@mimoo
Last active January 2, 2020 12:57
End-to-end encryption

Timeline

  • 1981 - RFC 788 - Simple Mail Transfer Protocol (SMTP) is published, the standard for email is born.
  • 1991 - The US government introduces the 1991 Senate Bill 266, which attempts to allow "the Government to obtain the plain text contents of voice, data, and other communications when appropriately authorized by law" from "providers of electronic communications services and manufacturers of electronic communications service equipment". The bill fails to pass into law.
  • 1991 - Pretty Good Privacy (PGP) - released by Phil Zimmermann.
  • 1993 - The US Government launches a criminal investigation against Phil Zimmermann for sharing a cryptographic tool with the world (cryptography export laws are in force at the time).
  • 1995 - Zimmermann publishes PGP's source code in a book via MIT Press, dodging the criminal investigation by using the First Amendment's protection of books.
  • 1995 - The RSA Data Security company proposes S/MIME as an alternative to PGP.
  • 1996 - The criminal investigation against Zimmermann and PGP is dropped.
  • 1996 - PGP Inc is founded by Zimmermann; PGP becomes licensed software.
  • 1996 - RFC 1991 - PGP Message Exchange Formats
  • 1997 - GNU Privacy Guard (GPG) - version 0.0.0 released by Werner Koch.
  • 1997 - PGP 5 is released.

    The original agreement between Viacrypt and the Zimmermann team had been that Viacrypt would have even-numbered versions and Zimmermann odd-numbered versions. Viacrypt, thus, created a new version (based on PGP 2) that they called PGP 4. To remove confusion about how it could be that PGP 3 was the successor to PGP 4, PGP 3 was renamed and released as PGP 5 in May 1997

  • 1997 - PGP Inc is acquired by Network Associates
  • 1998 - RFC 2440 - OpenPGP Message Format

    OpenPGP - This is a definition for security software that uses PGP 5.x as a basis.

  • 1999 - GPG version 1.0 released
  • 1999 - Extensible Messaging and Presence Protocol (XMPP) is developed by the open source community. XMPP is a federated chat protocol (users can run their own servers) that does not have end-to-end encryption and requires communications to be synchronous (both users have to be online).
  • 2002 - PGP Corporation is formed by ex-PGP members and the PGP license/assets are bought back from Network Associates
  • 2004 - Off-The-Record (OTR) is introduced by Nikita Borisov, Ian Avrum Goldberg, and Eric A. Brewer as an extension of the XMPP chat protocol in "Off-the-Record Communication, or, Why Not To Use PGP"

    We argue that [...] the encryption must provide perfect forward secrecy to protect from future compromises [...] the authentication mechanism must offer repudiation, so that the communications remain personal and unverifiable to third parties

  • 2006 - GPG version 2.0 released
  • 2007 - RFC 4880 - OpenPGP Message Format
  • 2010 - Symantec purchases the rights for PGP for $300 million.
  • 2011 - Cryptocat is released.
  • 2013 - The TextSecure (now Signal) application is introduced, built on top of the TextSecure protocol with Axolotl (now the Signal protocol with the double ratchet) as an evolution of OTR and SCIMP. It provides asynchronous communication unlike other messaging protocols, closing the gap between messaging and email.
  • 2014 - Matrix is introduced as a modern alternative to XMPP.
  • 2014 - Matthew Green - What’s the matter with PGP?

    It’s time for PGP to die.

  • 2015 - XMPP gets end-to-end encryption with the OMEMO extension (which re-uses the Signal protocol)
  • 2015 - SoK: Secure Messaging
  • 2015 - Moxie - GPG and me

    In the 1990s, I was excited about the future, and I dreamed of a world where everyone would install GPG. Now I’m still excited about the future, but I dream of a world where I can uninstall it. In addition to the design philosophy, the technology itself is also a product of that era. As Matthew Green has noted, “poking through an OpenPGP implementation is like visiting a museum of 1990s crypto.” The protocol reflects layers of cruft built up over the 20 years that it took for cryptography (and software engineering) to really come of age, and the fundamental architecture of PGP also leaves no room for now critical concepts like forward secrecy. In 1997, at the dawn of the internet’s potential, the working hypothesis for privacy enhancing technology was simple: we’d develop really flexible power tools for ourselves, and then teach everyone to be like us. Everyone sending messages to each other would just need to understand the basic principles of cryptography. [...] The GnuPG man page is over sixteen thousand words long; for comparison, the novel Fahrenheit 451 is only 40k words. [...] Worse, it turns out that nobody else found all this stuff to be fascinating. Even though GPG has been around for almost 20 years, there are only ~50,000 keys in the “strong set,” and less than 4 million keys have ever been published to the SKS keyserver pool ever. By today’s standards, that’s a shockingly small user base for a month of activity, much less 20 years.

  • 2016 - Messaging Layer Security (MLS) IETF working group is started to standardize an end-to-end encrypted group chat protocol.
  • 2016 - I'm giving up on PGP

    All in all, I should be the perfect user for PGP. Competent, enthusiast, embedded in a similar community. But it just didn't work.

  • 2016 - WhatsApp now uses the Signal protocol, adding end-to-end encryption for its billions of users.
  • 2018 - EFAIL discloses damaging vulnerabilities affecting most popular PGP and S/MIME implementations.

    In a nutshell, EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs. To create these exfiltration channels, the attacker first needs access to the encrypted emails, for example, by eavesdropping on network traffic, compromising email accounts, email servers, backup systems or client computers. The emails could even have been collected years ago.

  • 2019 - Latacora - The PGP Problem

    Why do people keep telling me to use PGP? The answer is that they shouldn’t be telling you that, because PGP is bad and needs to go away.
