1. 32
  1.  

  2. 16

    In here, we see another case of somebody bashing PGP while tacitly claiming that x509 is not a clusterfuck of similar or worse complexity.

    I’d also like to have a more honest read on how a mechanism to provide ephemeral key exchange and host authentication can be used with the same goal as PGP, which is closer to end-to-end encryption of an email (granted they aren’t using something akin to keycloak). The desired goals of an “ideal vulnerability” reporting mechanism would be good to know, in order to see why PGP is an issue now, and why an HTTPS form is any better in terms of vulnerability information management (both at rest and in transit).

    1. 22

      In here, we see another case of somebody bashing PGP while tacitly claiming that x509 is not a clusterfuck of similar or worse complexity.

      Let’s not confuse the PGP message format with the PGP encryption system. Both PGP and x509 encodings are a genuine clusterfuck; you’ll get no dispute from me there. But TLS 1.3 is dramatically harder to mess up than PGP, has good modern defaults, can be enforced on communication before any content is sent, and offers forward secrecy. PGP-encrypted email offers none of these benefits.

      1. 6

        But TLS 1.3 is dramatically harder to mess up than PGP,

        With a user-facing tool that has plugged out all the footguns? I agree

        has good modern defaults,

        If you take care to, say, curate your list of ciphers often and check the ones vetted by a third party (say, by checking https://cipherlist.eu/), then sure. Otherwise I’m not sure I agree (hell, TLS has a null cipher).

        can be enforced on communication before any content is sent

        There’s a reason why there’s active research trying to plug privacy holes such as SNI. There’s so much surface to the whole stack that I would not be comfortable making this claim.

        offers forward secrecy

        I agree, although I don’t think it would provide non-repudiation (at least without adding signed exchanges, which I think it’s still a draft) and without mutual TLS authentication, which can be achieved with PGP quite easily.

        1. 1

          take care to, say, curate your list of ciphers often and check the ones vetted by a third party

          There are no bad ciphers in 1.3, it’s a small list, so you could just kill the earlier TLS versions :)

          Also, popular web servers already come with reasonable default cipher lists for 1.2. Biased towards more compatibility but not including NULL, MD5 or any other disaster.

          I don’t think it would provide non-repudiation

          How often do you really need it? It’s useful for official documents and stuff, but who needs it on a contact form?

        2. 3

          I want to say that it only provides DNS based verification but then again, how are you going to get the right PGP key?

          1. 3

            PGP does not have only one trust model, and it is a good part of it : You choose, according to the various sources of trust (TOFU through autocrypt, also saw the key on the website, or just got the keys IRL, had signed messages prooving it is the good one Mr Doe…).

            Hopefully browsers and various TLS client could mainstream such a model, and let YOU choose what you consider safe rather than what (highly) paid certificates authorities.

            1. 2

              I agree that there is more flexibility and that you could get the fingerprint from the website and have the same security.

              Unfortunately, for example the last method doesn’t work. You can sign anybody’s messages. Doesn’t prove your key is theirs.

              The mantra “flexibility is an enemy of security” may apply.

              1. 1

                I meant content whose exclusive disclosure is in a signed message, such as “you remember that time at the bridge, I told you the boat was blue, you told me you are colorblind”.

                [EDIT: I realize that I had in mind that these messages would be sent through another secure transport, until external facts about the identity of the person at the other end of the pipe gets good enough. This brings us to the threat model of autocrypt (aiming working through email-only) : passive attacker, along with the aim of helping the crypto bonds to build-up: considering “everyone does the PGP dance NOW” not working well enough]

                1. 1

                  Unfortunately, for example the last method doesn’t work. You can sign anybody’s messages. Doesn’t prove your key is theirs.

                  I can publish your comment on my HTTPS protected blog. Doesn’t prove your comment is mine.

                  1. 2

                    Not sure if this is a joke but: A) You sign my mail. Op takes this as proof that your key is mine. B) You put your key on my website..wait no you can’t..I put my key on your webs- uh…you put my key on your website and now I can read your email…

                    Ok, those two things don’t match.

          2. 9

            I’d claim I’m familiar with both the PGP ecosystem and TLS/X.509. I disagree with your claim that they’re a similar clusterfuck.

            I’m not saying X.509 is without problems. But TLS/X.509 gets one thing right that PGP doesn’t: It’s mostly transparent to the user, it doesn’t expect the user to understand cryptographic concepts.

            Also the TLS community has improved a lot over the past decade. X.509 is nowhere near the clusterfuck it was in 2010. There are rules in place, there are mitigations for existing issues, there’s real enforcement for persistent violation of rules (ask Symantec). I see an ecosystem that has its issues, but is improving on the one side (TLS/X.509) and an ecosystem that is in denial about its issues and which is not handling security issues very professionally (efail…).

            1. 3

              Very true but the transparency part is a bit fishy because TLS included an answer to “how do I get the key” which nowadays is basically DNS+timing while PGP was trying to give people more options.

              I mean we could do the same for PGP but if that fits your security requirements is a question that needs answering..but by whom? TLS says CA/DNS PGP says “you get to make that decision”.

              Unfortunately the latter also means “your problem” and often “idk/idc” and failed solutions like WoT.

              Hiw could we do the same? We can do some validation in the form of we send you an email encrypted for what you claim is your public key to what you claim is your mail and you have to return the decrypted challenge. Seems fairly similar to DNS validation for HTTPS.

              While we’re at it…. Add some key transparency to it for accountability. Fix the WoT a bit by adding some DOS protection. Remove the old and broken crypto from the standard. And the streaming mode which screws up integrity protection and which is for entirely different use-cases anyway. Oh, and make all the mehish or shittyish tools better.

              That should do nicely.

              Edit: except, of course, as Hanno said: “an ecosystem that is in denial about its issues and which is not handling security issues very professionally”…that gets in the way a lot

              1. 2

                I’d wager this is mostly a user-facing tooling issue, rather than anything else. Would you believe that having a more mature tooling ecosystem with PGP would make it more salvageable for, say, vulnerability disclosure emails instead of a google web form?

                If anything, I’m more convinced that the failure of PGP is to trust GnuPG as its only implementation worthy of blessing. How different would it be if we had funded alternative, industry-backed implementations after e-fail in the same way we delivered many TLS implementations after heartbleed?

                Similarly, there is a reason why there’s active research on fuzzing TLS implementations for their different behaviors (think, frankencerts). Mostly, this is due the fact that reasoning about x509 is impossible without reading through stacks and stacks of RFC’s, extensions and whatnot.

                1. 0

                  I use Thunderbird with Enigmail. I made a key at some point and by now I just send and receive as I normally do. Mails are encrypted when they can be encrypted, and the UI is very clear on this. Mails are always signed. I get a nice green bar over mails I receive that are encrypted.

                  I can’t say I agree with your statement that GPG is not transparent to the user, nor that it expects the user to understand cryptographic concepts.

                  As for the rules in the TLS/X.509 ecosystem, you should ask Mozilla if there’s real enforcement for Let’s Encrypt.

                2. 4

                  The internal complexity of x509 is a bit of a different one than the user-facing complexity of PGP. I don’t need to think about or deal with most of that as an end-user or even programmer.

                  With PGP … well… There are about 100 things you can do wrong, starting with “oops, I bricked my terminal as gpg outputs binary data by default” and it gets worse from there on. I wrote a Go email sending library a while ago and wanted to add PGP signing support. Thus far, I have not yet succeeded in getting the damn thing to actually work. In the meanwhile, I have managed to get a somewhat complex non-standard ACME/x509 generation scheme to work though.

                  1. 3

                    There have been a lot of vulns in x509 parsers, though. They are really hard to get right.

                    1. 1

                      I’m very far removed from an expert on any of this; so I don’t really have an opinion on the matter as such. All I know is that as a regular programmer and “power user” I usually manage to do whatever I want to do with x509 just fine without too much trouble, but that using or implementing PGP is generally hard and frustrating the the point where I just stopped trying.

                    2. 1

                      You are thinking of gnupg. I agree gnupg is a usability nightmare. I don’t think PGP (RFC4880) makes much claims about user interactions (in the same way that the many x509 related RFC’s talk little about how users deal with tooling)

                    3. 1

                      Would you say PGP has a chance to be upgraded? I think there is a growing consensus that PGP’s crypto needs some fixing, and GPG’s implementation as well, but I am no crypto-people.

                      1. 2

                        Would you say PGP has a chance to be upgraded?

                        I think there’s space for this, although open source (and standards in general) are also political to some extent. If the community doesn’t want to invest on improving PGP but rather replace it with $NEXTBIGTHING, then there is very little you can do. There’s also something to be said that 1) it’s easier when communities are more open to change and 2) it’s harder when big names at google, you-name-it are constantly bashing it.

                        1. 2

                          Can you clarify where “big names at Cloudflare” are bashing PGP? I’m confused.

                          1. 1

                            Can you clarify where “big names at Cloudflare” are bashing PGP? I’m confused.

                            I actually can’t, I don’t think this was made in any official capacity. I’ll amend my comment, sorry.

                    4. 13

                      Title would make more sense if it specified it was in the context of vulnerability reporting, not a general-purpose replacement.

                      1. 4

                        You know how there are “lies, damned lies, and statistics”? Even anecdotal data reports can be skewed by back-pressure. Re Golang, Filippo writes “Anecdotally, all interesting reports come unencrypted”.

                        When I reported the problems of misuse of the Golang SSH library and almost all users skipping hostkey verification, I sent that report to the Go folks via PGP-encrypted mail. Brad Fitzpatrick asked me to resend cleartext, so after checking mail-server logs to be sure it was going out with TLS between my server and Google’s, I did.

                        So sure, all the interesting reports do come in unencrypted, after you ask the senders of encrypted reports to resend. That’s still rather misleading.

                        (Since I’m going to be asked for citations anyway, and balancing that against self-promotion, let’s just provide the cites here: https://bridge.grumpy-troll.org/2017/04/golang-ssh-security/ and https://bridge.grumpy-troll.org/2017/04/golang-ssh-redux/)

                        1. 2

                          For what it’s worth, I joined the team in early 2018 and can only speak to anecdotes from the past 2.5 years. Since, we’ve never asked a reporter to resend in plaintext, I don’t remember any encrypted reports that led to a security release (although I might be mistaken), and I’m nearly certain we never had a report we felt required ongoing communication via PGP encrypted mail.