Saturday, October 16, 2021

Email was never, is never, and can never be secure... OpenPGP can help with some of that.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

 Most people do not think about security or privacy when using email. Email was never designed for security or privacy. From the beginning, email was not secure and was not designed for privacy. OpenPGP will make email more secure, but it cannot encrypt the subject or the metadata (essentially data about data, like who sent the message, and to whom it was sent).

 What OpenPGP does is it can encrypt the message body so that only the intended recipients will be able to read the message. OpenPGP uses public key encryption. This is different from symmetric key based systems in that symmetric encryption relies on the recipients (all of them) having a shared secret that the all know... obviously this means on would have to physically meet all of the recipients to securely share the secret... kind of difficult to do that for people you cannot physically meet with. OpenPGP uses a system more like what is used by your web browser to securely download this post (HTTPS). Asymmetric or public key encryption relies on very complex math that is really, really, really hard to reverse compared to how much effort is needed to calculate the function normally. Essentially you keep a set of numbers, these numbers are kept in a special file so you don't have to remember them. The special numbers are mathematically related so that if I encrypt with the public set of numbers as the key, only your private numbers can be used to decrypt the message and vice versa. In a nutshell, OpenPGP leverages some clever math and programming to scramble data that you wish to protect in a manner than can only be reversed by people who know the secret key used to encrypt the message. This means that if someone wants to read anything protected by OpenPGP without the secret part of the key files, they would need an insane amount of effort to understand the message. This is not effort needed to crack a vault... actually a vault would be about a trillion times less difficult to crack than an OpenPGP key. The amount of work a computer would need to do to reverse engineer your keys would use enough energy to bring the oceans to a boil... Hence the name Open Pretty Good Privacy.

 Using OpenPGP is actually fairly easy. The most difficult part is finding out how to use it... PGP users are not always good at explaining how and why to do things... though there are a few really good tutorials out there. Linux users usually already have an OpenPGP compatible program on their systems, their systems actually use OpenPGP to verify the integrity and source of their updates and installations of programs. OpenPGP can still be used on Mac and Windows based computers as well as most smartphones but it usually is not pre-installed on them like it is on many Linux systems. OpenPGP is not a program that you can install, this can be confusing to some but OpenPGP is the name of the standard that many good programs use. The program I would recommend is the Gnu Privacy Guard or GPG for short. The GPG website has a list of programs for most platforms that are fairly good as well as detailed instruction on how to safely and securely install their program.

 GPG like any other security program is best installed directly from trusted sources such as the repository on Linux systems (like an "App Store" but everything is free) or in the case of GnuPG (GPG) the developer's website is sufficiently trustworthy since the developers are trustworthy. The other thing that makes GPG trustworthy is that the source code is open to be viewed by the public, and there are people who are far smarter than anyone that most people will ever meet who do look at this code and verify that nothing suspicious is happening. OpenPGP also does not have any central key signing authority so there is no company one must pay to become verified, instead it relies on a model known as the web-of-trust which is a little like asking a trusted friend if someone online really is who they claim to be. Basically you may need to know if someone claiming to be someone really is that person and you have not been able to meet in-person to verify their identity... if someone you trust has met this person then they can vouch for this person's identity.

 This is slightly oversimplified and so sounds more complex than it is in practice. Many people may not think they need the security that OpenPGP can provide but another reason to use it is that there are users that genuinely need the security this system can provide and they can use OpenPGP with more success if more people can use OpenPGP. OpenPGP is like a telephone... it works best if you have someone else to converse with. One major example of a legitimate use for OpenPGP would be people communicating with journalists, not all countries are tolerant of journalism and a free press so they may use heavy handed tactics such as dispatching their police forces on perfectly peaceful civilians if they learn of their identities. If everyone or at least a large number of people are using OpenPGP then the one person needing the security it provides for life and death matters can more easily stay safe since they cannot be singled out of the crowd.

 Please consider using OpenPGP, programs exist that can integrate with most email providers and it can also be used for a vast array of privacy and security related tasks. Considering all the functionality OpenPGP provides it really is not that difficult to use. OpenPGP is far more than just email encryption, it also has the ability to function like a digital identity that is decentralized by design and still really secure. OpenPGP can be used to protect sensitive documents and also to and and remove something called ASCII Armour... which is a way to transform any file into a format that uses nothing but letters and numbers for transmission over mediums that cannot handle normal files (email usually does this internally because some email services will corrupt files that are not transformed this way).

 Given how long OpenPGP has been available, I am somewhat disappointed that most people have never heard of it. Even if you have not heard of OpenPGP until today, you can be sure that it was one of the technical inventions that make the modern world possible since it was one of the foundations that allowed us civilians to use strong encryption that we take for granted such as the HTTPS standard that most websites support, and is a necessity for things like online banking. Encryption is not just for the so called "bad guys" but instead is the best tool (and often only tool) to protect the general public from said "bad guys". With strong cryptography, even the full power of an enemy nation-state cannot break even the keys of the average civilian in any reasonable time frame (reasonable being in less than 100 000 years running the attack on a large super computer).
-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQTdEHZzdRj88+sPHs2DGTsp04R9UwUCY9YGbwAKCRCDGTsp04R9
Uy2CAP9pysEVL/MxQmeXK13chEATu7UVQ+vtNbJb6SR2SPJSqwD/YEOkT+J1TA55
7dQ3rx/RoFc4I3+JuGjk3usiyGoNsA4=
=/OW1
-----END PGP SIGNATURE-----

No comments:

Post a Comment

Latest Post

Steam on Linux Mint Cinnamon

Most viewed