Ciphire, A Transparent, Easy PGP Alternative
mixter writes "Hi. I'd like to point your attention to Ciphire, a fully free and soon-to-be-audited-OpenSource 'Global PKI' project I've been working on for the last three years. As the first three or four thousand geeks started using Ciphire and seem happy, with some tech articles written, I guess the /. community might find this interesting, too. Ciphire hopes to have solved the problems that prevented PGP from a broader deployment, with even higher security standards - as already confirmed by crypto experts Housley & Ferguson. More useful information, e.g. in Wired or in the Nerd^H^H^H^Hexperts FAQ."
Methodology for open sourcing it (Score:2, Interesting)
Q: Are you going to publish your source code?
A: Yes. Once the code is stable and we've had independent code audits, we'll publish the source code.
Hmm, I wonder if this practice is popular among wanna-be open-source security projects. For a regular software project, I'd expect the normal cycle to be: open source it, gather feedback, improve it, and then repeat the cycle.
However, they seem to do it in another order. Is this due to the fact that it's a security product? I don't see why they would do things differently, because as far as I understand it's still an "under construction" project for "testing purposes" without any implied guarantees. More eyes on the source earlier means sooner quality product delivery.
Re:Useless... (Score:3, Interesting)
- no source code
- no free
But the others
- not standards compliant
- GNUPG exists
are not really valid. First off, tell me. Which standards does PGP [or SSH and SSL for that matter] follow? They ALL started off as homebrew projects.
Maybe this format/protocol has improvements over PGP. [probably doesn't
As for the fact that PGP/GNUPG exists... PGP is really just bloatware and have you seen the GNUPG source code? It's really a nightmare and the maintainers [... Koch] are close-minded little SOBs. They don't want to make the code more readable or maintainable. So long as it runs, who cares, right?
Tom
I'll stick to GPG and SSH protocols, thank you. (Score:5, Interesting)
1) Another 'works perfectly program with WinXp, WinXX, etc.' that claims it will also support Linux/xBSD with no catches....where have I heard that one before?
2) Another Certificate-laden protocol in the footsteps of SSL. (i.e. - you can have security if you pay us the megabucks for that 3 month term Certificate, but ignore those Certificates easily faked, etc.) I wish SSL would die instead of being a Certificate money-making machine.
3) Another program that promises it will do everything SSH already does without the certificates....just buy a certificate to make Ciphire work.
Re:yeah right... (Score:3, Interesting)
Re:yeah right... (Score:2, Interesting)
all computers should be sold with hardware and software firewalls, and pgp or a pgp-like app built in. i wondered where phil zimmermann was (creator of pgp) and it's good to see he's still around. here's a quote from his homepage where he's asked about backdoors in pgp:
"Q: Are there any back doors in PGP? Come on, you can tell me, I won't tell anyone.
A: No. There never have been, and never will be, at least as long as I am associated with the product. I didn't go through all this trouble just to see my product become corrupted. Besides, we publish the source code, so you can check it yourself."
http://www.philzimmermann.com/EN/faq/index.html [philzimmermann.com]
i knew there was a reason i trusted phil when i used pgp. and am glad to see he's still at it, and urge anyone who's not using it, to start.
Re:GPG? (Score:1, Interesting)
Call me paranoid (Score:1, Interesting)
A: By some very unusual business angels. For the time being they wish to sit in the background."
and "Our commitment is to publish the source before the end of 2005, hopefully sooner than later."
I'd like to know if the "business angels" are, in fact, certain agencies of the government. That would be clever. Let everybody use the so-called encryption that only they can break, and then, after they've caught all the "subversives", they never release the source code. Gotcha!
After the source is released, and after everybody has had a chance to see it, then I might think about using it.
Re:Why not just use enigmail with Thunderbird? (Score:2, Interesting)
Re:S/MIME, anyone? (Score:3, Interesting)
Generating and installing your own certificate is, well, not complicated, but too much hassle for a naive user. You have to find the right function on thawte's website, enter all sorts of personal data, add and confirm your e-mail addresses, request a key and pick the right certificate type, and so on.
And in my experience, this is somewhat difficult to do on Windows for non-techie users. It's easier on the Mac, as usual. So that's where Ciphire is so much easier.
local email proxies are evil (Score:1, Interesting)
"The Ciphire Mail client resides on your computer, between your email client and your email server, transparently encrypting/decrypting and digitally signing your email communication."
This is good in theory, but bad in practice. I used to do front-line tech support for a small ISP. The vast majority of issues regarding checking mail (esp. "no socket" errors from the mail client) involved local email anti-virus proxies from pretty much every vendor at some point. This includes so-called "transparent" proxies popular now from Symantec (and I think McAfee as well), and ones you had to reconfigure your mail client for (like PC-Cillin, I believe). In all cases I saw, the proxies appeared to be configured correctly, they just went into "mumble" mode and refused to pass the traffic through them, even after a reboot. It happened more times than I can count.
So, in summary, concept good, but execution (on Windows, at least) will ultimately (most likely) be a hassle for the end-user.