Op-ed: Why I’m not giving up on PGP


Neal H. Walfield is a hacker at g10code working on GnuPG. This op-ed was written for Ars Technica by Walfield, in response to Filippo Valsorda's "I'm giving up on PGP" story that was published on Ars last week.

Every once in a while, a prominent member of the security community publishes an article about how horrible OpenPGP is. Matthew Green wrote one in 2014 and Moxie Marlinspike wrote one in 2015. The most recent was written by Filippo Valsorda, here on the pages of Ars Technica, which Matthew Green says "sums up the main reason I think PGP is so bad and dangerous."

In this article I want to respond to the points that Filippo raises. In short, Filippo is right about some of the details, but wrong about the big picture. For the record, I work on GnuPG, the most popular OpenPGP implementation.


Op-ed: I’m throwing in the towel on PGP, and I work in security


Filippo Valsorda is an engineer on the Cloudflare Cryptography team, where he's deploying and helping design TLS 1.3, the next revision of the protocol implementing HTTPS. He also created a Heartbleed testing site in 2014. This post originally appeared on his blog and is re-printed with his permission.

After years of wrestling with GnuPG with varying levels of enthusiasm, I came to the conclusion that it's just not worth it, and I'm giving up—at least on the concept of long-term PGP keys. This editorial is not about the gpg tool itself, or about tools at all. Many others have already written about that. It's about the long-term PGP key model—be it secured by Web of Trust, fingerprints or Trust on First Use—and how it failed me.

Trust me when I say that I tried. I went through all the setups. I used Enigmail. I had offline master keys on a dedicated Raspberry Pi with short-lived subkeys. I wrote custom tools to make handwritten paper backups of offline keys (which I'll publish sooner or later). I had YubiKeys. Multiple. I spent days designing my public PGP policy.


Despite Hacking Team’s poor opsec, CEO came from early days of PGP

Many years before his corporate e-mails would be plastered all over the Internet following a major security breach of his company, a young David Vincenzetti often posted to various Usenet groups, generally espousing his own pro-crypto views.

"The saving of privacy will be a very significant issue (and also a business) in the near future," he wrote, responding to a December 1999 article about then-presidential candidate Steve Forbes' speech on privacy and removing export controls on crypto.

The post is merely one of many retroactive discoveries happening as security onlookers revisit Vincenzetti's Usenet writings from the '90s in the wake of Sunday's Hacking Team breach. The file obtained from that hack—400GB of information distributed via BitTorrent (and published here)—reportedly includes not only various employee e-mails but also source code, financial documents, and more. And as the Daily Dot wryly observed early this week, Vincenzetti's online past indicates that “a younger Vincenzetti might as well have been coding a program to beat out his older self.”


Once-starving GnuPG crypto project gets a windfall. Now comes the hard part

For almost two decades, the open source GnuPG encryption project has teetered on the brink of insolvency. Now, following word of that plight, the lone developer keeping the project alive has received more than $135,000—in a single day, no less.

Short for Gnu Privacy Guard, GnuPG or simply GPG was first conceived in 1997. It makes up the guts that run Gpg4win, GPG Tools, and Enigmail, encryption programs that run on Windows, Macs, and as a plugin for the Thunderbird e-mail program respectively. An open source version of Phil Zimmermann's PGP, GnuPG quickly surged in popularity. Because it was written by a German citizen outside the US, it wasn't subject to then-draconian US laws restricting the export of strong cryptography technologies. Former NSA whistleblower Edward Snowden relied on the program to evade monitoring as he carried out his massive leak of top-secret documents. Many journalists and security professionals also swear by it.

Despite the popularity of the program, Werner Koch has struggled to make ends meet. According to a profile published Thursday by ProPublica, the 53-year-old resident of Erkrath, Germany, grew so impatient with the lack of funding that he considered abandoning the project and taking a better paying programming job. When documents leaked in 2013 by Snowden showed the extent of NSA surveillance, he decided the time wasn't right to drop the project. He has been stuck in limbo ever since.
