From: Rev. Jeffrey Paul <sneak <at> datavibe.net>
Subject: Re: Public key signing
Newsgroups: gmane.linux.gentoo.user
Date: 2003-04-22 22:07:32 GMT

Apologies in advance to listmembers for this off-topic and ranty mail.

I'm kind of late on this, but I feel this is a critical addition to this
thread:

If you don't think key verification (and thus signatures) is that
important, then you almost certainly don't understand the dangers (and/or
feasibility) of a man-in-the-middle attack on a split-key cryptosystem.

It's extremely dangerous to use PGP to encrypt your messages without
understanding the dangers involved and then expect your communications to
be private as a result.  A false sense of security will hurt you in the
long run, I promise.

The PDF documentation that comes with PGP is a good read that illustrates
many of the common mistakes and assumptions made by users of split-key
systems.  The technical aspects covered in the document are very
elementary and probably below most users on this list, but the practical
examples are incredibly useful and thought-provoking even for experienced
users.

ftp://ftp.pgpi.org/pub/pgp/7.0/docs/english/IntroToCrypto.pdf

I am a freelance IT consultant with an emphasis on security.  I can cite
more than one or two cases where, after helping someone set up a system or
procedure involving cryptography, I've been called back to help with some
problem stemming from people ignoring all of the training and warnings
I (and the documentation) provided.  For most people, it is far, far easier
to compromise your plaintext than you could possibly imagine.

USING PGP WITHOUT UNDERSTANDING PKI IS MUCH LESS SECURE THAN PLAINTEXT IN
ALMOST ALL CASES.  (At least with plaintext, you're -sure- that anyone who
intercepts it can read it.)

Security comes through understanding of and adherence to certain
procedures designed specifically to protect your systems and data.
Without both of those components, you should not expect significant
security.  For the types of users who install and use PGP, the security
and privacy offered by simply installing a software package and
configuring your email client is painfully inadequate.

From my extensive experience, almost everyone who uses PGP with/for their
email is not achieving any significant improvement in security (versus
everything in plaintext).

Please, please, please, please, if you use PGP, take the time to
understand the dangers and don't discount the extensive PKI that has been
developed for the express purpose of protecting you.  A little reading
(and mild paranoia as a result) can never hurt you.  Trust me on this.

-j

--------------------------------------------------------
 Rev. Jeffrey Paul    -datavibe-     sneak <at> datavibe.net
   aim:x736e65616b   pgp:0x15FA257E   phone:8777483467
    70E0 B896 D5F3 8BF4 4BEE 2CCF EF2F BA28 15FA 257E
--------------------------------------------------------

--
gentoo-user <at> gentoo.org mailing list
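The key-verification point the post makes, shown as an added example that is not part of the original message and not PGP's own code. It is a self-contained simulation: "public keys" are random byte strings, the fingerprint is SHA-256 of the key bytes (real OpenPGP v4 fingerprints are SHA-1 over the public-key packet, but the check works the same way), and an interposed relay stands in for the man-in-the-middle the post describes. Alice's client accepts a fetched key only when its fingerprint matches the one she obtained from Bob out of band (phone call, business card, signature block like the one above); the substituted key fails that check.

```python
"""Constructed simulation: why out-of-band fingerprint verification matters.

Keys are random byte strings standing in for real public keys. The
fingerprint is SHA-256 of the key bytes, grouped in blocks of four hex
digits the way PGP prints them. This is illustration only, not OpenPGP.
"""
import hashlib
import hmac
import os


def fingerprint(pubkey: bytes) -> str:
    """Hex fingerprint of a public key, grouped like a PGP fingerprint."""
    digest = hashlib.sha256(pubkey).hexdigest().upper()
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))


def verify_key(received_pubkey: bytes, expected_fingerprint: str) -> bool:
    """Compare the received key's fingerprint with one obtained out of band.

    Spaces and case are normalised so a fingerprint read over the phone or
    copied from a business card compares directly; the comparison itself
    is constant-time.
    """
    got = fingerprint(received_pubkey).replace(" ", "")
    want = expected_fingerprint.replace(" ", "").upper()
    return hmac.compare_digest(got, want)


class KeyServer:
    """Honest key directory: hands back whatever was published under a name."""

    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}

    def publish(self, name: str, pubkey: bytes) -> None:
        self.keys[name] = pubkey

    def lookup(self, name: str) -> bytes:
        return self.keys[name]


class InterposedRelay:
    """Simulated man-in-the-middle sitting between Alice and the server.

    Whatever key is requested, it returns its own key instead, so anything
    Alice encrypts "to Bob" would really be readable by the relay.
    """

    def __init__(self, real_server: KeyServer, own_pubkey: bytes) -> None:
        self.real_server = real_server
        self.own_pubkey = own_pubkey

    def lookup(self, name: str) -> bytes:
        self.real_server.lookup(name)   # relays the request, discards the result
        return self.own_pubkey


def fetch_and_check(directory, name: str, expected_fingerprint: str):
    """Alice's client: fetch a key and accept it only if the fingerprint
    matches the one she already holds from an out-of-band channel.
    Returns (accepted, fingerprint_of_key_received)."""
    key = directory.lookup(name)
    return verify_key(key, expected_fingerprint), fingerprint(key)


def run_demo() -> dict:
    """Run the honest and the interposed lookup; return both outcomes."""
    bob_pubkey = os.urandom(32)        # constructed stand-in for Bob's key
    mallory_pubkey = os.urandom(32)    # constructed stand-in for the relay's key

    server = KeyServer()
    server.publish("bob", bob_pubkey)
    # Bob gave Alice this fingerprint in person; it never travels over the
    # channel the relay controls.
    out_of_band_fp = fingerprint(bob_pubkey)

    honest_ok, honest_fp = fetch_and_check(server, "bob", out_of_band_fp)
    relay = InterposedRelay(server, mallory_pubkey)
    relay_ok, relay_fp = fetch_and_check(relay, "bob", out_of_band_fp)

    return {
        "honest_accepted": honest_ok,   # True: key matches what Bob told Alice
        "relay_accepted": relay_ok,     # False: substituted key is rejected
        "expected_fp": out_of_band_fp,
        "honest_fp": honest_fp,
        "relay_fp": relay_fp,
    }


if __name__ == "__main__":
    result = run_demo()
    print("expected :", result["expected_fp"])
    print("honest   :", result["honest_fp"], "accepted =", result["honest_accepted"])
    print("via relay:", result["relay_fp"], "accepted =", result["relay_accepted"])
```

Without the `verify_key` step the client would accept either key, and the encrypted mail would be exactly as readable to the relay as plaintext, which is the post's point: the fingerprint check against an independent channel is what turns the software into security.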