[ale] PGP/GPG Keysigning party! ALE Central November 19th.

Michael B. Trausch mbt at zest.trausch.us
Wed Oct 28 10:57:42 EDT 2009


On Wed, 2009-10-28 at 10:41 -0400, Jim Lynch wrote:
> I for one would like to know exactly what this activity is good for.
> I
>  understand that one of the uses of these keys is to be sure an email
>   is from who you think it is.  Exactly what activities are you guys
>   involved in that require that level of security?  Obviously you are
>   doing something other than sending responses to the various
>   questions/issue on this list. 
> 
> I'm not criticizing, just very puzzled 'cause I have no real idea of a
>  practical use for this level of security.
> 
> Thanks for the enlightenment. 

GPG signatures are good for the case where you want to see if the
message was altered in transit.  However, where they really shine is
encrypted communications.  Everything you write on the Internet and send
by way of HTTP (not HTTPS) and email (which is inherently insecure) is
sent in plain old, very readable and modifiable text.

Here's an example.

Imagine that you're writing to a friend to tell her what you're getting
for various members of her family.  Now, imagine that I am her husband,
and I control that network, and that I am a nosy bastard.  Your message
is probably screened through some program and I see it and read it.  I
can also modify it; she'll never know.

Imagine the same situation, but instead, I work for her ISP and am not
her husband.  I can see the message as it passes through my network,
optionally logging it and reading it later should I choose to do so.  In
fact, I have no reason to believe that ISPs don't already do this with
unencrypted communications.  After all, they're the prime points of
interception on this great big network.  They can intercept, modify, and
then deliver the message---without detection.

Now, imagine that I am the President.  (That ought to be good for a
laugh.)  I sign an Executive Order compelling some random other entity
or person in the government to begin collecting and analyzing all
plaintext traffic on the Internet and logging it and attributing it to
those who wrote it, watching for bad behavior and being the Big Brother
we all don't want to have power.  (They already do some form of this
already, actually, or at least they did.)  If it becomes convenient they
can compel an ISP to cooperate and intercept messages so that the
government can modify them and send the modified versions to their
recipients.  If messages carry OpenPGP signatures, this is not possible
(well, not likely*) and the government cannot insert itself into the
dialogue.  With encryption, the government cannot even see what is being
said.  Same goes for the ISP, or that pesky nosy neighbor that is on the
same cable network as you are and is snooping around the node for
anything that looks to be "interesting".

	--- Mike

* Probably possible when quantum computers come out and are accessible
and available, but otherwise, one would have to wait an awfully long
time brute-forcing things before being able to break a message's
encryption or signature.

-- 
Blog:  http://mike.trausch.us/blog/
Misc. Software:  http://mike.trausch.us/software/

“The greater danger for most of us lies not in setting our aim too
high and falling short; but in setting our aim too low, and achieving
our mark.” —Michelangelo



More information about the Ale mailing list