Why I Use GnuPG Over PGP
I’ve been catching up on my mail and one list I read [PGP-Basics] has been particularly busy of late. The bulk of this traffic seems to have started in a thread in which somebody wanted to know which PGP version they should use.
Along the way it became something that serves to underscore why I don’t think there’s going to be a wealth of franchise opportunities for selling PGP products anytime soon.
The discussion got around to the fact that PGP v9.x uses a proxy system to automatically sign / encrypt all outgoing messages and to decrypt incoming encrypted messages. The person who brought this into the discussion called it a security flaw.
Following that there was an exchange that seemed to grow more heated as it went along. This person wanted their encrypted messages to remain encrypted after receiving them, but PGP 9.x and its proxy have them decrypted before the mail client ever sees them, and thus they're stored decrypted.
It was made clear that it worked this way because PGP customers want this feature. It was also pointed out that the ability to save messages in decrypted form is one of the most requested features for the Enigmail plugin that allows Thunderbird to make use of GnuPG.
I think that the key factor here is that PGP should make the use of that proxy optional and its behavior should be possible to control via user settings. Sure, they're going to put in default settings that maximize user convenience but at least people who desire to change that behavior could do so.
I agree that automatic decryption is a bad idea. A worse idea is that PGP users are apparently not given a choice. (Note: I’ve never seen PGP 9.x and never will outside of either a video demo, somebody else using it on their computer or from inside a virtual machine.)
All of this is just more good reason to use GnuPG over PGP. Other reasons include: It’s open source, it’s free, it’s written to comply with the OpenPGP standard, and Enigmail stores encrypted messages in encrypted form. I figure if I want a decrypted copy I can decrypt it and save the body text elsewhere.
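To check which of the two storage behaviours described above a mail store actually exhibits, here is an added example (not from the original post or from any of the products named) that classifies stored messages as PGP/MIME ciphertext, inline-armored ciphertext, or plaintext at rest. The function names and the sample messages are constructed for illustration; a "plaintext" result only says the stored copy is readable, not that the message was ever encrypted in transit.

```python
import email
from email import policy

ARMOR = "-----BEGIN PGP MESSAGE-----"

def storage_state(raw: bytes) -> str:
    """Return 'pgp-mime', 'pgp-inline' or 'plaintext' for one stored message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # PGP/MIME (RFC 3156): multipart/encrypted with the pgp-encrypted protocol.
    proto = str(msg.get_param("protocol", "")).lower()
    if msg.get_content_type() == "multipart/encrypted" and proto == "application/pgp-encrypted":
        return "pgp-mime"
    # Inline PGP: an ASCII-armored block inside a text part.
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""  # undoes base64/QP
        if ARMOR in payload.decode("latin-1"):
            return "pgp-inline"
    return "plaintext"

def audit(store: dict) -> dict:
    """Group message names by how their body is stored on disk."""
    report = {"pgp-mime": [], "pgp-inline": [], "plaintext": []}
    for name, raw in store.items():
        report[storage_state(raw)].append(name)
    return report

# Constructed sample store; bodies are placeholders, not real ciphertext.
SAMPLE = {
    "inline.eml": b"""From: a@example.org
Subject: kept encrypted (inline)
Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP MESSAGE-----

(constructed placeholder)
-----END PGP MESSAGE-----
""",
    "mime.eml": b"""From: a@example.org
Subject: kept encrypted (PGP/MIME)
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(constructed placeholder)
-----END PGP MESSAGE-----
--b1--
""",
    "decrypted.eml": b"""From: a@example.org
Subject: stored readable
Content-Type: text/plain; charset=us-ascii

Body text readable by anything that can open the mail store.
""",
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

To run it over a real store, pass each message's raw bytes (for example from Python's `mailbox.mbox`, using `as_bytes()` on each message) to `storage_state`.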








