undefined | Better HN

0 pointscyphunk11y ago0 comments

Specifically "check a signature". Even everyone that knows how to sign fail to really check anything. Honestly, if it aint boiled down to a green or red icon then people are going to misuse, assume security when its not, or just click "yes".

If you get a new public key for someone, and it's signed by someone else you don't know (most of the time this is the case) are you going to bother to utilise that signature to increase the trust? No. Are you going to assume increased trust somehow regardless? Yes. FAIL.

Modify it further, if it is signed by someone you do know what are the chances your UI is going to give you any sort of indication that this is more trusted that other message workflows? And if it doesn't give you any indication (most leave it up to you to check) who's gonna bother to look just passed "your friend <yourfiendsname@company>" ASCII and actually check the key? no one. FAIL.

PGP WoT fails miserably.

0 comments

mike-cardwell11y ago

I use PGP extensively. However, I haven't bothered with the web of trust, for the same reason I don't publish my address book for everyone to read, privacy.

Torgo11y ago

I have already run into this at work. I have customers whose keys are publicly available, and others who should not be, and so I cannot effectively use keysigning internally to manage relationships. This is because I don't want to upload every key I know about to a public keyserver.

Maybe I am mistaken or maybe there's a way to do that without having multiple keyrings or something, but that's kind of the problem. It's really hard to tell what I would or would not be sharing because there's no "interface" to speak of and I am hardly an expert.

brl11y ago

btw, how is a person signing a key in the usual WoT model supposed to know whether or not the email address specified in the key uid is actually controlled by the person standing in front of them at the key signing party with passport and key fingerprint in hand? Even if you carefully follow the recommended key signing procedure the binding which actually matters for exchanging encrypted email has very poor validation (or none at all).

dublinben11y ago

Best practice is to send an encrypted message to that address in order to confirm the owner controls it.

cyphunkOP11y ago

If you only meant verifying the email as apart of a keysigning party, agreed. Meaning you are looking at their passport and sending an email at the same time. This is better than nothing but wont protect against many directed attacks. For instance, a journalists has to be more careful. Also, in the end if you are sitting in front of each other might as well just verify key fingerprints. Better privacy and security than a simple email verification.

If the author meant actually sending someone a email to see that it is indeed owned by them remotely: NO WAY. Does not work:

me: "hey, just sending you an email to confirm its really you before sending the secret plans?"

them: "yeah, its me. send the plans."

That is exactly what WoT tries to solve but can't due to misuse.

1 more reply

j / k navigate · click thread line to collapse