PGP (Pretty Good Privacy) has been around for quite a while now, and the GNU code for it (GNU Privacy Guard, or GPG) is free.
Amongst other things you can encrypt and/or sign emails using PGP.
Unfortunately it has yet to catch on for a common usage. We use it a lot in A&A. We sign the emails we send in almost all cases and have done for decades (I like how I can say "decades" now when referring to A&A). We are just starting more comprehensive encrypting of emails we send as per another blog post.
But it is still uncommon. It is not properly supported in almost any common email clients. I use thunderbird and there is a good plugin (enigmail) which works well, but still a plug-in. It puzzles me a bit as to why it is not a lot more standard in major email clients yet, after all this time.
Of course, one of the big problems, is the "trust" of keys. There is (deliberately) no central authority. Sadly, a central authority model, like that used for https, is way easier for end users. They could automatically trust an email claiming to be signed by their bank because it would be signed by a chain of authority their email client knows to trust. This is the same as the way you can go to https for you bank and know it is them.
There is an email system for this, S/MIME, but even support for that is complicated and not simply included in major email clients, as far as I can see. It also has the problem that individuals want keys, and a central authority model makes that a pain and probably involves paying to have your key signed.
I do think some organisations could do more to encourage PGP. It would be great if Companies House, for example, would sign company keys as a service that is part of managing company registrations. They already have security measures, and they could use the fact they can trust a signed company email as an added feature in dealing with companies. That may encourage more companies to check signatures, and maybe even use company key signed emails as signatures for contracts.
You still have the issue with individuals, but again, organisations that already do security checks, like banks, could easily include key signing. It would be a way to advertise their bank as a source of trust.
Anyway, enough of solving the problems of the world for a moment, the main reason for writing this is that I have to assume more people are using PGP at last...
How do I know? SPAMMERS!!!
I am seeing more and more spam that includes a PGP signature block or a PGP public key block in the spam email. These are usually broken or bogus, which is silly, but they almost certainly look close enough to get an improved anti-spam checking score, and give an impression of more credibility to people.
That would only happen if people really are using PGP more. So, interesting times.
Of course, if people do use PGP more, then spam checking can start actually checking signatures and trust chains, as part of the scoring. Get enough people using PGP, even if only for signing, and we could ultimately eliminate spam (ha!).
Subscribe to:
Post Comments (Atom)
The end of 17070 and serious consequences
I just read a very concerning article on BBC https://www.bbc.co.uk/news/articles/ckgknm8xrgpo TL;DR BT crossed wires and so a criminal inve...
- 
This is an appeal for (sensible) comments. I am working on revised A&A tariffs for broadband. For those that are not sure how they wor...
- 
For many years I used a small stand-alone air-conditioning unit in my study (the box room in the house) and I even had a hole in the wall fo...
- 
Broadband services are a wonderful innovation of our time, using multiple frequency bands (hence the name) to carry signals over wires (us...
 
 
 
I guess a key server is a pretty good source of likely-to-be-valid email addresses, come to think of it.
ReplyDeleteThe problem with GPG key servers is that there's no way to delete your key from them without already having the key. So if you lost your key its impossible to replace the old one on the key servers (I think you can *add* the new key but the old one sticks around forever so it isn't clear to other keyserver users which they should be using).
DeleteIf you could delete your key without having it, anyone could delete your key! So you see why. But add a more recent key and that is what people will use (if trusted). Simple enough system.
DeleteUnfortunately it's not a sign that people are using PGP more, just that those people who do use PGP are very unlikely to be spammers. In particular, this is an attempt to exploit an old (long-removed) SpamAssassin rule that triggered on the mere presence of a PGP block (regardless of validity) and gave a fairly large negative score. It is not very surprising that the SA training set, containing a whole bunch of email contributed by networking people, would have a nontrivial density of non-spamming PGP users.
ReplyDeleteHave you looked at Keybase? They do a good job of "centralising" identity management for GPG without actually requiring a central trusted party.
ReplyDeleteWe don't really have that much of a problem - the issue is the public at large...
DeleteYes; I was suggesting Keybase as a viable solution for "the public at large".
DeleteThe viable solution for the public at large would be something like gmail. Google did look at it I believe but it didn't go anywhere - key is the problem that with webmail the webmail provider ends up holding the private key which partially defeats the point.
DeleteGoogle enabled this for G-suite, which is the Gmail etc. for businesses. A G-suite customer can switch on S/MIME for their business, and their users will be able to send and receive signed or encrypted mail using keys that are on Google's infrastructure.
DeleteFor the core PGP user this isn't good enough (what if Google are bad guys?) but for the average corporate user it's probably a win, because the keys are safe in Google's servers, not on the laptop you just infected with malware or on a backup disk somebody just gave to a cowboy "recycling" outfit.
I recommend Rainbow's End by Vernor Vinge as an example of a world where banks do key signing. One of those disturbing "oh dear, that could actually happen" near-future sf stories :).
ReplyDeleteSide note: It's called "Rainbows End", no apostrophe, and this is actually story-relevant. :)
DeleteThe bottom line is that it's just not needed most of the time, so the effort to implement just isn't worth it.
ReplyDeleteHave you looked at the e-Estonian (e-residency) service. Smart card (and reader) which you can sign documents with the backing of a European government behind the signature.
ReplyDeleteI was just trying to get S/MIME set up on an iPad. I paid Comodo for a cert, but now I can't collect it since I don't have IE or Firefox on any box. So I wasted my money. Comodo said it's not their problem and just completely refused to help me. Could try and see if I have better luck with Globalsign or someone like that. But not really wanting to risk being had again.
ReplyDeleteI meet a lot of people who think email is clunky and hard to use.
ReplyDeleteThey're almost all using Outlook, or some imitation of Outlook such as Thunderbird or Gmail (with bonus metastasised features). No wonder!
Use a decent email client like mutt, and it becomes a superb method of communication. (Bonus feature: no image/javascript tracking bugs.)
Have you looked at DKIM? DKIM combined with SPF and DMARC can, with reasonable confidence, assure the recipient that the sender's domain is valid and not being spoofed.
ReplyDelete-----BEGIN PGP MESSAGE-----
ReplyDeleteVersion: GnuPG v2
hQIOAwd8nUx3at+tEAgA6mbMb6TAo/FT+c4hhgrCbhSUG1YNsm0RLDpgbfb6icQI
l7i97c9vGKZOTuGbctRCF+TG3exl9aZJgWy9a9IUsbeQLbQrF0O69M172BJwkCBA
MkgZe0ljnZ2Y9Q0lquTzmkCk7HL9m7QIHvZEUHATXCc31k/JsfR3aFKXHv0oJPHL
HAexWRo2f7xqOSIVj8Q+qvgzR/vPL9oPylc79aT6osBg6+3ZXAN59X7S3Nj8uGtS
eAWpHcl1gz/flkRX1TMiWvGqr0z+HCM86nlGXYuAJnQC/JW+/G/wqc8YyqkFU8aC
slrQAAa+r23ZuPm/f4KQjdmzBHgL5ATIid5WG+KQ9Qf/XFH+J4BoEYZL00PywlHf
dDOHK8s3zVOhQYZ0ekh/EEDpIi4oDO+SWo+YgK3B6Tsb1zpU6qKHOxQm1cY/eslk
Owpv1wGvdxc4c+gxB4vv1s9Hdg+mhHsePeu3N9UPQ7Me0wb31iwknDkJeDxq8cjh
s8AkwtV1qQCSXVd6WpUcqamt3ZzIRXOXjHM3UZ+mmSFvwXYxKkj8cehFi6DxFUEj
rVCjTfvQFcqdwN0ZPI2fkSsACGEza9l9w0qw/+OvBj5SXqq3ffsu+OPUgVgjj/4X
/1ji0usBPP2O9IsS8oj2yTDqi1GI4wn0cwXYpmKvJFcwsYwdSHZh9X060Jn7wE4/
yYUBDgMtxKGvqUWG8xAD/R2qulICX2wd6uCvTyK0bUaBafo9uj9o0Nk/I/j1FvZE
e6qMi7Fr5WnnKBOQT6yAEI5u3dmWwJE2tTCYYH7eP2tyPzsZdE8KN6njBEvMUJX7
oyrGj3aOBprW7ZFkZkEwuM6XOn26PRAP4SYw3ePo5G9Ok7kTDL8YZweN0o9hexWO
A/0axErdMHyLQx6vNPMmbuZ6LfJjlXq3teqak22McqhXTLWL9oi1aqCG3GB4dhtL
0K6bnvM0cx2Mv/qzXB6mG6pOTB9oNtiP5GcDAa+Z9EU6As0c2jRn0WG/X3CNuONF
MhZ2M8BRTqaUjU5jvdBKiEP3Oo4w4Yu718EgoPK7Ob0p5dLAIgH6tC5mv3Ax90Pq
M8ozUu+q9+AveI/GFEjtwOokoKuQDfOfl7weu5z1dOdJr1sW+zg/OkyGLqdj/Azr
PDq6ceCj5LhGxBG6nFVedCTprydzzCU5h3yjqbuRbpseCrW6wSBsiJd75VCC0CpK
zYyxzUxx805tyqN/JZT0eoxJ5ayeEBDEpEjpBUob7cir89JqFTMK6HkwR9qVkpav
ghDXhYguZuKyoRqsCkWUZCJXE/uJCS7TYQ9GNMp17kUqk+/R39ZPu+LkNCpolKRx
L2U56b4TIZUgaAEiOM+DTcvwsC3LUQY=
=bmHN
-----END PGP MESSAGE-----
For the benefit of others :-
Delete********* *BEGIN ENCRYPTED or SIGNED PART* *********
*dusts off pgp key*
*tries to remember passphrase*
*eventually gets it right*
yay!
Looks like my key is just slightly older than yours! I also seem to have one that's lost which is even older (and one from when I was at school in 1996 also!)
********** *END ENCRYPTED or SIGNED PART* **********
Yay - it works!
DeleteI've always used CACert to get S/MIME capable certificates, for free.
ReplyDelete