Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

PGP may have broken down for the author, but it's still used in a lot of places. For example, to communicate with our bankers at work, every email has to be properly encrypted and signed - or it goes into a blackhole. The only way to exchange public keys(initially) is in person. Once that is done, new keys are provided from that person, and the WoT expands.

tldr; it doesn't work for the author, but it does work for lots of individuals and even more companies with secrets to protect.



Oh, how I would love it if my (personal) bank/utility/isp would send me PGP-encrypted/signed emails, instead of emails saying "There is some updated information for you on our web site, please log in to see it".

But given the general competence demonstrated by such organisations, it's something I will never see.


PGP is also used very heavily on darknet on drug marketplaces.

OTR (or even Signal) is not possible there, so people stick to good-and-tried PGP.


I think darkweb marketplaces are a slightly different use case though. The requirements for a darkweb transaction are the ability to tell the vendor your address so they can send you illegal goods, while hiding it from the marketplace itself in case their servers are seized. A random PGP key with no real name and no verification is entirely adequate for this purpose - indeed, any kind of identity validation would probably be seen as a negative for such a situation.


He doesn't say that it's useless but that it's too much hassle to use even for someone that works in security.

It works in companies because you don't get a choice if you did most people wouldn't use it.


In otherwords, it only works in controlled environments, not out in the wild


Not to be glib, but this is true in much the same way as secure http. Really the only way to do it properly is to control the root key for your organization. The chain of trust starting with the vendor you got the computer from is bonkers.


It's pretty bonkers that you trust a computer vendor to control the firmware on your PC but not the CA chain. If Dell is determined to listen to your conversations, they can spy from the hardware, keylog beneath the OS, or literally listen through an embedded microphone.


People don't trust their hardware vendors because they're trustworthy, they trust them because they don't have any real choice.

If my preferred OEM offered me the choice between a locked-down opaque system, and an /equivalent/ system that is completely open and verifiable, I'd choose the second option every single time. I expect many would as well.


Sure. I'm just saying it's easier to verify the CA list than verify the hardware, and the hardware gives the OEM a superset of what they can do with the CA list.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: