
I'm ready to show my ignorance. Cryptocat bad? I had been using it to help people get their feet wet for OTR. What must I read?


People were talking about potential weaknesses in Cryptocat for some time. Cryptocat ignored those people, then bickered with them. Then someone released a PoC and Cryptocat it turns out was really broken.

https://news.ycombinator.com/item?id=6990602

https://news.ycombinator.com/item?id=5990288

Edit: this is a nice walkthrough of a simple RNG bug https://nakedsecurity.sophos.com/2013/07/09/anatomy-of-a-pse...


Just use OTR. ChatSecure on iOS is fine. Cryptocat is not safe.


Is there anything bad about telling people to ignore PGP/GnuPG altogether and use OTR/TextSecure?


You can't use OTR for email. Well not in a meaningful way, anyway.

I think the article[ed:1] misses the point, btw. Yes, managing keys might be tricky - but it's not really rocket science. The thing that's hard is managing trust -- which key one trusts etc. The CA system for web is completely broken. I had some hope for cacert.org -- I think that model (perhaps expanded to include recommending signing gpg-keys as well as x509 certs) has a lot of merit.

I think web of trust is the only thing that can work for managing trust. But it needs to be accessible. Have post offices and banks sign gpg keys when people come in with valid id. Cacert is a different take -- I like to look on it as a "structured eternal keysigning party". I trust that model a lot more than the classic CA model. But as it is based on the CA model, it suffers the same problems with centralized trust. Centralized trust is great for organizations, it's not so great for individuals.

I think the best model would be a world-wide web of trust for gpg, helped by formal and informal signing organizations (i.e. cacert, signing parties -- and with the help of banks, governments, DMV and similar institutions that traditionally help with issuing IDs). Then there should be support for anchoring DNS/CAs (and CAs for openssh) with gpg. So that if you trust someone is a representative of an organization linked to a domain name, you can trust them to authorize a CA for that name (there's technical details here, but I think the idea should be clear enough).

CAs go away, everyone can sign their own certs -- and there's an easy way to link x509 and gpg trust.

People will still lose their keys, and get invalid keys signed etc -- key management is hard. But the really confounding thing is trust -- and knowing how to determine which keys are "proper" keys for a given entity. That's really trust management, not (just) key management.

[ed:1 whoops, that was the other article on making key management easy ;-) But I suppose this comment is relevant wrt how to make encryption more readily available...]


Web of trust is a complete joke. It is literally a system where people who are unqualified to do so confirm identity based on a government id.


As opposed to the CA system, where machines who are unqualified to do so confirm identity based on an email?


It certainly doesn't have to be. A person's trust of long-time friends is an important metric for network security. Not every key-signing party involves government ids.


What do you mean by people can't use OTR for email in a meaningful way?

Almost nobody can use PGP/GnuPG properly and OTR is reasonably easy to use for most people. Isn't this alone a good reason to just tell people to ignore PGP/GnuPG altogether?


https://lists.cypherpunks.ca/pipermail/otr-users/2006-Januar...

to wit:

    Wed Jan 11 00:33:40 EST 2006, CLAY SHENTRUP
    CLAY at BROKENLADDER.COM wrote:
    >
    > On 1/10/06, Daniel Guido <dguido at
    > gmail.com> wrote:
    >>
    >> Correct me if I'm wrong, but there is no
    >> working implementation of OTR for e-mail
    >> yet is there?
    >
    > There can't be really.  The sender and
    > receiver have to agree upon a shared secret
    > at the time of transmission, which requires
    > at least 3 passes.


Ok, I guess you simply meant that there's no OTR implementation for email.

So, again, what's wrong with telling people to ignore PGP/GnuPG altogether?

-- Assange to Google's Schmidt: 'I don't use email'

http://www.computerworld.com/article/2496908/encryption/assa...


I meant that there cannot be a reasonable OTR implementation for email. You can stop using email if you want - I love it, as the last vestige of useful decentralised service on the Internet (I run my own email service, and many organisations do too). You can encrypt your email -- but not with OTR. S/MIME and gpg/pgp do work.


I kind of thought that the web itself was a major example of a useful decentralized service on the internet; kind of odd for email to be described as the last vestige of that.


To the extent that HTTPS is the protocol of the web, its primary implementation (the CA system) is, in every meaningful way, centralized along exactly the same lines as much of the rest of society: in governments and corporations.


It was. It technically still is. But large parts of what makes the web useful -- content and search/indexing -- are being trapped in silos like Google, G+, Twitter, Facebook, Blogspot etc.


gpg/pgp do work for those who can use it properly, which is a tiny minority. Can your parents or non-tech savvy friends use gpg/pgp? Probably not.

And as Assange said, if you are e.g. a journalist on a government watchlist, it could be worse (more dangerous) than not using gpg/pgp.

Text messages using OTR seems like a better way. For widespread crypto usage, telling people to ignore pgp/gpg and use texts with OTR seems more reasonable than keeping projects like GnuPG alive.

If I were running a company like Facebook that's interested in spying on people, I might even fund projects like GnuPG so that unrealistic geeks keep thinking this is a viable solution.


I'm not convinced most people that can't use gpg "properly" are able to use OTR "properly".

As for facebook, as long as they keep the XMPP access open and supported[1], at least they do support OTR. Unlike eg: google.

I don't really understand this "gpg is impossibly hard"-stance. Yes, security is hard. Why recommend OTR? Don't get me wrong, I love OTR -- but verifying OTR keys, and transporting identities across devices (eg: when getting a new phone) is pretty difficult too. Are you saying wrong use of OTR is better than wrong use of gpg, because most people that use OTR use it in a way that allows for MITM anyway?

[1] https://www.facebook.com/sitetour/chat.php


I don't think you need to be convinced. When 99% of people look at the choice between (a) Thunderbird+Enigmail and (b) TextSecure, they know which one is easier to use (your Mom probably knows more than you do in this regard), not to mention OTR has properties that PGP/GPG lacks such as PFS.


Textsecure is nice, but it's not really an alternative to encrypted email. It doesn't support off-line use, it's inconvenient for sharing large documents.

But most importantly, the point you seem to ignore, it's not secure if you don't verify keys. I'd say most people don't verify keys with OTR -- hence they're not using it in a manner that's actually secure. I do agree that it's a lot better than people using Snapchat.
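Two points in this thread are easier to see in code than in prose: the quoted mailing-list post says an OTR-style session key has to be agreed interactively (the other side must be online to answer, which is why it does not map onto store-and-forward email), and the last comment says that without verifying keys the session is open to a man in the middle. The following is an added example written for this page, not code from OTR, Cryptocat or any participant. It models a bare two-message Diffie-Hellman agreement over toy parameters (the real OTR handshake is a four-message authenticated exchange with signatures; the group, the party names and the message transcript here are all constructed for illustration). It then runs the same exchange with an attacker relaying substituted public values, and shows that both victims still "complete" a session, that the attacker holds a key with each of them, and that only an out-of-band fingerprint comparison reveals it.

```python
"""Toy interactive key agreement with and without an active attacker.

Constructed example for illustration only: not OTR's protocol, not
Cryptocat, and not from the thread.  Shows that (1) no session key exists
until the peer has answered, so both parties must be online, and (2) a
completed exchange proves nothing about *who* you agreed a key with
unless fingerprints are compared over a trusted channel.
"""
import hashlib
import secrets

# Toy Diffie-Hellman parameters: a Mersenne prime and a small generator.
# Far too small to be secure; chosen only so the example runs instantly.
# These are assumptions of the example, not OTR's real group.
P = 2 ** 127 - 1
G = 3


def fingerprint(pub: int) -> str:
    """Short hex fingerprint of a public value, the kind of string two
    people read to each other in person or over the phone."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:40]


class Party:
    """One endpoint holding a fresh DH key pair for this session."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.priv = secrets.randbelow(P - 3) + 2
        self.pub = pow(G, self.priv, P)
        self.key = None       # session key; None until the peer has answered
        self.peer_fp = None   # fingerprint of whoever we actually exchanged with

    def receive(self, peer_pub: int) -> None:
        """Finish the agreement with the public value that arrived on the wire."""
        shared = pow(peer_pub, self.priv, P)
        self.key = hashlib.sha256(shared.to_bytes(16, "big")).hexdigest()
        self.peer_fp = fingerprint(peer_pub)


def verify_out_of_band(a: Party, b: Party) -> bool:
    """The step most users skip: each side checks that the fingerprint it
    computed for 'the peer' is really the other person's fingerprint."""
    return a.peer_fp == fingerprint(b.pub) and b.peer_fp == fingerprint(a.pub)


def run_honest() -> dict:
    """Alice and Bob exchange public values directly; two messages, both online."""
    alice, bob = Party("alice"), Party("bob")
    wire = []                                   # one entry per message in flight
    wire.append((alice.name, bob.name, alice.pub))
    bob.receive(alice.pub)
    key_before_reply = alice.key                # Alice still has nothing to encrypt with
    wire.append((bob.name, alice.name, bob.pub))
    alice.receive(bob.pub)
    return {
        "messages": len(wire),
        "key_before_reply": key_before_reply,
        "keys_match": alice.key == bob.key,
        "verified": verify_out_of_band(alice, bob),
    }


def run_mitm() -> dict:
    """Mallory intercepts both messages and substitutes her own public values.
    She runs one session with Alice and a second one with Bob."""
    alice, bob = Party("alice"), Party("bob")
    m_for_alice, m_for_bob = Party("mallory"), Party("mallory")
    # Alice -> Bob is intercepted; Bob receives Mallory's value instead.
    m_for_alice.receive(alice.pub)
    bob.receive(m_for_bob.pub)
    # Bob -> Alice is intercepted the same way.
    m_for_bob.receive(bob.pub)
    alice.receive(m_for_alice.pub)
    return {
        "both_sides_completed": alice.key is not None and bob.key is not None,
        "alice_bob_keys_match": alice.key == bob.key,
        "mallory_shares_alice_key": alice.key == m_for_alice.key,
        "mallory_shares_bob_key": bob.key == m_for_bob.key,
        "verified": verify_out_of_band(alice, bob),
    }


if __name__ == "__main__":
    print("honest:", run_honest())
    print("mitm:  ", run_mitm())
```

Running it, the honest exchange reports matching keys and a passing fingerprint check, but no key exists after the first message; the attacked exchange reports that both victims completed the handshake and that Mallory shares a key with each of them, and only `verify_out_of_band` returns False. That check is the part no protocol can do for the user, which is the point the last comment makes about unverified OTR sessions.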



