PGP 6

software, security, pgp

6, a good number. It is the number of PGP related posts so far on this blog. Recently I was approached by one of the OpenKeychain devs, who wrote about a new Thunderird plugin, called “Autocrypt” (source code). I took a look and I really like it! It is zero-conf, which is the idea behind Autocrypt after all. With some fiddling you can load up your old key. Upon sending, similar to Enigmail but with a clearer icon, you can set the encryption (on or off, overriding a default you can also set) and lookup keys for recipients. It can probe web keys (see Well known) and a recent new sort of key directory, keys.openpgp.org, not SKS. If found, those keys are used and you get a nice green icon. That’s it! And it works, on first try, and reliably, so far. A far cry from my first attempt to setup Enigmail in Thunderbird. The add-on also does not use an external PGP client, so it’s really just a matter of installing the plugin and you’re done!

A little bit on keys.openpgp.org. This directory aims to replace the SKS network, known from URLs such as pgp.mit.edu or keyserver.ubuntu.com. This network has been diagnosed with vulnerabilities to attacks, and is considered obsolete and unsafe by some in the encrypted mail community. Perhaps most concretely, as Autocrypt does not have trustlevels, keys.openpgp.org does away with distributing you signing others keys and such. It is simply a key index: does [email protected] have a public key? Which is, I agree, all most users care about. See also Signal encryption: you’ll communicate through a keypair, and if you really care, you can compare signatures offline. No need for infrastructure around that. Also, I guess in an age of more ephemeral keys, trustlevels are really obsolete.

About OpenKeychain: I tried to use the pEp app on Android for a while, but I stopped doing that in favor of K9mail+OpenKeychain. Yes, it’s slightly more work to setup, but pEp software also encrypts the subject line. Which makes sense of course from a security point of view, but it seems to be an ad-hoc implementation (no mention of subject encryption in the Autocrypt v1 spec). Which means, no other clients or plugins support it and show the placeholder subject which is not very practical. Also, it’s nice to have some compatibility with older users and clients of PGP, and having a clear subject is important I think.

So, if you want to encrypt your mail and you want to do so in an easy manner, I recommend this new Autocrypt plugin in Thunderbird! I’ll trial using Thunderbird alongside Kmail. Thunderbird has other flaws, but perhaps no greater than Kmail at this point. Now I just hope Thunderbird 68 will show up in the Ubuntu repos soon!