93 lines
3.9 KiB
Markdown
93 lines
3.9 KiB
Markdown
---
|
|
title: "Pretty Difficult Privacy"
|
|
kind: article
|
|
created_at: 2014-04-03 18:30
|
|
tags:
|
|
- security
|
|
- privacy
|
|
- gpg
|
|
- php
|
|
- gnupg
|
|
summary: |
|
|
I have been mildly interested in digital security and privacy
|
|
for years. With the introduction of Keybase.io that interest got
|
|
sparked again and I investigated the current state of GnuPG.
|
|
---
|
|
_Disclaimer: I could write books about online privacy, freedom of speech
|
|
and how encryption fits into that picture. There are others out there who
|
|
can do a better job at that and who have way more experience in crypto
|
|
than I have._
|
|
|
|
So, I got a keybase.io invite. Awesome. But what problem is keybase trying
|
|
to solve?
|
|
|
|
I created my first GPG key in 2000 by way of checking out shiny new things.
|
|
I've been happily generating GPG keys ever since, but I never really used GPG.
|
|
There were three reasons for this:
|
|
|
|
1. The tools, like GnuPG, are difficult to use.
|
|
2. Integration with popular mail clients sucks.
|
|
3. I only know two to three people with a public key.
|
|
|
|
To start with that last point, there is barely anyone I know that uses
|
|
GPG. And I know quite a few technically oriented people, like developers
|
|
and sys admins. No body seems to bother for GPG and the hassle it entails.
|
|
Most people *do* have a public key available, but they simple have not
|
|
setup anything to read and send encrypted or signed emails on a daily
|
|
basis.
|
|
|
|
This brings us to points 1 and 2. The tooling, GnuPG, is not very
|
|
user friendly. I'm not saying it's unusable, but compared to the CLI
|
|
interface that keybase provides, it's arcane magic. Even with GPG setup
|
|
and integrated in [Sup][3], I routinely make mistakes and get feedback from
|
|
people I encrypted an email wrong and it's unreadable by them.
|
|
|
|
Using this arcane magic in conjunction with _normal_ applications, like
|
|
mail clients, is quite difficult as well.
|
|
|
|
Luckily there's [GPGTools][1] for Mac, which provides you with everything
|
|
you need to get started, including a Mail.app plugin, key management and
|
|
a Mac version of GnuPG.
|
|
|
|
With this software installed, as a normal user, you probably still have
|
|
no clue what you're doing.
|
|
|
|
It took me a few evenings to get up to speed again with how GPG works and,
|
|
more difficult, how to manage your keys. This last part turns out to be
|
|
the most difficult thing, mostly because the plenhora of options and
|
|
settings to choose from. All the terminology is not helping: private keys,
|
|
public keys, fingerprints, trust (of keys), trust (of users), key rings,
|
|
signing, ecrypting, cleartext, photoids, shortids and key ids, key length,
|
|
algorithms, validity, passphrases and expiration dates. Not to mention
|
|
subkeys, signing of keys, capabilities and revokation.
|
|
|
|
That's quite a lot of matter to understand before you can use GPG properly.
|
|
|
|
I think what keybase is doing is great. There are also a few flaws in their
|
|
plan, and I think it's not for the better of GPG and privacy. First and
|
|
foremose, Keybase is becoming a central repository that stores user
|
|
identities. That does not sound good, not even to mention they are running
|
|
a business and a closed-source site. Besides, there is already the
|
|
web of trust and public distributed key servers for GPG to use. Proving
|
|
identity with a twitter account or github account is also not very powerful
|
|
IMHO, as it's easy to fake.
|
|
|
|
These things aside, keybase does not solve the fundamental issue of
|
|
cryptography in general and GPG in particular: it's difficult to use and
|
|
does mostly not integrate nicely with other software.
|
|
|
|
For me, to get GPG to the general public, I think the tooling and
|
|
services around GPG should:
|
|
|
|
* be understandable and usable by the average user
|
|
* be open source
|
|
* be distributed in nature
|
|
* integrate easily with third party applications
|
|
|
|
If you can solve this problem, I thing you have gold. Get in touch with
|
|
me if you have ideas on this topic. You can find [info on my GPG key right
|
|
here][2].
|
|
|
|
[1]: https://gpgtools.org/
|
|
[2]: http://ariejan.net/gpg/
|