One of the main UK computer security websites (Get Safe Online, GSO, a public/private partnership) has recently changed to using a website for security alerts, instead of sending emails that contained a “secret” word. Of course, a non-SSL website is not really safer or easier to verify than the emails, so I asked them: why don’t you use OpenPGP or GPG, like Debian’s excellent security advisories?
The reply essentially boils down to “our target audience doesn’t use encryption software and we’re not going to educate them and other countries don’t either.” The encryption instructions on their site consist of an extremely vague explanation and links to a dozen or so other websites, along with insulting open source programs (which is disappointingly usual for GSO). The site is a little better than it was last year, but not much.
I think it’s a terrible shame that the gov.uk-supported site is failing to encourage encryption software use. Do you think this stems from a fear of strong encryption making it harder for the public sector to snoop on us?
So I guess this falls to the common/civil sector to promote personal security. How could we spread encryption software to the masses? GnuPG and as many mail client plugins as you can find? Icedove/Thunderbird and Enigmail?
This is kind of OT, but since you mentioned email at the end, maybe we can ponder a bit about email:
1. Many people don’t use any email clients. They just use hotmail/gmail/yahoo. How do we integrate the use of encryption software into these webmail systems?
2. We can do it the old way, i.e., write a text file, clearsign it, and then copy-and-paste it into the webmail. But what stops viruses from picking up these clearsigned messages and emailing them to random people? Can we be certain that a certain message truly came from someone, *even* if it is gpg-signed?
The day that a government (with a vested interest in being able to easily monitor the populace) advocates encryption will be a cold day in hell 😉
@Ambrose Li – 1. http://www.news.software.coop/the-trouble-with-big-webmail/180/#comment-1187 mentions a FireGPG plugin for Firefox-based browsers. I’ve not tried it.
2. Even if the virus has resent that clearsigned message, we can be sure it originally came from them. I guess we can’t be sure that they meant to send it to us, unless it’s also encrypted for our key. --clearsign is like publishing…
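An added example (not part of the original post or the comment thread) that illustrates the point made in the reply above: a clearsign signature proves who wrote the text, not who it was meant for, so a copy forwarded by malware verifies just as well as the original. The script stands in a toy textbook-RSA signer for GnuPG so it runs offline; the key, the message and the "To:" header convention are all constructed for this illustration and the signer is not secure. The mitigation shown is the recipient-side check that the signed text itself names you (encrypting to the recipient's key, as the reply suggests, is the other route).

```python
"""Clearsign semantics demo: origin is proven, intended recipient is not.

Toy textbook RSA with small hard-coded primes replaces GnuPG so that this
runs offline.  It is NOT secure and only shows the signature semantics.
"""
import hashlib
import re

# Constructed toy key: two Mersenne primes, far too small for real use.
_P = 2 ** 61 - 1
_Q = 2 ** 31 - 1
_N = _P * _Q
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))

PUBLIC_KEY = (_N, _E)
PRIVATE_KEY = (_N, _D)


def _digest(text: str) -> int:
    # Truncated SHA-256 so the integer fits under the toy modulus (~2^92).
    return int.from_bytes(hashlib.sha256(text.encode()).digest()[:8], "big")


def sign(text: str, private_key=PRIVATE_KEY) -> int:
    n, d = private_key
    return pow(_digest(text), d, n)


def verify(text: str, signature: int, public_key=PUBLIC_KEY) -> bool:
    n, e = public_key
    return pow(signature, e, n) == _digest(text)


def clearsign(text: str) -> str:
    # Layout modelled loosely on PGP armour: readable text, then signature.
    return (
        "-----BEGIN SIGNED MESSAGE-----\n"
        f"{text}\n"
        "-----BEGIN SIGNATURE-----\n"
        f"{sign(text)}\n"
        "-----END SIGNATURE-----\n"
    )


def verify_clearsigned(blob: str) -> tuple[bool, str]:
    """Return (signature_valid, signed_text) for a clearsigned blob."""
    m = re.fullmatch(
        r"-----BEGIN SIGNED MESSAGE-----\n(.*)\n"
        r"-----BEGIN SIGNATURE-----\n(\d+)\n-----END SIGNATURE-----\n",
        blob, re.S)
    if not m:
        return False, ""
    text, sig = m.group(1), int(m.group(2))
    return verify(text, sig), text


def addressed_to(text: str, me: str) -> bool:
    """Recipient-side check: the *signed* text must name me as recipient.

    A signature covers only what is inside it; an outer mail header added
    by whoever forwarded the message proves nothing.
    """
    m = re.search(r"^To: (.+)$", text, re.M)
    return bool(m) and m.group(1).strip().lower() == me.lower()


if __name__ == "__main__":
    # Constructed advisory signed for Alice.
    alice_copy = clearsign("To: alice@example.org\nSubject: Alert 42\n\nPatch now.")
    ok, body = verify_clearsigned(alice_copy)
    print("Alice: signature valid =", ok, "| addressed to me =",
          addressed_to(body, "alice@example.org"))

    # The same bytes, forwarded unchanged to Bob by a virus on Alice's box.
    ok, body = verify_clearsigned(alice_copy)
    print("Bob:   signature valid =", ok, "| addressed to me =",
          addressed_to(body, "bob@example.org"))
```

Run it and both recipients see a valid signature; only the "addressed to me" check separates Alice's genuine copy from Bob's forwarded one. Any edit to the signed text, such as changing the advisory wording, makes verification fail.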
Careful what you wish for!
If PGP spreads, government’s snooping will be scuppered. Someone might then suggest legislation to prevent that happening …