The Pro-PGP Position

A few days ago, I blogged an excellent essay by Filippo Valsorda on why he's giving up on PGP. Neal Walfield wrote a good rebuttal.

I am on Valsorda's side. I don't like PGP, and I use it as little as possible. If I want to communicate securely with someone, I use Signal.

Posted on December 22, 2016 at 7:59 AM • 58 Comments

Comments

George H.H. Mitchell • December 22, 2016 8:23 AM

So encourage the Signal folks to produce an email system. Email isn't going away any time soon. And Thunderbird with Enigmail makes PGP palatable. (Palatable enough for me, anyway.)

Ron Aaron • December 22, 2016 8:31 AM

PGP is certainly not the easiest to set up and use. But it is an extremely useful tool if you want to, say, upload a file of some kind to a public place while maintaining access control.

I second George H. H. Mitchell's comment: Thunderbird with Enigmail is reasonably nice to use.

B • December 22, 2016 8:46 AM

George --

Public key encryption does not match the usage model most people, even technically competent and security-minded people, have for email. Email is supposed to be receivable on any device that a person logs into, regardless of whether they used it before, regardless of whether or not the sender of a message is online, regardless of how long ago the email was received. The reason people do not like PGP is not the UI; it's that PGP encryption breaks email in some way, and I would argue that is fundamental.

The only hope I see for email encryption is widespread adoption of Yubikey for 2FA. Basically you would have to force people to use a device that can store their private key in order to log in. That would have to be universally adopted, which is a huge and ongoing logistical problem, and you would still need some way to deal with people losing their Yubikey (some backup system for the secret key). If we had a reliable way to identify people something like IBE might be useful, but we do not have that and the IBE model has an inherent backdoor so for many people it is a non-starter.

It's not for lack of trying -- these problems are hard to solve.

-- B

Coward • December 22, 2016 8:47 AM

Signal requires Google Play Service or iOS, and a phone number too. I prefer OTR, and PGP is certainly very useful when sending encrypted files.

Bernd • December 22, 2016 8:58 AM

Isn't the endpoint (Android/iPhone) of Signal much less secure than the potential endpoint of GnuPG (GNU Linux)?

Cheers,

Bernd

Weirdo Wisp • December 22, 2016 9:06 AM

As far as I know, Signal can be used only on one device, a clunky (touch screen) smartphone, certainly a very insecure device. (There are browser extensions, I guess, for using the smartphone’s Signal app from a computer; but that’s clunky, too, and certainly they are not available for any browser.)

Also, I am not willing to give my phone number away. A phone number is a very bad identifier. There are many more people allowed to message (= mail) me than to call me.

E-mail and PGP I can use on many devices, real, quite secure computers. I can have nice, memorizable e-mail addresses. And I can have many e-mail addresses and PGP keys – for example for the times I want to be pseudonymous or anonymous. For Signal, this requires multiple smartphones, and because of the phone number (and phone number registration and data retention laws in some countries) it is certainly not anonymous.

And e-mails I can file to different folders, per project or communications partner, I can flag them, mark them unread (to work on them later). I have not seen this for any messenger.

AJ • December 22, 2016 9:09 AM

Also for those of us developing FLOSS, what alternatives are there to PGP/GPG for signing our releases?

Muharem • December 22, 2016 9:18 AM

On the problem of losing your Yubikey: buy/register at least 2 of these. If one is lost, the other can still be used.

mike~acker • December 22, 2016 9:47 AM

IMHO the key to thinking about PGP lies in AUTHENTICATION -- moreso than in encryption.

years ago we relied on the old ball point pen for authentication. generally we thought an original signature was legal -- because it could be authenticated by a handwriting expert and/or notary signature.

now that we want to do everything over the 'Net -- how do we AUTHENTICATE?

the key part that is missing is that most net users don't have the ability to authenticate

IMHO two factor authentication can help -- but it's not infallible

with that in mind though it's important to note: security cannot be obtained in any computer system that is easily compromised ( "hacked" ) .

Pundits today teach the public to look for the HTTPS indicator on any Web Page they are using for sensitive data

that helps, -- but -- as we know x.509 Certs have been spoofed.

We need to learn that we must not trust the mass of published x.509 certs that are provided by the Browser. Instead, for sensitive use -- we need to validate and then COUNTERSIGN the X.509 certificate that we will use in any sensitive application.

to do it -- users will need their own PGP key.

What this implies is that the published and broadcast x.509 certs -- should be afforded only MARGINAL trust: not good enough for sensitive applications.

anyone who has read the original PGP documentation will remember that Zimmermann warned us: PGP cannot help -- if the host computer is compromised.

In looking at the overall question then: we need (1) a secure O/S, and (2) general adoption of PGP.

I think IRS Forms 1040 may be the best example that illustrates the need: How does the IRS know that your 1040 is genuine?

Because it has your SSN & DoB? Hackers sell that stuff by the bucket. your AGI from last year?

Better to sign it with PGP.

But this brings us to the other Real Need: a means by which computer users can generally and easily get their PGP key authenticated. This could be a service provided by Credit Unions, DMV, County Records, Notaries, &c

a secure O/S ?

We may need to put PGP into some sort of packaged technology -- a KEK type device, perhaps.

Hopefully Bruce will continue this dialog.

PS

PGP is easy to use in Claws Mail as well as in Echelon -- in addition to T-Bird.

Warren Hinckle • December 22, 2016 9:52 AM

A product placement by Bruce Schneier?

Of course, you should realize that Signal receives a significant amount of funding via the Open Technology Fund.

Furthermore Bruce is on the Board of the Open Technology Fund, which is a program run by Radio Free Asia under the auspices of the Broadcast Board of Governors. Which is a CIA spin-off devoted primarily to spreading American propaganda overseas.

Signal is a product of the national security state. Just like Tor.

You've been warned...

Andrew • December 22, 2016 9:52 AM

Just speaking as an interested end-user, nobody else I know actively uses PGP or Signal, and I have a lot of tech-savvy contacts. I use Thunderbird/Enigmail too. For most non-techy people who mainly use webmail and have trouble remembering their computer’s password, setting up and maintaining that is probably still a step too far. And then you have to use & maintain something completely different on your smartphone (e.g. K9 + Openkeychain on Android), setting/remembering another unlock code, and worry about trusting another OS. Just to clarify, I’m ok with all that, but I know others who literally don’t care about unlock codes, unique passwords, etc. because they have “nothing to hide”.

One post above mentioned Signal's issues with Google/IoS infrastructure, and needing to link it to a phone number. Disassociating from those would be a step in the right direction at least? So, instead of publishing my (Signal) phone number, I could publish some kind of unique (potentially device portable or disposable) identifier instead? I'm sure these kinds of things are possible if developers set their minds to them.

It’s great that the security community has these kinds of debates every now and then, and hopefully some new ideas can evolve out of it, but I think that to get any kind of ubiquity for secure communications, it really needs to be baked in from the start, widely available, and as transparent to end-users as humanly possible.

MR • December 22, 2016 9:53 AM

Anyone try ProtonMail (https://protonmail.com/)? It appears to have seamless PGP integration. It's Swiss hosted but I've no idea how secure it truly is.

Use Signal • December 22, 2016 10:06 AM

Open Whisper Systems just released their censorship circumvention https://whispersystems.org/blog/doodles-stickers-censorship/

> Today's Signal release uses a technique known as domain fronting. Many popular services and CDNs, such as Google, Amazon Cloudfront, Amazon S3, Azure, CloudFlare, Fastly, and Akamai can be used to access Signal in ways that look indistinguishable from other uncensored traffic. The idea is that to block the target traffic, the censor would also have to block those entire services. With enough large scale services acting as domain fronts, disabling Signal starts to look like disabling the internet.
>
> With today's release, domain fronting is enabled for Signal users who have a phone number with a country code from Egypt or the UAE. When those users send a Signal message, it will look like a normal HTTPS request to www.google.com. To block Signal messages, these countries would also have to block all of google.com.

These guys are awesome! Great job.

rirotto • December 22, 2016 10:07 AM

This whole "prefer Signal over PGP" series of statements is ridiculous. While Walfield put forward some very strong points here http://arstechnica.com/information-technology/2016/12/signal-does-not-replace-pgp/ refuting and destroying many of Valsorda's arguments against PGP, most of the participants in this debate are obsessed with cryptography and are missing the point:

Email is NOT interchangeable with instant messaging, however open and ubiquitous the latter may be (Signal is neither). Email is first and foremost a completely indispensable productivity tool (which Signal and every other IM, not even the infinitely more ubiquitous WhatsApp, is not).

There is not, and will not be in the observable future, such a thing as a business that does not use email or a professional that does not use email heavily to communicate with his suppliers, partners, and customers. And almost all people who use email in business use it and will continue to use it at home. I can, without fear of being wrong, without knowing any of the readers of this blog, tell you that ALL OF YOU (including Mr Schneier) are not anywhere NEAR abandoning the use of email.

So what's the freaking point of comparing Signal to PGP?

Tim Bradshaw • December 22, 2016 10:12 AM

I think PGP has plenty of good uses.

Being an ex-sysadmin I care a lot about backups. One of the things I do is make daily dumps of critical state in my home directory into Dropbox, whose security I trust not at all. So the script that makes the dump encrypts it with gpg (before linking it to the db-synced space). That has the nice property that it runs completely automatically, but the key to decrypt it is nowhere on the machine.

This works pretty well in practice. It probably does not defend me against the NSA (or in my case GCHQ) but if those people come after me I have already lost.

Signal (which I use, of course) also is not anywhere near a replacement for PGP-encrypted mail for many people. By far my most common use-case for PGP-encrypted mail is to send authentication details to someone, and it's great for this: messages are individually decrypted and clients make reasonable attempts to ensure that the decrypted content never touches non-volatile storage (I know that they are vulnerable to heroic attacks: everything is vulnerable to sufficient heroism, but very few people need to defend against such heroism). If I send something using Signal then every message I have sent is visible if one of them is. So you can have a mail folder full of mails with credentials in, decrypt the one you want, and whoever is shoulder-surfing you gets that one, only. And of course you can use multiple keys with multiple passphrases if you want to protect different messages of different sensitivities.

There are plenty of other cases where PGP works well and where there is no replacement.

Further, I think that any replacement that actually deals with a significant number of the things that PGP is good for, which Signal, for instance, does not do, will probably be as complicated as PGP: complicated problems tend to have complicated solutions, while simple problems (secure chat application) have much simpler ones.
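Tim Bradshaw's backup arrangement above, written out as an added example (my script, not his): the machine holds only the recipient's public key, so the ciphertext can be dropped into a sync folder whose operator is not trusted and nothing on the box, or at Dropbox, can read it back. The recipient key id, the directory paths and the `assert_no_secret_key` preflight are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Tim Bradshaw's own script: encrypt a dump of a directory
# to a public key and place only the ciphertext in a Dropbox-synced folder.
# The private key must live elsewhere (offline, another machine), so a
# compromise of this box or of Dropbox yields ciphertext only.
set -eu

# Refuse to run if this machine can decrypt its own backups: an encrypted
# dump sitting next to the secret key that opens it gains little.
assert_no_secret_key() {
  if gpg --batch --list-secret-keys "$1" >/dev/null 2>&1; then
    echo "refusing: secret key for $1 is present on this machine" >&2
    return 1
  fi
  return 0
}

# Dump directory $1, encrypt it to recipient $2, and move the result into $3.
# The ciphertext is written to a temp file outside the synced folder first, so
# the sync client never uploads a partial archive. Prints the finished path.
encrypt_dump() {
  src="$1"; recipient="$2"; dest="$3"
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  out="$dest/$(basename "$src")-$stamp.tar.gpg"
  tmp=$(mktemp)
  # --trust-model always: the recipient key was imported deliberately, so
  # batch mode must not stop to ask about its web-of-trust validity.
  tar -C "$src" -cf - . | gpg --batch --yes --quiet --trust-model always \
      --encrypt --recipient "$recipient" --output "$tmp"
  mv "$tmp" "$out"
  printf '%s\n' "$out"
}

# Cron-style invocation: encrypt_dump SRC_DIR RECIPIENT DEST_DIR
# e.g. encrypt_dump "$HOME/critical-state" 0xPLACEHOLDERKEYID "$HOME/Dropbox/backups"
if [ "$#" -eq 3 ]; then
  assert_no_secret_key "$2"
  encrypt_dump "$1" "$2" "$3"
fi
```

Restores happen on the machine that holds the private key (`gpg --decrypt backup.tar.gpg | tar -xf -`), which is also the place to rehearse them; an encrypted backup nobody has ever decrypted is not yet a backup.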

Clive Robinson • December 22, 2016 10:19 AM

@ Bernd,

> Isn't the endpoint (Android/iPhone) of Signal much less secure than the potential endpoint of GnuPG (GNU Linux)?

All endpoints that connect to a communications network and handle plaintext are vulnerable to "end run" attacks via "IO shims" etc.

Thus having accepted that and the risk it presents, you then have the question of control. Arguably with any smart phone you have no control whatsoever; Android on a pad or other device is likewise locked down by the manufacturer, with even god unable to say what nasties they've installed, and the same for MS OSs as well (Lenovo installed malware).

My preference is to not bother even trying to lock down a commodity OS, and thus shift the security end point off of any such systems altogether...

Thoth • December 22, 2016 10:31 AM

@Andrew

It's just the remaining "Johnny doesn't want to encrypt" syndrome even if the GUI is nice (where "Johnny can't encrypt" syndrome is getting milder) but they have to:

- Use multiple platforms and protocols that can vary
- Platforms may not agree on many specifications and implementations
- Confusing OPSEC and instructions to have a bulletproof 200% NSA proof setup (very unlikely to happen) unless it's deemed a waste of time
- Product lock in
- I have nothing to hide argument
- Hiding something shows guilt or attracts the cops argument

There are many other reasons but essentially, it boils down to the contact simply refusing to secure their end; it breaks the chain of security and there is nothing that can be done until the contact decides to change their mind and take the trouble to download apps, purchase hardware and so forth to make themselves more secure.

Also note that emails (especially signed documents according to National eGovt guidelines) can be used in formal proceedings (i.e. Courts, Financial Institutions, B2B, Taxes ..etc..) but secure chat would not be permissible in any form whatsoever to replace the position of signed emails when formalities are required in an institutional setting. That is not to say PGP/SMIME is better or some form of secure chat is better. It is the context it is being deployed in that actually matters instead of blindly nodding the head just because someone said this is better than that. PGP/SMIME/CAdES would not be going away anytime soon in the context of formal settings especially over digital documents (which email is considered in this category) while secure chat is more of an informal conversation just like any chat and may not have any standing in legal context (i.e. business dealings). So, comparing secure email vs. secure chat, it needs to establish the requirements and conditions with regards to how the message is sent and stored and the "shelf life" of the message and any legal requirements for preservation for audit purposes and all that must be taken into context.

Rick • December 22, 2016 10:42 AM

I'm wary about people promoting YubiKey 4 here. Isn't that the first YubiKey with closed-source crypto?

Harry • December 22, 2016 11:23 AM

Signal is a great piece of software that is open source, free and easy to use. It works on the two largest mobile platforms (Android and iOS) and requires no special technical skill. You can use it for voice calling or text messaging.

PGP on the other hand comes in a variety of flavours, varies in compatibility from device to device, doesn't always get updated promptly and makes email much more difficult to use even with plugins. It's used by an ever decreasing minority and even the experts (Zimmermann et al.) prefer not to use it except for very specific purposes. The number of devices you can use it on is limited to the extent that you are prepared to expose your private key to the device and also to having compatible software. PGP is difficult for your average person to understand and isn't used routinely.

There is nothing to stop anybody who wants to create a rival service to Signal from using the source code and going from there. Signal themselves don't permit federation but they do allow you to create your own software.

The whole point of preferring Signal (or for that matter any encrypted messaging app) is that WhatsApp, Telegram etc. are the way most people communicate nowadays. Very few large businesses use PGP. Only a minority use S/MIME and that, unlike PGP, is properly integrated into most non-webmail clients.

In many respects ephemeral messaging is more secure providing both parties choose not to create an immutable archive of communications, it has forward secrecy and key verification is easy.

Providing a person uses Signal sensibly with due regard to their personal threat model and that they verify the fingerprint (which is very simple to do) then this easy to use method of communication is far superior to PGP which is cumbersome, used infrequently and prone to mistakes.

PGP certainly has its place for high-security systems but the majority of users will never encounter it and never use it.

Andrew • December 22, 2016 12:50 PM

@Thoth
Thanks for your comments. You raise a number of important and valid points, and I entirely agree! I'm not a security professional, just a tech-savvy end-user of these systems who wishes they could be better than they are now. Not necessarily nation-state proof, but something that gives more protection when devices are lost/stolen, data breaches happen, etc. Ideally I'd prefer Johnny to encrypt by default because in many cases Johnny isn't remotely aware of all the risks, let alone does he have a qualified opinion on them.

I wasn't intending to directly compare IM to email as the use cases/infrastructure are clearly different, but note that it may be possible to transfer some general ideas between each. Signal might be the go-to IM/VOIP app of today for those wanting privacy, but it's possible we'll have forgotten about it in 5-10 years, and moved onto something better which uses some of the same ideas. I think as time moves on, email usage will reduce as a number of use cases transition to newer but less accountable systems like IM/Whatsapp, Social Media, etc. When the spotlight is on Signal and its peers at the moment, maybe now is as good a time as any to push for more, including accountability, redundancy, etc.

Harry • December 22, 2016 12:52 PM

"And if you want to encrypt your completed tax forms? Or sign software packages? Or Git commits?"

I'm not sure you've understood my comments but all three (tax forms, software packages or Git commits) are examples of where PGP can be used.

But remember the IRS (or other agency) aren't going to necessarily know that the key actually belongs to you. They're probably going to blindly accept your completed form as valid with or without it being PGP signed.

I don't know if the IRS would accept a digital signature (like DocuSign) but that's another option for non-PGP users.

Software packages can be signed with Authenticode on Windows or their SHA256 hash shared for Linux/Windows.

Git commits are a good example of where I'd prefer PGP over other solutions.

Remember that I'm not against PGP, I just don't think it suits the masses and therefore it's not used. For messaging most people are better off with a decent encrypted messaging application (like Signal).
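AJ asked earlier what FLOSS projects use to sign releases, and Harry's reply above contrasts that with a bare SHA256 hash. As an added example (not AJ's, Harry's, or any project's own release tooling) this script shows the usual GnuPG arrangement: a SHA256SUMS manifest over the artifacts, one detached signature over the manifest, and the verification the downloader runs. The release directory layout and the signing key id are assumptions of the example.

```shell
#!/bin/sh
# Added example (not AJ's or Harry's code): release signing with a detached
# GnuPG signature over a SHA256SUMS manifest, plus the matching verification.
# The signing key id is a placeholder; the release directory layout is assumed.
set -eu

# Write SHA256SUMS covering every regular file in the release directory
# except the manifest itself and its signature.
make_manifest() {
  dir="$1"
  ( cd "$dir" && find . -type f ! -name 'SHA256SUMS*' -exec sha256sum {} + | sort -k2 > SHA256SUMS )
}

# ASCII-armoured detached signature over the manifest. Signing the manifest
# rather than each artifact means one signature covers the whole release.
sign_manifest() {
  dir="$1"; keyid="$2"
  gpg --batch --yes --local-user "$keyid" --armor --detach-sign \
      --output "$dir/SHA256SUMS.asc" "$dir/SHA256SUMS"
}

# A bare hash, as Harry describes, only protects against a corrupted
# download: whoever can replace the tarball can replace the hash beside it.
verify_hashes() {
  ( cd "$1" && sha256sum --check --strict SHA256SUMS >/dev/null 2>&1 )
}

# Full check: the signature binds the manifest to the release key; the
# hashes bind each file to the manifest. Both must pass.
verify_release() {
  dir="$1"
  gpg --batch --verify "$dir/SHA256SUMS.asc" "$dir/SHA256SUMS" >/dev/null 2>&1 || return 1
  verify_hashes "$dir"
}

# Maintainer side: sign_manifest after make_manifest.
# Downloader side: verify_release DIR, having imported the project key first.
case "${1:-}" in
  sign)   make_manifest "$2"; sign_manifest "$2" "${3:-0xPLACEHOLDERKEYID}" ;;
  verify) verify_release "$2" && echo "release OK" ;;
esac
```

Note that `gpg --verify` succeeding only means the manifest was signed by some key in the verifier's keyring; that the key really belongs to the project is the separate question the web of trust or an out-of-band fingerprint check has to answer.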

Wael • December 22, 2016 1:13 PM

@Rick,

> Isn't that the first YubiKey with closed-source crypto?

Closed-source isn't such a formidable barrier; code can still be analyzed unless it's obfuscated, encrypted[*], and anti-debug fortified, then it becomes more difficult to understand.

May the Russian-language object code decompiler be viz you! [1]

[1] That's: May the force (source) be with you.
[*] You'd think that this closed-source encryption code is encrypted. But you'd probably be wrong. I haven't checked... Lol

John • December 22, 2016 1:14 PM

What is the evidence for iOS or Android being a "secure" platform in the first place? There is a reason why no head of state in their right mind uses either, is there not?

Nick P • December 22, 2016 1:22 PM

@ Bruce

The most consistent and disturbing thing about these posts is that all of you leave off the fact that GPG is the only communications tool that consistently stopped NSA's analysts in the Snowden leaks. That means a subset of it dressed up in a portable GUI is enough to stop NSA at least as of 2008 or whatever. They then have to go all in on endpoint attacks where airgaps, simple embedded, or TFC-like designs can reduce risk to DOS. Just a mere diversity of platforms & configurations alone help vs iPhone or Android which NSA (among others) can already breach remotely.

Seems to be better to clean up GPG/PGP with a new, de facto standard that just slims and pretties it up in a portable way much like s2n does for TLS. Implement it on most common platforms maybe using stuff from GPG maybe not. Throw in a forward secrecy option for use cases that need it. Odds against average attacker are great given trouble NSA had with the one with shittier UI and less uptake.

If not, then these anti-GPG/PGP posts should at least mention most nation-states can likely remotely compromise Signal on at least Android while they can't GPG. Then, why the author is giving up that level of security (esp endpoint) for Signal. Usability is probably all it will boil down to. Then, if real security is desirable, the incentives for contributors start leaning toward improving GPG-like tools.

Hector • December 22, 2016 3:48 PM

@Nick P

The reports from the Snowden files suggested that GPG prevented their analysts decrypting the information when the person wasn't on their radar. That's quite an important caveat.

There was plenty of evidence to suggest that desirable targets would be infected with malware, trojans or they'd conduct TAOs which would compromise even GPG.

I'd love a new standard for GPG but nobody seems interested. For the past 20 years the adoption rate has been exceptionally small. It's now a case of flogging a dead horse. Certainly we should keep it in active development but it's a pipe dream for us to expect the man in the street to use it on a daily basis.

Signal has already gained a significant number of users in a very short space of time and the underlying source code has been implemented by WhatsApp who have 1 billion plus users.

Nobody realistically expects total security from a smartphone but Signal makes general communication much more secure.

Android is a mess that needs sorting.
iOS is a black-box which we just have to 'trust'.

There's no solution to using GPG on a commercially available smartphone and then expecting more security than Signal offers. On the desktop that's different of course although that assumes that you're running a trustworthy OS on trusted hardware with all the physical security of a SCIF.

Nick P • December 22, 2016 4:28 PM

@ Hector

The implication I saw was a bit beyond that where their easy, attack tools did nothing. Instead, they had to rely on limited resources of TAO with their advanced attacks.

Mark • December 22, 2016 4:48 PM

I'm a fan of Signal, and I use PGP. PGP is a pain in the ass. As an OS X user, I use https://gpgtools.org/. It's still not updated for the latest version of OS X.

PGP isn't too bad to use, but you can't recommend it to anyone who doesn't have a lot of tech savvy. I recently tried to get it to work with Mailvelope, and I couldn't get it to work properly.

Explaining the concepts of keys isn't possible to regular people. That's why Signal is good: it's all abstracted away from the user.

However, Signal fails in a few ways:
1) It's not anonymous. You need to sign up with a cellphone number. Yes, you can apparently sign up with a VOIP number, or an anonymous SIM card, but it's not anonymous out of the box.
2) It relies on both Google and Apple's notification services to run. That means that either Google or Apple (depending on if you run iOS or Android) knows when you receive messages and the frequency with which you're sent messages.
3) And the obvious: You need to trust Open Whisper Systems. You need to trust their directory service. You need to trust their people, and you need to trust their infrastructure. You need to trust the source code they publish is what they really use. You need to trust an American company.

More can be read here: https://www.securemessagingapps.com/. (Yes, that's my site.)

PGP can be used (if both parties know what they're doing) without that needed trust in a third party. It has its uses.

ab praeceptis • December 22, 2016 10:47 PM

Nick P

Indeed.

And I'd like to add a suspicion that had its beginning years ago and I brushed it aside ("I'm not a tinfoil hat wearer!"). Strangely, though, what I have seen growing and what today is an unwieldy jungle, matches quite well an old cia guide on how to spoil processes and structures (of course, business interests are in the mix, too).

So many crypto algorithms, so many protocols, so many devices and mechanisms. Plus quite some "super-friendly and helpful" organisations like one mentioned here, that just so happen to be linked to the cia and similar players. Plus, of course, the super-generous and helpful giga corporations who "help" linux and other projects that don't run away quickly enough.
The result? linux is a) dictated to a large degree by those corps and b) an insecure mess.

Looking at the de facto situation (and listening to many discussions) one is led to believe that secure communication must be a golden unicorn. If it can be achieved at all, that can certainly only be done with Open[insert nice term du jour], the state (read: nsa/nist) and "friendly" corporations.

Is that true? I don't think so. Actually I'm certain meanwhile, that the real goal of those players is to *never* reach the unicorn, or, at least, to never let us common people get close to it.

So I ask the question: Does one really need very powerful magic and gazillions of dollars? Let's have a look.

We have plenty of good symmetric crypto. We have a few still good PK algos. We have well proven and time tested distribution structures (plus we have learned from some early errors). We also have ridiculously powerful processors even in our phones.

Yet we still have a discussion "PGP or signal?". And we still have a PGP that is hard to use for Joe and Jane and frankly even for many Joe and Jane engineers.

The first problem is some good symmetric algos - we have them. The next problem is kex - we have the algos for that and more are in the works. Then we have the problem of identification - that is largely solved, albeit sadly by more and more enforced state mechanisms. The final problem is basically a distribution problem; I'm talking about the cert and ID stuff.

So, we have everything needed. But we still don't have a reasonable and reasonably secure infrastructure. We still don't have easy to use "click to encrypt" emails. We still don't have a *reasonable and trustworthy* PKI system; what we have is rotten and what hadn't been rotten by stupidity and design, has been rotten by gross greed.

We are insecure. But far worse, we are insecure because certain powers *want* it that way.

Daniela A.C • December 23, 2016 12:36 AM

it would seem that the issues are relative, it's not either/or.
messaging and email are not inter related. they have different roles.

given that signal relies on very insecure infrastructure & platforms, pgp offers far more scope for security via the implementation

the problem, which is a fairly serious one, is not being creative enough in ones world view. if we narrow our options to pgp or signal, such myopia prevents interpreting and mixing and matching alternatives. security demands adaptability. like any good soldier in the field one must anticipate the mindset of the enemy, and know ones Art of War.

as brighter minds have already pointed out, pgp and signal are limited in their capacity to NOT raise the suspicious flag in transit.
Codes, not ciphers, would seem to be, more and more and more, the way the wind should be blowing.
Dylan wrote a song about it.
'You don't need to catch the clap(per) to tell which way the encryptions turning. It's Cooooooddeeeee" From the classic 'Highway on Highway' album, came right after
Blonde Revisited

Daniela A.C • December 23, 2016 12:48 AM

@Hector @Nick P

hector wrote:

> The reports from the Snowden files suggested that GPG prevented their analysts decrypting the information when the person wasn't on their radar. That's quite an important caveat.
>
> There was plenty of evidence to suggest that desirable targets would be infected with malware, trojans or they'd conduct TAOs which would compromise even GPG.

in the film Citizenfour, Snowden comments to Laura Poitras of his concerns that the NSA may break his encryption and that they were running out of time. Actually the implication from memory, by the way he phrased it, was that they would bruteforce the password

Nick P • December 23, 2016 8:35 AM

@ Daniela

I might have to rewatch it in case I'm misremembering. I thought they were running out of time because he disappeared after grabbing all kinds of files. As in, he thought they'd figure out something was wrong then send investigators on his trail.

C • December 23, 2016 9:56 AM

@Daniela @Nick P

In Citizenfour, he talks about assuming they "could make trillions of guesses per second". I took this to mean they were time-limited before their communications could be considered insecure.

@All

I'm sure it would be stating the obvious to say that "tool for the job" is the best way to handle secure communications. There is no "one size fits all" approach.

If Signal is tainted somehow, then what alternatives exist?

I think we all agree that as far as we are aware today, at least AES and RSA are still secure? Where these are used doesn't matter, so why not remove all the junk that clutters applications, and create simple libraries where they can be used easily?

I get a headache from wondering why every application keeps re-inventing the crypto library problem with varying degrees of success.

What is the goal? To make it so that written information becomes unreadable data. HOW that data is sent/received (whether e-mail or IM) should not, and does not, matter.

A universal mechanism needs to be created that handles ONLY the required crypto functions and certificate handling, that can be called from anywhere, or used via command-line directly.

Forget having 50 different methods/key lengths - only have the best available so no mistakes can be made.

Why is this so difficult?

R • December 23, 2016 10:39 AM

Quite the layman here, haven't got experience with either PGP or Signal.

However, I was wondering whether SpiderOak's Semaphor could be something of a middle ground between PGP and Signal? Because I think it sounds like that product falls in between email and chat. You can use it on multiple devices, can share documents and can make different channels. I haven't tried it myself and I wouldn't have a clue regarding actual security.

Maybe someone here has experience with this and would be willing to share some first-hand experience?

Nick P • December 23, 2016 12:16 PM

@ C, Daniela

Here is the link. It's ultra-clear now. He's explaining she needs to have a strong password to protect her private keys. He tells her to assume a trillion guesses per second to emphasize why the password needs to be incredibly hard to brute force. He then points out that the password and/or key will also be compromised if they hack the device itself. He implies other concerns by saying those steps just give breathing room. Probably means investigators tracing him and/or TAO. Finally, tells her that publishing the info will send them after him anyway.

The trillion guesses is just about strength of password given as a warning. He probably used a strong one himself given he told her to.

Anon N.December 23, 2016 4:43 PM

GnuPG rocks more than ever.
See also: Signing source code and password-store.

The way to start for a beginner is to ignore the signing part and start with encryption only. Later on start reading about the "web of trust" and key signing.

Clive RobinsonDecember 23, 2016 6:06 PM

@ C,

If Signal is tainted somehow, then what alternatives exist?

Your fundamental problem is not Signal but the fact you have no control over the platform it runs on. The network service supplier and the handset / tablet manufacturer have the final say on the who, the how and the what of the device security, and currently they've all pretty much decided that the purchaser of the device has no control.

Only somebody who has no knowledge of security would consider putting a security end point on a device they have no control over and thus putting the important plaintext on the device where it can easily be got at via an I/O or driver shim.

Worse, the designers and suppliers of the Signal service apparently see no issue with your phone number, which is directly traceable to the SIM in your phone... That SIM can do all sorts of things to a SmartPhone via the Over The Air interface that you can not stop and still use the smart phone with the Signal service. Thus there is nothing anonymous about the use of the Signal service.

Security wise this is NOT "Best Practice" by any means...

Because no matter how secure Signal may be, a High / State Level Attacker can get at the plaintext on the device, so even if Signal was the strongest titanium or carbon fiber link in the chain, other links in the chain have less strength than wet toilet paper, or over boiled noodles.

As our host Bruce has noted several times in the past, the security rests on the weakest link not the strongest. A High or State level attacker will just "end run" around Signal and not even bother with it unless it's got really appalling security, as the base platform really has no security from them.

Hopefully this point is getting through to people.

Just to say it one more time "Do Not have Plaintext on devices you do not have absolute control over".

ThothDecember 23, 2016 6:11 PM

@Nick P, C, Daniela

"The trillion guesses is just about strength of password given as a warning. He probably used a strong one himself given he told her to."

Just use the OpenPGP JavaCard Applet. I have already mentioned that I carry one of those smart cards on my person and it's very convenient. They can try to brute-force the card, as the card has a PIN limit of only 3 tries and it would wipe once it exceeds the PIN code limit.

The source code is in JavaCard (a variant of Java for JavaCard enabled smart cards) and is fully open source and officially supported by Yubico.

I will link two variants: Yubico's official variant that follows the OpenPGP card standard, and another variant in which I modified the official variant to include a self-destruct code functionality in case of coercion by adversaries, where you can disclose the self-destruct code and trick them into keying the self-destruct code into the card. The self-destruct code cannot be differentiated from the normal PIN code as they use the same PIN entry mechanism (no special mechanism needed) and the self-destruct code functionality is mingled with the normal PIN check code to ensure that it becomes undetectable when using. Also note that all these codes are executing within the secure and tamper resistant environment of a smart card.

This will increase your OPSEC to a very high degree.

Official Yubico Variant: https://github.com/Yubico/ykneo-openpgp

My Hardened Variant: https://github.com/thotheolh/ykneo-openpgp/
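The retry counter and the self-destruct code described in the comment above, as an added plain-Go model (example code written for this page, not the JavaCard applet from either linked repository): the PIN and the duress code go through one Verify path, both are compared in constant time on every call, the counter is decremented before comparison, and exhausting the counter or entering the duress code both zero the key material. The `Card` type, the demo PIN values and the byte string standing in for the private key are all constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

// MaxTries mirrors the OpenPGP card retry counter: three wrong PINs and the keys are gone.
const MaxTries = 3

var (
	ErrWrongPIN = errors.New("wrong PIN")
	ErrLocked   = errors.New("PIN not verified")
	ErrWiped    = errors.New("card wiped")
)

// Card is a hypothetical stand-in for the applet's persistent state.
type Card struct {
	pin      []byte
	duress   []byte // self-destruct code, entered through the same path as the PIN
	tries    int    // remaining attempts
	unlocked bool
	secret   []byte // stands in for the private key material
	wiped    bool
}

func NewCard(pin, duress string, secret []byte) *Card {
	s := make([]byte, len(secret))
	copy(s, secret)
	return &Card{pin: []byte(pin), duress: []byte(duress), tries: MaxTries, secret: s}
}

// wipe destroys the key material; nothing afterwards can recover it.
func (c *Card) wipe() {
	for i := range c.secret {
		c.secret[i] = 0
	}
	c.secret = nil
	c.unlocked = false
	c.wiped = true
}

// Verify is the single PIN-entry path. Both codes are compared in constant time
// on every call, so neither timing nor the returned error reveals which one matched.
func (c *Card) Verify(candidate []byte) error {
	if c.wiped {
		return ErrWiped
	}
	c.unlocked = false
	// Decrement before comparing so that cutting power mid-check buys no free guess.
	c.tries--
	pinOK := subtle.ConstantTimeCompare(candidate, c.pin) == 1
	duressOK := subtle.ConstantTimeCompare(candidate, c.duress) == 1
	if duressOK {
		c.wipe()
		return ErrWrongPIN // indistinguishable from any other failed attempt
	}
	if pinOK {
		c.tries = MaxTries
		c.unlocked = true
		return nil
	}
	if c.tries <= 0 {
		c.wipe()
		return ErrWiped
	}
	return ErrWrongPIN
}

func (c *Card) TriesLeft() int { return c.tries }

// Secret releases the key material only after a successful Verify.
func (c *Card) Secret() ([]byte, error) {
	if c.wiped {
		return nil, ErrWiped
	}
	if !c.unlocked {
		return nil, ErrLocked
	}
	return c.secret, nil
}

func main() {
	c := NewCard("123456", "999999", []byte("constructed-private-key"))
	fmt.Println(c.Verify([]byte("000000")), "| tries left:", c.TriesLeft())
	fmt.Println(c.Verify([]byte("123456")), "| tries left:", c.TriesLeft())
	// Under coercion the owner "gives up" 999999 and the adversary keys it in.
	fmt.Println(c.Verify([]byte("999999")))
	_, err := c.Secret()
	fmt.Println("key material:", err)
}
```

Two things the model makes visible that a real deployment has to get right: the wipe must happen before any response is returned (a power cut between the comparison and the wipe must not leave the keys in place), and the duress code must be as long as the PIN, because a shorter one would fail the constant-time comparison early only in the sense of length, not in time, but would make it guessable on its own.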

Whispering SignalistDecember 24, 2016 12:06 AM

Did any of you face this problem with Signal:
Messaging works ok.
Calls will set up fine but no audio whatsoever in both directions.

I have to add that I'm currently in a south asian country known for its crypto-aversion with my european registered Signal...

Very weird behaviour to me, not sure if the bad connection or the authorities are causing it.

TJDecember 24, 2016 3:49 AM

I just use a good RSA lib to get keys, encrypt, and sign, and TLS 1.2 or SSH for connections.. Crazy right?

Dirk PraetDecember 24, 2016 7:24 AM

@ Thoth

They can try to bruteforce the card as the card has a PIN limit of only 3 tries and it would wipe once it exceeds the PIN code limit. The source code is in JavaCard (a variant of Java for JavaCard enabled smart cards) and is fully open source and officially supported by Yubico.

I also think this is the way forward. Over the last couple of months, I have started to use yubikeys and other Javacard-enabled smart cards for quite some stuff. Your auto-destruct code IMO was actually the missing part in those. Any success in getting it officially adopted into the mainstream code yet ?

@ Clive

Worse the designers and suppliers of the Signal service apparently see no issue with your phone number which is directly tracable to the SIM in your phone

You can easily register using the number of a cheap pre-paid SIM card you use only once and then dispose of.

@ Nick P

The most consistent and disturbing thing about these posts is that all of you leave off the fact that GPG is the only communications tool that consistently stopped NSA's analysts in the Snowden leaks.

The nail on the head. I know of quite some young and aspiring guitarists who gave up on their instrument because there's a steep mountain to climb before becoming proficient with it. Admittedly, it's much easier to mash up digital samples using just a laptop and then pimp up the result with Pro Tools or something similar. But does it also make for better music? I use both Signal and PGP/GPG (and quite some other stuff), depending on whom I'm talking to, what the conversation is about and what kind of adversary might probably be interested in it. 99.9% of those communications actually contain no secret or illegal stuff whatsoever, but only practice makes perfect if ever the need arises to keep them safe from eavesdroppers indeed or advise others on how to do it right. As a bonus, you waste time and resources of the surveillance state.

@ All

Merry X-Mas and happy holidays. And yes, I'm still around 8-)

ThothDecember 24, 2016 10:07 AM

@Dirk Praet

No news from Yubico guys although I still presume they are representing me to push for the self-destruct feature in the next version of OpenPGP card standard.

@all
Merry Yuletide/Xmas and a better year ahead.

TJDecember 24, 2016 3:13 PM

If you use some type of isolation card or dongle you can actually afford to have it vulnerable as long as none of the vulnerabilities are on the narrow protocol behind the USB interrupt controller etc.

This with sandboxing and something like hashing-memory are the future of security. You just have to get all the "experts" to quit suggesting we get everyone from the library developer at MS to the bedroom programmer to just write "secure code". I'm even seeing people suggest everyone just code in Rust.. facepalm

Clive RobinsonDecember 24, 2016 8:54 PM

@ Dirk Praet,

Merry X-Mas and happy holidays. And yes, I'm still around 8-)

You are still a round what?

Admittedly I'm a lot more "round" at this time of year, which I put down to the winter solstice festive excess my early ancestors used to indulge in many thousands of years ago showing up in my epigenetics ;-)

Hopefully you will be making merry in body if not spirit (Jack Daniels if I remember correctly).

@ To all,

May you all enjoy the solstice and its attendant festivities, and likewise in a few days the completion of yet another sidereal orbit; such things, being older than man himself, are nevertheless marked by nature as well, just not with as much fastidiousness as man ;-)

WaelDecember 24, 2016 11:47 PM

@Dirk Praet, @Nick P, all

Merry X-Mas and happy holidays. And yes, I'm still around 8-)

Merry X-Mas to you too.

Happy Hanukkah to my cousins...

@Clive Robinson,

Happy Solstice to you too :)

@Dirk Praet,

Was wondering where you went! I feared a 400 pound Japanese dumbbell fell on your head or something ;)

Dirk PraetDecember 25, 2016 6:45 AM

@ Wael, @ Clive, @ Nick P

Was wondering where you went! I feared a 400 pound Japanese dumbbell fell on your head or something

Worse, actually. In a momentary lapse of reason, I decided to pick a fight with a well-known and rather unpopular Belgian billionaire relative of Dianne Feinstein a couple of months ago, exposing some of the man's sordid activities on TV. Which kinda drew his undivided attention and that of a Dutch mob associate of his and his Bulgarian "enforcement" team. For safety reasons, I had to move out of the place I had been living at for the last 25 years and went underground for a while. At the advice of my legal team and thanks to some fine contacts in LE and a huge, well-documented file I had been building up over the last five years, we eventually settled the case in front of a lower court judge where I essentially agreed to cease and desist my "defamation" campaign in return for him calling off his hounds and payment of an undisclosed sum in "damages".

I guess the most important lesson learned here is that waging war on the Finkelstein diamond empire was probably not my brightest idea ever. One of my attorneys even called me "friggin' insane". On the positive side, I'm feeling pretty smug about myself that I managed to stay a step ahead of these people at every single stage and actually got them to settle. And a judge congratulating you off the record for having "a serious pair of balls" really is priceless.

So yes, one could say that I have been a bit otherwise occupied lately 8-)

WaelDecember 25, 2016 8:26 AM

@Dirk Praet,

Worse, actually. In a momentary lapse of reason...

I knew there was something going on. Several scenarios resonated in my empty skull. With you, the lapse of reason must only be a momentary event.

in return for him calling off his hounds and payment of an undisclosed sum in "damages".

Sounds fair. Hopefully the undisclosed sum is enough for you to retire (you don't need to comment about that.)

And a judge congratulating you off the record

You need to feel good for standing up to the principles you believe in and adopt! Glad you're alive and kicking. Just don't try to kick too much ;)

Nick PDecember 25, 2016 9:34 AM

@ Dirk Praet

Wow. Best story I've heard this year. Glad you're OK. Wish the thugs in my area took such nice offers. Good news is the neighborhood was a shithole we were planning to leave anyway.

Be more like: "Settle? Nah, nigga, it's called coagulate. That's what your blood is about to do when we finished!"

Bong-Smoking Primitive Monkey-Brained SpookDecember 25, 2016 10:05 AM

@Nick P,

That's what your blood is about to do when we finished!

Zombie blood does not coagulate!

AnuraDecember 25, 2016 11:13 AM

@Bong-Smoking Primitive Monkey-Brained Spook

Well, it doesn't coagulate, it's already coagulated. As the heart stops pumping, the only way for the muscles to get any sort of nutrition is by breaking down and absorbing what remains in the blood cells. This process is always facilitated by a parasitic organism such as Trichophyton immortui, since the human body has no in-built way to keep cells alive without fresh blood.

Nick PDecember 25, 2016 12:07 PM

@ Bong-Smoking

I didn't think it was relevant since the thugs weren't targeting people working at DMV or Post Office.

AnonDecember 26, 2016 3:39 AM

It is long over due that the developers of Signal made their app available via F-Droid, or post the .apk on their website.

Making the app only available via Googleplay is not in the true spirit of FOSS.

Dirk PraetDecember 26, 2016 12:59 PM

@ Nick P

Wish the thugs in my area took such nice offers.

It's mostly a matter of preparation and leverage. Going against a bunch of nameless thugs that have little to lose is ill-advised unless you're willing and able to match (and exceed) any threats or acts of physical violence, LE, in general, will do exactly zilch with until you've been beaten half-dead and at which time they will just advise you to move somewhere else.

Without going into details, I had taken all necessary precautions, legal and otherwise, before going public and kinda caught a very lucky break in one of the goons tasked with "teaching me a lesson" - and I kid you not - accidentally being an old acquaintance of mine who tipped me off over the phone. A recording of which gave me all the leverage I needed for a decisive, be it somewhat unexpected, checkmate up my sleeve the Jewish Council would have crucified him over.

Hopefully the undisclosed sum is enough for you to retire

I wish. I might have if I had pursued the affair in court all the way, but that would have been a tedious and very long uphill battle in which one of my solicitors convinced me I would get totally outsourced and outspent by the opposing party. Like in the US, the judicial system over here favours the rich and powerful and in the end all parties but their lawyers lose. I had made my point, got him cornered and offered him a deal both parties could agree to without anyone losing face. One can only hope the guy now has a serious incentive to re-think his questionable real estate and totally illegal slumlord activities for which he is known all over town and far beyond.

jfgunterDecember 29, 2016 1:45 AM

Anyone know whether whisply is trustworthy? secure? from the producers' website:

"Whisply is the second product by Secomba GmbH – the developers behind Boxcryptor. With Whisply files can be sent directly in the browser – protected by AES-256 end-to-end encryption. The user doesn't have to download and install any software. The download link that Whisply generates for the receiver of the file can be sent via a channel of choice, with optional PIN or password protection.

All of that works simple and fast. The only precondition is that the sender has either a Dropbox, Google Drive, or OneDrive account. However, the receiver of the file does not need cloud access."

Thanks in advance ....


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.