[HN Gopher] GnuPG used to ask for your support to help protect o...
___________________________________________________________________
GnuPG used to ask for your support to help protect online privacy
Author : elvis70
Score : 206 points
Date : 2021-12-28 15:43 UTC (7 hours ago)
(HTM) web link (gnupg.org)
(TXT) w3m dump (gnupg.org)
| rectang wrote:
| > _Fortunately, and this is still not common with free software,
| we have now established a way of financing the development while
| keeping all our software free and freely available for everyone._
|
| > _Our model is similar to the way RedHat manages RHEL and
| Fedora:_
|
| I looked around the website for a bit and didn't find a blog post
| or anything indicating what they've replaced the donation revenue
| stream with. Have they been employed? Are they doing consulting?
| slashfoo wrote:
| I'm confused as well, it's not clear from that post what the
| new structure is, or how sustainable, or if there are back-up
| plans. It just says, that there is a new structure essentially.
|
| I'd appreciate it if someone helped me understand, or get more
| context.
| zikduruqe wrote:
| https://gpgtools.org/support-plan maybe?
| vmception wrote:
| Is this one of those things where you could technically pay for
| Winrar, but perhaps should never admit to doing so?
| moondev wrote:
| https://gnupg.com/ via https://gnupg.org/service.html
| dmix wrote:
| This is good news. Just using gpg isn't good enough. Knowing
| how to do it properly is most important.
|
| I hope more companies throw money at these guys.
|
| Maybe they can even document some of their learnings doing
| deployments in a blog sort of system to give back to the
| community.
| mistrial9 wrote:
| I support some form of FOSS guilds, in moderation; that is,
| there is knowledge that is documented but not necessarily
| full, complete tutorial and discussion casually provided.
| Obviously many companies do this explicitly themselves now
| with "community documentation" or "public core" and then
| many other media assets that are not shared widely. This is
| natural and obvious, with caveats that fairness is
| inherently difficult, and you can't please everyone.
| Security practice is certainly the sort of world where that
| guild behavior can go badly, and many will complain,
| sometimes falsely. So it goes in the real world.
|
| Corporate and government users have been free-riding FOSS
| to ridiculous levels, in my view, and I welcome some way
| that _actual practitioners_ can self-organize and at least
| survive. As opposed to say, divorce, substance abuse and
| what amounts to financial suicide, which I have seen happen
| to real people with good intentions and bright minds.
| colechristensen wrote:
| " GnuPG.com, Dusseldorf, Germany Offers commercial grade
| support, customized development, porting to new platforms, help
| with integrating GnuPG into customer projects, code audits, and
| more. GnuPG.com is a brand of g10code GmbH; owned and run by
| GnuPG's and Gpg4win's principal authors."
| rectang wrote:
| There is certainly a need for consultants to help
| organizations do PGP-style security well. And it doesn't look
| like they're transforming GnuPG into an open core product
| model with critical components only available commercially.
|
| So, this seems good? It doesn't look like they've been bought
| by anybody (e.g. a VC) who's going to require the sort of
| rate of return that can only be attempted (and probably not
| achieved) by doing things incompatible with GnuPG's role in
| the open source ecosystem. Not every company has to be huge
| -- GnuPG can have outsized positive impact on the world while
| remaining small and sustainable.
| formerly_proven wrote:
| "GnuPG VS-Desktop" has been approved by the BSI for encrypting
| secret files/messages in the German government
| (VS=Verschlusssache) so I'm guessing that's where most of the
| money is coming from.
| vmception wrote:
| How is that a government contract at all? Sounds like a
| bullshit handout if anything, and I've seen pretty dumb
| government contracts before.
|
| Well whatever works!
| schleck8 wrote:
| The BSI is great though, they know what they are doing.
| Also the German government supports Open Source projects
| financially [1] and one of the states is planning to go
| full open source in its administration, so you'd think they
| are interested in keeping these projects alive
|
| [1] https://prototypefund.de/en/
| Schroedingersat wrote:
| The German government appear to have fairly widely realised
| that the available options are support open source, or
| provide free intel to the US.
| vmception wrote:
| So instead of using the open source tool themselves they
| find a reason to capitalize the stewards, hm alright
| zikohh wrote:
| I've always found it annoying that there isn't a properly
| supported python package for gnupg. There were like two or three
| forks that were maintained properly but each one had its "time".
| It's very confusing for people to begin with using PGP since you
| have to understand which one to use and the history and why they
| all exist. A lot of fuss if you ask me.
| ArchOversight wrote:
| Most of the Python packages for GPG just shell out to gnupg,
| which is not really the greatest API.
| zikohh wrote:
| That's the exact problem. They claim to provide an API but at
| the end of the day under the hood, that's what's being done.
| It really annoys me.
| tptacek wrote:
| We can use stronger terms here --- whatever else you think of
| PGP, the shell-out stdio "api" for PGP is dangerous (GnuPG
| will release unauthenticated ciphertext to "callers" of that
| API, with a warning you need to catch). This API was
| responsible for the Efail bugs --- which were horrible --- a
| few years ago. Don't ever do this.
| zikohh wrote:
| Agreed, but the problem here isn't provided by the caller,
| but it's by the python package that claims it's an api to
| GnuPG.
| jarrell_mark wrote:
| There's a package called PGPy. It's a python implementation of
| PGP. BSD-3-Clause licensed.
| https://github.com/SecurityInnovation/PGPy When testing out its
| GnuPG compatibility, I just had to add --rfc4880 when
| encrypting with GnuPG. Then PGPy could decrypt it using the
| private key generated by GnuPG. PGPy supports key generation
| and encryption too.
| einpoklum wrote:
| Isn't it weird that some companies are willing to pay for just
| the brand? Or - is it perceived as a form of corporate
| sponsorship?
| ralph84 wrote:
| > Except for the actual binary of the MSI installer for Windows
| and client specific configuration files, all the software is
| available under the GNU GPL and other Open Source licenses.
|
| They're paying for a Windows installer. Building Windows code
| from source is not something most Windows users are capable of.
| einpoklum wrote:
| But can't you just build an MSI installer from sources, then
| distribute that to users? Like you can build .deb/.rpm or
| flatpak packages on Linux?
| NotEvil wrote:
| You can, but then you won't have any support and any
| integration stuff the commercial one might
| tgsovlerkhgsel wrote:
| Without the government certification, that's worthless if
| you need a certified solution. Hence, those companies will
| pay.
| SloopJon wrote:
| This is a nice turnaround from 2015:
|
| > Werner Koch wrote the software, known as Gnu Privacy Guard, in
| 1997, and since then has been almost single-handedly keeping it
| alive with patches and updates from his home in Erkrath, Germany.
| Now 53, he is running out of money and patience with being
| underfunded.
|
| https://www.propublica.org/article/the-worlds-email-encrypti...
|
| https://news.ycombinator.com/item?id=9003791
|
| Recall that this was in the wake of Heartbleed, a vulnerability
| that exposed our dependence on OpenSSL, another critical, and
| chronically underfunded project.
|
| The project got a nice boost after that article, leading to this
| Ars Technica story about the windfall:
|
| > Given the ramshackle state of massive GnuPG code base, it's not
| clear what's the best path forward.
|
| http://arstechnica.com/security/2015/02/once-starving-gnupg-...
|
| https://news.ycombinator.com/item?id=9011138
|
| Nonetheless, a fundraising campaign followed just two years
| later. It turns out that $150K isn't actually that much of a
| windfall.
| BMorearty wrote:
| Very confusing post. It doesn't explain how they are now making
| money--which is probably relevant for some folks to trust them to
| protect online privacy.
| flatiron wrote:
| They used to ask for donations. They still do, but they used to
| too. /s
| 0xJRS wrote:
| rest in peace, Mitch
| repomies69 wrote:
| https://gnupg.org/service.html
| fishtoaster wrote:
| I think they did explain it, although I had to read it a few
| times to find it. If I understand correctly, they're charging
| for "the actual binary of the MSI installer for Windows and
| client specific configuration files." It sounds like they're
| doing so under the name "GnuPG VS-Desktop." I think it's
| related to selling services through
| https://gnupg.com/gnupg-desktop.de.html, but I'm not entirely sure.
| seanieb wrote:
| Is PGP a zombie technology that won't ever die because there are
| organizations that have nailed their identity to it?
|
| (For everything you think you should use PGP for please use Age -
| https://github.com/FiloSottile/age)
| exabrial wrote:
| The only thing PGP did correctly, and very well, is the concept
| of persistent identity. Keybase recognized this and uses PGP as
| the toehold, then from there, created a secure auditable chain
| of NACL keys. The PGP 'web of trust' and non-repudiability
| nature of PGP messages each failed for good reason.
| ameliaquining wrote:
| I'm a bit confused; if we assume that web-of-trust isn't
| viable, what exactly is good about how PGP does identity?
| tptacek wrote:
| This PGP-style concept of persistent identity is almost
| always the opposite of what you want from a secure messenger,
| where meta-information about who's exchanging messages with
| whom is often just as valuable as the message content itself.
| When the NSA identified Reality Winner communicating with The
| Intercept, they didn't so much care about what was in those
| messages; once the link was established, they had better ways
| of extracting the rest of the information they wanted than
| trying to defeat a cryptosystem.
| CiPHPerCoder wrote:
| Consider, for the age and minisign/signify use-case:
| https://gossamer.tools
| ameliaquining wrote:
| I haven't heard of this before. How does it compare to
| Sigstore?
|
| (Also, the use case here is clearly much, much narrower
| than for age and minisign. Which is good, assuming the
| problem it solves is the problem you have, but should still
| be noted.)
| dlor wrote:
| Whoa, sigstore maintainer here. I've never seen or heard
| of Gossamer before. It seems very similar in design!
| CiPHPerCoder wrote:
| Gossamer is a 2017 design of an idea that was first
| published in 2015. However, it was exclusively focused on
| the PHP community from its inception, so it's
| unsurprising that nobody's heard of it.
| rectang wrote:
| What ecosystems are out there where I can flick a switch
| and say 1. "automatically install _signed_ releases " or
| 2. "automatically install releases _signed by multiple
| identities_ "?
|
| Are any of the big language-specific ecosystems capable
| of that? (npm, crates.io, composer, PyPI, CPAN, Maven,
| rubygems, etc.)
| dlor wrote:
| Nothing really yet. Containers got relatively close with
| Notary V1, I'm focused on fixing that here in sigstore
| right now. I think Python, Ruby, and NPM would be great
| targets to go after next!
| rectang wrote:
| Is there a straightforward way to use attestations to gate
| automatic updates?
|
| For example, it would be nice to delay automatic updates of
| WordPress plugins and themes until after there is more than
| just the uploader's identity as a single point of failure
| guaranteeing that the update is genuine.
|
| (Obviously the perfect way to do things given enough
| developer resources is to review all code yourself before
| installing manually, but it would be nice to improve
| situations where those resources are not available.)
| CiPHPerCoder wrote:
| Yes: https://github.com/paragonie/libgossamer/blob/master/docs/tu...
|
| The intention was to allow security vendors to offer code
| reviews of open source dependencies, and you can choose
| which you trust. This mechanizes Linus's Law and ensures
| there's an audit trail with "many eyeballs".
| rectang wrote:
| This seems like critical prerequisite infrastructure,
| which is fantastic -- although not yet what I was asking
| for. As far as I can tell there is not yet a way for
| individual WordPress installations to actually benefit.
| However, it seems that work is underway:
| https://gossamer.tools/project/wordpress
|
| > _The intention was to allow security vendors to offer
| code reviews of open source dependencies_
|
| What I care most about is just quorum publishing where
| multiple independent identities sign a release, so that
| an attacker has to compromise multiple trusted identities
| to execute a supply chain attack. I'm not too excited
| about reviews beyond that. The main thing is to upgrade
| collective ecosystem security by hardening automatic
| updates.
| CiPHPerCoder wrote:
| Solving the problem you care about requires doing what I
| just said. :)
|
| And, yes, there is a lot of work necessary to get
| WordPress to use Gossamer. I can't guarantee a deadline
| right now, but 2022 looks hopeful.
| Zamicol wrote:
| Gossamer looks similar to Google's Trillian which is
| written in Go.
|
| https://transparency.dev https://github.com/google/trillian
| CiPHPerCoder wrote:
| More specifically, Trillian is analogous to Chronicle,
| which is what Gossamer uses as its underlying ledger. But
| yeah, there's a lot of similarities. You're on the right
| track. :)
| uwotmate wrote:
| > non-repudiability nature of PGP messages
|
| Huh? Unless you're signing it (in which case of course it's
| not deniable, it's a signature) it has no such nature.
|
| Do you care to elaborate on those good reasons that the web
| of trust "failed"?
| deknos wrote:
| sequoia is better :)
| loeg wrote:
| Age isn't a complete PGP replacement (and doesn't try to be).
| Agree, it's a better tool _for the use-cases it covers_.
| Zamicol wrote:
| Age doesn't do signing.
| tptacek wrote:
| Age doesn't do signing because PGP's signing mechanics have
| been one of the biggest fiascos in popular cryptography (to
| this day, mainstream PGP use via GnuPG doesn't produce
| authenticated ciphertext, due to confusion on the part of
| PGP's designers on the distinction between authentication and
| signatures). In day-to-day encrypted secure messaging,
| durable signatures are one of those things that sound great
| but are actually the opposite of what you want.
|
| The most widespread practical use of PGP's signature
| capabilities are for package systems, where the actual
| contents of the package aren't confidential to begin with;
| PGP is _only_ being used to sign. But PGP signatures are
| clumsy and archaic, and there are better tools to get the
| same capability without PGP's baggage --- notably the
| "signify" scheme that OpenBSD came up with and that minisign
| implements.
| guenthert wrote:
| > due to confusion on the part of PGP's designers on the
| distinction between authentication and signatures
|
| I'm not sure where you're heading when you think that the
| general populace would be any less confused about that.
| tptacek wrote:
| Can you reword this? I'm not sure what you're saying
| here. Are you asking me to go into more detail on the
| difference between a signature and a message
| authentication tag?
| CiPHPerCoder wrote:
| Confusing the two is perilous.
|
| https://blog.cryptographyengineering.com/2016/03/21/attack-o...
| ameliaquining wrote:
| Fortunately, minisign does.
|
| age doesn't replace everything PGP does, which is good,
| because PGP does too many things. It just replaces the use
| case of file encryption (which itself is arguably too
| general; it's perhaps best to think of age as a good fallback
| for encryption use cases that don't have a better domain-
| specific tool). See
| https://latacora.micro.blog/2019/07/16/the-pgp-problem.html
| upofadown wrote:
| This is the second link to "The PGP Problem" here. I will
| only post my critique of that anti-PGP rant once:
|
| * https://articles.59.ca/doku.php?id=pgpfan:tpp
| tptacek wrote:
| The thread on that post:
|
| https://news.ycombinator.com/item?id=27181576
|
| Obviously consider the source, but: I think that thread
| is better reading than the article.
| nitrogen wrote:
| Is calling the main player in a space a zombie technology a
| zombie promotional strategy for unknown upstarts? Seems like
| such an old pattern.
| CiPHPerCoder wrote:
| Calling age an unknown upstart is a weird take.
| ameliaquining wrote:
| Eh, it's pretty new, and new cryptosystems are often more
| likely to have vulnerabilities. It's still safer than PGP,
| but that's not a high bar. Hopefully over the coming years
| it will become more widely used and scrutinized with few
| vulnerabilities reported, in which case it will then be
| more clearly safe to rely on.
| bbarnett wrote:
| Never heard of Age here. I looked, seems like it is brand
| new?
| Anthony-G wrote:
| I also have never heard of _Age_. Then again, I don't
| actively keep up-to-date with the world of cryptography
| (other than from a PKI/X.509/TLS perspective). As a
| system administrator, I only use GnuPG to check the
| signatures of software packages and to exchange passwords
| with other sysadmins.
|
| This thread has been both interesting and educational.
| tptacek wrote:
| Serious question: how read into work on cryptography
| engineering and secure messaging do you feel you are? I'm
| trying to get a gauge of what it means to be "brand new"
| for you. What cipher constructions are OK? The CAESAR
| finalists? The AEADs Rogaway surveys in his papers? The
| ones GnuPG supports?
| adament wrote:
| It seems weird to me to gauge someone's understanding of
| "brand new" for cryptography _software_ by measuring
| against primitives and constructions. To me at least,
| those are not the same thing. Even if a piece of software
| contains cryptography I will still also evaluate its age
| as a piece of software simply as a proxy for maturity and
| stability of the feature set.
| tptacek wrote:
| Is this intended as an answer for my question? Because it
| doesn't help me gauge what the parent commenter sees as
| "brand new".
| adament wrote:
| No it was a comment trying to indicate that I found your
| question odd, and ask why you think your question is
| useful? Do you believe there is a single notion of brand
| new that can be applied across all categories? Is the age
| for brand new milk the same as for software or for
| scientific results or items of clothing? Or do you
| believe that for the categories of software and
| cryptographic theory the notion of brand new is
| equivalent?
|
| Frankly in my reading of your question you come across as
| very arrogant, where you use the guise of a "serious
| question" to show off your knowledge cryptography.
| tptacek wrote:
| Thanks for sharing, but this isn't responsive to anything
| I'm asking or saying.
| adament wrote:
| Thanks, I am sorry for taking your time.
| newbie789 wrote:
| CiPHPerCoder wrote:
| It's been around since 2019, and has been discussed
| heavily on Hacker News.
| Kadin wrote:
| So, it's brand new. Got it.
|
| Hell, I have shirts older than the language it's written
| in.
|
| In 20 years, I might not even be able to find a working
| compiler to build it, after the shiny-object crowd moves
| on to something else.
|
| You know what I'll still be able to decrypt? An ASCII-
| armored, GPG encrypted, TAR archive.
|
| Personally, I am not interested in the latest
| evolutionary improvements on file formats. Evolution
| produces a lot of interesting things; most of them are
| dead ends. What I want is the _cockroach_ of file
| formats. The coelacanth.
| CiPHPerCoder wrote:
| > So, it's brand new. Got it.
|
| No. Brand new means _completely new_. Something that's
| going on 3 years old isn't brand new anymore.
|
| A more appropriate term is _relatively new_.
| Civilization is _relatively new_ compared to the age of
| the universe. Age is relatively new compared to modern
| computers.
|
| But neither civilization nor age are _brand new_.
| [deleted]
| wolf550e wrote:
| You will be able to decrypt a file produced by age. All
| the cryptography there is standard, you'll have a
| compatible library in whatever language you'll use in 20
| years, if you think the first party Go and Rust
| implementations won't survive.
|
| Using common libraries, I can create a python program to
| decrypt a file produced by age in a few hours, I think.
| z0r wrote:
| You're trying to tell us that software from 2019 isn't
| new? The majority of the software that I use on a daily
| basis is minimum a decade old, and I don't think I'm
| alone.
| johnisgood wrote:
| Yeah, and it is supposedly a software related to
| cryptography. Has it been audited at least? They are
| promoting it so much, but GnuPG has been around for a
| while now and loads of people have used it. What about
| Age? I feel more comfortable with GnuPG.
| CiPHPerCoder wrote:
| What is your bar for "audited"?
|
| I've reviewed both the design and implementation for age
| in the past and only found nitpicky things to improve
| (mostly related to HKDF).
|
| I can take a fresh look and make a pretty PDF on
| paragonie.com if you care so much.
| johnisgood wrote:
| I am sure audits could help Age either way. :) I am just
| saying that it is still fresh as opposed to GnuPG. This
| is what people typically call "battle-tested", when the
| software has been used by a zillion of people for some
| time.
| CiPHPerCoder wrote:
| It isn't _brand new_, no.
| someguydave wrote:
| age is hardly a complete replacement for GPG
| CiPHPerCoder wrote:
| A "complete replacement" for GPG would be a dumb idea to
| begin with.
|
| You want a specific tool for each of these use-cases.
| Choose one from the list for each use case.
|
| 1. Private messaging: Signal, WhatsApp, Cwtch
|
| 2. File encryption: age
|
| 3. Encrypted backups: age + a Reed-Solomon encoder for
| catching flipped bits
|
| 4. Digital signatures: minisign, signify, OpenSSH
| signatures
|
| The problem with GPG (and with PGP in general) is it
| tried to do too many things. Complexity is the enemy of
| security.
| adament wrote:
| Thank you! I was unfamiliar with both age and Cwtch. From
| what I can tell, Cwtch is also a linear messaging system.
| Are you aware of any software offering secure non-linear
| (hopefully threaded) messaging, i.e. a secure e-mail
| replacement? It does not have to be MIME, SMTP, IMAP
| based like PGP, but preferably support for similar
| branching conversations and archiving and hopefully with
| support for multiple users. I love Signal but I find that
| finding old messages, or groups with more than a few
| people and branching conversations is a lot less pleasant
| than e-mail. And thus Signal is not currently a
| replacement for e-mail for me but a great addition.
| jolmg wrote:
| It didn't try to do what you put on that list. It didn't
| do messaging; messaging programs used it. It didn't do
| backups; backup programs used it.
|
| It's just a foundation-sort of program that does
| encryption and signing of arbitrary data, using one
| format for keys, and allowing working with those keys
| whether they're in the same computer or in a
| smartcard/hsm. That simplifies key management, since it
| allows you to have one Yubikey with your PGP key on it
| and do basically anything crypto related.
|
| But what I believe someguydave was referring to was stuff
| like smartcard/Yubikey support, not different uses of
| encryption and signing.
| CiPHPerCoder wrote:
| > But what I believe someguydave was referring to was
| stuff like smartcard/Yubikey support, not different uses
| of encryption and signing.
|
| https://twitter.com/FiloSottile/status/1474941666545086465 ¯\_(ツ)_/¯
| upofadown wrote:
| >Encrypted backups: age + a Reed-Solomon encoder for
| catching flipped bits
|
| I fear that I might have caused this idea. I have as a
| result added the following footnote to the article that I
| suspect is the cause[1]:
|
| >Please note that the single flipped bit here is not a
| realistic example and that in practice damage tends to
| encompass one or more media blocks. Such blocks tend to
| be multiples of 512 bytes.
|
| I am afraid that someone might actually implement this...
|
| [1] https://articles.59.ca/doku.php?id=pgpfan:agevspgp
| CiPHPerCoder wrote:
| I don't read your wiki, so no, you were not the cause of
| it.
|
| This list item was prompted by a private discussion with
| friends.
| miles wrote:
| > 1. Private messaging: Signal, WhatsApp, Cwtch
|
| WhatsApp's record over the last decade does not inspire
| confidence, and the issues raised this year alone are
| quite serious:
|
| https://wikipedia.org/wiki/Reception_and_criticism_of_WhatsA...
| tptacek wrote:
| So don't use WhatsApp. That's a reasonable decision to
| make! I don't ever opt into it or recommend it to people
| (though I'd happily use it in preference to PGP email,
| which is doubtlessly the most risky secure messaging
| implementation on the Internet, arguably even more
| dangerous than simply using ordinary plaintext email with
| Google Mail).
| CiPHPerCoder wrote:
| It still uses better encryption than Telegram, Threema,
| and several other products that market themselves as
| "private messaging" apps.
| ak217 wrote:
| It's both. GnuPG has very poor UX and it's also so old and so
| well-known that it kills a lot of the "unknown upstarts". I
| think on balance GnuPG reduces the security of network
| communications and the appeal of a web of trust PKI because
| it's presented as "the main player", people try to use it,
| realize that the UX is garbage, and become disillusioned in
| the technology behind it.
| tptacek wrote:
| PGP (and its de facto reference implementation in GnuPG) is
| not the main player in this space, unless you define the
| space down to a point so small and idiosyncratic that it
| doesn't really have meaning in a broad discussion.
| upofadown wrote:
| Age can't authenticate when encrypting to a public key because
| it doesn't support signatures. So don't use it in this mode
| unless you know what you are doing.
|
| Most people should just use GPG for stuff like this.
| tptacek wrote:
| Nobody should be using GnuPG casually; if you're still using
| it in 2021, you should have a really clear reason for doing
| so. You're virtually always better off using any other well-
| known tool. The reasons you've provided in the past for
| defaulting to GnuPG --- such as its avoidance of
| authenticated encryption being a good data recovery mechanism
| --- have, to put it gently, not seemed especially informed by
| cryptographic best practices. It seems like more of a social
| cause for you than an engineering decision. Which is fine as
| far as it goes, but it'd be better if you were clearer about
| that.
| rvense wrote:
| I use it indirectly with pass (passwordstore.org), which is
| one of the few security-related pieces of software I like.
| Do you have an opinion on that? I've never heard of age
| before, but it looks like a pass-like interface to it could
| be ejected in a few hours if one were so inclined.
|
| Is the antipathy towards GPG based on it being too easy to
| misuse/misapply, or is it because it's broken when used
| properly?
| [deleted]
| nyolfen wrote:
| there in fact exists a pass-like interface for age:
| https://github.com/FiloSottile/passage
| tptacek wrote:
| I've heard nothing but good things about pass. There's
| also a pass that uses age now, which is I guess what I'd
| use if I was in the market for something like it. There's
| a point at which you're asking so little from your
| cryptosystem --- as is the case with local-only CLI
| password managers --- that it doesn't much matter that
| you're using PGP. I don't, like, recoil from .pgp.asc
| files! The place you really get in trouble with PGP is
| when you try to use it on email.
| rectang wrote:
| There was a link posted elsethread (
| https://news.ycombinator.com/item?id=29715664 ) which
| reviews a lot of the issues with PGP:
| https://latacora.micro.blog/2019/07/16/the-pgp-problem.html
| barsonme wrote:
| That's the whole point.
|
| Cryptography tools should do one thing and do it well. Most
| of PGP's problems stem from it including the kitchen sink.
|
| If you need signatures, use minisign.
| upofadown wrote:
| The requirement for signatures to authenticate public key
| encryption is inherent. OpenPGP includes it because it is
| for all practical purposes mandatory. It isn't some sort of
| useless frill.
|
| This is public key cryptography 101 stuff...
| toastedwedge wrote:
| Has it been independently audited at all? I looked around and
| didn't find anything about it.
|
| It's probably maybe fine, and of course code can change at any
| time, but with software focused on security, it would seem more
| necessary than, say, an audio player (excluding improbable
| situations).
|
| Either way, it's nice to see a GPG alt written in Go.
| tptacek wrote:
| There's also a first-class Rust implementation.
| Anthony-G wrote:
| That would be Sequoia-PGP: https://sequoia-pgp.org/
| CiPHPerCoder wrote:
| No, Thomas was talking about rage.
| https://github.com/str4d/rage
| aborsy wrote:
| Comparing the list of CVEs for major cryptographic software
| OpenSSL, OpenVPN, OpenSSH and GnuPG implementation of OpenPGP,
| GnuPG has stood up pretty well for three decades:
|
| https://www.cvedetails.com/vendor/4711/Gnupg.html
|
| The main shortcoming of OpenPGP standard is lack of modern
| authentication. It has MDC, which works in most cases, but isn't
| best practice nowadays. There is an update to RFC4880 in
| progress, RFC4880bis draft, which is presumably considered by
| sequoia-gpg. The file format is also apparently disliked by some
| people, but end users care about results. If RFC4880bis is
| standardized, the gap between OpenPGP and alternatives is closed.
| Then, using a heavily audited standard and code is preferred.
|
| I read GnuPG is used by organizations requiring high security,
| eg, intelligence agencies, NSA, state-level actors (presumably
| shadow brokers etc), banks etc.
|
| It's still good to have competing options. But let's focus on
| facts.
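The caller-side gate tptacek describes upthread (catching GnuPG's warning instead of accepting whatever it writes to stdout), which also covers the MDC status aborsy mentions, as an added example that is not code from GnuPG or from any of the Python packages discussed. The gpg flags and [GNUPG:] keywords are the ones GnuPG documents in doc/DETAILS; the sample status streams are constructed, not captured.

```python
"""Fail-closed wrapper around `gpg --decrypt` that gates plaintext on status lines.

Added example for this thread, not code from GnuPG or from any of the Python
packages discussed. It assumes only the gpg flags and the [GNUPG:] status
keywords documented in GnuPG's doc/DETAILS.
"""
import subprocess
from dataclasses import dataclass, field

# Status keywords meaning decryption or the integrity check failed.
_FAIL = {"DECRYPTION_FAILED", "BADMDC", "ERRMDC", "NODATA"}


@dataclass
class DecryptVerdict:
    release: bool          # may the plaintext be handed to the caller?
    reason: str
    records: list = field(default_factory=list)   # (keyword, args) tuples seen


def parse_status(status_text: str) -> DecryptVerdict:
    """Decide from gpg's --status-fd stream whether plaintext may be released.

    Fail-closed policy: release only if DECRYPTION_OKAY was reported, no failure
    keyword appeared, and integrity protection is attested either by GOODMDC or
    by DECRYPTION_INFO with a non-zero MDC or AEAD method. A legacy message that
    gpg only warned about (no MDC) is refused even if gpg wrote plaintext.
    """
    records = []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue            # ordinary stderr chatter, not a status record
        parts = line.split()
        if len(parts) < 2:
            continue
        records.append((parts[1], parts[2:]))
    seen = {kw for kw, _ in records}

    failed = seen & _FAIL
    if failed:
        return DecryptVerdict(False, "failure reported: " + ", ".join(sorted(failed)), records)
    if "DECRYPTION_OKAY" not in seen:
        return DecryptVerdict(False, "no DECRYPTION_OKAY status record", records)

    integrity = "GOODMDC" in seen
    for kw, args in records:
        # DECRYPTION_INFO <mdc_method> <sym_algo> [<aead_algo>]; 0 means "none".
        if kw == "DECRYPTION_INFO" and len(args) >= 2:
            has_mdc = args[0] != "0"
            has_aead = len(args) >= 3 and args[2] != "0"
            integrity = integrity or has_mdc or has_aead
    if not integrity:
        return DecryptVerdict(False, "plaintext was not integrity protected", records)
    return DecryptVerdict(True, "DECRYPTION_OKAY with integrity protection", records)


def gpg_decrypt(ciphertext: bytes, gpg: str = "gpg") -> bytes:
    """Run gpg; return plaintext only when parse_status() permits it.

    --status-fd 2 interleaves status records with stderr; plaintext goes to
    stdout and is dropped unless the verdict is positive.
    """
    proc = subprocess.run(
        [gpg, "--batch", "--no-tty", "--status-fd", "2", "--decrypt"],
        input=ciphertext, capture_output=True, check=False,
    )
    verdict = parse_status(proc.stderr.decode("utf-8", "replace"))
    if not verdict.release:
        raise ValueError("refusing to release gpg output: " + verdict.reason)
    return proc.stdout


# Constructed status streams for a self-test; not captured from a real gpg run.
SAMPLE_GOOD = (
    "[GNUPG:] DECRYPTION_INFO 2 9\n"
    "[GNUPG:] PLAINTEXT 62 0 \n"
    "[GNUPG:] DECRYPTION_OKAY\n"
    "[GNUPG:] GOODMDC\n"
)
SAMPLE_BADMDC = (
    "[GNUPG:] DECRYPTION_INFO 2 9\n"
    "[GNUPG:] BADMDC\n"
    "[GNUPG:] DECRYPTION_FAILED\n"
)
SAMPLE_LEGACY_NO_MDC = (
    "gpg: WARNING: message was not integrity protected\n"
    "[GNUPG:] DECRYPTION_INFO 0 9\n"
    "[GNUPG:] DECRYPTION_OKAY\n"
)
SAMPLE_AEAD = "[GNUPG:] DECRYPTION_INFO 0 9 2\n[GNUPG:] DECRYPTION_OKAY\n"

if __name__ == "__main__":
    for name, sample in [("good", SAMPLE_GOOD), ("badmdc", SAMPLE_BADMDC),
                         ("legacy", SAMPLE_LEGACY_NO_MDC), ("aead", SAMPLE_AEAD)]:
        v = parse_status(sample)
        print(f"{name:8} release={v.release}  ({v.reason})")
```

The legacy sample is the case the thread is about: gpg writes plaintext and only warns, and a wrapper that merely returns stdout would hand unauthenticated data to its caller.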
| tptacek wrote:
| This does not look like an especially reassuring track record!
| People should keep in mind that GnuPG is a legacy C codebase.
| Nobody would implement a tool like GnuPG in 2021 the way GnuPG
| is implemented; we accept its implementation because of path
| dependency, not because it's especially sound.
|
| I don't think your supposition that GnuPG is beloved of "NSA
| and state-level actors" really qualifies as "facts". The
| industry standard "secure email" system for banks is simply a
| TLS web interface that you post your emails to; banks don't use
| PGP for secure communications. I haven't, of course, worked for
| _all_ the banks, so if you've got a counterexample, please
| provide those facts for us to evaluate.
|
| Obviously, the documentation of a proposed design for AEAD
| support in an RFC doesn't close the gap --- users care about
| results, as you say, and so what matters, to the exclusion of
| all else --- is what _the installed base of GnuPG clients_
| supports. Which is why Sequoia's years of support of (I
| think?) EAX mode AEAD encryption hasn't moved the needle for
| the moribund PGP ecosystem.
| aborsy wrote:
| It's hard to meaningfully define and measure software
| security. One needs to also prescribe a threat model, provide
| other information, etc. This could take pages.
|
| If you measure software security track record by the number
| of known CVEs per unit time per unit task per LOC, the track
| record of GnuPG/OpenPGP is about that of OpenSSH/SSH and
| OpenVPN; see the site I linked. I think most people would
| agree that OpenSSH is secure (although SSH is a similarly
| dated protocol).
|
| The fact that a security product is used by organizations
| dealing with highly sensitive information in fact correlates
| with the quality of that product. The security researchers in
| these organizations review, vet and recommend that software,
| compared to alternatives.
|
| GnuPG dutifully implements OpenPGP. OpenPGP has shortcomings
| I noted, but their impact on experimental results has been
| low; see the list of registered vulnerabilities.
|
| There is a lot of critical software and applications written
| in memory unsafe C (Wireguard, Linux network stack, LUKS,
| popular password managers, etc). They are well regarded,
| despite being written in C.
|
| The use of GnuPG by important organizations is stated in
| GnuPG's website. The examples I provided are well known and
| may be found using a search engine.
|
| Correct me if I am wrong about what I stated.
| tptacek wrote:
| SSH is in fact not "similarly dated" to PGP! SSH roughly
| tracks the maturity of TLS (I'd say SSH is generally a step
| behind TLS, but not several steps); neither is completely
| mired in the 1990s. The same isn't true of PGP, which is.
| That's to be expected: GPG is a global ecosystem of direct,
| interoperating peers, where both TLS and SSH can upgrade
| incrementally in islands of new implementations, which
| gradually expand and agglomerate until the worst of the
| O.G. designs can be disabled.
|
| By way of example: if you build a new fleet of machines,
| it's very likely that your SSH sessions will use 25519
| curves and a Chapoly AEAD.
|
| OpenPGP is, for this reason, pretty much irrelevant. You
| can ratify any bit of modern cryptography you like in
| OpenPGP standards, but because everyone in the PGP
| ecosystem expects to be able to communicate with everybody
| else, you'll only be able to _use_ the lowest common
| denominator of whatever widely-installed old versions of
| GnuPG support.
|
| You could, of course, refuse to interoperate with people
| speaking CAST5-CFB or whatever, and form a clique of
| Sequoia PGP users using EAX and, I don't know, P-curve
| ECDSA? But at that point, you're only going to be able to
| communicate with a tiny subset of PGP (itself a tiny subset
| of all secure messaging users). Why bother with PGP at all
| at that point?
| kasey_junk wrote:
| It's relatively common for banks to exchange files with
| financial partners that have been encrypted with pgp.
| tptacek wrote:
| Like, I know intellectually that this must happen, but my
| experience (which tilts much more to investment banks, to
| be fair) is that an FTP server with plaintext files is much
| more common.
| upofadown wrote:
| Since OpenPGP is normally used in offline and stateless
| applications like encrypted email and encrypted files there is
| no need for some sort of session oriented authentication. The
| content itself is signed and thus authenticated. So the MDC is
| not normally needed either, it is just an integrity check for
| the edge case of unauthenticated encryption. The only time the
| alleged deficiencies of the MDC come into play is when doing
| symmetrical encryption.
|
| This article covers this in more detail:
|
| * https://articles.59.ca/doku.php?id=pgpfan:authenticated
|
| So if OpenPGP never gets upgraded authenticated encryption no
| one will care much.
| CiPHPerCoder wrote:
| > GnuPG has stood up pretty well for three decades
|
| Make sure you also look for libgcrypt, which had a lot of
| cryptographic weaknesses in the 2010s.
|
| https://www.cvedetails.com/vulnerability-list/vendor_id-4711...
| deknos wrote:
| well then, redirect your funds to sequoia-pgp.org then. they make
| a good alternative, which is more secure than gpg. several former
| gnupg developers work on that as werner did not want to work on
| critical issues back then.
| tgsovlerkhgsel wrote:
| GPG is severely hampered by two issues:
|
| 1. a lack of good support via an API/libraries (the standard way
| to communicate with it seemed to be shelling out to the binary
| and trying to parse its output for a long time)
|
| 2. terrible UX, especially around the trust model - web of trust
| is great in theory and for geeks but doesn't work well in
| practice, and the terms used to explain it invited dangerous
| misinterpretations (to mark a key as trusted in the sense of "I
| verified that this fingerprint belongs to that person", you're
| expected to sign it, NOT mark it as "trusted" - the latter
| actually causes all keys signed by that key to be trusted, making
| it a "CA").
|
| These may be addressed by now, but I think this is too little too
| late.
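| An added example (not the commenter's code, nor GnuPG's own) illustrating both points above: rather than scraping human-readable output, read gpg's machine-readable `--with-colons` listing, and separate key validity (established by certifying a key) from ownertrust (the setting that makes a key act as an introducer, i.e. a "CA"). Field positions follow GnuPG's doc/DETAILS; the sample listing, key IDs and names are constructed placeholders.

```python
"""Parse `gpg --with-colons --list-keys` output and separate key validity
(is this key certified as belonging to the named person?) from ownertrust
(did I mark this key as an introducer, so its certifications count?).
Field positions follow GnuPG's doc/DETAILS. Sample below is constructed."""
import re

# Constructed sample listing; key IDs, fingerprints and people are placeholders.
SAMPLE = """\
tru::1:1640000000:0:3:1:5
pub:u:255:22:0123456789ABCDEF:1600000000:::u:::scESC:::::ed25519:::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1600000000::UIDHASH1::Alice (own key) <alice@example.org>::::::::::0:
pub:f:255:22:FEDCBA9876543210:1600000000:::-:::scESC:::::ed25519:::0:
uid:f::::1600000000::UIDHASH2::Bob <bob@example.org>::::::::::0:
pub:f:255:22:1111222233334444:1600000000:::f:::scESC:::::ed25519:::0:
uid:f::::1600000000::UIDHASH3::Carol\\x3a Ops <carol@example.org>::::::::::0:
pub:-:255:22:5555666677778888:1600000000:::-:::scESC:::::ed25519:::0:
uid:-::::1600000000::UIDHASH4::Dave <dave@example.org>::::::::::0:
"""

VALID = {"f": "full", "u": "ultimate", "m": "marginal"}
OWNERTRUST = {"-": "none", "n": "never", "m": "marginal", "f": "full", "u": "ultimate"}

def _unescape(s):
    # Colons inside user IDs are emitted as \x3a; decode any \xNN sequence.
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)

def parse_colons(text):
    """Return one {keyid, validity, ownertrust, uids} dict per 'pub' record.
    Field 2 (index 1) is validity, field 9 (index 8) is ownertrust."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"keyid": f[4], "validity": f[1], "ownertrust": f[8], "uids": []})
        elif f[0] == "uid" and keys:
            keys[-1]["uids"].append(_unescape(f[9]))  # field 10: user ID
    return keys

def introducers(keys):
    """Key IDs whose ownertrust makes their certifications count (the 'CA' effect)."""
    return [k["keyid"] for k in keys if k["ownertrust"] in ("m", "f", "u")]

def verified_not_introducer(keys):
    """Keys considered valid (certified) that were deliberately NOT made introducers."""
    return [k["keyid"] for k in keys if k["validity"] in VALID and k["ownertrust"] == "-"]

if __name__ == "__main__":
    for k in parse_colons(SAMPLE):
        print(k["keyid"], VALID.get(k["validity"], "unknown"),
              "ownertrust=" + OWNERTRUST.get(k["ownertrust"], "?"), k["uids"][0])
```

| In the sample, Bob's key is fully valid because it was certified, yet it signs nobody into your keyring; Carol's key, with ownertrust set, does, which is the distinction the commenter says the word "trusted" obscures.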
| DarylZero wrote:
| > Those with SEPA donations, please cancel them and redirect your
| funds to other projects which are more in need of financial
| support. The donations done via Stripe or PayPal have already
| been canceled.
| tptacek wrote:
| This is good; donating to GnuPG was not an especially effective
| way of protecting at-risk users, and it's better that the project
| be supported by the niche userbase (apparently: the German
| government) that actually uses PGP in 2021, rather than trying to
| make a social cause out of a (pretty controversial) file format.
| rectang wrote:
| I think there are multiple reasons it's good. It's good for
| security as you've articulated.
|
| It's also good as an example of sustainable open source
| development via the consulting model. We've seen a lot of hand-
| wringing about FOSS funding lately. It may not be as flashy or
| high-profile as VC-funded open core projects with all their
| ubiquitous marketing, beautiful websites, and submarine PR. But
| it's a way to make a living by exchanging useful value in
| exchange for moderate fees, rather than asking for charity or
| signing up for an unsustainable investment deal.
| tptacek wrote:
| I agree. That seems like the real story here, and it's good
| that the top of this thread is still about the funding
| mechanics at play here and not another endless relitigation
| of the (contested) value of PGP itself.
|
| (Not that I've shied away from that downthread.)
___________________________________________________________________
(page generated 2021-12-28 23:00 UTC)