Pretty Good Privacy, anyone?

[woollypigs]

Listen very carefully, I shall say this only once.

Does any of you lot ever use PGP, I for one don't have anything worth to hide behind PGP and I can only think about one maybe two people I know that has set up public key, but I'm pretty sure that either of them haven't sent an encrypted email beyond the the first testing/setup email. I set one key up years ago and happily forgot which email I used and I was even so smart to set up a secret name and forgot to safe the key etc..

So a couple of years ago I set another one up with openPGP when Dez and I got talking about it and this time remembered to save my Keys. And that was pretty much it, what else is there to do with it other than send a friend an email saying look it works.

I just found the Keys again while looking around on my HDD, there was probably an idea behind whhhyyyyy I stored it in that folder..........? feck do I know! And since I have read about Snowden and his and others use of PGP I thought why not play with it again.

Is it really worth it setting it up to at least sign your email as who you are, where most people don't know what PGP is or how to use it. It is somewhat hard for a none techie to set up and in a age where most people use webmail on friends/work/home/internet cafe computers or their mobiles. It will add the extra problem of installing a plugin.

I'm testing out a plugin for Chrome/gmail atm. and it will only work on this browser. And back in the circle of no one I know uses it, so I had to send the email to my other emails. But if you don't use a webmail that can't use the browser plugins you are bit stuffed.

Though it would be somewhat great if you could sign your email to prove who you are to your bank or other sensitive places and they could do so too, so you could contact them via email and not ring up and answer hundreds question about your pet and wait in a phone queue. 

[Dibdib]

I go through stages of signing my email and not bothering to sign it.  FWIW, I like the signing aspect rather than the encryption side.

It's just a typical example of a great idea not reaching enough of a critical mass to actually be useful - because like you say, banks etc. don't use it.

[Charlotte]

AAISP sign all their emails to me.  Every month I get a bill from them with a PGP footer.

It makes my little geek heart sing 

[pcolbeck]

I used to sign all my emails using GPG but cant be bothered anymore as no one ever checks the signature. I stopped about the same time I gave up using Emacs as my mail client and joined the dark side using Outlook at work and Thunderbird at home.

[Feanor]

Worth installing the Thunderbird plugin just to appreciate at AAISP's efforts!

https://support.mozillamessaging.com/en-US/kb/digitally-signing-and-encrypting-messages

[Dibdib]

So who's going to start signing their yacf posts first?

[Kim]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Oh well, if you insist...

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAlHIgF0ACgkQIfdVwRWCkkQx4QCfdQ1c/OTFdnRFfrZSRV/YbXHH
zC8AmwXoLv1n19n2+JXc7jRrRPJvaFiB
=x+hw
-----END PGP SIGNATURE-----

[pcolbeck]

And remember peeps MD5 is not a good hashing algorithm it's only slightly more secure than rot1.

[Pancho]

I used to do it all the time. But, over time email became more ubiquitous and no one else seemed to bother. I've still got a load of encrypted files on my harddrive. I really should delete them as I've probably lost keys and forgotten passwords - and you can be sent to jail for that these days.

However, I may investigate a browser plug-in. It'd be nice to delay the NSA's computers for a fraction of a picoseconds.

[ian]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Oh well, if you insist...

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAlHIgF0ACgkQIfdVwRWCkkQx4QCfdQ1c/OTFdnRFfrZSRV/YbXHH
zC8AmwXoLv1n19n2+JXc7jRrRPJvaFiB
=x+hw
-----END PGP SIGNATURE-----

I can't imagine why it's not caught on! Oh my eyes, it's 1995 again!

[pcolbeck]

Yes but all Email is just text and the Email client hides all the headers and stuff from you these days. If everyone used PGP it would be the same there would just be an extra bit in the from field in the Email client that displayed a green tick or something next to the from address if the Email was signed and the signature was valid.

[Feanor]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hmm, my keys seem to have expired.
I've just generated a new pair.
Hope this works.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.20 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJRyK0hAAoJEGPzPjRbJr3GpiMH/1xEWYPliHm+KQbI01TaY/mW
ztH8qmdY58X2wNoWeQn82UNkzXQhYXGWNAEflq+VBsALKCJBLHJ33TNyM8+4gBBR
kycqic3cbxxKlP9FwXWuWjjbTc3oW7O5q4crDbYr4GpRc2dNg3NAPXDYaCIe/Clm
s1sUSGR7HoFKIlF1Thtoxb/HiSZBrdKPq0/Rj/Z8Yf1mmEhE73HmRBEjNjSxl6cq
uGIXKhbDAsBULzryoCUnwyQH2uWzQtijC4jdAY98dO4DpAW9+ExGgm60jm0n/R6C
PQJ79BL+UKSAA8gn4IcVR6wxBcZmQYH9QRE8i/PtFhRzD3/Amipib3bfVVRkHiY=
=UQ0i
-----END PGP SIGNATURE-----

[woollypigs]

Doh! I started this post and played around before I even I got to use the passphrase - can I for the life of me remember it, can I heck! And I'm normally pretty good at remembering my passwords, just haven't used this one enough to remember it.

See that is an other problem, lucky not many people have signed my public key and not many use it, I now have to generate a new one and let people (well that one person who had it) know that we are now using a new one.

On a side note : pub  4096R/21B7141F 2013-03-24 Edward Snowden <edsnowden@hushmail.com> Edward Snowden <esnowden@boozallen.com>

[mrcharly-YHT]

Actually, banks etc do use it. PGP became a commercial company many years ago. An acquaintance works for them.

Recently been bought by Symantec.

AFAIK, they have to give a 'universal key' to the US gov so that they can read any encrypted stuff sent in the USA if they want.

[Feanor]

GnuPG is open-source, and can be inspected for any such nonsense, by people much more knowledgeable about cryptography than me.

I do not believe it will have intentional back doors, nor a 'master key'.

http://www.gnupg.org/

[Greenbank]

GnuPG is open-source, and can be inspected for any such nonsense, by people much more knowledgeable about cryptography than me.

I do not believe it will have intentional back doors, nor a 'master key'.

Due to the mathematics involved it can't have an intentional back door or master key.

The only possible weakness in the various assymetric encryption algorithms is whether a government somewhere has an efficient way to solve the factorisation or discrete log problems (they are analogous) for very large numbers, some algorithm way way way beyond what existing extensive research knows about (i.e. 10^100 times more efficient than any publically known algorithm).

(Quantam computers and Shor's algorithm promise a lot but the (im)practicalities of building a quantam computer with enough qubits to be useful in these problems have rendered that line of attack rather limp.)

[woollypigs]

Well here is my PublicKey http://www.woollypigs.com/openPGP.txt

Now what to use it for?

[David Martin]

I did set up server to server communication using GPG keyrings for authentication. It was an interesting exercise that proved difficult for the programmer maintaining the other server to replicate.

Until email clients make it ubiquitous then it will be a bit of geek fandom.

[Kim]

Until email clients Microsoft make it ubiquitous then it will be a bit of geek fandom.

FTFY  (though it's becoming increasingly likely that you can substitute either of the other evil empires to the same effect)

[pcolbeck]

I did set up server to server communication using GPG keyrings for authentication. It was an interesting exercise that proved difficult for the programmer maintaining the other server to replicate.

Until email clients make it ubiquitous then it will be a bit of geek fandom.

That's what PKI is for Dave it uses exactly the same principle, public and private keys, but has an infrastructure for peer for peer comms built around it (SSH, secure FTP, WPA2 with client side certs etc etc).

[Cudzoziemiec]

What on earth are those "signed posts" supposed to prove and how? I can't see how they give anyone any guarantee that those accounts have not been hacked, if that's the idea.

Until email clients Microsoft make it ubiquitous then it will be a bit of geek fandom.

FTFY  (though it's becoming increasingly likely that you can substitute either of the other evil empires to the same effect)

Either of the other? What makes you think there's only two?!

[Feanor]

The gobbledygook is not meant to be human-readable.

It's intended to be concealed by the PGP plug-in in your mail client, which then simply gives you a green banner at the top of the message saying it has a valid signature from Kim or me or whoever.

Same as an attachment: If you look at an attachment in plain-text, it's gobbledygook too.   But most sensible mail clients hide that and simply present is as a pretty attchment to the user.

The gobbledygook is proof the mail actually came from us, not an imposter; and that is has not been altered in any way.

The boring technical stuff:
The signature is digest ( a one-way hash function ) of the content of the mail, which is then encrypted with our secret private keys.   This can be decrypted by the recipient's PGP plugin, using the sender's public key, which can be grabbed from the public key-servers where we put them.   If the recieved digest decrypted with the sender's public key matches the message digest we compute ourselves, then we know the message has not been altered of faked.

The Bad Guys can't pretend to be us, since they don't know our private keys.
So they can't fake or alter a message, since they can't re-sign it.
When I send a signed message, I need to provide a pass-phrase which protects my private key, so no-one using my PC can send a message signed by me.

[vorsprung]

What on earth are those "signed posts" supposed to prove and how? I can't see how they give anyone any guarantee that those accounts have not been hacked, if that's the idea.

Signing anything shows that the key used to sign it has made a signature that is unique to that message

Therefore, if you trust the key you can also trust the message

All these systems (like PGP) use pass phrases to unlock the key.  Pass phrases are only used on a client and are not passwords that are stored on a server.  It's usually the server end of email that is compromised

[tiermat]

I have used it before, once.  I was doing some work for the Royal Navy and the insisted that all emails were signed.  This was nearly 10 years ago now.  Now they just use the GSI network to verify things (ESMTP has a lot to do with this, verifying sender etc), so the use of individual certs has sort of dropped off the radar.

[ian]

Yes but all Email is just text and the Email client hides all the headers and stuff from you these days. If everyone used PGP it would be the same there would just be an extra bit in the from field in the Email client that displayed a green tick or something next to the from address if the Email was signed and the signature was valid.

Oh, I agree, but I don't think the majority of users see the point and as such it simply adds another layer of unwanted complexity. By and large, people seem quite happy to host their infidelities on Facebook, or shout the news of their latest unwanted infection down the phone while in packed train carriages. I don't think they're too worried about email.