betabug... Sascha Welter

home english | home deutsch | Site Map | Sascha | Kontakt | Pro | Weblog | Wiki

22 February 2006

Do You Use PGP?

Encryption is not just for techies any more

This morning Rodolfo asked me if I use GPG (which is a program that implements PGP encryption, for example for sending secure mails). My answer is of course: "I do - almost every day." I recommend it to everyone. The reasons are well known, the old saying is that E-Mail is only about as secure as a postcard written with pencil. If you work for a stupid employer or use a mail server of a stupid company, it's even less secure. One problem with encrypting your mails if that the other side has to be using the stuff too. So here are some real world experiences...


Almost every day I communicate with a few people in my personal surroundings with E-Mail. Some of these mails contain personal stuff, some even "secret" stuff like banking information, passwords for various accounts, etc. But most of the are just "Hey, how is the weather there? Are you going to be out of town this weekend?" This stuff could be sent in the clear and unless someone was tracking my whereabouts and mood of the day, he would have an easy job (even easier than just reading my weblog!) But there is a reason I encrypt them all: It's a matter of habit.

Not only for the techies

Those people I communicate with are not computer experts. Which is quite remarkable, since in my experience usually only computer experts use PGP. They had learned how to use email and now I tought them how to use PGP with a plugin for their mail program (MacGPG with a plugin for Apple's Mail.app is one good example). But if I sent them an encrypted mail only once a blue moon they would have to dig out instructions, it would not work for some stupid little reason and we would be back to expensive and insecure phone calls. That way the idea is forgotten pretty fast.

Make it a habit

The solution is to make it a habit. I send only encrypted and signed mails to these people. If they send me an unencrypted mail by mistake (happens once in a while, especially in the beginning) I reply in encrypted mail and make sure to point out the mistake. After a while receiving and sending encrypted mail gets as easy as "normal" mail. A good mail plugin is a big help too, software can make things a lot easier.

In general the good thing is that most of the tasks to maintain a secure correspondence are quite easy. Once you have the setup, you get a few steps right and you are sending and receiving. Even things that baffle newbies for days (like signing other peoples public keys in order to be able to use them) can be done once and for good when you have a fixed set of correspondence. This should be no problem for example in a small company or a small workgroup.

Setup is a b...

I do have one big gripe with GPG though: The setup is a bitch. No way a newbie can do this on their own. Not only does it involve all that new terminology with keys, signatures, bits, and all that... it also involves a lot of knowledge about computer internals. Using the Terminal on the Mac, special directories, all that. The MacGPG project is working in the right direction there. For now the solution is that the newbie needs help: Someone to help through the setup. In a small group of people or in a small team this can be solved too. On a bigger scale this could be a job for user groups like MUS or HelMUG.

Posted by betabug at 10:34 | Comments (10) | Trackbacks (0)
ch athens
Life in Athens (Greece) for a foreigner from the other side of the mountains. And with an interest in digital life and the feeling of change in a big city. Multilingual English - German - Greek.
Main blog page
Recent Entries
Cycling to Sounion (11/25 08:50)
Yepp it's broken (11/06 14:09)
König Auto in Griechenland (11/02 18:46)
Mal wieder in der Schweiz (10/21 16:51)
Best of
Some of the most sought after posts, judging from access logs and search engine queries.

Apple & Macintosh:
Security & Privacy:
Misc technical:
Athens for tourists and visitors:
Life in general:
<< First Glimpse of Athens Wireless Metropolitan Network | Main | Traffic Cops >>
Comments
Re: Do You Use PGP?

How about writing a small HOWTO/DYI PGP communication for Mail.app and maybe other popular email clients?

I agree with you regarding the MacGPG plugin. It's a good piece of software and it's heading the right way. It'll be better when they include a "Generate your key" button.

On the Windows platforms, I didn't find anything better than the commercial PGP tools from PGP inc.

And yes, one MUST use PGP/GPG to protect even seemingly uninteresting information. The value of information depends of whom is looking at it.

Posted by: Saad Kadhi at February 22,2006 15:37
@Saad Kadhi Re: Do You Use PGP?

Hi Saad,

you wrote:
> How about writing a small HOWTO/DYI PGP communication for Mail.app and maybe other popular email clients?

There is already a HOWTO. You might find it here: Configuring GnuPG (Mac OS X)

Posted by: Alexander Nouak at April 11,2006 20:26
Re: Do You Use PGP?

Alexander,

the howto is very nice, thank you for the link! Still I would not want to give it to my father like that. That's why my proposition is that we need people who know how to use a computer well to help less experienced users.

Once the key generation and installation of all parts is done with a little help, the use of GPG/PGP for encrypting and signing mails is very well in the reach of less technical users.

Posted by: betabug at April 12,2006 09:22
(How) Do you tell people what it is?

When installing all that gpg suite of plugins for them, do you tell people the basic ideas about who can snoop on email, what asymmetric encryption is and why they should print out a print out a revocation certificate? It would be very unhonest not to, but seemingly people have a really hard time understanding this stuff. So you might as well not.

If you have a very simple, tried-and-true explanation of this any French language major can understand, please post the link (and email me about it).

Posted by: Johannes ROTHE at June 02,2006 23:33
Re: Do You Use PGP?

" Using the Terminal on the Mac"

Gee heaven forbid, if you don't know how to use the terminal on Mac you shouldn't be using a computer.

Posted by: Andrew at June 03,2006 04:12
Re: (How) Do you tell people what it is?

Johannes, yes, I explain these things. I do simplify a lot, and I have a lot of experience explaining/teaching complicated technical stuff to newbies. I use a lot of analogies and examples, but occasionally I just show how things work (e.g. showing a tcpdump or tcpflow output on a wireless network).

Not everything of that technical matter gets "stuck" in users minds. I do this to a.) get them motivated to use encryption and digital signatures and b.) because - as you say - it's the honest way of doing things. But I'm often surprised about how much non-technical people can understand when you take the time and patience to explain. Some people have a barrier inside them "I won't understand all that technical stuff anyway!", but once you are over that, a lot is possible.

No, I don't have a link with material to explain these concepts in simple terms. Lots of PGP documentation has the tendency to drift into technical matters at unexpected moments. I'm thinking about writing down the details of how I did it, something like a "teach PGP" howto.

Andrew: Your irony is easy to spot, it just lets open what exactly you criticize. As for the terminal and newbies, I wrote an article to give newbies a start into using the shell. That article can be found online (though in German) here: Einführung in die Unix-Shell für OS X Anfänger.

Posted by: betabug at June 03,2006 14:08
Re: Do You Use PGP?

"Gee heaven forbid, if you don't know how to use the terminal on Mac you shouldn't be using a computer."

I f#$! hate this attitude. People are just NOT INTERESTED in "Learning Computers." They want to communicate, share media, etc. The computer should make it as easy as possible, and anyone should be able to use one effectively and safely.

The market hasn't done its job until there is an "Encrypt" checkbox the user can simply check (and stuff like a "You don't have this sender's public key! Ask for it?" warning when necessary).

Posted by: dal20402 at June 06,2006 03:55
Re: Do You Use PGP?

There's a new protocol proposal called EmailXT that is looking promising. Not just another idea. A proof-of-concept application is already available, though very buggy, almost useless at this point IMHO. Something to watch...

Posted by: Jorge Santos at June 30,2006 11:38
Re: Do You Use PGP?

I work for a small call center that takes phone orders for clients so as you can imagine all the customer's personal data such as addr, phone number, email, credit card numbers, etc. need to be secured through email. Unfornately we purchased PGP about a year ago and we still can't get it to work. I've been on their forum & also read all the PGP documentations but I am not technical saavy at all. We have one client who purchased PGP and we have his public key etc. but cannot get the darn thing to encrypt. When I checked the messaging log, it doesn't show any activity. The problem is I don't know where to start to get this going again. Any suggestions of where I can get this information?

Posted by: Janet at October 10,2006 03:17
Re: Do You Use PGP?

Janet, I'm not really familiar with the commercial PGP product (using the open source GnuPG variant here). I think you should maybe look for professional support if this is a business critical thing to you (and it does sound like that).

That aside, a PGP program stubbornly refusing to encrypt something often points in the direction that maybe the public key from your client isn't signed by you. You have to "sign" his key, so your PGP program knows that you trust that key to be the proper key for that client. The manual should have some information about that.

On the other hand, I would expect a problem like that to result in an error message or an entry in a log file somewhere...

Posted by: betabug at October 11,2006 23:47
Trackbacks
You can trackback to: http://betabug.ch/blogs/ch-athens/304/tbping
There are no trackbacks.
Leave a comment