Hardware Reference
In-Depth Information
Reflecting on the Crypto Wars
Zimmerman's battle is considered a resilient victory. Many other outspoken supporters of
strong cryptography, known as
cypherpunks
, also won battles popularizing and spreading
encryption technology. But if the Crypto Wars were won in the early nineties, why hasn't
cryptography become ubiquitous? Well, to a degree, it has. When you make purchases on-
line, it should be protected by strong cryptography. Almost nobody would insist that their
bank or online store
not
use cryptography and most probably feel more secure that they do.
But what about personal privacy protecting software? For these tools, habits must change
as the normal e-mail, chat, and web browsing tools are insecure by default. This change
causes tension and resistance towards adoption.
Also, security tools are notoriously hard to use. In the seminal paper on security usability,
researchers conclude that the then PGP version 5.0, complete with a
Graphical User In-
terface
(
GUI
), was not able to prevent users, who were inexperienced with cryptography
but all of whom had at least some college education, from making catastrophic security er-
rors (Whitten 1999). Glenn Greenwald delayed his initial contact with Edward Snowden
for roughly two months because he thought GPG was
too complicated
to use (Greenwald,
2014). Snowden absolutely refused to share anything with Greenwald until he installed
GPG.
GPG and PGP enable an individual to protect their own communications. Implicitly, you
must also trust the receiving party not to forward your plaintext communication. GPG ex-
pects you to protect your private key and does not rely on a third party. While this adds
some complexity and maintenance processes, trusting a third party with your private key
can be disastrous. In August of 2013, Ladar Levison decided to shut down his own com-
pany, Lavabit, an e-mail provider, rather than turn over his users' data to the authorities.
Levison courageously pulled the plug on his company rather then turn over the data.
The Lavabit service generated and stored your private key. While this key was encrypted to
the user's password, it still enabled the server to have access to the raw key. Even though
the Lavabit service alleviated users from managing their private key themselves, it enabled
the awkward position for Levison. To use GPG properly, you should never turn over your
private key. For a complete analysis of Lavabit, see Moxie Marlinspike's blog post at
ht-
Given the breadth and depth of state surveillance capabilities, there is a re-kindled interest
in protecting one's privacy. Researchers are now designing secure protocols, with these
threats in mind (Borisov, 2014). Philip Zimmerman ended the chapter on
Why Do You
