[dublinclontarf]

You know, I have GPG, a public key that's on a key server, I also have it attached to all my emails, for about the last two years. And I have yet to receive a single encrypted email, even from techies.

I want to use it but that means someone else has to be using it also.

On a related note, I was chatting to a friend the other week, and he was using Off The Record(it's encryption of IM), now I had gone to the trouble to install it on my machine but he was using Adium and it came default, he didn't even know he was using it. Good job Adium.

Cryptography has failed.

[oakenshield]

It's not that cryptography has failed; it's more that the web-using public is largely ignorant and unaware what security or cryptography means. They think in real-life analogues: a random person on the street hears me talking to my friend outside my house about my weekend plans. Not a big deal, because (1) that random person didn't hear every single word, (2) we'd see if they were eavesdropping too closely, and (3) no human can remember every last detail of speech they hear. Unfortunately, an eavesdropper on the wire can do all this and more, but people don't seem to understand.

I think the right way to go is for providers make strong cryptography standard (like your Adium example). The current GPG usage model and its integration with email is poorly executed, and most of the web-using public won't care to learn how it works let alone create key pairs. The only thing the public at large can understand is secrecy of social communication. I await the day Facebook or Google start automatically generating and managing keys, and encrypting communication between users based on their social connections.

[tptacek]

You mean, except for every time you've ever visited an SSL-protected website?

[dublinclontarf]

Have you not been keeping up on the whole SSL web of trust breaking down recently?

[tptacek]

Hold on. Let me go check the Hacker News archives at SearchYC to see what the last story was that could have convinced you that the SSL "web of trust" (note: SSL doesn't have a "web of trust") has broken down. Gimme a sec...

... ok, back. So, what you're saying is:

* Mozilla shipping a stale RSA-owned certificate shows that SSL has "broken down", and/or

* Kurt Seifreid allegedly managing to get RapidSSL to issue a cert for "a webmail provider" by signing up for the account "ssladmin" shows that SSL has "broken down".

Gotcha. Have you considered asking the banks, retail brokerages, and trading exchanges to stop relying on SSL, because it's so clearly broken?

I'm sorry for the sarcastic response, but this faux controversy gets tiring.

[DenisM]

this faux controversy gets tiring

Just be glad you're not in vaccination business. ;-)