Do You Use PGP?
Encryption is not just for techies any more
This morning Rodolfo
asked me if I use GPG (which is a program that
implements PGP encryption, for example for sending secure mails). My
answer is of course: "I do - almost every day." I recommend it to
everyone. The reasons are well known, the old saying is that E-Mail is
only about as secure as a postcard written with pencil. If you work for
a stupid employer or use a mail server of a stupid company, it's even
less secure. One problem with encrypting your mails if that the other
side has to be using the stuff too. So here are some real world
Almost every day I communicate with a few people in my personal
surroundings with E-Mail. Some of these mails contain personal stuff,
some even "secret" stuff like banking information, passwords for various
accounts, etc. But most of the are just "Hey, how is the weather there?
Are you going to be out of town this weekend?" This stuff could be sent
in the clear and unless someone was tracking my whereabouts and mood of
the day, he would have an easy job (even easier than just reading my
weblog!) But there is a reason I encrypt them all: It's a matter of
Not only for the techies
Those people I communicate with are not computer experts. Which is quite
remarkable, since in my experience usually only computer experts use
PGP. They had learned how to use email and now I tought them how to use
PGP with a plugin for their mail program (MacGPG with a plugin for
Apple's Mail.app is one good example). But if I sent them an encrypted mail
only once a blue moon they would have to dig out instructions, it would
not work for some stupid little reason and we would be back to expensive and
calls. That way the idea is forgotten pretty fast.
Make it a habit
The solution is to make it a habit. I send only encrypted and signed
mails to these people. If they send me an unencrypted mail by mistake
(happens once in a while, especially in the beginning) I reply in
encrypted mail and make sure to point out the mistake. After a while
receiving and sending encrypted mail gets as easy as "normal" mail. A
good mail plugin is a big help too, software can make things a lot
In general the good thing is that most of the tasks to maintain a secure
correspondence are quite easy. Once you have the setup, you get a few
steps right and you are sending and receiving. Even things that baffle
newbies for days
(like signing other peoples public keys in order to be able to use them)
can be done once and for good when you have a fixed set of
correspondence. This should be no problem for example in a small company
or a small workgroup.
Setup is a b...
I do have one big gripe with GPG though:
The setup is a bitch. No way a newbie can do this on their own. Not only
does it involve all that new terminology with keys, signatures, bits,
and all that... it also involves a lot of knowledge about computer
internals. Using the Terminal on the Mac, special directories, all that.
The MacGPG project is working in the right direction there. For now the
solution is that the newbie needs help: Someone to help through the
setup. In a small group of people or in a small team this can be solved
too. On a bigger scale this could be a job for user groups like MUS or HelMUG.
Life in Athens (Greece) for a foreigner from the other side of the mountains.
And with an interest in digital life and the feeling of change in a big city.
Multilingual English - German - Greek.
Main blog page
It rained in September
Some of the most sought after posts, judging from access logs and search engine queries.
Apple & Macintosh:
Security & Privacy:
Athens for tourists and visitors:
Life in general:
How about writing a small HOWTO/DYI PGP communication for Mail.app and maybe other popular email clients?
I agree with you regarding the MacGPG plugin. It's a good piece of software and it's heading the right way. It'll be better when they include a "Generate your key" button.
On the Windows platforms, I didn't find anything better than the commercial PGP tools from PGP inc.
And yes, one MUST use PGP/GPG to protect even seemingly uninteresting information. The value of information depends of whom is looking at it.
> How about writing a small HOWTO/DYI PGP communication for Mail.app and maybe other popular email clients?
There is already a HOWTO. You might find it here: Configuring GnuPG (Mac OS X)
the howto is very nice, thank you for the link! Still I would not want to give it to my father like that. That's why my proposition is that we need people who know how to use a computer well to help less experienced users.
Once the key generation and installation of all parts is done with a little help, the use of GPG/PGP for encrypting and signing mails is very well in the reach of less technical users.
When installing all that gpg suite of plugins for them, do you tell people the basic ideas about who can snoop on email, what asymmetric encryption is and why they should print out a print out a revocation certificate? It would be very unhonest not to, but seemingly people have a really hard time understanding this stuff. So you might as well not.
If you have a very simple, tried-and-true explanation of this any French language major can understand, please post the link (and email me about it).
" Using the Terminal on the Mac"
Gee heaven forbid, if you don't know how to use the terminal on Mac you shouldn't be using a computer.
Johannes, yes, I explain these things. I do simplify a lot, and I have a lot of experience explaining/teaching complicated technical stuff to newbies. I use a lot of analogies and examples, but occasionally I just show how things work (e.g. showing a tcpdump or tcpflow output on a wireless network).
Not everything of that technical matter gets "stuck" in users minds. I do this to a.) get them motivated to use encryption and digital signatures and b.) because - as you say - it's the honest way of doing things. But I'm often surprised about how much non-technical people can understand when you take the time and patience to explain. Some people have a barrier inside them "I won't understand all that technical stuff anyway!", but once you are over that, a lot is possible.
No, I don't have a link with material to explain these concepts in simple terms. Lots of PGP documentation has the tendency to drift into technical matters at unexpected moments. I'm thinking about writing down the details of how I did it, something like a "teach PGP" howto.
Andrew: Your irony is easy to spot, it just lets open what exactly you criticize. As for the terminal and newbies, I wrote an article to give newbies a start into using the shell. That article can be found online (though in German) here: Einführung in die Unix-Shell für OS X Anfänger.
"Gee heaven forbid, if you don't know how to use the terminal on Mac you shouldn't be using a computer."
I f#$! hate this attitude. People are just NOT INTERESTED in "Learning Computers." They want to communicate, share media, etc. The computer should make it as easy as possible, and anyone should be able to use one effectively and safely.
The market hasn't done its job until there is an "Encrypt" checkbox the user can simply check (and stuff like a "You don't have this sender's public key! Ask for it?" warning when necessary).
There's a new protocol proposal called EmailXT that is looking promising. Not just another idea. A proof-of-concept application is already available, though very buggy, almost useless at this point IMHO. Something to watch...
I work for a small call center that takes phone orders for clients so as you can imagine all the customer's personal data such as addr, phone number, email, credit card numbers, etc. need to be secured through email. Unfornately we purchased PGP about a year ago and we still can't get it to work. I've been on their forum & also read all the PGP documentations but I am not technical saavy at all. We have one client who purchased PGP and we have his public key etc. but cannot get the darn thing to encrypt. When I checked the messaging log, it doesn't show any activity. The problem is I don't know where to start to get this going again. Any suggestions of where I can get this information?
Janet, I'm not really familiar with the commercial PGP product (using the open source GnuPG variant here). I think you should maybe look for professional support if this is a business critical thing to you (and it does sound like that).
That aside, a PGP program stubbornly refusing to encrypt something often points in the direction that maybe the public key from your client isn't signed by you. You have to "sign" his key, so your PGP program knows that you trust that key to be the proper key for that client. The manual should have some information about that.
On the other hand, I would expect a problem like that to result in an error message or an entry in a log file somewhere...
You can trackback to: http://betabug.ch/blogs/ch-athens/304/tbping
There are no trackbacks.