
For technical folk, yeah. For nontechnical folk, nothing seems to come even close though. The great thing about HTTPS, for example, is all users need to care about is a little green lock. (And frequently, they have no idea what HTTPS is, but know that little green lock === safe)


> little green lock === safe

Which is not true. Little green lock means the site has HTTPS; being safe requires much more than that. Security is hard to explain.


Of course, but this is nonetheless the view for typical end users.


And THIS is the problem. Yeah, the app is a pain to install, but security is a mindset, not just an app.

I even wonder how many people download an ISO or installer from a website, and do any sort of due diligence to find the signer's key from another 3rd party location, then verify previous builds, or require multiple signers of a key to give any semblance that the key is not fake? Or do we all just download the ISO and the .iso.asc file from the links provided and call it good? Even security minded people can be lazy in this situation.
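The due-diligence steps described above, as an added example that is not part of the original comment: a POSIX shell function that verifies a downloaded image against its detached `.iso.asc` signature while trusting only a key fingerprint obtained out of band (from somewhere other than the download page). It assumes GnuPG 2.x is installed; the `verify_iso` name, the file names and the fingerprint layout are illustrative, and the key file may come from the same site as the ISO because the fingerprint check is what pins the signer.

```shell
#!/bin/sh
# Added example, not code from the thread: verify ISO + detached signature
# with a pinned signer fingerprint.
# Assumptions: GnuPG 2.x on PATH; EXPECTED_FPR is the 40-hex-digit
# fingerprint of the signer's *primary* key, learned from a source
# independent of the download site (printed docs, a second mirror,
# a keyserver lookup done elsewhere, a previous release you verified).

# verify_iso ISO SIGFILE KEYFILE EXPECTED_FPR
#   ISO           the downloaded image
#   SIGFILE       the detached signature (.iso.asc or .iso.sig)
#   KEYFILE       the signer's public key as downloaded (ASCII-armored)
#   EXPECTED_FPR  fingerprint obtained out of band; spaces and case ignored
# Returns 0 only if SIGFILE is a good signature over ISO made by a key
# whose primary fingerprint equals EXPECTED_FPR.
verify_iso() {
    iso=$1; sig=$2; keyfile=$3; expected=$4
    expected=$(printf '%s' "$expected" | tr -d ' ' | tr 'a-f' 'A-F')

    # Use a throwaway keyring so nothing already on this machine is trusted.
    tmp=$(mktemp -d) || return 1
    chmod 700 "$tmp"

    # Step 1: import the downloaded key into the empty keyring.
    if ! gpg --homedir "$tmp" --batch --quiet --import "$keyfile" 2>/dev/null; then
        echo "verify_iso: could not import $keyfile" >&2
        rm -rf "$tmp"; return 1
    fi

    # Step 2: the key file must actually carry the out-of-band fingerprint.
    # A key file swapped on a compromised mirror fails here, not later.
    if ! gpg --homedir "$tmp" --batch --with-colons --list-keys 2>/dev/null \
         | awk -F: -v want="$expected" '$1=="fpr" && $10==want {found=1} END {exit !found}'; then
        echo "verify_iso: $keyfile holds no key with fingerprint $expected" >&2
        rm -rf "$tmp"; return 1
    fi

    # Step 3: verify, and read gpg's machine-readable status lines instead of
    # relying on the exit code alone (gpg exits 0 for a good signature by ANY
    # key in the keyring, trusted or not).
    status=$(gpg --homedir "$tmp" --batch --status-fd 1 --verify "$sig" "$iso" 2>/dev/null || true)
    rm -rf "$tmp"

    # A VALIDSIG line's last field is the primary key fingerprint; field 3 is
    # the (sub)key that made the signature. Pin on the primary so a release
    # signed with a rotated signing subkey of the same identity still passes.
    printf '%s\n' "$status" | awk -v want="$expected" \
        '$2=="VALIDSIG" && $NF==want {ok=1} END {exit !ok}'
}

# Optional command-line use: sh verify_iso.sh ISO SIGFILE KEYFILE FPR
if [ "$#" -eq 4 ]; then
    verify_iso "$@" && echo "OK: $1 is signed by $4"
fi
```

The step most people skip is the second one: `gpg --import` followed by `gpg --verify` exiting 0 tells you only that the `.asc` matches *some* key you just imported from the same place you got the ISO. Comparing the fingerprint against one recorded elsewhere, and then checking that exact fingerprint in `VALIDSIG`, is what turns "call it good" into an actual check.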


HTTPS is easy because it only provides encryption in transit. It is analogous to opportunistic encryption of SMTP, which is already in widespread use.

Another reason HTTPS is easy is that it uses a centralized trust model, relying on CAs to vet each website.

GPG is neither. It tries to provide encryption at rest, and relies on a web of trust that we cannot reasonably expect everyone to operate securely.
