Pretty Easy Privacy (PEP): Simple email encryption can be so complicated

Pretty Easy Privacy (PEP): Simple email encryption can be so complicated
Pretty Easy Privacy (PEP): Simple email encryption can be so complicated

Glenn Greenwald almost missed the Snowden story because he found PGP / GPG too expensive to set up. GPG, so the alleged reproaches, is complicated, not user-friendly and no longer up-to-date. The obvious solution: PGP in simple and straightforward. It is with this goal in mind that Pep (Pretty Easy Privacy) wants to radically simplify email encryption.

I tried them out and found that instead of living up to their goal, open source encryption software complicates everything, asking GPG users not less but more know-how and undermining hard-won security.

Read More Stories: Forensics: How the blockchain convicts criminals

I have been using GPG since my schooldays and daily. I persuaded friends and acquaintances to use GPG, held workshops, and introduced people to the use of GPG. Every update that I install is checked by GPG using a signature. In short: I am a friend of GPG. However, I did not become a friend of Pep.

Simple chaos

When I first got an encrypted email from a friend a few months ago, whose subject was simply “p≡p” , I was already angry. The friend had flattened his computer, reinstalling Thunderbird and Enigmail, and replaying his GPG keys manually via Enigmail. Since it was already too late: Enigmail ran in junior mode and took over control with Pep. For the established e-mail accounts GPG keys were generated completely automated and without any demand – without password, without expiration date, without everything. After importing the original and self-generated key, Enigmail just kept using the Pep key – and brought the named friend pretty easy to despair.

Google does not support the new YouTube from Microsoft Edge based on Chromium

Pep undermines security

A similar problem also had a club whose club mail address is managed by several people with the same key. Again, the Thunderbird / Enigmail installations of individual users themselves began to generate and use Pep keys for the club email address. The Pep keys were appended to each email sent, after which some recipients began to encrypt their replies to the club with just those Pep keys. The encrypted mails could only read one person at best. In the unfavorable case of another reinstalling, no member of the club was able to approach the contents. The shared encryption of the mail address was gone.

Read More Stories: Fake news has more engagement than real information, study reveals

That Enigmail ran after the reinstallation in junior mode and thus automatically herumpfuscht in their security settings, the software did not tell the club members. They first had to find out what was going on. The deactivation of Pep was at least under Ubuntu anything but easy.

In the Enigmail settings, the junior mode and thus Pep can be deactivated, but under Ubuntu the users are the design settings for the fatal. The individual recruitment riders are not recognizable as such. Only when the tab “Compatibility” has been discovered and the selection of “Automatically decide whether to use junior mode” has been changed to the setting “Use of S / MIME and Enigmail” can GPG be used as usual. Why users have to look for it in the options remains unclear. Many Thunderbird / Enigmail users were also unclear on what each of the options, conspiratorially phrased, meant.

W3C and WHATWG will jointly develop the HTML specification in the future

But that’s not all: Pep also handles the complete key management. In a test, I could cheer Pep any keys.

Trolls with Pep

In order to make e-mail encryption particularly easy for users, Pep takes over the complete key management. Each e-mail sent will be automatically attached to the generated peg key. If the recipient also uses the software, Pep answers automatically with his key. The automatic key exchange is called Pep Handshake. However, not only these handshake keys are accepted, but every key attached to an e-mail.

Read More Stories: YTS and YIFY brought before a US court by film producers

I generate GPG keys for different email addresses with different domain endings and send them as an email attachment to a Thunderbird installation with Enigmail in junior mode. There I open the emails and see – nothing. Unusually, Thunderbird does not even show me that the emails contain an attachment. The keys are literally hidden from the user, but then appear – fully automatically – in the key management of Enigmail and in the key memory of GPG. Even a key for the recipient account, for which Pep has already created keys, is accepted without being asked.

After Wall Street, Alibaba wants to go public in Hong Kong and raise $ 20 billion

If an encrypted email address has already been communicated and a handshake or key exchange has been carried out, Pep will store my underlined keys, but will not use them. For all email addresses that do not, the underlined keys are used. Be it because no key exchange has taken place or because the email address in question does not support encryption with GPG. The user automatically sends unreadable e-mails – encrypted with my keys – to these e-mail addresses.

To a security problem, it may come here only in individual cases, however, Pep is wonderful to troll people.

This robot imitates human writing at a level that makes it difficult to distinguish

However, this automatism can lead to security problems elsewhere: GPG is not only used for encrypting e-mails, but also for signing software. For example, using the signatures before installing a Nextcloud or the Tor browser, you can check whether the software has been infected with a Trojan on the way. Via Pep, users could be subject to fake keys from Nextcloud, the Tor project, or other software projects. If the downloaded software is changed along the way and signed with the fake keys, users could catch malware – even if they have reviewed the software.

Users want to be asked

Key exchange is always a critical point of public-key cryptography, which can be used for example in man-in-the-middle (MitM) attacks. With these, the keys are intercepted and exchanged by both communication partners. Pep does not solve this central problem, but automates it.

Read More Stories: Hacker teenager who invaded Apple servers will not be arrested

In the end, Pep takes a lot of control out of the hand and hardly asks questions. Do you want to use Pep? Do you want to import this key? Pep should ask these questions to users instead of hiding the entire encryption process from them.

Experiments with Dreams: from the Sonic jump to the Metal Gear cameras

In the end Pep does not even reach his original goal. The various operating modes and automatisms do not simplify the life of the user. On the contrary, it confuses them, undermining their choices and thus their safety. In my environment, Pep has done one thing above all: To annoy and unsettle. The joy was usually greatest when the option to disable Pep was found. I have not yet received an intentionally encrypted email with Pep.

Read More Stories: Second-hand laptop Samsung NC10 is for sale for 1.2 million dollars

SHARE
Previous articleForensics: How the blockchain convicts criminals
Next articleHow to prevent iOS iPhone apps from sending your personal info to 3rd parties
Aakash Molpariya
Aakash started in Nov 2018 as a writer at Revyuh.com. Since joining, as writer, he is mainly responsible for Software, Science, programming, system administration and the Technology ecosystem, but due to his versatility he is used for everything possible. He writes about topics ranging from AI to hardware to games, stands in front of and behind the camera, creates creative product images and much more. He is a trained IT systems engineer and has studied computer science. By the way, he is enthusiastic about his own small projects in game development, hardware-handicraft, digital art, gaming and music. Email: aakash (at) revyuh (dot) com

LEAVE A REPLY