
Setting up and using PGP personally isn't all that hard, though it's got a few twists. Above and beyond any learning-curve issues:

1. It doesn't protect metadata. Who you communicate with, and when, and what subject you specify, are all available to any system which can read the packets. Unless you only accept and transmit TLS (secured-session) transport (HTTPS), this means that your communications patterns are in the clear. If your receiving party is fetching messages via a cleartext protocol (IMAP or POP, say, and in some cases HTTP, rather than the secured variants IMAPS, POPS, and HTTPS), then the headers and possibly the mail body will be in the clear.

Cryptography has to be end-to-end to be effective, though attack surfaces exist at many levels. Ultimately the viewing device itself may be compromised, but that's a rather unscalable attack.

2. If you're using PGP but nobody else you're communicating with is, then you're not gaining much. Keep in mind, I've been yelled at and/or chided by highly technical people with strong security backgrounds over sending PGP-encrypted emails. Including senior Google technical staff and Gene Spafford, of recent memory.

Much of that is due to a wide range of email clients not playing well with PGP, which gets again to vendor issues.

I recently posted a long critique of email on HN, and ultimately it's the lack of privacy, security, encryption, authentication, and reputation which make me think it's time to scrap it and start over, although learning from it and taking the best bits along.

https://news.ycombinator.com/item?id=12620997
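The metadata point in item 1 above, as an added example that is not part of the original comment: it builds the RFC 3156 PGP/MIME layout with Python's standard `email` package and parses it the way a relay or passive observer would. The OpenPGP blob is a constructed placeholder, not real ciphertext; `hide_subject` models the "protected headers" convention some clients use, where the real Subject travels inside the encrypted part and the outer one is replaced by a placeholder. From and To still leak in both cases, which is exactly the comment's point.

```python
"""What an intermediary can read from a PGP/MIME message (RFC 3156 layout)."""
from email import message_from_string
from email.encoders import encode_7or8bit
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart

# Constructed stand-in for an OpenPGP-encrypted body; no real ciphertext here.
FAKE_PGP_BLOB = (
    "-----BEGIN PGP MESSAGE-----\n"
    "...placeholder ciphertext...\n"
    "-----END PGP MESSAGE-----\n"
)


def build_pgp_mime(sender, recipient, subject, hide_subject=False):
    """Return a multipart/encrypted message as a string.

    With hide_subject=True the real subject is assumed to be carried inside the
    encrypted part, so the cleartext Subject header becomes a placeholder.
    """
    msg = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "..." if hide_subject else subject
    # First part: the RFC 3156 control part; second part: the opaque blob.
    control = MIMEApplication(b"Version: 1\n", "pgp-encrypted",
                              _encoder=encode_7or8bit)
    payload = MIMEApplication(FAKE_PGP_BLOB.encode(), "octet-stream",
                              _encoder=encode_7or8bit)
    msg.attach(control)
    msg.attach(payload)
    return msg.as_string()


def exposed_metadata(raw):
    """Parse a message as a relay would and report what is readable.

    Returns (visible_headers, part_types, body_is_opaque): the headers any
    hop on a cleartext path sees, the MIME parts present, and whether the
    body is wrapped as multipart/encrypted.
    """
    msg = message_from_string(raw)
    visible = {h: msg[h] for h in ("From", "To", "Subject")}
    part_types = [part.get_content_type() for part in msg.walk()]
    body_opaque = msg.get_content_type() == "multipart/encrypted"
    return visible, part_types, body_opaque


if __name__ == "__main__":
    raw = build_pgp_mime("alice@example.org", "bob@example.org", "Q3 layoffs")
    print(exposed_metadata(raw))
```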
