My Thoughts on GPG

Discussion in 'privacy technology' started by dartmouthduck, Sep 29, 2013.

Thread Status:
Not open for further replies.
  1. dartmouthduck

    dartmouthduck Registered Member

    Joined:
    Sep 29, 2013
    Posts:
    10
    Location:
    Romania
    Hello Wilders,

    I no longer use GPG/PGP when sending e-mails. I don't think the encryption algorithm or any open source implementation is in any way broken or compromised. However, the entire concept and idea itself has problems.

    GPG/PGP use perpetual keys. When you set up GPG/PGP, you generate a private key from which the public key is derived. This is both secure and the fundamental problem.

    Unlike OTR, which has perfect forward secrecy with the inclusion of ephemeral keys negotiated per exchange using DH, since your private and public key remains the same for every message, adversaries will be able to save all of your cryptographic text until they can finally obtain your private key (with whatever means necessary).

    This means, even if your messages are secure today, if someone steals your private key, your messages will not be secure tomorrow. In today's personal computing environment, simple malware (with the help of keyloggers for private keys locked by passphrase) makes getting other's private keys trivial.

    So I don't use GPG/PGP.

    It's a false sense of security. You should assume your emails, whether GPG encrypted or plain text, can and will be read. It's no different from a basic public forum (except worse since in an e-mail message, many times, there are two e-mail server operators instead of just one forum operator).

    Recommending GPG/PGP is not the answer. Use OTR and don't look back.
     
  2. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    Good points.

    PD
     
  3. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    First, as far as I know you can revoke your keys and generate a fresh pair, so it is not mandatory to use the same key pair forever.

    As for GPG, it is as secure as possible right now. It is true, in the future someone might find a way to break it, but I strongly disagree with the fact the using encryption is the same as sending unencrypted text.
     
  4. tlu

    tlu Guest


    Correct me if I'm wrong - but OTR can only be used for instant messaging but not for encrypting your emails with, e.g., Thunderbird. Thus, OTR can't be seen as an alternative for GPG. I think you're mixing apples with oranges.
     
  5. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    You are correct, but unless you need to catalog archives of messages (work/business related), does one really need to save emails? I get his point and agree to a point. Just use both, and ask yourself "does this really need to be sent as an email?"

    PD
     
Loading...
Thread Status:
Not open for further replies.