Editing 1181: PGP

Latest revision | Your text
Line 8: Line 8:
  
 
==Explanation==
 
==Explanation==
{{w|Pretty Good Privacy|PGP}} (Pretty Good Privacy) is a program which can be used to encrypt and/or sign data, including messages sent as emails. Encrypting means encoding data in a way that requires a secret key to decrypt and read; signing means that there is a code included in the data which can be used to verify the identity of the sender and that the data has not been altered in transit.
+
{{w|Pretty Good Privacy|PGP}} (or {{w|GNU_Privacy_Guard|GnuPG}} for the free, open-source version) is a program which can be used to encrypt and sign data, including messages sent as emails. It is often used in combination with email software extensions, such as [http://www.enigmail.net/home/index.php Enigmail] (for Thunderbird). Encrypting the message prevents anybody who does not have the decryption key from reading it. Signing the message means that the message can be verified as unaltered, provided the reader actually checks the message against the signature. People who use such a program typically only use the feature to sign the message, since encrypting it (which is what would give you the privacy) requires that the recipient already be a PGP user. Hence the irony here: nobody actually verifies the "signature" either, but people feel secure because the message appears to be signed.
  
In the case of the email in this comic, it has only been signed, not encrypted (hence the top of the first line of text can be seen and is legible in normal English). This is more common than encryption, as reading an encrypted message would require the recipient to already be a PGP user. In fact, the use of PGP even to sign email messages is so rare that most people have probably never seen a signed message. Because a signed email is so rare, and because it is already legible and unencrypted, [[Randall]] is making the tongue-in-cheek observation that few users, technical or otherwise, actually know how to use the PGP signature to verify the authenticity of the sender, and that such users can safely assume that since there ''is'' a signature, that is good enough evidence that the message is authentic. Further, because PGP signatures are so rare and probably ignored by most recipients, he suggests one would not expect anyone to even bother creating a false PGP signature; therefore the mere existence of a PGP header would suggest authenticity.
+
PGP, or {{w|Pretty Good Privacy}}, uses {{w|Public-key cryptography|public-key cryptography}}; the OpenPGP message format it uses is defined in [https://tools.ietf.org/html/rfc4880 RFC 4880]. The blob which makes up the signature is a binary (clear-sign) signature which is encoded into ASCII using {{w|ASCII armor}}.
  
The title text extends the joke by suggesting you confirm there's a bunch of random characters in the footer (this is the actual signature that PGP generates which can be used to verify the authenticity of the email). Again, Randall is humorously suggesting that the existence of the block is itself sure evidence of authenticity.
+
The use of signing software for email is so rare that most people have never seen a signed message. The joke here lies in ignoring the actual privacy guarantees PGP provides, which gives a false sense of security.
 +
 
 +
A similar thing happens on some web pages that simply state "This page is secure" or include a padlock icon in the body of the page, and then ask for your credit card information, while not actually using SSL (so the browser itself shows neither the little padlock nor "https"). (Read an old blog/rant [http://www.troyhunt.com/2011/07/padlock-icon-must-die.html about the padlock icon and security].)
 +
 
 +
This irresponsible approach to security is unfortunately quite common among users, and even more so for computer-security-related topics. When confronted with something strange (like the blob at the bottom), most people simply believe it: if it says it's secure, it really has to be, even if it actually isn't.
 +
 
 +
Many security geeks would be quite annoyed by this ignorant behavior.
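The clear-sign layout and ASCII armor described above, as an added example that is not part of the comic or this wiki page: a small Python parser for an RFC 4880 clearsigned message. It recovers the Hash header, the cleartext and the signature block, checks the armor's CRC-24 and reads the packet tag, then shows why none of that is verification: the checksum covers only the signature bytes, so an edited message still passes. The signature bytes are a constructed dummy packet, not a real signature, and real verification needs the signer's public key (for instance with gpg --verify).

```python
import base64

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

def crc24(data: bytes) -> int:
    """Armor checksum from RFC 4880 section 6.1 (init 0xB704CE, poly 0x1864CFB)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def parse_clearsigned(msg: str) -> dict:
    """Split a clearsigned message (RFC 4880 section 7) into its parts. Structural
    only: verifying the signature itself needs the signer's public key."""
    lines = msg.replace("\r\n", "\n").split("\n")
    i = lines.index(BEGIN_MSG) + 1
    hashes = []
    while lines[i].lower().startswith("hash:"):  # e.g. "Hash: SHA256"
        hashes.append(lines[i].split(":", 1)[1].strip())
        i += 1
    j, k = lines.index(BEGIN_SIG), lines.index(END_SIG)
    # Cleartext follows one blank line; lines that began with '-' were dash-escaped.
    text = "\n".join(ln[2:] if ln.startswith("- ") else ln for ln in lines[i + 1:j])
    armor = lines[j + 1:k]
    data = [ln for ln in armor[armor.index("") + 1:] if ln]  # skip any armor headers
    crc_line = data.pop()                                    # "=" + 4 radix-64 chars
    sig = base64.b64decode("".join(data))
    stored = int.from_bytes(base64.b64decode(crc_line[1:]), "big")
    # Packet header: new format is 0xC0|tag, old format is 0x80|tag<<2|lentype.
    tag = sig[0] & 0x3F if sig[0] & 0x40 else (sig[0] >> 2) & 0x0F
    return {"hashes": hashes, "text": text, "crc_ok": crc24(sig) == stored,
            "packet_tag": tag}  # tag 2 is an OpenPGP Signature packet

# Constructed sample: 0x88 is an old-format header for tag 2 (Signature) with a
# one-byte length; the four body bytes are filler, not a real signature.
DUMMY_SIG = bytes([0x88, 0x04, 0x04, 0x01, 0x01, 0x08])
SAMPLE = "\n".join([BEGIN_MSG, "Hash: SHA256", "", "Hey,\nFirst of all, thanks for taking care of",
                    BEGIN_SIG, "", base64.b64encode(DUMMY_SIG).decode(),
                    "=" + base64.b64encode(crc24(DUMMY_SIG).to_bytes(3, "big")).decode(), END_SIG])

def edited_text_still_passes() -> bool:
    """The CRC covers only the signature bytes, so an edited cleartext still passes."""
    return parse_clearsigned(SAMPLE.replace("Hey,", "Hello,"))["crc_ok"]
```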
  
 
==Transcript==
 
==Transcript==
Line 18: Line 24:
 
:Look for this text at the top
 
:Look for this text at the top
 
:[In mail header, light grey.] Reply
 
:[In mail header, light grey.] Reply
:[Highlighted, with arrow pointing to it from the text "Look for this text at the top" above.]
 
 
:-----BEGIN PGP SIGNED MESSAGE-----
 
:-----BEGIN PGP SIGNED MESSAGE-----
:[In mail message, light grey.]
+
:[in mail message, light grey]
 
:HASH: SHA256
 
:HASH: SHA256
 
:Hey,
 
:Hey,
 
:First of all, thanks for taking care of
 
:First of all, thanks for taking care of
  
:[After mail message.]
+
:[After mail message]
 
:If it's there, the email is probably fine
 
:If it's there, the email is probably fine
  
 
{{comic discussion}}
 
{{comic discussion}}
 
[[Category:Comics with color]]
 
[[Category:Comics with color]]
[[Category:Email]]
+
[[Category:Computers]]
[[Category:Cryptography]]
 
