Archives for posts with tag: secure email

Earlier this month Google announced that it is developing End-to-End. This Chrome browser plugin should make it possible to send and receive secure email via Gmail in your browser. For now it is an alpha release, and Google is only releasing the source code of End-to-End. So there is no plugin you can install yet, unfortunately. In this blog post I take a closer look at End-to-End, and what we may expect from it.


I happened to stumble upon these OpenPGP Best Practices the other day. Contrary to the intentions of that article, it made me realise PGP sucks, and in fact for several reasons.

The main problem with PGP (and GPG) is that it is a total usability nightmare. Not because by default these are command-line tools: there are GUIs for them and plugins that integrate them in email clients. No, the problem is that they do not help the user in making the right (read: secure) decisions. There is no default secure configuration. There are a gazillion configuration options, and any random combination is bound to make the system insecure.

For example, in terms of key management, the user has to remember to regularly update his local key ring. He has to remember not to use a popular but broken key server. When generating a key, he has to pick the right parameters to get the most secure setup. This includes understanding and using subkeys. He should not forget to set an expiration date, and should remember to generate a revocation certificate. And that’s not all…

This is a nightmare. We really need to design something better.

Update 15-9-2014: Matt Green wrote a much longer and much more detailed argument why PGP must die.