OpenPGP has shortcomings I noted, but their impact on experimental results has been low see the list of registered vulnerabilities. The security researchers in these organizations review, vet and recommend that software, compared to alternatives. The fact that a security product is used by organizations dealing with highly sensitive information in fact correlates with the quality of that product. I think most people would agree that OpenSSH is secure (although SSH is a similarly dated protocol). If you measure software security track record by the number of known CVEs per unit time per unit task per LOC, the track record of GnuPG/OpenPGP is about that of OpenSSH/SSH and OpenVPN see the site I linked. One needs to also prescribe a threat model, provide other information, etc. It’s hard to meaningfully define and measure software security. Which is why Sequoia's years of support of (I think?) EAX mode AEAD encryption hasn't moved the needle for the moribund PGP ecosystem. Obviously, the documentation of a proposed design for AEAD support in an RFC doesn't close the gap - users care about results, as you say, and so what matters, to the exclusion of all else - is what the installed base of GnuPG clients supports. I haven't, of course, worked for all the banks, so if you've got a counterexample, please provide those facts for us to evaluate. The industry standard "secure email" system for banks is simply a TLS web interface that you post your emails to banks don't use PGP for secure communications. I don't think your supposition that GnuPG is beloved of "NSA and state-level actors" really qualifies as "facts". Nobody would implement a tool like GnuPG in 2021 the way GnuPG is implemented we accept its implementation because of path dependency, not because it's especially sound. This does not look like an especially reassuring track record! People should keep in mind that GnuPG is a legacy C codebase. It turns out that $150K isn't actually that much of a windfall. Nonetheless, a fundraising campaign followed just two years later. > Given the ramshackle state of massive GnuPG code base, it's not clear what's the best path forward. The project got a nice boost after that article, leading to this Ars Technica story about the windfall: Recall that this was in the wake of Heartbleed, a vulnerability that exposed our dependence on OpenSSL, another critical, and chronically underfunded project. Now 53, he is running out of money and patience with being underfunded. Werner Koch wrote the software, known as Gnu Privacy Guard, in 1997, and since then has been almost single-handedly keeping it alive with patches and updates from his home in Erkrath, Germany.
0 Comments
Leave a Reply. |