About the author: Filippo Valsorda works on cryptography and TLS, calls himself "the ambassador of urandom", is a member of the Cloudflare crypto team, and built the well-known online test for the Heartbleed vulnerability. You can meet him at cryptography and computer security conferences, or as @FiloSottile on GitHub and Twitter.
After years of wrestling with GnuPG with varying levels of enthusiasm, I have come to the conclusion that it isn't worth it, and I'm giving up. At least on the concept of PGP long-term keys.
This is not about the gpg program itself, nor about cryptographic tools in general. Many have written on that topic. I'm talking about the PGP long-term key model, whether it is backed by a web of trust, by public key fingerprints, or by a TOFU model; it doesn't matter. I'm saying it is not suitable for me personally.
If you received a link to this article in response to an encrypted email or to a request for my public key, you can skip ahead to the "What's next" section.
Believe me, I tried. I went through everything. I tried Enigmail. I had offline master keys on a dedicated Raspberry Pi with short-lived subkeys. I wrote custom programs for making handwritten paper backups of offline keys (which I will publish sooner or later). I had YubiKey hardware keys. I spent whole days developing policies for using PGP public keys.
I spent two hours on a train to reach the nearest Biglumber user in Italy and get my first signature in the strong set. I have a signature from the most connected key in the set. I went to key-signing parties on several continents. I even organized a couple of them.
I even had the audacity to claim I understood PGP. In 2013, I dissected the packet format to pull together short key IDs. I devised unhealthily complex systems so that device subkeys would be bound simultaneously to my personal master key and to the corporate master key. I filed usability and security tickets against GnuPG and its various distributions.
By all indications, I should be the ideal PGP user: a competent enthusiast, surrounded by a community of like-minded people.
But it just didn't work. First of all, the problem of encryption's unpopularity, which others have written about at length, hasn't gone anywhere. I received at most two encrypted emails a year.
Then there is the problem of inconvenience, and how easy it is to make critical mistakes. Keyserver listings cluttered with long-lived keys. "I can't read this email on my phone." "Or on my laptop; I left the keys I don't use on another machine."
But the real problems I saw are much more subtle. I never felt that my long-term keys were secure. The more time passed, the less confidence I had in each particular one. YubiKeys can be intercepted in a hotel room. Offline keys can sit in a distant drawer or safe. New vulnerabilities may be announced. USB devices can be plugged in.
The security of long-term keys corresponds to the lowest common denominator of your security practices over your entire life.
This is the weak link. Worse, existing practices for handling long-term keys, such as collecting key signatures and printing public key fingerprints on business cards, contradict other behaviours that would otherwise be considered obvious hygiene: rotating keys often, having different keys on different devices, applying compartmentalization (different identities in different areas, for example at work and at home; translator's note). Existing practices for handling long-term keys actually widen the attack surface, because they push you to make backup copies of keys.
We talk about cattle, not pets, in infrastructure, but this concept applies to keys too! If I suspect a compromise, I want to be able to throw the laptop away and start from scratch with minimal losses. The worst possible outcome is a user bound to a key they consider potentially compromised, because the cost of replacing the key is too high.
And all this for what?
"Of course, for the sake of long-term trust."
Yes, about that. I have never, ever, used the web of trust to validate a public key. And remember, I have a well-connected key. I didn't conduct a formal study, but I'm pretty sure that everyone who used PGP to communicate with me did, or would do if asked, one of the following things:
- pulled the best-looking key from a keyserver, most likely not even over TLS;
- used a different key if I replied with the words "this is my new key";
- forwarded the email in clear text if I gave an excuse like "I'm traveling".
Travel in particular is hostile to long-term keys, making this kind of fresh start from scratch impossible.
Moreover, I'm not even sure there is an adversary against whom long-term keys make sense. Your average adversary probably can't mount a MitM attack on Twitter direct messages (which means you can opportunistically use DMs to exchange public key fingerprints while still maintaining privacy).
Mossad will do the Mossad stuff with your car, no matter what key you use.
In the end, these days I care more about forward secrecy, deniability and ephemerality than about unbreakable trust. Are you sure you can protect a long-term key forever? Because when an attacker decides to target you and succeeds, they will have access not only to all your messages from now on, but to all your past messages too.
What's next
I'm not going to start sending email in clear text. Quite the opposite. But I will no longer guard a long-term key.
Mostly, I will use Signal or WhatsApp, which offer significantly better endpoint security on iOS, ephemerality, and painless key rotation.
If you want to contact me securely, the best way is to ask for my Signal number via a Twitter direct message. If necessary, we can figure out an appropriate way to compare fingerprints. If we meet in person and need to establish a secure channel, we will simply exchange a secret passphrase to use in the most appropriate program: OTR, Pond, Ricochet.
If it turns out that we really need PGP, we will set up some suitable keys, most likely in Operational PGP style. The same goes for any signed releases or canaries I might maintain in the future.
For file sharing, use Magic Wormhole, OnionShare, or suitable PGP keys over a secure channel we already have. The goal here is to avoid not PGP itself, but the PGP key management model.
If you really need to send me a message quickly, I might keep a Keybase key, but I make no promises. I prefer putting more trust in social profiles, because that way keys get rotated more naturally. And in any case, this is probably how most people will end up dealing with me.
I'm also not giving up on YubiKey hardware keys. I really like my new YubiKey 4 with a touch sensor, which I use to store SSH keys and passwords and to boot my machine. But those things are 100% under my control.
About my old keys and transition
I have broken the seals on all the offline storage of my keys. I have no reason to think they are compromised, but you should stop using them right now.
Signatures over the Markdown version of this document (the article "Giving up on PGP") are attached below, made with all the keys I could still find.
In the coming weeks, I will import all the signatures I have received, make all the signatures I promised, and then publish revocations on the keyservers. I will replace my Keybase key. Finally, I will destroy the secret keys.
See you on Signal. (Or on Twitter.)
Giving up on PGP.md
Giving up on PGP.md.B8CC58C51CAEA963.asc
Giving up on PGP.md.C5C92C16AB6572C2.asc
Giving up on PGP.md.54D93CBC8AA84B5A.asc
Giving up on PGP.md.EBF01804BCF05F6B.asc [will follow once I recover the passphrase from another country]
Note: over time I plan to expand the "What's next" section, since tools come and go. The signed .md file will not change; an unsigned .diff will appear below for easy verification.