PGP Appears to Suck
Well, it's official. It looks like newer versions of PGP are just going to suck and there's nothing you can do about it. Their ridiculous new email (sorry - messaging) system is here to stay. The official word from a posting by Earle Lowe, a Dev Manager at PGP from June 11, 2006:

"Obviously there is a philosophical (and fundamental) disagreement about the nature of email encryption. The current technology was felt as clearly the best path forward for PGP as a software product. It solves numerous issues with integrating into the various email applications that people want to use. It supports PGP/MIME. It supports centralized policy management. It enables a much simpler experience for the user (we have not yet achieved this obviously). The list continues.

"The way you want PGP to work where you actually see the ciphertext was and continues to be simply not possible in any number of email clients. The old architecture was neither maintainable nor extensible. As an example, Outlook Express, for all its obvious faults is a popular email client. Prior to PGP 9, the PGP rip-in for this email client was a significant amount of tricky code requiring substantial developer expertise (and was prone to break frequently - particularly with MS updates). PGP 9, on the other hand, has zero specialized code to handle Outlook Express."

OK - I can completely understand the problems with keeping up with email clients. It's a pain in the butt. But removing security so it's easier for the end user? What a dumb statement. Why not just remove all encryption from the product? That will make it even easier. In fact, this is basically what they have now anyhow.

Their craptastic "easy to use" messaging proxy defaults to settings so you don't have to change anything in your email client to make it work. Seems like a convenient feature. All emails could be encrypted/signed on their way out. Except if the proxy ever fails, that email you just sent doesn't get encrypted - it just gets sent because your mail client doesn't know the difference. It just uses the same old settings it always did. This failure mode is completely unacceptable. I can't even believe they offer this as an option. Dumber than hell.

The really screwed up part about this is that their proxy does fail for non-obvious reasons, mostly because it's a pain in the ass to set up and get working properly, even with their auto detection running. In my case, emails from one account went out signed, another didn't - all because my SMTP port wasn't something they were expecting and were trapping (and there is no way to change this either, apparently.)
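
The fail-open behaviour described above, turned around as an added example (not from the original post, PGP or GPG): a send-side gate that refuses to pass a message on unless it already carries PGP wrapping. The function names, the `send` callback and the sample messages are assumptions constructed for illustration; the check is structural and verifies no cryptography.

```python
import email
from email import policy

class NotProtectedError(Exception):
    """Raised instead of sending when a message lacks the required PGP wrapping."""

def protection_of(raw: bytes) -> str:
    """Classify an RFC 5322 message as 'encrypted', 'signed' or 'none'.

    Structural check only: it looks for the PGP/MIME content type (RFC 3156)
    or an inline armor header at the start of a body part.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    ctype = msg.get_content_type()
    proto = str(msg.get_param("protocol") or "").lower()
    if ctype == "multipart/encrypted" and proto == "application/pgp-encrypted":
        return "encrypted"
    if ctype == "multipart/signed" and proto == "application/pgp-signature":
        return "signed"
    for part in msg.walk():  # fall back to inline ASCII armor in leaf parts
        if part.is_multipart():
            continue
        body = (part.get_payload(decode=True) or b"").lstrip()
        if body.startswith(b"-----BEGIN PGP MESSAGE-----"):
            return "encrypted"
        if body.startswith(b"-----BEGIN PGP SIGNED MESSAGE-----"):
            return "signed"
    return "none"

def submit(raw: bytes, accept: set, send) -> str:
    """Fail closed: call send(raw) only if the message's protection is in accept."""
    level = protection_of(raw)
    if level not in accept:
        raise NotProtectedError(f"refusing to send: protection is {level!r}")
    send(raw)
    return level

# Constructed sample messages (placeholder bodies, not real ciphertext).
HDRS = b"From: a@example.org\r\nTo: b@example.org\r\nSubject: test\r\n"
PLAIN = HDRS + b"\r\nthe proxy never touched this\r\n"
INLINE_SIGNED = (HDRS + b"\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\n"
                 b"Hash: SHA256\r\n\r\nhello\r\n")
PGP_MIME = (HDRS + b"MIME-Version: 1.0\r\nContent-Type: multipart/encrypted;"
            b' protocol="application/pgp-encrypted"; boundary="x"\r\n\r\n'
            b"--x\r\nContent-Type: application/pgp-encrypted\r\n\r\nVersion: 1\r\n"
            b"--x\r\nContent-Type: application/octet-stream\r\n\r\n"
            b"(placeholder)\r\n--x--\r\n")
```

Placed as the last step before SMTP submission, a gate like this turns a silently skipped proxy into a visible send error instead of a plaintext email.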

My advice? Don't even think to use this hunk of junk for email on the Mac (or anywhere else for that matter.) It's not worth it. Stick to using GPG. It actually does the right thing, despite lacking the nice key management front end. I didn't even test anything else in their software. What other crap doesn't work or is broken in non-obvious ways?

I feel sorry for all those n00bs out there running this crap and thinking they are secure in any way.

Update: I posted to their forums about these concerns. Despite tons of "views" no one has answered. Based on the posts they actually answer on their forums, it looks like their target market has changed to be those customers who think running something called "PGP" magically makes them secure.

Posted: Thu - July 20, 2006 at 09:21 AM