|
|
Subscribe / Log in / New account

GnuPG 2.2.23 released, fixing a critical security flaw

GnuPG 2.2.23 released, fixing a critical security flaw

Posted Sep 3, 2020 18:35 UTC (Thu) by cyperpunks (subscriber, #39406)
Parent article: GnuPG 2.2.23 released, fixing a critical security flaw

If the code is half as complex as the ui I would not be surprised.

Why must security software be this incredible difficult to use?

to post comments

GnuPG 2.2.23 released, fixing a critical security flaw

Posted Sep 3, 2020 21:00 UTC (Thu) by aheinecke (subscriber, #93141) [Link]

Heyo, I'm the frontend designer since 2015. Yes lots of old baggage but we really try to design our Frontends for users withough prexisting knowledge. For example I've redesigned the File Encryption GUI to work like a MUA with the Certificate Storage as the Addressbook.

Anything concrete you find too complicated? Issues at https://dev.gnupg.org are appreciated.

About usability of security software

Posted Sep 8, 2020 8:47 UTC (Tue) by ber (subscriber, #2142) [Link] (1 responses)

Note that GnuPG is the crypto engine, it has to be versatile. And the number of function points needed for cryptography that can be used a few years is large. New algorithms and methods are added, while elder ones still have to be supported. And GnuPG wants to be interoperable with other implementations.

As for the usability: if approaches like the web key directory (https://wiki.gnupg.org/WKD) are used, it is possible to have a much improved user experience which retains many security properties while acting automatic in most situations. Of course more clients, like email clients, need to support it, just like email providers. At the rate of the adoption, you can see the market pressure (low, many people are unwilling to pay more for security in this area).

But there is also a general catch with security (not just in IT): In case of attacks there must be a possibility for humans to defend their assets and to take decisions depending on their security needs. There is no way around this aspect involving thinking and some training. All software products can only support it so much by being informative as good as they can.

Regards,
Bernhard
(Who is part of the GnuPG/Gpg4win team and has been involved designing WKD a few years ago.)

About usability of security software

Posted Sep 12, 2020 9:23 UTC (Sat) by flussence (guest, #85566) [Link]

This is what I guess causes most of the complaints:
> ~ $ gpg --<tab><tab>
>Display all 397 possibilities? (y or n)

GnuPG is cathedral software: it requires dedication and knowledge investment/upkeep to understand and use effectively, or else you have to trust someone else to get all that right and abstract it away out of sight for you (leading to horrors like Keybase), with no in-between.

Most other CLI tools that try to cover as much ground (see most VCSes, build systems, graphicsmagick, openssl) shape their user interface into tiers of binaries or subcommands, so that users can tune out the parts they don't need to get things done. Maybe if gpg had something more like those it would see higher usage.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds