Adobe Security Team Accidentally Posts Private PGP Key On Blog (arstechnica.com)

← Back to Stories (view on slashdot.org)

Adobe Security Team Accidentally Posts Private PGP Key On Blog (arstechnica.com)

Posted by BeauHD on Friday September 22, 2017 @10:00AM from the whoopsie-daisy dept.

A member of Adobe's Product Security Incident Response Team (PSIRT) accidentally posted the PGP keys for PSIRT's email account -- both the public and the private keys. According to Ars Technica, "the keys have since been taken down, and a new public key has been posted in its stead." From the report: The faux pas was spotted at 1:49pm ET by security researcher Juho Nurminen. Nurminen was able to confirm that the key was associated with the psirt@adobe.com e-mail account. To be fair to Adobe, PGP security is harder than it should be. What obviously happened is that a PSIRT team member exported a text file from PSIRT's shared webmail account using Mailvelope, the Chrome and Firefox browser extension, to add to the team's blog. But instead of clicking on the "public" button, the person responsible clicked on "all" and exported both keys into a text file. Then, without realizing the error, the text file was cut/pasted directly to Adobe's PSIRT blog.

60 comments

Min score:

Reason:

Sort:

another flash in the brain-pan? by macker · 2017-09-22 10:00 · Score: 0

And the hits just keep on coming from our A-list blisters
The team that brought us Flash, to inspire full employment for browser designers, to keep them busy writing disability check boxes.
Oh, so NOW it's going away? After all the breaches, hacks, and violations?
Took their sweet time owning up to the horridity.
Still, better Nate than Clever.

--
(T)he (O)ld (M)an
Impossible! by fuzzyfuzzyfungus · 2017-09-22 10:08 · Score: 4, Funny

This article is clearly a lie. How can a mythological entity have a PGP key?
Revocation by jimprdx · 2017-09-22 10:09 · Score: 2

But they can revoke it, can't they? An embarrassing screw-up, but no harm done. It's not as if the Adobe security team's credibility was particularly stellar to begin with... :)
1. Re:Revocation by gwolf · 2017-09-22 18:53 · Score: 1
  
  Of course - You can revoke it as well. Everybody that holds both the private and the public parts can issue a revocation certificate!
  (and somebody has... Lets assume it was Adobe!)
2. Re:Revocation by thsths · 2017-09-22 23:55 · Score: 2
  
  Yes, but even then, people can decrypt emails previous send to Adobe, right?
How the hell?!?!? by Aethedor · 2017-09-22 10:11 · Score: 1

How the hell did their PGP key even end up on their webserver?!?!?

--
It doesn't have to be like this. All we need to do is make sure we keep talking.
1. Re:How the hell?!?!? by vux984 · 2017-09-22 10:17 · Score: 3, Informative
  
  How the hell did their PGP key even end up on their webserver?!?!?
  The summary was all of 7 sentences; 3 of them were dedicated to the answer to this very question.
2. Re:How the hell?!?!? by rholtzjr · 2017-09-22 10:21 · Score: 1
  
  PEBKAC (Problem Exists Between Keyboard and Chair)
3. Re:How the hell?!?!? by Anonymous Coward · 2017-09-22 10:22 · Score: 0
  
  the summary used the term obviously, meaning they likely guessed how it happened.
4. Re:How the hell?!?!? by udachny · 2017-09-22 10:51 · Score: 0
  
  Who do you think we are here, n00bs, to RTFS? Jizless Kraist, if something is worth knowing it should be clear from the title itself, otherwise that's what the comment section is for - to complain about the title not providing ALL of the information necessary to have a complete and thorough understanding of the issues surrounding the topic and concepts at hand.
  
  --
  MY OTHER COMMENTS
5. Re:How the hell?!?!? by Anonymous Coward · 2017-09-22 19:14 · Score: 0
  
  PEBKAC (Problem Exists Between Keyboard and Chair)
  Thanks for explaining that new-fangled acronym. Someday it will be over a decade old and everyone will know it so it won't need it explained in parenthesis like that
In the Near Future ... by Archangel+Michael · 2017-09-22 10:27 · Score: 2

We will stop seeing these kinds of articles, since it is a daily occurrence, and just assume someone somewhere was hacked in a major data breach.

--
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
1. Re:In the Near Future ... by jellomizer · 2017-09-22 10:40 · Score: 2
  
  At some point I hope there will be major fines against companies that got hacked in a preventable way. And also hopefully more effort to track down the hackers who do the harm and give them 1 volt shock for every mega byte they had stolen.
  
  --
  If something is so important that you feel the need to post it on the internet... It probably isn't that important.
2. Re:In the Near Future ... by Anonymous Coward · 2017-09-22 12:40 · Score: 0
  
  At some point I hope there will be major fines against companies that got hacked in a preventable way.
  As long as my data/identity aren't stolen, who gives a fuck? I'm not sure how this affects anyone, frankly. Does anyone actually even use PGP?
3. Re:In the Near Future ... by grep+-v+'.*'+* · 2017-09-22 14:24 · Score: 1
  
  give them 1 volt shock for every mega byte they had stolen.
  I agree with your sentiment, but you've got the wrong idea which is bad for making laws. Even the dictionary only hints at it -- take (another person's property) without permission or legal right and without intending to return it.
  
  Now they don't intend to return it, but that's because it hasn't gone anywhere. The bits are still located exactly where they're supposed to be.
  
  "Return it" indicates a uniqueness, to wit a physical item that the owner is deprived of and needs for it to be returned to make the owner whole again. Bits here ain't no such animal -- somehow someone duplicated a set of bits that was located on someone's computer.
  
  If I break into your house, use my Star Trek replicator to physically duplicate Every Single Item in there, then lick it while putting it back exactly where it was originally, have I stolen anything? No, although you should invest in an entire pallet of paper towels and could get me arrested on a "breaking and entering" charge. You couldn't point to anything that's not there before (besides saliva) so seems it would be hard to have me arrested for stealing even though I built an exact duplicate of your house and placed it next door, with the same creaky floors, flickering lights, and an overflowing trash can under that horrible Velvet Elvis that's on your wall.
  
  "Stealing" is generically correct since someone has access to things they didn't before, but to implement laws we need to be much more exact. And is your MB measurement in MB or MiB? What about compression? qbits? Does XML overhead count? What if it's fixed length records and 99% of it is spaces?
  
  You're going to zap someone to death for copying spaces?? And do you zap the poor slob on the actual keyboard, or his boss who's handed the data on a floppy? Heck, what if someone just pushed GO and a software package connected to available servers, collected what it could, filtered out the junk, and created and sold the data on eBay?
  
  No, really, you COULD set that up where "all" you did was press Go and the background agents did everything else. It needs some setup work on the front-end, but that could really have been an "innocent" person.
  
  Personally, I'm for keeping it nice and easy -- (1 Volt per Second) per Byte for the offender, their family and friends AND computers. Cloud Service vendors gets 10% of the penalty because they should have been watching what you were doing, while Facebook gets 90% of that -- because they're Facebook, not that they were involved. THAT just makes it worse.
  
  --
  If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
There is no security so long as... by TheZeitgeist · 2017-09-22 10:29 · Score: 2

...humanities majors keep getting IT security jobs. No such thing as foolproof if a fool does the proofing.
1. Re: There is no security so long as... by TheZeitgeist · 2017-09-22 10:56 · Score: 1
  
  Oh, I don't know about that. Math is hard, but not for everybody, and certainly not for females the likes of a Lisa Meitner or Emily Noether...those calls can math me up all day long any time they want.
Decryption Server by Anonymous Coward · 2017-09-22 10:31 · Score: 0

This is why you do not allow casual access to the private key. Let authorized users submit ciphertext to a dedicated server for decryption and signing.
"PGP security is harder than it should be." by david.emery · 2017-09-22 10:35 · Score: 1

That's a key point and a key contributor to Internet insecurity. One could argue that, to make it 'perfect', the designers of PKI have made it unusable by the average user. And the OS vendors (Microsoft, Apple and Linux community) have not helped. Nor have the purveyors of PKI credentials, again to make trust "absolute", the cost and 'annoyance overhead' makes getting your own key too difficult for anyone short of a fully qualified IT department with PKI expertise.
1. Re:"PGP security is harder than it should be." by Anonymous Coward · 2017-09-22 10:44 · Score: 0
  
  The difference between public and private key is pretty basic... Like, Comptia Security+ basic. The guy was a noob. End of discussion.
2. Re:"PGP security is harder than it should be." by Anonymous Coward · 2017-09-22 10:52 · Score: 0
  
  There is a certain intrinsic and unavoidable complexity to PKI. In this case, it's more the fault of the GUI that was put *on top of* the PKI, not PGP itself.
3. Re:"PGP security is harder than it should be." by Anonymous Coward · 2017-09-22 10:53 · Score: 0
  
  is a noob.
4. Re:"PGP security is harder than it should be." by gweihir · 2017-09-22 11:18 · Score: 3, Insightful
  
  Actually, it is not. Just as with the functioning of a house-key, there is a minimal understanding that is required for public-key crypto, or security will not be provided. Yes, that means many people cannot have secure encryption. That is just the way things are. Wishing things to be different does not change them.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
5. Re:"PGP security is harder than it should be." by Anonymous Coward · 2017-09-22 23:44 · Score: 0
  
  So why is the "but it is hard!"-narrative an excuse for the professionals presumably (but apparently not) trained in this sort of thing, yet at the same time those same professionals keep on blaming "users" for getting "security" all wrong, when they've been explicitly told that "computers are easy" and that "they don't need any training"? Isn't it time that we admitted that even the simplest things aren't all that "intuitive" and go back to give people a grounding in the use of computers?
  And spelling. And grammar. And writing readable questions. You know, nicely structured paragraphs with an actual point or specific question at the end. And not trying to use the network for your archive. And so on.
  So many problems that would've been easy to spot if only the luser had had the presence of mind to look what was happening right in front of his nose, on the screen. And yet, the general user base is so low-level that the simplest things turn out to be hard. There's no functional mind in front of the computer at all.
6. Re:"PGP security is harder than it should be." by thsths · 2017-09-22 23:59 · Score: 1
  
  Basic, yes, but not easy. The whole terminology is quite obscure, starting with "public and private key". Only the private key is a key in the usual sense of the word, in that it opens things. The public key is more like a container or envelop, and should have never been called key. And PGP suffers from a complete lack of usability design throughout.
  Arguably the expected usability cannot be achieved in a decentralised serverless system.
7. Re:"PGP security is harder than it should be." by gweihir · 2017-09-23 01:39 · Score: 1
  
  The "computers are easy" statements come from marketing. They have no basis in reality. We all spend several years learning how to read and write. My estimate is that about the same amount of learning and time is needed to use computers competently. Most people are unwilling to spend that time and will stay on low amateur level. Eventually, it will have to become a major subject in school, because the cost of not doing that is just far too high. At the moment tings are still moving too fast for that though.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
8. Re:"PGP security is harder than it should be." by Anonymous Coward · 2017-09-23 03:04 · Score: 0
  
  "Moving too fast"? Hardly. There's been a lot of repainting bikesheds but there's been pretty much no serious advancement in user interface design. Moreover, it's all "building" on top of that quicksand, the assumption of "intuitive"ness that goes much deeper than mere marketeering. Possibly the biggest advancement is the admission of failure dressed up as innovation in the form of powershell. (I really can't help but pity the people touting its merits. "Yeah, so you reinvented the wheel in your usual fashion. I have a score more, all of better design and higher quality. What of it?") GUIs as we use them today may look nice but in thirty years they haven't really made the computer more useful. They do gobble up their fair share of resources; storage, memory, CPU cycles, dedicated graphics hardware, and so on. I don't think they're worth the cost. A little educating the operator would have had far more effect.
  We have made a big show of pretending to move forward. Actual progress has been scant.
  For example, writing my letters in troff, using the macro set that defines my letterhead and style, is faster, easier, more consistent, nicer typeset, and much less resource-hungry than using "modern" WYSIWYG-GUI-crud. It also lets me use my favourite editor, and doesn't bother me with "ribbons" or whatever is hot this week.
  Most of the "moving too fast" isn't moving at all, it's dancing rodents. Like those 90s websites, yes. About as useful and as easy on the eyes. That's lots of action, but no advancement. It isn't going anywhere.
9. Re:"PGP security is harder than it should be." by gweihir · 2017-09-23 10:11 · Score: 1
  
  I did not claim things were moving "forward". It is more like "moving in spirals" (with circles you would at least get back to a sane state one in a while). I pretty much agree with you.
  The problem is that each new "OS" needs a different UI, each new phone needs one, etc. for marketing purposes to give the appearance of "new" and trigger an unwarranted association of "better". Until that quiets down, it does not make much sense teaching this in school, as people will associate UI elements with actual functionality and UI changes will make that "knowledge" useless.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
UI failure by Anonymous Coward · 2017-09-22 10:37 · Score: 4, Insightful

As much as I hate Adobe and most of their shitware, I don't think it's fair to totally fault the poor person who did this.

But instead of clicking on the "public" button, the person responsible clicked on "all" and exported both keys into a text file.
If a mistake of this magnitude is a single misclick away from happening - something that's really easy to do in a moment's careless mistake of the type EVERYONE has - something is broken with that UI.
There should be warnings in red you have to override with an explicit and nontrivial action.
1. Re:UI failure by dgatwood · 2017-09-22 11:07 · Score: 1
  
  There shouldn't even be UI for such a risky action. If you need the private key, you should have to hunt for the file on the hard drive, double-click it, and open it in a text editor. Doing the right thing should be easy, and doing the wrong thing should be hard.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
2. Re:UI failure by gweihir · 2017-09-22 11:28 · Score: 1
  
  Actually, if the private key is protected by a good passphrase, this operation is not risky at all.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
3. Re:UI failure by dgatwood · 2017-09-22 11:34 · Score: 1
  
  If by "not risky", you mean "able to survive local brute-forcing by a massive botnet", then you have more faith in passphrases—even good passphrases—than I do.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
4. Re:UI failure by gweihir · 2017-09-22 12:03 · Score: 1
  
  No, I just do understand how this works.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
5. Re:UI failure by Khyber · 2017-09-22 12:47 · Score: 1
  
  Son, your understanding is laughed at by todays technology.
  
  --
  Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
6. Re:UI failure by gweihir · 2017-09-23 01:45 · Score: 1
  
  I find it fascinating how anybody that does not have a solid grounding in crypto feels competent to comment on what crypto can do and what it cannot do. Of course, the statements made by such people are routinely wayyyyy off. That is one reason why people like me charge a high consulting fee when making such statements professionally, because it makes it more likely that the customer (who does not understand what is going on, just like you) actually listens.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
7. Re:UI failure by dgatwood · 2017-09-23 05:05 · Score: 1
  
  The funny thing is that I've implemented crypto algorithms. I'm intimately familiar with what they can and can't do. The largest botnet to date was a couple of million devices. Within five years, we'll likely have at least one that crests the ten-million-device mark. Depending on the speed of those devices (and whether they have hardware-assisted crypto support), that could easily mean on the order of a trillion cracking attempts per second or more.
  Assuming a passphrase contains only the 95 printable ASCII characters, an eight-character passphrase would take about 1.8 hours even without any sort of dictionary words. A ten-character random passphrase would take only about 1.9 years. Worse, that's for actual random line noise passwords, which are pretty unlikely in practice. If you assume that they probably picked a combination of dictionary words and l33t-ed versions of those words, cracking it becomes almost a trivial problem with a sufficiently large botnet unless the passphrase is truly enormous.
  So again, why do you think a strong passphrase is adequate to protect a crypto key? I'm not saying it doesn't slow down an attacker, but a compromised crypto key—even one protected by a strong, highly random passphrase—should still be immediately revoked. To do otherwise would be reckless and irresponsible. The cost of a mistake is large, and the cost of a revocation is small.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
Simple mistake... by Anonymous Coward · 2017-09-22 10:37 · Score: 0

Someone obviously haven't read "PGP & GPG: Email for the Practical Paranoid" by Michael W Lucas.
Not a pattern by ebonum · 2017-09-22 10:51 · Score: 1

Adobe has such a long history of putting security first and demonstrating security best practices! How could this sort of thing happen? Or is it because a typical Adobe employee doesn't know the difference between private key and a hole in the ground.
With or without good passphrase protection? by gweihir · 2017-09-22 11:15 · Score: 2

Because if a good passphrase is used, then this is a complete non-issue.

--
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
1. Re:With or without good passphrase protection? by Khyber · 2017-09-22 12:48 · Score: 1
  
  My passphrase SUPPOSEDLY would take a few billion years to crack.
  It took less than 20 minutes for a server farm to crack my password.
  Try again when you aren't 30 years behind the times in terms of technology.
  
  --
  Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
2. Re:With or without good passphrase protection? by kriston · 2017-09-22 18:52 · Score: 1
  
  If the key is old enough, and if it were properly encrypted, that private key was encrypted using IDEA. Arguably it would still be secure with negligible risk according to https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm#Security
  
  --
  Kriston
3. Re:With or without good passphrase protection? by Anonymous Coward · 2017-09-23 01:01 · Score: 0
  
  My passphrase SUPPOSEDLY would take a few billion years to crack.
  It took less than 20 minutes for a server farm to crack my password.
  Try again when you aren't 30 years behind the times in terms of technology.
  There is a difference between passphrase and password. If it took 20 minutes to crack it wasn't anywhere near a good passphrase or the used hashing was weak. While it is possible to brute force the passphrase to the key as you have the public key to check against it will still take a lot more than 20 minutes with a strong passphrase and good crypto. The problem is that all parts have to be strong: The crypto used, the passphrase and the length of the key.
4. Re:With or without good passphrase protection? by gweihir · 2017-09-23 01:47 · Score: 1
  
  The security of your "passphrase" is pretty irrelevant when attacking your "password". Are you sure you do understand what happened there?
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
5. Re:With or without good passphrase protection? by gweihir · 2017-09-23 01:53 · Score: 1
  
  Indeed. The other question is what the substance of the "billion year" estimate actually was. This estimate was likely faulty, which is easy to do when you have no clue how things work. For example, estimate the passphrase at 1.5bit/char of entropy, get, say, 150 bit, but then hash it down to 64 bit. That makes attacking the hash directly a lot easier. Or do one of the cardinal sins and use a phrase that is publicly known, like a citation form a book.
  "20 minutes on a server farm" does sound a lot like somebody screwed pretty badly, including in the "billion year" estimate.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
6. Re:With or without good passphrase protection? by gweihir · 2017-09-23 01:54 · Score: 1
  
  IDEA is not supported by modern PGP implementations anymore, AFAIK. Maybe some commercial ones still do it though.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
7. Re:With or without good passphrase protection? by CronoCloud · 2017-09-23 05:23 · Score: 1
  
  gpg --version
  gpg (GnuPG) 1.4.22
  Copyright (C) 2015 Free Software Foundation, Inc.
  License GPLv3+: GNU GPL version 3 or later
  This is free software: you are free to change and redistribute it.
  There is NO WARRANTY, to the extent permitted by law.
  Home: ~/.gnupg
  Supported algorithms:
  Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
  Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
  CAMELLIA128, CAMELLIA192, CAMELLIA256
  Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
  Compression: Uncompressed, ZIP, ZLIB, BZIP2
  gpg2 --version
  gpg (GnuPG) 2.1.13
  libgcrypt 1.7.8
  Copyright (C) 2016 Free Software Foundation, Inc.
  License GPLv3+: GNU GPL version 3 or later
  This is free software: you are free to change and redistribute it.
  There is NO WARRANTY, to the extent permitted by law.
  Home: ~/.gnupg
  Supported algorithms:
  Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
  Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
  CAMELLIA128, CAMELLIA192, CAMELLIA256
  Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
  Compression: Uncompressed, ZIP, ZLIB, BZIP2
8. Re:With or without good passphrase protection? by gweihir · 2017-09-23 10:03 · Score: 1
  
  I see. So they put it back in. The patent has probably expired by now. Using it is not a good idea though.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
9. Re:With or without good passphrase protection? by tlhIngan · 2017-09-25 04:48 · Score: 1
  
  "20 minutes on a server farm" does sound a lot like somebody screwed pretty badly, including in the "billion year" estimate.
  Password crackers have gotten a lot smarter the past few years. Forcing use of numbers, upper case, and symbols doesn't actually increase the search space all that much anymore if you have humans generating passwords (i.e., it's not random line noise).
  A modern password cracker will take a dictionary word, then apply common transformations to it to generate a test. "password" will then generate a list like "pa55word", "pa55w0rd", "passw0rd", "p4ssword", etc. for random l33t-ification, it will also try "Password" and "PASSWORD" (and the l33t combinations thereof), then add a number at the end, e.g. "password0" (and various capitalizations).
  The end result is a single dictionary word may generate say, 100-200 extra combinations - much less than the theoretical increase caused by adding capitals, numbers and symbols to the search space.
  It's possible to generalize this to pass phrases as well, though the dictionary may be a bit larger, the search space is probably a lot smaller since it's unlikely to include mis-spelt words or random l33t replacements.
  Applying trivial transforms really only works to satisfy the oddball password requirements - it really doesn't increase security all that much.
Poof by jonnythan · 2017-09-22 11:39 · Score: 3, Insightful

And just like that, all email ever encrypted with that key is subject to decryption.
New key? by Anonymous Coward · 2017-09-22 12:06 · Score: 0

So they security changed their password. What, it's now the "old key + 1", like everyone else??
I have to disagree with you. by Anonymous Coward · 2017-09-22 12:16 · Score: 0

The recent deluge of data breaches/security problems show us that this is not an isolated problem.
From operating systems, to basic applications, to entire corporate databases, if there is one thing we should learn it is that doing security is hard and doing security correctly is damn near impossible. Security has never been job 1 and will never be until companies pay the price for their security breaches.
Adobe is just the latest case (hell - the article before this one is about leaking passwords for over 500k car tracking devices) and at least this instance it can be directly tied to human error. This wasn't a technical snafu; this wasn't like Equifax setting their admin password to 'password'; this was someone f'ing up and posting the private encryption key for all to see.
Thank technology for the scope of the impact. You think people don't change their passwords very often -- how often do places change their encryption keys. At least in this case you 1) have to know the key; 2) have access to the messages encrypted with they key; and 3) have messages that contain anything of value.
So while this latest security problem has possible repercussions, I wouldn't put it in the same category as the Equifax 140m+ personal credential breach.
Oh PGP? by Anonymous Coward · 2017-09-22 12:18 · Score: 0

It's pretty good.
emacs used to send LOTS of PGP 1.0 private keys to by Anonymous Coward · 2017-09-22 14:16 · Score: 0

In the first few years after I published PGP 1.0 for Phil Z. a bum emacs script resulted in dozens of private keys from folk high and low being sent to my then public email address..
emacs users seem to adopt the usage of pgp first in those early years 91-97(it was developed as a scripters toy originally..)...
publisher PGP 1.0
(just going to leave this out here)..
No! by higuita · 2017-09-22 14:25 · Score: 1

gpg is not that hard, the true is that mailvelop is shit ... export public key is a common task... exporting the private key do not, so it should be in a totally different place with a proper warning
also google, yahoo, ms, etc should include support for gpg in their webmail ... gpg looks hard because most tools do not support it. integrate then and things will be easier

--
Higuita
1. Re:No! by CronoCloud · 2017-09-23 05:25 · Score: 1
  
  also google, yahoo, ms, etc should include support for gpg in their webmail ..
  You can already use gpg with webmail if you use a proper mail client over IMAP. I've done it for years.
2. Re:No! by higuita · 2017-09-24 02:12 · Score: 1
  
  that is what i do.. but most people that uses gmail and friends only use the webmail or in worst case, the phone app ... neither have gpg support
  
  --
  Higuita
3. Re:No! by CronoCloud · 2017-09-24 02:58 · Score: 1
  
  It is even possible to use Pgp on your phone. I use Gmail IMAP via k9 mail with openpgp.
No, it isn't hard at all by Anonymous Coward · 2017-09-22 15:01 · Score: 0

And who the hell uses webmail?
Re: emacs used to send LOTS of PGP 1.0 private key by Anonymous Coward · 2017-09-22 15:50 · Score: 0

What's a private email address? One that people can't send mail to? Wouldn't that be useless?