Is PGP the Solution to Protecting Your Private Emails?

  • Thread starter billiards
  • #1
billiards
This is a thread about encrypting your private emails. I put it in discussion as I would be interested to read about people's views on this given the recent revelation that certain governmental agencies are storing all our emails. Does anybody out there encrypt their emails? Or perhaps you would like to do it in principle but never really looked into it?

I myself only downloaded a PGP (Pretty Good Privacy) encryption package today (link), which I have been playing around with. However I must say that so far I am a little disappointed. Not with the technology itself, but with the limitation that people I want to write emails to don't use PGP.

You see, in order for a message to be encrypted both the sender and receiver need to have a key set (one private key and one public key). I can only send (or receive) encrypted messages to (or from) someone else who has a key. The only person I know who has a key is myself, so basically so far all I can do is send encrypted emails to myself!

So I'd be keen to hear from people that have experience using PGP. And I'd be keen to hear if people think it's a good idea for the public to protect their emails from snoops in general. I can't help thinking about "climate-gate" -- if they had used PGP the hackers would have had no chance at reading all their emails.
 
  • #2
I just use ig-pay atin-lay when it's really private.
 
  • #3
Do you have anything worthy enough of protection that hackers would be motivated to go after it specifically? Either way, you should consider the possibility that encrypting your email may make it look more interesting.
 
  • #4
PGP has been in use for at least twenty years - I remember discussions over whether we should allow its use across FIDO BBS boards somewhere in the mid-nineties. My bet is that the fact that still not many people use it means that most people don't care that much about the content of their messages.
 
  • #5
I had a paranoid friend years ago that used it. Honestly there is nothing in my emails that needs to be encrypted.
 
  • #6
A little bit of paranoia can be a good thing. I don't want someone snooping around my private life. If we can take steps to stop strangers reading our private communications then I for one am willing to take those steps. Maybe no one will ever read my communications -- but now I KNOW that my emails are being stored online by government data agencies -- I can simply encrypt my messages and they can't read them - ever - unless they get hold of my private key (or spend a great deal of computer power figuring it out).

I suspect that if people (the general public) knew about PGP, were taught how to use it (it's not hard, but you need a little bit of technical understanding), and so started using it on their computers, they would love it. I bet the reason it hasn't caught on is simply because people don't know about it.
 
  • #7
If the government decides to read or modify your email, they can - regardless of how strong encryption you use.
If the public key is compromised, all bets are off.

I work in a security company and one of the features our team recently developed will do the man-in-the-middle attack, regardless of what algorithm you use.
 
  • #8
jobyts said:
If the government decides to read or modify your email, they can - regardless of how strong encryption you use.
If the public key is compromised, all bets are off.

I work in a security company and one of the features our team recently developed will do the man-in-the-middle attack, regardless of what algorithm you use.

You can download my public key, if you know my email address, it is freely available for download on a server. I want you to download it -- especially if you want to send me an encrypted message. You won't be able to use it to decrypt my emails though.

All bets are off if you get hold of my private key. But unless you hack into my hard-drive and steal it, it will take a lot of computational effort to reveal it. PGP also has other layers of protection which you can read about on the wiki page I linked to earlier.
 
  • #9
billiards said:
You can download my public key, if you know my email address, it is freely available for download on a server. I want you to download it -- especially if you want to send me an encrypted message. You won't be able to use it to decrypt my emails though.

The trick is that the public key that you got from the server is not the public key of the person that you actually intended to communicate with. You are actually talking to a gateway that acts as the man-in-the-middle and he gives his public key to you. The man-in-the-middle gateway is able to get a fake certificate, certified by a certificate authority (say, VeriSign), where the actual public key is his, not that of the actual user you wanted to communicate with.

You encrypt the email with the public key provided by the man-in-the-middle, and he is able to read the email using his private key. Then he re-encrypts the plain text email with the ultimate email recipient's public key and sends it to the ultimate email recipient.

As long as there is a man-in-the-middle gateway that could give you a forged certificate, both parties are actually, without knowing it, talking to the man-in-the-middle, not to each other.
 
  • #10
jobyts said:
The trick is that the public key that you got from the server is not the public key of the person that you actually intended to communicate with. You are actually talking to a gateway that acts as the man-in-the-middle and he gives his public key to you. The man-in-the-middle gateway is able to get a fake certificate, certified by a certificate authority (say, VeriSign), where the actual public key is his, not that of the actual user you wanted to communicate with.

You encrypt the email with the public key provided by the man-in-the-middle, and he is able to read the email using his private key. Then he re-encrypts the plain text email with the ultimate email recipient's public key and sends it to the ultimate email recipient.

As long as there is a man-in-the-middle gateway that could give you a forged certificate, both parties are actually, without knowing it, talking to the man-in-the-middle, not to each other.

Yes I understand it. But this is completely different from being able to decrypt messages. This is tricking the sender into sending the message to the wrong person. Fortunately there are some pretty basic ways to avoid being tricked.
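
The kind of basic check referred to above, as an added example that is not part of the original thread: before encrypting to a key fetched from a server, recompute its full fingerprint and compare it with one obtained from the owner over a separate channel. The sketch assumes OpenPGP version 4 keys (RFC 4880); the key material, timestamp and function names are constructed for illustration.

```python
import hashlib
import hmac

def mpi(value: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit length, then big-endian bytes."""
    bits = value.bit_length()
    return bits.to_bytes(2, "big") + value.to_bytes((bits + 7) // 8, "big")

def rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet (RFC 4880, section 5.5.2)."""
    return bytes([4]) + created.to_bytes(4, "big") + bytes([1]) + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, a 2-byte body length, and the body (RFC 4880, section 12.2)."""
    framed = b"\x99" + len(body).to_bytes(2, "big") + body
    return hashlib.sha1(framed).hexdigest().upper()

def grouped(fpr: str) -> str:
    """Format as ten groups of four hex digits, the way fingerprints are read aloud."""
    return " ".join(fpr[i:i + 4] for i in range(0, len(fpr), 4))

def key_matches(body: bytes, trusted_fpr: str) -> bool:
    """Accept a downloaded key only if its full fingerprint equals the trusted one."""
    wanted = "".join(trusted_fpr.split()).upper()
    return hmac.compare_digest(v4_fingerprint(body), wanted)

# Constructed toy values (far too small to be real keys).
CREATED = 1370000000
GENUINE = rsa_public_key_body(CREATED, 0xC0FFEE1234567891, 65537)
SUBSTITUTED = rsa_public_key_body(CREATED, 0xBADC0DE987654321, 65537)

# Stands in for the fingerprint the recipient gave the sender in person or by phone.
TRUSTED_FPR = grouped(v4_fingerprint(GENUINE))

if __name__ == "__main__":
    for label, body in (("genuine", GENUINE), ("substituted", SUBSTITUTED)):
        ok = key_matches(body, TRUSTED_FPR)
        verdict = "OK to encrypt" if ok else "REJECT: fingerprint mismatch"
        print(f"{label:12} {grouped(v4_fingerprint(body))}  {verdict}")
```

The comparison uses the whole 160-bit fingerprint, since any key a gateway substitutes has different key material and therefore a different hash, whatever name or email address is attached to it.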
 
  • #11
billiards said:
This is tricking the sender into sending the message to the wrong person.

That's how the government reads your encrypted communication. They do not bother deciphering the content by cryptanalysis of the crypto algorithm for the bulk of people.

The communication happens between the two end parties. But the secure session ends at the man-in-the-middle.
 
  • #12
All of my e-mail input is either spam, notifications from PF or Adventure Quest, or fliers from my pharmacy. Anyhow, I can guarantee that you cannot purchase encryption that the NSA can't decrypt. That's been their sole purpose for about 50 years.
 
  • #13
Danger said:
All of my e-mail input is either spam, notifications from PF or Adventure Quest, or fliers from my pharmacy. Anyhow, I can guarantee that you cannot purchase encryption that the NSA can't decrypt. That's been their sole purpose for about 50 years.

NSA would have extreme trouble with Lisab's encryption. Deciphering pig-Latin has become a lost art.
 

What is Pretty Good Privacy (PGP)?

Pretty Good Privacy (PGP) is a computer program used for encrypting and decrypting data. It was created by Phil Zimmermann in 1991 and is widely used for secure communication, such as email, messaging, and file storage.

How does PGP work?

PGP uses a combination of symmetric-key and public-key cryptography to encrypt and decrypt data. The sender uses the recipient's public key to encrypt the message, which can only be decrypted by the recipient using their private key. PGP also uses a digital signature to verify the authenticity of the sender.

Is PGP secure?

PGP is considered to be highly secure, as it uses strong encryption algorithms and has been extensively tested and reviewed by security experts. However, like any encryption system, it is not completely foolproof and can be vulnerable to attacks if not used correctly.

Who uses PGP?

PGP is used by a variety of individuals and organizations, including businesses, governments, and individuals who want to protect their privacy and secure their communication. It is especially popular among journalists, activists, and whistleblowers.

Is PGP legal?

Yes, PGP is legal to use in most countries. However, some governments have regulations on the use and export of encryption software, so it is important to check your local laws before using PGP.
