
posted by on Monday December 26 2016, @11:37AM   Printer-friendly
from the it's-still-pretty-good dept.

An Op-Ed piece from ArsTechnica:

Every once in a while, a prominent member of the security community publishes an article about how horrible OpenPGP is. Matthew Green wrote one in 2014 and Moxie Marlinspike wrote one in 2015. The most recent was written by Filippo Valsorda, here on the pages of Ars Technica, which Matthew Green says "sums up the main reason I think PGP is so bad and dangerous."

In this article I want to respond to the points that Filippo raises. In short, Filippo is right about some of the details, but wrong about the big picture. For the record, I work on GnuPG, the most popular OpenPGP implementation.

  • (Score: 2) by VLM on Monday December 26 2016, @01:14PM

    by VLM (445) on Monday December 26 2016, @01:14PM (#446060)

    It does nothing to address the biggest threats of today

    If you see someone ranting about 1024 bit keys not being strong enough you know you've found someone who's done no realistic threat assessment, has no large scale security system or plan, basically wide open other than having longer keys.

    Also there's no "breaking into" there's intentional cooperation and at absolute worst requiring NSLs.

  • (Score: 2) by takyon on Monday December 26 2016, @01:27PM

    by takyon (881) <takyonNO@SPAMsoylentnews.org> on Monday December 26 2016, @01:27PM (#446062) Journal

    Also there's no "breaking into" there's intentional cooperation and at absolute worst requiring NSLs.

    Will an NSL work on services that can't read the user data that they have? What about services [wikipedia.org] hosted in Switzerland rather than the U.S.?

    --
    [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
    • (Score: 2) by VLM on Monday December 26 2016, @02:11PM

      by VLM (445) on Monday December 26 2016, @02:11PM (#446068)

      The NSL applies to the employees, not the dirt the server sits on. Putting the server on Swiss dirt does nothing if the corporation is founded in CT and the admin who got the letter is in the USA.

      If by "can't read the user data" you mean they encoded it in 40-bit DES, well, technically "cat" and "select * from ..." don't work, but it's not really hard. If it's closed source you can assume it's broken and devs can be forced by law. If something interferes with TLS it gracefully degrades to plain text, for example, so the .gov (or some .gov, or some .com) can target selected users merely by MITMing the traffic. Or another classic is: you transport it encrypted and we store it encrypted, but we also store your password to decrypt it. Has anything closed source ever had read access to your private key? You sure? Ever?

    • (Score: 2) by butthurt on Monday December 26 2016, @09:06PM

      by butthurt (6141) on Monday December 26 2016, @09:06PM (#446151) Journal

      🤨 Weren't you touting Crimean hosting earlier this month?

      A story from April Fool's Day in 2003 said:

      Swiss Internet Service Providers (ISPs) will have to keep a log for six months of all the emails sent by their customers.

      -- http://www.swissinfo.ch/eng/swiss-log-on-to-email-surveillance/3243688 [swissinfo.ch]

      More recently, Swiss voters approved increases in governmental surveillance.

      /article.pl?sid=16/09/26/0139215 [soylentnews.org]

      https://www.artmotion.eu/swiss-mail-overview/ [artmotion.eu]

      • (Score: 2) by butthurt on Monday December 26 2016, @09:08PM

        by butthurt (6141) on Monday December 26 2016, @09:08PM (#446152) Journal

        That last link should say "another Swiss e-mail service (I'm not a customer)."

      • (Score: 2) by takyon on Monday December 26 2016, @09:29PM

        by takyon (881) <takyonNO@SPAMsoylentnews.org> on Monday December 26 2016, @09:29PM (#446158) Journal

        ProtonMail is outside the scope of the Swiss Federal Act on the Surveillance of Postal and Telecommunications Traffic. This act governs lawful Swiss interception of electronic communications.

        As for the Crimea comment, I suspect it was a joke! Not sure though because I can't find it on the fucked search or Google sitesearch.

        --
        [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
        • (Score: 2) by butthurt on Monday December 26 2016, @10:22PM

          by butthurt (6141) on Monday December 26 2016, @10:22PM (#446177) Journal

          They explain why:

          In the SPTT, the obligation to provide the technical means for lawful interception is imposed only on Internet access providers so the Company, as an Internet application provider, is not subject to this obligation and cannot be compelled to build in the technical means to intercept customer communications.

          -- https://protonmail.com/privacy-policy [protonmail.com]