way that customers would actually appreciate. No-one wants to get email working 95% of the time. It needs to be 100%. If you can't read 5% of your email, you're in trouble. Or you can't read email on the 5% of time that you need to access from a borrowed PC.
It seems to me that the keys to making this work are:
- Concentrate on signing before crypto. Get banks to sign email. Have different security levels; get to a stage where by default, only signed email will download embedded images, make links clickable without a warning, etc..
- Find a way to make it work with webmail. Can we do this with JS? Or do we need browser support? End to end crypto It would require a way for a part of a page to be sandboxed, accept a secret to decrypt your keys, and not allow the plaintext info out. End to end signing is a little easier. This might also include retrieving the private keys from a distinct cloud service.
- Solve the centralized trust issue. Probably derive a format from S/MINE rather than GPG for email, but critically, signing of certs needs a community trust system so you can see who trusts who, and people can get their identities signed by people they know.
Finally, if that's widely deployed for signing then people can begin to encrypt with a hope of the other end being able to decrypt.
I wanted to post something on the Facebook pages about my town: A Facebook search which would bring up a couple of pages, I'd go to those pages, which would show a couple of associated pages. I'd click on join for each one and wait.
Then I went to the phone-book: Type in the town and a selection criteria; all the names appear, with a large percentage showing email addresses. I could immediately push my post to a large percentage of my target audience.
Facebook may be a better experience (Aside: I disagree) but phone and email provide the superior networking function. Social networking means only that I do less 'pushing' of the message.
Then PGP / GPG solved a lot of this bullshit, starting with generating keys for free but email clients never bothered to give it proper support. Instead they offered up some plugin APIs and unsurprisingly PGP / GPG ended up with half assed implementations too. Even fairly good extensions like Enigmail didn't integrate with the client as closely as they should.
And by this point cloud based email took off and crypto fell by the way side. If you want to use crypto in GMail then you have to cut and paste and clearly it's too much effort.
So I really don't blame GPG here. If the first thing an email did during setup was ENCOURAGE a user to create a key; and by default published that key; and attached the key sig to outgoing emails; and automatically looked up incoming email addresses; and automatically encrypted content when all recipients had their own key; and didn't hobble functionality for any of this (e.g. search still worked). THEN this wouldn't even be a problem. Encryption would have been the default and it would be an irrelevance if it was PGP or GPG was under the covers.
In short, everything except the fact that you're using the system.
webmail is ideologically incompatible with the very notion of secure communication that using encryption embodies.
To whit--
A webmail service holds not only the inbox itself, but also holds the contact list, and the presentation code. If one were to integrate encryption as well, then the webmail service would also have to manage keys, both private and public. Handing out BOTH keys is the very essence of insecure, but would be necessary. (The webmail service would need the private key to decrypt messages sent to you, coded with your public key, so it can display them! It would also need your public key if you wanted to read what was in your "sent" folder.) It would also need to hold all the public keys of all your contacts.
That's just one national security letter away from "Oh, sorry, we gave all those keys we had on file to the NSA, and couldnt tell you about it!" and one data breach away from a massive chain of trust catastrophe by identiy thieves (or worse).
Webmail is fundamentally incompatible with the very idea of secure communication of this type. This is something that you simply CANT put "In the cloud", because the main feature of webmail is being able to check it anywhere you can use a web browser. That feature goes away if the service does security correctly, and security goes away if the feature is retained. (To keep the keys outside of the webmail service, the keys would have to be stored on trusted workstations, or on a personal keystore on a portable device, like a USB keyfob-- Not all places with browser access will have provisions for this, and the added complexity will make users pissy. Putting the keys on the webmail server side fixes that problem, but destroys the security model fundamentally.)
Here, let's have an example.
GNU findutils:
find(1) from OpenBSD:
Which one is easier to read?
And yet you contine to be bent out of shape about it. Fancy that.
----
I already addressed this. TWICE.
The option is binary. Either the webmail server has the keys, or the messages are decrypted on the client side using keys stored on the client side for presentation.
If the keys are stored on the wemail server, the NSA can demand them.
If the keys are stored on the client, then the main feature of webmail is broken.
They keys have to be stored SOMEPLACE for the messages to be encrypted and decrypted. The primary statement in my postings has been that properly secured encrypted email is not compatible with the use case of webmail. Webmail's use case is "email access that is independant on client platform, as long as a suitable browser is present" As soon as you put the keys on the client side, this goes away, because now the browser has to probe the local filesystem for the key store, or the browser itself has to have the keystore. This has all the problems of Enigmail for Thunderbird, (Or the GPG plugins for any of the other capable mail clients out there.) The keys are stored on a trusted workstation, that you cant just lug around with you-- OR-- if stored on a keyfob, accessing those keys requires extra steps above and beyond just logging in and checking your mail. This breaks the use case for webmail.
Rather than being an argumentative troll, you could explain your position instead of arguing impotently. Instead, you chose to complain about spelling mistakes, confabulate, and hurl ad-hominems.
To return your trite quip, I already knew that this is what you would do. Resorting to arguments about improper grammar, spelling mistakes, or improper word use is the hallmark of somebody with nothing of real substance to contribute, who instead just likes to feel superior. Congratulations.