[liberationtech] 13 reasons not to start using PGP
Tempest
tempest at tushmail.com
Tue Oct 15 11:49:29 PDT 2013
carlo von lynX:
>
> People expect PGP to be "secure" without having such a clear idea
> of what they mean by "secure." Suddenly, times have changed.
> This summer times have changed and nothing is as it was.
> Now we know just being able to encrypt and sign is not enough
> for most situations in life. It's no longer "secure."
but, again, pgp/gpg never pretended to provide "anonymity." if the
public perception of "secure" now includes anonymity, that is neither
the fault of the tech nor a reason not to use it. rather, it's a reason
to learn tools that will help to anonymize a connection if that is what
one desires.
> You can't just use it over Tor, you also need a mail server willing
> to give you an account anonymously and then you need all your
> communication partners to do all of that configuration and
> finally you need to configure PGP so it won't expose who you are
> sending to.
correct. people need to learn appropriate opsec based on the
circumstances they are dealing with. it is more than possible for any
user to have a key associated only with an email address that has never
been touched by anything but tor from their side. plenty of services
exist that provide e-mail addresses for free without blocking tor. the
question of how private those services may keep your communications is
an entirely different issue, which is why the use of pgp/gpg is still a
good idea.
> On 10/11/2013 09:10 PM, Tempest wrote:
>> a fair point. but one could significantly address this issue by hosting
>> the public key on a tor hidden service. that would better ensure that,
>> in order to get your key, they would be using a system that protects
>> against such threats. hardly an "easy" solution. but it can be solved
>> with a little extra planning.
>
> I was just thinking to answer that you could leave out PGP entirely
> in this scenario, but...
>
> On 10/11/2013 09:24 PM, Gregory Maxwell wrote:
>> Of course, if you can do this and the HS is secure, then you can just
>> dispense with the PGP altogether.
>
> Gregory said just that ;)
this would assume that servers never get discovered or compromised in
some way. a perfect real world example right now to refute the above
notion is silkroad. any person who used pgp/gpg to encrypt their
communications with each other via that service is likely in a much
better place right now. just because a server appears to be fully
secured within the tor network is no reason to abandon pgp/gpg
encryption of private communications.
i still do not see how you've made good arguments to support your title.
nobody has ever said pgp/gpg is perfect. but to make the claim that
people shouldn't bother starting to use it is too simplistic and,
therefore, just a bit reckless under the circumstances.
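The quoted point about configuring PGP "so it won't expose who you are sending to" refers to a concrete piece of metadata: every Public-Key Encrypted Session Key packet in an OpenPGP message carries the recipient's 64-bit key ID in cleartext (RFC 4880, section 5.1), and GnuPG's --throw-keyids / --hidden-recipient options replace it with the all-zero "wildcard" key ID. The following is an added example, not part of this post or the thread, that parses the packet headers of an OpenPGP message and reports which recipient key IDs are visible. The two sample messages are constructed byte strings (the encrypted session key and the trailing data packet are placeholders, not real ciphertext); the function names are mine.

```python
"""
Inspect the recipient key IDs that an OpenPGP message exposes in its
Public-Key Encrypted Session Key (PKESK) packets (RFC 4880, section 5.1).

Every PKESK packet names the recipient's 64-bit key ID in cleartext, so
anyone who sees the ciphertext learns who it was encrypted to. GnuPG's
--throw-keyids / --hidden-recipient replace that field with all zeros
(the "wildcard" key ID), which is the configuration step the thread refers to.
"""
import struct

PKESK_TAG = 1
WILDCARD_KEY_ID = b"\x00" * 8


def read_packets(data: bytes):
    """Yield (tag, body) for each packet in an OpenPGP binary message.

    Handles old-format headers with 1/2/4-octet lengths and new-format
    headers with one-, two- and five-octet lengths; partial body lengths
    are rejected, which is enough for inspecting PKESK packets."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("invalid packet header at offset %d" % i)
        if ctb & 0x40:  # new-format header
            tag = ctb & 0x3F
            first = data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length = ((first - 192) << 8) + data[i + 2] + 192
                hdr = 3
            elif first == 255:
                length = struct.unpack(">I", data[i + 2:i + 6])[0]
                hdr = 6
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 0:
                length, hdr = data[i + 1], 2
            elif ltype == 1:
                length, hdr = struct.unpack(">H", data[i + 1:i + 3])[0], 3
            elif ltype == 2:
                length, hdr = struct.unpack(">I", data[i + 1:i + 5])[0], 5
            else:
                raise ValueError("indeterminate length not supported")
        body = data[i + hdr:i + hdr + length]
        if len(body) != length:
            raise ValueError("truncated packet at offset %d" % i)
        yield tag, body
        i += hdr + length


def recipient_key_ids(message: bytes):
    """Return the key IDs (hex) named in each PKESK packet of the message.

    A "wildcard" entry means the sender hid the recipient (--throw-keyids)."""
    ids = []
    for tag, body in read_packets(message):
        if tag != PKESK_TAG:
            continue
        if body[0] != 3:
            raise ValueError("unsupported PKESK version %d" % body[0])
        key_id = body[1:9]
        ids.append("wildcard" if key_id == WILDCARD_KEY_ID else key_id.hex().upper())
    return ids


def leaks_recipients(message: bytes) -> bool:
    """True if any PKESK packet in the message names a concrete key ID."""
    return any(k != "wildcard" for k in recipient_key_ids(message))


def build_pkesk(key_id: bytes, session_key_mpi: bytes) -> bytes:
    """Build a v3 RSA PKESK packet with an old-format header.

    The encrypted session key is a constructed placeholder, not real RSA output."""
    bits = (len(session_key_mpi) - 1) * 8 + session_key_mpi[0].bit_length()
    mpi = struct.pack(">H", bits) + session_key_mpi
    body = b"\x03" + key_id + b"\x01" + mpi  # version 3, key ID, algo 1 = RSA
    return bytes([0x80 | (PKESK_TAG << 2), len(body)]) + body


# Constructed sample messages (not real ciphertexts): one normal, one with
# the recipient key ID thrown away. The trailing packet stands in for the
# Symmetrically Encrypted Integrity Protected Data packet (tag 18).
FAKE_SEIPD = bytes([0xC0 | 18, 4]) + b"\x01\xAA\xBB\xCC"
NORMAL_MSG = build_pkesk(bytes.fromhex("0123456789ABCDEF"), b"\x5A" * 16) + FAKE_SEIPD
HIDDEN_MSG = build_pkesk(WILDCARD_KEY_ID, b"\x5A" * 16) + FAKE_SEIPD

if __name__ == "__main__":
    for name, msg in (("normal", NORMAL_MSG), ("hidden", HIDDEN_MSG)):
        print(name, recipient_key_ids(msg), "leaks recipient:", leaks_recipients(msg))
```

Running the block prints a visible key ID for the normal message and "wildcard" for the hidden one. Note what hiding the key ID does and does not buy: the recipient still has to try every secret key to find the one that decrypts, and the message size, timing and mail headers are untouched, which is why the thread treats it as one opsec step among several rather than a substitute for Tor or an anonymous mailbox.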