Forgot your password?
typodupeerror
Encryption Communications Privacy Security IT

Ciphire, A Transparent, Easy PGP Alternative 345

Posted by timothy
from the not-just-translucent dept.
mixter writes "Hi. I'd like to point your attention to Ciphire, a fully free and soon-to-be-audited-OpenSource 'Global PKI' project I've been working on for the last three years. As the first three or four thousand geeks started using Ciphire and seem happy, with some tech articles written, I guess the /. community might find this interesting, too. Ciphire hopes to have solved the problems that prevented PGP from a broader deployment, with even higher security standards - as already confirmed by crypto experts Housley & Ferguson. More useful information, e.g. in Wired or in the Nerd^H^H^H^Hexperts FAQ."
This discussion has been archived. No new comments can be posted.

Ciphire, A Transparent, Easy PGP Alternative

Comments Filter:
  • by vladd_rom (809133) on Sunday January 23, 2005 @11:52AM (#11447848) Homepage
    From https://www.ciphirebeta.com/about/facts.html :

    Q: Are you going to publish your source code?
    A: Yes. Once the code is stable and we've had independent code audits, we'll publish the source code.

    Hmm, I wonder if this practice is popular among wanna-be open-source security projects. For a regular software project, I'd expect the normal cycle to be: open source it, gather feedback, improve it, and then repeat the cycle.

    However, they seem to do it in another order. Is this due to the fact that it's a security product? I don't see why they would do things differently, because as far as I understand it's still an "under construction" project for "testing purposes" without any implied guarantees. More eyes on the source earlier means sooner quality product delivery.
  • Re:Useless... (Score:3, Interesting)

    by tomstdenis (446163) <tomstdenis.gmail@com> on Sunday January 23, 2005 @11:54AM (#11447864) Homepage
    Hold on there. Some valid complaints

    - no source code
    - no free

    But the others

    - not standards compliant
    - GNUPG exists

    are not really valid. First off, tell me. Which standards does PGP [or SSH and SSL for that matter] follow? They ALL started off as homebrew projects.

    Maybe this format/protocol has improvements over PGP. [probably doesn't ... but who knows].

    As for the fact that PGP/GNUPG exists... PGP is really just bloat ware and have you seen the GNUPG source code? It's really a nightmare and the maintainers [... Koch] are close minded little SOBs. They don't want to make the code more readable or maintainable. So long as it runs who cares right?

    Tom
  • by Spicerun (551375) <spicerunNO@SPAMgmail.com> on Sunday January 23, 2005 @11:59AM (#11447887)
    Gee, why I'm not enthralled with Ciphire protocols:

    1) Another 'works perfectly program with WinXp, WinXX, etc.' that claims it will also support Linux/xBSD with no catches....where have I heard that one before?

    2) Another Certificates laden protocol in the footsteps of SSL. (ie - you can have security if you pay us the megabucks for that 3 month term Certificate, but ignore those Certificates easily faked, etc.) I wish SSL would die instead of being a Certificate money making machine.

    3) Another program that promises it will do everything SSH already does without the certificates....just buy a certificate to make Ciphire work.
  • Re:yeah right... (Score:3, Interesting)

    by anaradad (199058) <chris.shaffer@nOspaM.gmail.com> on Sunday January 23, 2005 @12:02PM (#11447909)
    Of course it matters. Outlook is the "approved" mail client at my work and throughout the business and educational world. If this program isn't installed by the Exchange admin or desktop support, it won't be used. Even if I wanted to use it at work, I couldn't.
  • Re:yeah right... (Score:2, Interesting)

    by dmancity (852553) on Sunday January 23, 2005 @12:11PM (#11447959) Homepage
    all the more reason not to use either and instead to enhance your own security.

    all computers should be sold with hardware and software firewalls, and pgp or a pgp like app built in. i wondered where phil zimmerman was (creator of pgp) and its good to see he's still around. here's a quote from his homepage where he's asked about backdoors in pgp:

    "Q: Are there any back doors in PGP? Come on, you can tell me, I won't tell anyone.

    A: No. There never have been, and never will be, at least as long as I am associated with the product. I didn't go through all this trouble just to see my product become corrupted. Besides, we publish the source code, so you can check it yourself. "

    http://www.philzimmermann.com/EN/faq/index.html [philzimmermann.com]

    i knew there was a reason i trusted phil when i used pgp. and am glad to see he's still at it, and urge anyone whos not using it, to start.

  • Re:GPG? (Score:1, Interesting)

    by Anonymous Coward on Sunday January 23, 2005 @12:33PM (#11448084)
    learn to READ, it works with ANY email program, it is a proxy.
  • Call me paranoid (Score:1, Interesting)

    by Anonymous Coward on Sunday January 23, 2005 @12:44PM (#11448147)
    "Q: How are you financed?
    A: By some very unusual business angels. For the time being they wish to sit in the background."


    and "Our commitment is to publish the source before the end of 2005, hopefully sooner than later."

    I'd like to know if the "business angels" are, in fact, certain agencies of the government. That would be clever. Let everybody use the so-called encryption that only they can break, and then, after they've caught all the "subversives", they never release the source code. Gotcha!

    After the source is released, and after everybody has had a chance to see it, then I might think about using it.
  • by harky77 (852564) on Sunday January 23, 2005 @01:11PM (#11448314)
    normal people don't know how to do key-exchanges...that's why, and that won't go away with Enigmail.....though if you automate the key exchanges you have to trust the stupid central server, like the pgp keyserver. They are talking about a novel concept, the fingerprint system. That is supposed to prevent abuse by the central authority. If this is really true, then this would be a BIG improvement. You can find that system explained in their report. harky
  • Re:S/MIME, anyone? (Score:3, Interesting)

    by davids-world.com (551216) on Sunday January 23, 2005 @02:05PM (#11448618) Homepage
    For S/MIME, you'll need to retrieve the recipients public key (i.e. certificate) first, which you usually to by receiving a signed e-mail from that person. From then on, everything is easy and, honestly, more conventient than using a GPG plugin with your mail client, because mail clients support S/MIME natively.

    Generating and installing your own certificate is, well, not complicated, but too much hassle for a naive user. You have to find the right function on thawte's website, enter all sorts of personal data, add and confirm your e-mail addresses, request a key and pick the right certificate type, and so on.

    And in my experience, this is somewhat difficult to do on Windows for non-techie users. It's easier on the Mac, as usual. So that's where Ciphire is so much easier.
  • by Anonymous Coward on Sunday January 23, 2005 @05:57PM (#11450164)
    From Ciphire's description page:

    "The Ciphire Mail client resides on your computer, between your email client and your email server, transparently encrypting/decrypting and digitally signing your email communication."

    This is good in theory, but bad in practice. I used to do front-line tech support for a small ISP. The vast majority of issues regarding checking mail (esp. "no socket" errors from the mail client) involved local email anti-virus proxies from pretty much every vendor at some point. This includes so-called "transparent" proxies popular now from Symantec (and I think McAfee as well), and ones you had to reconfigure your mail client for (like PC-Cillin, I believe). In all cases I saw, the proxies appeared to be configured correctly, they just went into "mumble" mode and refused to pass the traffic through them, even after a reboot. It happened more times than I can count.

    So, in summary, concept good, but execution (on Windows, at least) will be ultimately (most likely) be a hassle for the end-user.

Today's scientific question is: What in the world is electricity? And where does it go after it leaves the toaster? -- Dave Barry, "What is Electricity?"

Working...