Tuesday, 11 April 2017

PGP usage

PGP (Pretty Good Privacy) has been around for quite a while now, and the GNU code for it (GNU Privacy Guard, or GPG) is free.

Amongst other things you can encrypt and/or sign emails using PGP.

Unfortunately it has yet to catch on for a common usage. We use it a lot in A&A. We sign the emails we send in almost all cases and have done for decades (I like how I can say "decades" now when referring to A&A). We are just starting more comprehensive encrypting of emails we send as per another blog post.

But it is still uncommon. It is not properly supported in almost any common email clients. I use thunderbird and there is a good plugin (enigmail) which works well, but still a plug-in. It puzzles me a bit as to why it is not a lot more standard in major email clients yet, after all this time.

Of course, one of the big problems, is the "trust" of keys. There is (deliberately) no central authority. Sadly, a central authority model, like that used for https, is way easier for end users. They could automatically trust an email claiming to be signed by their bank because it would be signed by a chain of authority their email client knows to trust. This is the same as the way you can go to https for you bank and know it is them.

There is an email system for this, S/MIME, but even support for that is complicated and not simply included in major email clients, as far as I can see. It also has the problem that individuals want keys, and a central authority model makes that a pain and probably involves paying to have your key signed.

I do think some organisations could do more to encourage PGP. It would be great if Companies House, for example, would sign company keys as a service that is part of managing company registrations. They already have security measures, and they could use the fact they can trust a signed company email as an added feature in dealing with companies. That may encourage more companies to check signatures, and maybe even use company key signed emails as signatures for contracts.

You still have the issue with individuals, but again, organisations that already do security checks, like banks, could easily include key signing. It would be a way to advertise their bank as a source of trust.

Anyway, enough of solving the problems of the world for a moment, the main reason for writing this is that I have to assume more people are using PGP at last...

How do I know? SPAMMERS!!!

I am seeing more and more spam that includes a PGP signature block or a PGP public key block in the spam email. These are usually broken or bogus, which is silly, but they almost certainly look close enough to get an improved anti-spam checking score, and give an impression of more credibility to people.

That would only happen if people really are using PGP more. So, interesting times.

Of course, if people do use PGP more, then spam checking can start actually checking signatures and trust chains, as part of the scoring. Get enough people using PGP, even if only for signing, and we could ultimately eliminate spam (ha!).


  1. I guess a key server is a pretty good source of likely-to-be-valid email addresses, come to think of it.

    1. The problem with GPG key servers is that there's no way to delete your key from them without already having the key. So if you lost your key its impossible to replace the old one on the key servers (I think you can *add* the new key but the old one sticks around forever so it isn't clear to other keyserver users which they should be using).

    2. If you could delete your key without having it, anyone could delete your key! So you see why. But add a more recent key and that is what people will use (if trusted). Simple enough system.

  2. Unfortunately it's not a sign that people are using PGP more, just that those people who do use PGP are very unlikely to be spammers. In particular, this is an attempt to exploit an old (long-removed) SpamAssassin rule that triggered on the mere presence of a PGP block (regardless of validity) and gave a fairly large negative score. It is not very surprising that the SA training set, containing a whole bunch of email contributed by networking people, would have a nontrivial density of non-spamming PGP users.

  3. Have you looked at Keybase? They do a good job of "centralising" identity management for GPG without actually requiring a central trusted party.

    1. We don't really have that much of a problem - the issue is the public at large...

    2. Yes; I was suggesting Keybase as a viable solution for "the public at large".

    3. The viable solution for the public at large would be something like gmail. Google did look at it I believe but it didn't go anywhere - key is the problem that with webmail the webmail provider ends up holding the private key which partially defeats the point.

    4. Google enabled this for G-suite, which is the Gmail etc. for businesses. A G-suite customer can switch on S/MIME for their business, and their users will be able to send and receive signed or encrypted mail using keys that are on Google's infrastructure.

      For the core PGP user this isn't good enough (what if Google are bad guys?) but for the average corporate user it's probably a win, because the keys are safe in Google's servers, not on the laptop you just infected with malware or on a backup disk somebody just gave to a cowboy "recycling" outfit.

  4. I recommend Rainbow's End by Vernor Vinge as an example of a world where banks do key signing. One of those disturbing "oh dear, that could actually happen" near-future sf stories :).

    1. Side note: It's called "Rainbows End", no apostrophe, and this is actually story-relevant. :)

  5. The bottom line is that it's just not needed most of the time, so the effort to implement just isn't worth it.

  6. Have you looked at the e-Estonian (e-residency) service. Smart card (and reader) which you can sign documents with the backing of a European government behind the signature.

  7. I was just trying to get S/MIME set up on an iPad. I paid Comodo for a cert, but now I can't collect it since I don't have IE or Firefox on any box. So I wasted my money. Comodo said it's not their problem and just completely refused to help me. Could try and see if I have better luck with Globalsign or someone like that. But not really wanting to risk being had again.

  8. I meet a lot of people who think email is clunky and hard to use.

    They're almost all using Outlook, or some imitation of Outlook such as Thunderbird or Gmail (with bonus metastasised features). No wonder!

    Use a decent email client like mutt, and it becomes a superb method of communication. (Bonus feature: no image/javascript tracking bugs.)

  9. Have you looked at DKIM? DKIM combined with SPF and DMARC can, with reasonable confidence, assure the recipient that the sender's domain is valid and not being spoofed.

  10. -----BEGIN PGP MESSAGE-----
    Version: GnuPG v2
    -----END PGP MESSAGE-----

    1. For the benefit of others :-

      ********* *BEGIN ENCRYPTED or SIGNED PART* *********

      *dusts off pgp key*
      *tries to remember passphrase*
      *eventually gets it right*
      Looks like my key is just slightly older than yours! I also seem to have one that's lost which is even older (and one from when I was at school in 1996 also!)

      ********** *END ENCRYPTED or SIGNED PART* **********

  11. I've always used CACert to get S/MIME capable certificates, for free.