A Preposterous Preponderance of Prominent PGP Ponderings
Let me start this out by killing any speculation this post might raise: no, this has nothing to do with work. I am not doing anything related to GMail right now, nor do I know anyone working on GMail. Anything I write here should in no way be affiliated with Google.
Having said that, here are my thoughts: after talking to sneaselcouth about it recently, I’ve been thinking a lot about PGP (a public key encryption and signing system for email). It seems like the vast majority of email users would love to have PGP figure more prominently in their lives. If it were used moderately, we could eliminate phishing scams, and if it were used by almost everyone, we could eliminate spam.
The main idea behind the above two claims is that if companies signed all their emails with PGP, we could tell which email is really from, say, eBay or Paypal, and which email is from phishers pretending to be eBay or Paypal. Certainly, this would take a slight amount of effort on the part of the companies, but a PGP signature covers the message text and not the recipient, so a company can sign the text of a single email once and send that same signed copy to everyone on its mailing list without signing it many times over. If these companies would take an extra half-second per unique message, we could eliminate all phishers (assuming people verified the fingerprint of the company’s key at the website the key purports to be from; a signature that merely verifies under some key with “eBay” in its name proves nothing, since a phisher can generate one of those too). This doesn’t require a web of trust; just email clients that can handle PGP.
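As an added example (not code from the original post), the script below shows both halves of that argument with gpg: a notice clearsigned once by a bank’s key verifies unchanged for every recipient, while a phisher’s key carrying the very same name also produces a “Good signature”, so the thing a client has to compare is the signing key’s fingerprint against the one pinned from the bank’s website. The bank, the phisher, the customer and the message are all made up and generated on the fly in throwaway keyrings; it assumes gpg 2.1 or newer and a POSIX shell.

```shell
#!/bin/sh
# Added example: sign once, verify many times, and pin the fingerprint.
# Everything here (keys, names, the notice) is constructed for the demo.
# Requires gpg 2.1+ (for --quick-generate-key and --pinentry-mode loopback).
set -eu
command -v gpg >/dev/null 2>&1 || { echo "this example needs gpg 2.1+" >&2; exit 0; }

new_keyring() { d="$(mktemp -d)"; chmod 700 "$d"; printf '%s\n' "$d"; }

gen_key() { # $1 = keyring dir, $2 = user id; unattended, no passphrase (demo only)
  GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "$2" default default never 2>/dev/null
}

own_fpr() { # $1 = keyring dir -> fingerprint of the single secret key in it
  GNUPGHOME="$1" gpg --batch --with-colons --list-secret-keys 2>/dev/null \
    | awk -F: '$1=="fpr"{print $10; exit}'
}

sign_once() { # $1 = sender keyring, $2 = plaintext file, $3 = clearsigned output
  GNUPGHOME="$1" gpg --batch --quiet --yes --clearsign --output "$3" "$2" 2>/dev/null
}

signer_fpr() { # $1 = recipient keyring, $2 = signed mail
  # Prints the primary fingerprint of the signing key when the signature is
  # cryptographically valid (gpg's VALIDSIG status line); prints nothing when the
  # signature is bad or the key is not in the keyring.
  GNUPGHOME="$1" gpg --batch --status-fd 1 --verify "$2" 2>/dev/null \
    | awk '$2=="VALIDSIG"{print $NF; exit}'
}

is_genuine() { # $1 = recipient keyring, $2 = signed mail, $3 = pinned fingerprint
  got="$(signer_fpr "$1" "$2")"
  [ -n "$got" ] && [ "$got" = "$3" ]
}

BANK="$(new_keyring)"; PHISHER="$(new_keyring)"; CUSTOMER="$(new_keyring)"
WORK="$(mktemp -d)"
cleanup() {
  for h in "$BANK" "$PHISHER" "$CUSTOMER"; do
    GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$h"
  done
  rm -rf "$WORK"
}
trap cleanup EXIT

gen_key "$BANK"    'Example Bank <[email protected]>'
gen_key "$PHISHER" 'Example Bank <[email protected]>'   # same name, attacker's key
BANK_FPR="$(own_fpr "$BANK")"                                # pinned from the bank's website

# The customer's client has imported both keys (one from the bank's site, one from
# a "please import our new key" mail) but pinned only BANK_FPR.
for h in "$BANK" "$PHISHER"; do
  GNUPGHOME="$h" gpg --batch --export 2>/dev/null \
    | GNUPGHOME="$CUSTOMER" gpg --batch --quiet --import 2>/dev/null
done

printf 'Your statement for this month is ready.\n' > "$WORK/notice.txt"   # constructed sample
sign_once "$BANK"    "$WORK/notice.txt" "$WORK/real.asc"      # signed exactly once ...
cp "$WORK/real.asc" "$WORK/real-copy.asc"                      # ... and mailed to everyone
sign_once "$PHISHER" "$WORK/notice.txt" "$WORK/fake.asc"       # phisher signs the same text
sed '/^Your statement/s|ready|at http://evil.example|' "$WORK/real.asc" > "$WORK/tampered.asc"

for m in real real-copy fake tampered; do
  if is_genuine "$CUSTOMER" "$WORK/$m.asc" "$BANK_FPR"; then echo "$m: genuine"; else echo "$m: REJECT"; fi
done
```

Run as-is it prints genuine for real and real-copy and REJECT for fake and tampered. The point worth noticing is that `signer_fpr` does return a fingerprint for fake.asc, i.e. gpg reports a valid signature from the phisher’s key; only the comparison against the pinned fingerprint rejects it.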
If, on the other hand, almost everyone used PGP and we had a nice web of trust, anyone who is either not in the web or not within, say, 3 degrees of separation from you has no business emailing you and is likely a spammer. The difficulty here is getting new email addresses into the system. However, I’d be willing to bet that anyone who gets an email account has a friend with an email account too, and they could call up their friend and ask them to sign their key. Although this wouldn’t work in the near future because very few people use PGP right now, it would eliminate spam if it ever caught on.
So here’s the thing: Why haven’t people done this already? Certainly, there’s no economic incentive for companies to use PGP until their customers can verify their keys. But if a large email system like Hotmail or GMail started offering PGP support, I’d bet that other online email services would follow suit shortly (remember when GMail came out and offered several times more storage space than anyone else at the time, and overnight Hotmail, Yahoo, and several other companies doubled and tripled the space allocated for each account). There is already PGP support in Thunderbird, Evolution, Sylpheed and Sylpheed-Claws, if people only bothered to use it. I don’t believe Outlook or Outlook Express supports PGP, but Microsoft would likely include it in future releases if this started to take off. But the way I see this going, the simplest way to start is with webmail, where the end user doesn’t need to configure anything, and all the keys are stored on a central server at Hotmail/GMail/Yahoo headquarters. The keys themselves are worth little more than the passwords to these accounts (whoever has the account password can sign as that user, and so can whoever can read the provider’s key store), and since you never hear of anyone stealing all the passwords to all the Hotmail accounts, I don’t anticipate there being any major security problem here (certainly a minor one, but you’ll always have those in webmail).
Here are the problems I see right now, and tentative solutions:
- I guess part of it is a chicken-and-egg (or hydrogen economy) sort of problem. At the same time, starting an effective war against spam should give you good enough PR that it would be worth doing this (especially since all the tricky software has already been written).
- We need a way to get keys from companies without getting keys from phishers pretending to be companies. For large companies and banks, you could get the webmail sysadmin to spend an hour downloading the keys of the 1000 most popular companies (checking each fingerprint against the one the company publishes on its own site, since anyone can upload a key with any name to a keyserver), and this would solve the problem for 99.9% of phishing attacks (they’re almost always about eBay, Paypal, Bank of America, or US Bank). Smaller companies with fewer customers offer a much smaller target for phishers, and although this system isn’t perfect it would get rid of almost all phishing.
- Getting people to sign each other’s keys could be tricky, since it might be viewed as an inconvenience. However, if you could pair this with some sort of social networking site (such as Facebook or MySpace), it could be a fun sort of thing. If signing a key were as easy as inviting someone to be your friend on Facebook, creating a web of trust would be pretty simple. The trick here is to make sure people realize that they shouldn’t sign keys of people they don’t actually know. Perhaps the right system is to make sure that both the signer and the signee are in the same room when this happens, by asking for both passwords in a single form? This could be problematic for lots of people, though (I wouldn’t be able to sign the vast majority of my friends’ keys if this were the case).
- Typical users wouldn’t know what to do with a key that has an expiration date, but typical users wouldn’t want one anyway, so I don’t think it’s a big issue.
- Getting the same key onto both a webmail server and a personal computer with an email client would be next to impossible. Perhaps there could be a way to hand the message from the email client to the webmail server and sign it there, in such a way that messages can still only be sent by the correct user with the correct password? I don’t know of such a system already (APOP, the POP3 challenge-response login, might work for the authentication part), and this could get pretty tricky.
To be honest, that’s about all the problems I can think of right now. What are your thoughts? What have I missed? Do I have any of this wrong? Any feedback would be appreciated.
By the way, my PGP fingerprint is D7C4 3ECD 7C59 BA37 F817 AA82 C1AF 7E9F 1648 0B4B and my keyID is 16480B4B.
One issue would be that you’re now planning to store the private key on Gmail’s server, and send the password over the ‘net to Gmail. This first requires people to trust Google quite a bit, and then a secure connection (probably easy/already there). Then, unfortunately, users will clamor for the password to be cached. Gmail could probably succeed at caching it for the lesser of the session or N minutes, but if others picked this up they’d be less secure. I am all for its support, but I’d expect tension as more people adopt its use.
I remember from when I was first learning about PGP that (at least in the MIT version I had then) you could easily assign a level of trust to people, so that you could sign a key to mean that yes, this is definitely Bob, but assign them 0 trust saying that Bob gets drunk at a lot of PGP parties and you don’t trust his signatures.
Last I checked, my (public) PGP key is still stored here on LJ. Click the key icon near my name at the top of my profile. I can’t remember how I got it there, though. I also can’t remember or easily access my ID/fingerprint right now.
I’ve always been a little hazy about ASCII-armored keys. Is that just the output of ‘gpg --armor --export myKeyID’? Now that I have yours, what do I do with it?
In response to your issue, remember that the vast majority of users know absolutely nothing about computers. The average user trusts pretty much anyone with pretty much anything, particularly if they’re upfront about what it is that they’re doing and why it’s a good idea. This is why spyware and phishing exist in the first place. Consequently, I think people wouldn’t mind if Hotmail/etc had all their users’ keys (and the users themselves didn’t have these keys on their personal machines). It might not be the perfectly secure system that GPG was intended to be, but I think it’d be good enough for your grandmother to use. I’d say that anyone who uses webmail already trusts their webmail provider with everything a PGP key could influence, so the trust is already there. Caching could be tricky, but I’m not convinced it’s that major a threat. You’re also right about the levels of trust, and that could likely be used to alleviate the concerns of people who actually use PGP correctly.
I guess a bigger concern is companies having keys with expiration dates: eBay would want their key to expire eventually, since there would be a lot of money in cracking that sucker and the phishers would try to do that ASAP. The trick would then become automating the bit where you get eBay’s new key and remove their old one, so that their key could expire and no users would notice the switch to the new one.
I think you can just import it with ‘cat keyfile | gpg --import’, and probably then refresh it from the keyservers. Alternately, it can probably be found on the servers mac mentioned with [email protected]. (I probably have an st.hmc.edu identity I should remove now.)
This would, of course, be wonderful, but a good global PKI is going to be really, really hard.
On the other hand, more of what you’re talking about has been done than you think: there are already large repositories of keys (they’re called, obviously enough, “keyservers”, and pgp.mit.edu is probably the best-known), and the PGP command-line clients will interface seamlessly. (My Mutt config is smart enough to recognize that a message has been signed by a key it doesn’t have, go retrieve that key, then re-try verifying the message, for example)
I think this will catch on as a side-effect of cryptography in instant messages: people will discover that using OTR plugins is easy, and then they’ll wonder “why can’t I do that in e-mail?”
Assuming you’ve got a keyserver configured (see the GPG howto…), signing a key goes like this:
% gpg --recv-keys <something unique>
% gpg --fingerprint <something unique>
(make sure it matches...)
% gpg --sign-key <something unique>
% gpg --send-key <something unique>
Occasionally, remember to do % gpg --refresh-keys to see if anybody else has been signed.
Where “something unique” is the key ID, or an e-mail address, or part of one, or something else that lets gpg figure out what you’re talking about. For you, I used ‘adavidso’, and after I had your key, zsh tab-completed it for me.
See my earlier post for my key, and sign that sucker.
Blast, LJ damaged some of my formatting. All of those commands take another parameter, which identifies which key(s) you are operating on. It wants some unique identifier, as defined above.
I’m familiar with keyservers for storing public keys, but I’m talking about keeping the private key of every webmail user on the server that hosts the webmail. I’m not sure how different that would be, but I imagine something will need to be tweaked a bit.
Your comment raises a few questions for me: why do you think email cryptography will catch on after IM cryptography? I’ve always thought it would be the other way around. There are easily understandable reasons for getting email cryptography. Why would most people want to encrypt their IMs? Also, why do you think that getting a good global PKI would be so hard? I don’t think it would be any harder than getting a hydrogen economy, which has already started to happen (albeit very slowly). Once we get a critical mass of people using it, I expect others will want to join in.