> "Data is as secure as the weakest link in the chain."
This can't be emphasized enough. Their main point is they have no good way to fully implement a secure PGP implementation, and the threat models PGP protects against only works if it's implemented correctly.
It's a tough problem, and unfortunately PGP itself is not in a state to address it. It's too complicated, and not user friendly. At my job this past summer I tried to implement PGP within our red team in an easy, scalable way so when we proved we could do it, we could roll it out to blue team and eventually to non-IT people to make our organization more secure. The project failed, because there was no easy to use, scalable client that met our needs at the time.
When the Thunderbird of PGP comes out, then I'll look into it again, in the mean time I'll hobble along using keybase and signal for secure communications, imperfectly protecting myself from the actors it's meant to protect against.
> But key management is hard, and explaining how it works is
> hard, and there's a very small set of users in the gap
> between those who don't care about PGP at all, and those
> who care enough to do it themselves.
thats so true... It's ridicoulus to explain people email encryption in general that most of the time they don't do it after you explained the basics.
It's complicated and it's hard not even S/MIME with Outlook (builtin support) works flawelessy and sometimes it's akward to troubleshoot why a certain email was not encrypted or why it was empty after sending or why it added \r\n lines to a csv, or whatever.
2 comments
[ 271 ms ] story [ 984 ms ] threadThis can't be emphasized enough. Their main point is they have no good way to fully implement a secure PGP implementation, and the threat models PGP protects against only works if it's implemented correctly.
It's a tough problem, and unfortunately PGP itself is not in a state to address it. It's too complicated, and not user friendly. At my job this past summer I tried to implement PGP within our red team in an easy, scalable way so when we proved we could do it, we could roll it out to blue team and eventually to non-IT people to make our organization more secure. The project failed, because there was no easy to use, scalable client that met our needs at the time.
When the Thunderbird of PGP comes out, then I'll look into it again, in the mean time I'll hobble along using keybase and signal for secure communications, imperfectly protecting myself from the actors it's meant to protect against.
thats so true... It's ridicoulus to explain people email encryption in general that most of the time they don't do it after you explained the basics. It's complicated and it's hard not even S/MIME with Outlook (builtin support) works flawelessy and sometimes it's akward to troubleshoot why a certain email was not encrypted or why it was empty after sending or why it added \r\n lines to a csv, or whatever.