Ben Laurie’s blog drew my attention again this morning when I read his posting about Freenigma, a PGP/GnuPG plug-in for Firefox. This plug-in raises the question as to whether increased user-friendliness justifies a relaxation in security. In my opinion, this is an absolute no-no. The objective of such a system must be security, with user-friendliness a secondary goal. There’s no point in having a broken security system that’s user-friendly.
There will be claims that Freenigma is intended for people with no understanding of security or crypto, but this makes the situation even worse, as these people also have no understanding of the implications of using such a system. Encouraging them to use it is little different to phoning them and asking for their PIN. Try telling a security expert that he should upload his private key to a publicly accessible server. Many security experts wouldn’t even keep a master private key on their own computers, let alone on someone else’s.
Systems such as GnuPG were designed to be bullet-proof from a security perspective. Despite this, they still have weaknesses that are discovered and patched on a fairly frequent basis. So how can you even begin to maintain a good reputation for a security system that’s insecure by design?