This thread in Source­Forge sug­gests that the GPG­Mail plu­gin, needed to inte­grate GPG with Apple Mail, has found a new devel­oper who is updat­ing it to work with Snow Leop­ard. This is good news, as PGP is once again insist­ing that they will not update their own Mail plugin–they really want to force their cus­tomers into using their hor­ri­bly crappy encrypt­ing proxy, which is some­thing I cer­tainly won’t do.

After try­ing it for three weeks with­out prob­lems, I bought the lat­est ver­sion of PGP Desk­top Pro­fes­sional, which includes whole disk encryp­tion. Both my Mac­Book Pro’s inter­nal hard drive and the exter­nal drive I use for Time Machine back­ups have got­ten along with it just fine, even through the sys­tem update to 10.5.7. For the most part there’s no notice­able impact on per­for­mance, but then my lap­top doesn’t do any­thing really disk intensive–all my pho­tog­ra­phy work hap­pens on a dif­fer­ent com­puter which I will not be encrypt­ing. There did seem to be a slow­down in Time Machine back­ups, but that’s not an area where per­for­mance is really rel­e­vant. I would really pre­fer to use True­Crypt, but as it cur­rently can only do whole disk encryp­tion on Win­dows (where I have been using it for some time), that wasn’t an option.

The rest of the PGP Desk­top pack­age gets a mixed review. I had looked at PGP last sum­mer and dis­missed it as unac­cept­able because of the hor­ri­bly designed proxy it relies on for encrypt­ing email, but this time around I dis­cov­ered that there is also an offi­cially unsup­ported plu­gin avail­able for Mail. The plu­gin works the same way as the GPG­Mail plu­gin, but with fewer fea­tures. This is not sur­pris­ing, as they have the same author. Appar­ently some brain­less prod­uct man­ager at PGP Cor­po­ra­tion had decided to kill the plu­gin (pre­sum­ably to force users into using their worth­less proxy), and it was brought back by pop­u­lar demand.

Since the last time I looked at PGP, it’s lost the abil­ity to com­mu­ni­cate with pub­lic key servers other than the one actu­ally run by PGP Cor­po­ra­tion, which very few peo­ple use. Accord­ing to a thread on the PGP sup­port forum, the devel­op­ers know about this bug and just don’t care about fix­ing it. Well, nobody will ever accuse the PGP Cor­po­ra­tion of hav­ing good cus­tomer ser­vice or QA! For­tu­nately the key­servers have web inter­faces so the prob­lem can be worked around as long as you’re using the “unsup­ported” Mail plu­gin. Any­one fool­ish enough to use the proxy will be out of luck, though.

I ulti­mately decided to switch from GPG to PGP for my email needs, at least for the moment, because while both of them have huge prob­lems on the Mac, PGP’s refusal to work with key­servers that aren’t owned by the PGP Cor­po­ra­tion is less of a prob­lem than the hideously unus­able key­chain man­age­ment that GPG inflicts.

In light of the recent news about SHA-1, I decided to replace my ten year old work PGP key.

This was posted on the PGP-Basics mail­ing list by Robert J. Hansen:

Some researchers are claim­ing they’ve been able to make the Sheng­dong
Uni­ver­sity attack on SHA-1 a fac­tor of about 2000 times eas­ier. If
their research is cor­rect, that means SHA-1 is now attack­able by reg­u­lar
people.

These results are not unex­pected. We knew this day would come. For the
last cou­ple of years most crypto nerds have been strongly rec­om­mend­ing
peo­ple either migrate away from SHA-1 imme­di­ately, or at the very least
have a migra­tion plan put together.

If you have already migrated — then you may ignore this development.

If you have not — then it is increas­ingly urgent you do so.

Orig­i­nal URL:

http://eurocrypt2009rump.cr.yp.to/837a0a8086fa6ca714249409ddfae43d.pdf

Review: PGP Whole Disk Encryp­tion for Mac OS X [Paul Sta­ma­tiou]

Another good review. This one doesn’t men­tion Time Machine, but goes into more detail on cold boot attacks.

Secur­ing Your Disks with PGP Whole Disk Encryp­tion [Tid­BITS: Mac News for the Rest of Us]

A gen­er­ally good review of the new PGP disk encryp­tion soft­ware, but I do see a cou­ple of prob­lems. First, the author only hints at how it works with Time Machine, which is an area of inter­est to me. In the­ory it should be fine (although obvi­ously you’d need to encrypt Time Machine’s backup vol­ume too), but when it comes to soft­ware com­pat­i­bil­ity the­ory and prac­tice often diverge.

Sec­ond, the author says that it’s a “lim­i­ta­tion” that PGP Whole Disk Encryp­tion only secures your data when the com­puter is off, and not just while it’s asleep. I con­sider that a nec­es­sary func­tion, not a lim­i­ta­tion. Because it’s entirely pos­si­ble to recover sen­si­tive data (such as the passphrase for the hard drive) from a “sleep­ing” computer’s mem­ory, claim­ing to encrypt when a com­puter is put to sleep would only be pro­vid­ing a false sense of security.

I’m inter­ested in this prod­uct for my own use, but given PGP, Inc.‘s rather spotty record to date (they’ve man­aged to ren­der their main PGP prod­uct unus­able in the name of usabil­ity improve­ments), I’m wait­ing for a while to be sure that there aren’t any hid­den problems.

How To Talk So The Gov­ern­ment Can’t Lis­ten. Part 1: how to encrypt your e-mail in Gmail with GPG (for use with Gmail or other web mail inter­faces on Fire­fox in Win­dows) [Rad Geek People’s Daily]

A good detailed tuto­r­ial on how to use GPG to pro­tect your email within Gmail. The parts deal­ing with key man­age­ment are Windows-specific–the state of Mac sup­port for GPG is con­sid­er­ably infe­rior and Linux sup­port (at least in the Ubuntu dis­tri­b­u­tion) is bet­ter, but the details are different.