Document Management System with WebDAV

The topic “Document Management System” (DMS) is discussed very intensely in the literature. Most authors understand the term DMS to mean a product from a large company, for example the Sage DMS system. In the theoretical literature a DMS is sometimes called an Enterprise Content Management System and is equated with the central backbone of a company. But how exactly can such a system be realized? I’ve found a lot of potential examples:

– A wiki which allows uploading of binary files (for example Word files and PDF documents)

– WordPress is sometimes recommended as a DMS, and it also allows attachments

– Network filesystems like SMB and NFS can be used to store files for a team

– The version control system SVN is a centralized system which allows storage of files too

– Sometimes the Microsoft Exchange server is called the central hub

What we can see are two groups: first, the OS-specific solutions like SMB and Microsoft Exchange, and on the other side, the web-based systems like wikis and blogs. But what does the user need in reality? Then I found a third category, called WebDAV. WebDAV is comparable to NFS and SMB but works like HTTP. It is a mixed system which combines classical operating system technology with the modern Internet backbone. The good news is that WebDAV can be used by Linux, Windows and Mac OS X. It is usually integrated into the file manager.

In the screenshot, the starting point for WebDAV is shown. But to be honest, I’ve never tried it out in practice. In theory, it works similarly to an FTP server, but with an integrated version control system and authentication. The most interesting feature of WebDAV is that it is not a PHP application which runs in the web browser and where the user must upload his files; instead it is some kind of network filesystem. In theory, many users can edit the files in parallel.

As I mentioned in the beginning, the topic of document management systems is very complex. There are hundreds of papers available and dozens of products on the market. The main problem is to manage the documents in a company that are handled by many users in parallel. A document management system is different from a simple WordPress installation, and it is different from a single-user PC on which one person stores his documents in folders. It is something in between. The conditions are usually defined by needs from outside the company; that means the company gets hundreds of e-mails and letters and must manage this information. In contrast to scientific documents, each document contains little information. On the other hand, the volume is high; that means every day around 200 billion e-mails are sent worldwide, with a growing rate.

As far as I understand, WebDAV is similar to a cloud in which users can upload and download files. They do so either with a file browser, a command line or with external programs like Alfresco (a commercial DMS). The interesting aspect of WebDAV is that it can be called an advanced form of SMB and NFS. It works on both Linux and Windows.

Let us explain which problem WebDAV can solve. It helps to prevent users from storing files on their local hard drive. What WebDAV doesn’t solve is the question of how the workflow in the network file system is organised. Every user puts his file into the directory, and then?

Documents in company vs scientific papers

The handling of scientific papers is trivial from a technical perspective. A paper is always stored in the PDF format and the volume is very low. That means a simple web server where the users can upload their PDF documents is all that researchers need. They create the paper on their local PC and, for publishing, they transfer the file to a server. In contrast, documents in a company are more tricky. Usually the documents themselves are trivial, for example an invoice or something similar. But the problem is that the volume is higher, and that they are modified by many people in a workflow, sometimes at the same time. How document processing in a company works is unclear. Mostly it doesn’t work, or it works but the costs are too high.

We can call the processing of scientific papers a solved task from a technical perspective. A modern web portal like arXiv is everything that researchers need. Such a portal scales well up to millions of documents, which is equal to hosting all the papers in the world. In contrast, document handling in a company is an open question. Existing solutions called document management systems are mostly a theoretical idea but not realized in practice. What the users are really doing is sending e-mails back and forth and deleting important files, and nobody is there who is able to manage the chaos.

A while ago, wikis were introduced as an answer to document handling. And in theory a wiki is great, if all users are using the wiki markup language. But the reality in the company is that the publishing of information is not what matters (as in the famous Wikipedia project); in most cases, the company is a hub in which documents are coming in and going out. That can’t be handled by a wiki.

More about WebDAV

WebDAV seems to be a here-to-stay solution, because a document management system needs some kind of network storage. The main problem with WebDAV is that, apart from network storage, the user has no other option. He can browse through 10000 files created by other users but doesn’t know what to do with them. There is a need for something on top of WebDAV. According to Google, it is possible to create a Python application which connects to a WebDAV drive. This goes more in the direction of a document management system. Suppose the user creates a Python GUI app for visualizing his workflow. Then he can use the front end for searching and editing existing files.

A more advanced idea would be to replace the Python GUI with a PHP GUI which runs inside the web browser and is also tailored to the needs of the user. But I’m not sure whether a normal Python GUI is better.

But perhaps it is possible to use WebDAV in its plain version. Let us make a short example. A company consists of 5 employees. Each employee has a clear set of tasks. These tasks are not defined by the software or by WebDAV but by the manager of the company. Every user creates his own directory in WebDAV: /user1, /user2 and so on. In this folder the employee can store all the files he wants. That means that, from the company structure, there is no need for user1 to edit the files of user3 and vice versa. What is wrong with this workflow? Nothing, because it is the preferred management style in the paper-based office, and it also works great in the internet age. It must be called an ideology of software companies to promote a new working style in which every employee is able to edit all files, which might be correct from a technical perspective but makes no sense on the topic level. Or, to make the point clear, the precondition for using WebDAV with high productivity is a management structure which is already there before the computer boots up. If the organization structure leaves open which user has to do which task, the best document management system in the world can’t answer this question.
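What a Python front end on top of WebDAV exchanges with the server, using the /user1, /user2 layout from the example above. This is an added illustration, not code from the original post; the host dms.example, the /dav base path, the function names and the sample response are assumptions constructed for it.

```python
import posixpath
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlsplit

DAV = "{DAV:}"  # XML namespace of the WebDAV elements (RFC 4918)

PROPFIND_BODY = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<d:propfind xmlns:d="DAV:"><d:prop>'
    "<d:resourcetype/><d:getcontentlength/>"
    "</d:prop></d:propfind>"
)


def propfind_request(url, depth="1"):
    """Build (not send) the HTTP request that lists a WebDAV collection."""
    return urllib.request.Request(
        url,
        data=PROPFIND_BODY.encode("utf-8"),
        headers={"Depth": depth, "Content-Type": "application/xml"},
        method="PROPFIND",
    )


def parse_multistatus(xml_text):
    """Turn a 207 Multi-Status body into a list of {path, is_dir, size}."""
    entries = []
    for resp in ET.fromstring(xml_text).iter(DAV + "response"):
        href = resp.findtext(DAV + "href", default="")
        path = unquote(urlsplit(href).path)  # href may be absolute or %-encoded
        for propstat in resp.iter(DAV + "propstat"):
            if " 200 " not in propstat.findtext(DAV + "status", default=""):
                continue  # these properties were not returned successfully
            prop = propstat.find(DAV + "prop")
            if prop is None:
                continue
            is_dir = prop.find(f"{DAV}resourcetype/{DAV}collection") is not None
            size = int(prop.findtext(DAV + "getcontentlength", default="0") or 0)
            entries.append({"path": path, "is_dir": is_dir, "size": size})
    return entries


def files_of(user, entries, base="/dav"):
    """Files below <base>/<user>/ after resolving '..' in server-supplied paths.

    This is only the front end's view of the listing; the separation between
    users has to be enforced by the WebDAV server's own access control.
    """
    home = posixpath.join(base, user) + "/"
    paths = (posixpath.normpath(e["path"]) for e in entries if not e["is_dir"])
    return [p for p in paths if p.startswith(home)]


def _resp(href, size=None):
    """Build one constructed <d:response>; size=None means a directory."""
    kind = "<d:collection/>" if size is None else ""
    length = "" if size is None else f"<d:getcontentlength>{size}</d:getcontentlength>"
    return (
        f"<d:response><d:href>{href}</d:href><d:propstat><d:prop>"
        f"<d:resourcetype>{kind}</d:resourcetype>{length}</d:prop>"
        "<d:status>HTTP/1.1 200 OK</d:status></d:propstat></d:response>"
    )


# Constructed reply to a "Depth: infinity" PROPFIND on /dav/ (not real data).
# One href hides a ".." behind %-encoding and really belongs to user3.
SAMPLE_207 = (
    '<d:multistatus xmlns:d="DAV:">'
    + _resp("/dav/")
    + _resp("/dav/user1/")
    + _resp("/dav/user1/invoice-0001.pdf", 48213)
    + _resp("/dav/user1/offer%20draft.docx", 17920)
    + _resp("/dav/user1/%2e%2e/user3/notes.txt", 512)
    + _resp("/dav/user3/report.pdf", 90112)
    + "</d:multistatus>"
)

if __name__ == "__main__":
    req = propfind_request("https://dms.example/dav/", depth="infinity")
    print(req.get_method(), req.full_url, dict(req.header_items()))
    listing = parse_multistatus(SAMPLE_207)
    for user in ("user1", "user3"):
        print(user, files_of(user, listing))
```

The path is decoded first and normalized second, so the encoded `%2e%2e` entry is filed under user3 rather than user1.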

The main problem with advanced document management systems is that they promise to make work easier. They don’t. What a good DMS can provide is nothing more than what WebDAV can provide. That means the user can connect to a network directory, he can see his own files, and that’s it. It is up to the user to decide what to write in the files and what to do next. IMHO modern document management systems deliver too much. Apart from simple file access they have many other features, and the users believe they must utilize them all to be highly productive.

OpenScience vs PGP

In academia, especially in computer-centric subjects, there is a tradition which goes back to the 1990s and is called PGP. Most researchers publish on their website not only their e-mail address but also the so-called “PGP public key”, which is the same one that is listed on keyservers (a distributed directory of all public keys). The idea itself hasn’t been questioned for a long time; instead the practice is regarded as normal. Is connecting OpenScience to a PGP public key really a good idea? That will be discussed in the following article.

The widespread usage of PGP is the result of a missing awareness in the community that this is problematic from a legal perspective. Instead, the researchers argue with crypto-anarchist ideas which see the government as the enemy and strong encryption as a precondition for a working democracy. This attitude is well known from other youth cultures, for example the Commodore 64 piracy movement, which didn’t reflect on its own activities but saw the enemy outside of its own community, for example in lawyers who wanted to make a legal case against software piracy.

First it should be answered whether PGP is allowed from the normal perspective, which is not located in the crypto-anarchist movement. The best example right now is the Protonmail case, which is a company located outside of EU and US legislation which is trying to earn money with strong e-mail encryption. The other example is the dispute between the FBI and Apple about strong encryption of a smartphone (https://en.wikipedia.org/wiki/FBI%E2%80%93Apple_encryption_dispute). In both cases, the law has a problem with encryption, and they are right. If someone encrypts the communication, it can’t be read for security reasons, and this is a problem. Using PGP is the wrong way, especially if the idea is to make a commercial business with academic publishing.

I do not think that every researcher who is using a PGP public key is automatically a criminal. They are only badly informed and not aware of the legal situation of encryption in the US. That means it is necessary to educate the researchers so that they understand better what PGP encryption is and that it has to be avoided for doing OpenScience. OpenScience has two purposes: the first is to earn money with academic publication and the second is that the public has access to the papers. Both goals are legitimate and the right choice for future science. But combining OpenScience with PGP encryption, blockchains and other technology used in darknets is the wrong way. This will result in something different which is not desired. It is important to make the borderline between legal and illegal clear, to create an awareness of the individual behavior, so that the researcher will learn how he can publish the correct way and how an academic journal can earn money with it.

Let us refer to commercial e-mail providers like GMX, Yahoo Mail and Gmail. All of them earn money by sending millions of e-mails every day. They do so without using the end-to-end encryption known as PGP. Instead they provide a backdoor to government agencies. In case of security concerns the government gets access to the e-mails. That combines the interests of the e-mail users, the company which is commercially oriented and the needs of the government in the right way. That means everybody in the chain is happy. The customer gets e-mails, the Yahoo Mail provider earns money, and the FBI can get access in serious cases.

Suppose the same situation for an academic journal. The users are not using simple login accounts but PGP keys. That means everything is encrypted, and it is also anonymized. The academic journal works on a commercial level, and with a quality-control peer-review system. Does it make sense that mass-market e-mail providers are forced to provide a backdoor for government agencies and an academic journal is not? No, it makes no sense, and it is a sign of misconduct to use PGP in the context of scholarly publication. The question which is open is: who is wrong? Are e-mail providers like Yahoo Mail, Gmail and others not well informed about how useful PGP is and that it can be used for military-grade encryption? Or is the hypothetical academic journal wrong, which is using PGP as default and in reference to the crypto-anarchist tradition?

Why are beginner researchers using PGP?

The answer is simple: for the same reason non-researchers are using it. Because they want to have more anonymity, they want to build a web of trust, they want to be able to control who knows what, and because they mistrust the government. Using the advantages of PGP makes sense from an individual perspective. But as in other environments too, the individual does not have the right to use technology in such a way. That means the individual does not get to decide whether PGP is legal or not; that decision is made by the FBI or a similar authority. Both interests are in conflict, and the answer is that the individual has to renounce strong encryption. It is not allowed that an individual has more power than the society.

Is PGP illegal?

The question seems a bit uncommon and nobody seems to have an answer to it. That is part of the problem: the legal status of PGP is not defined in detail. This missing definition is not unfamiliar; it was the normal way in computer history, and the right way to react to it is to create an awareness of the situation.

First let us go back to the early days of home computers. We are talking about the 1980s. Was copying a copyright-protected game illegal at that time? The interesting answer is that in that period the topic wasn’t discussed; that means perhaps it was illegal, but the actors were not aware of it. Many games were copied in that era, and the people described what they were doing mainly on a technical level. That means that for copying a Commodore 64 floppy disc some kind of copy software is needed, and much information about this issue was given by the magazines. What was also needed is some kind of community, which was also explained in detail by the magazines of that time. But if someone connects both actions together, this will result in illegal copying of a game, and this legal situation wasn’t discussed.

That means, at least in the 1980s the people were only aware of what copy software is, but they were not aware that they themselves were computer criminals. It took a huge effort to explain the situation to the people until they understood that software is a product and is owned by the copyright holder. The most important invention in the home computer era was not the gaming industry, it was the consciousness of the legal aspects.

Today, there is an awareness about copyright-protected games. If somebody asks in an online forum whether it is legal to copy the current Windows 10 version and adds that he got the software from a friend, the answer will be very clear. 100% of the computer nerds will understand what the intention is, and that a conflict with copyright law will happen. In the case of PGP-related encryption the situation is not so clear. If somebody asks in the year 2018 whether it is legal to install, redistribute or use AES128 encryption for private, educational or business reasons, he will get no concrete answer. The problem is that the topic itself isn’t discussed and the people are not aware that there might be a problem.

Let us take a look at the Wikipedia article (https://en.wikipedia.org/wiki/Cryptography_law). It seems that there is some kind of law which regulates the usage of encryption. But is the article correct, or can the article describe the situation in detail? It is hard to say; the number of resources is low, and in the academic discussion the question of cryptography law is seldom discussed. The reason is simple: it is not used very often.

What we can read from the Wikipedia article is the situation in France. It seems that weak encryption is legal. That means, if a company is providing an SSL-encrypted website and the user enters his password for login, everything is fine. The company can earn money with the service, for example as an e-mail provider, as a social network or whatever. But everything which goes beyond this weak form of encryption is not allowed according to the current law. Let us make a concrete example:

In the computer security literature, the PGP and AES-128 standards are described as unbreakable. That means, from a technical point of view it is military-grade strong encryption. Encrypting a message in such a way makes it impossible for a commercial company to read what is inside the message. Technically the process is very easy. PGP is available as open source and, if not, it is easy to invent an encryption algorithm plus RSA-like key distribution from scratch. But can a company which respects the law use this technology for protecting its website or protecting its customers? No. Even though I have found no clear source which backs up this opinion, it is very likely the case. And that is the reason why e-mail encryption is not available, at least no strong e-mail encryption.

But what about PGP-encrypted messages which are transmitted today? What about keysigning parties in which the users sign each other’s keys? From a legal perspective the situation is that the people are not educated; they are doing technical things without being aware that they are cyber criminals. The situation is comparable to the early home computer scene. The people are interested in the technology, are trying to learn how encryption works and are searching for people with the same interests. They are missing an awareness of the legal aspects.

The answer to the problem is simple: make the situation transparent. That means explaining to the script kiddies that encryption is illegal in most countries, and that they can use PGP only for private purposes but not for running a business on top of it. From a technical point of view, most crypto-anarchists are experts in PGP; they use the software correctly and convert plaintext to ciphertext. But they are missing a reflection on the social implications of encryption. The ideology of crypto-anarchists is the wrong standard; instead the above-cited cryptography law is the better description of the situation.

That means the ideology of pro-PGP activists and the cryptography law in most countries are in conflict. It is important to make clear that the conflict is there and that the borderline separates the people into normal citizens and criminals. The situation will get clearer if we focus only on encryption which is sold by companies, because what is happening on a private level and in the universities for research purposes has more freedom. On a commercial level there are many problems if a company is trying to promote strong encryption. In Wikipedia the Apple-FBI dispute is linked (https://en.wikipedia.org/wiki/FBI%E2%80%93Apple_encryption_dispute). The situation was that on one side a technology company was trying to build a PGP-like algorithm into its product and sell it to its customers, and on the other side the FBI didn’t want that.

Why did Apple do so? Because Apple was not aware that encryption is illegal. They only see the technical aspects and they argue with computer security. The idea was perhaps that the data of the customer has to be protected, and from a technical point of view, encryption is the perfect choice for doing so. But from a legal perspective this stands in conflict with the law against cryptography, which prohibits such strong encryption.

Let us go into the technical details. The PGP software itself has no backdoor. That means if Alice encrypts a message, only Bob can read it. The problem is not that PGP is hard to use or difficult to explain; the problem is that even a man in the middle cannot read what is inside the message. That is called strong encryption. The software works technically, but is not legal. Only a PGP algorithm which has a backdoor is legal, because the man in the middle then also has the opportunity to read the message and can do a security check.

From a historical perspective, cryptography law was made as export control regulations. This worked quite well in a time before the internet. Today we have the situation that in the scientific literature, which is available in every country, strong encryption algorithms are explained in detail, so that any programmer can build his own encryption algorithm. The old export regulations are no longer suitable for preventing such behavior. What the industry needs is a new cryptography law which explains that using strong encryption is a crime. This will help to establish an awareness that PGP is the wrong technology, and that it is not allowed to use it apart from private or academic purposes.

Is Academic publishing a crypto market?

The literature defines a cryptomarket as a commercial-grade trade market which works with advanced technology like PGP and BitTorrent to hide the traces from law enforcement agencies. This is sometimes called the dark web. What is missing in the literature is whether academic publishing can also be called a cryptomarket. Here http://pigsonthewing.org.uk/public-key-in-orcid-profile/ is a link to a website which explains how a researcher can insert his PGP private key into the ORCID profile. ORCID is an author identification standard built by Elsevier, Springer and others. The ORCID directory under the URL https://orcid.org/ can’t be requested publicly, so it is unclear how many researchers have a dedicated PGP private key in their profile to encrypt their e-mail communication. According to a post on a well-known academic discussion group https://academia.stackexchange.com/questions/8984/what-should-a-proper-email-signature-look-like-for-graduate-students/47464#47464 it seems to be normal that researchers also have a PGP public key in their e-mail signature.

The paper by Gipp, Bela, et al., “CryptSubmit: Introducing Securely Timestamped Manuscript Submission and Peer Review Feedback using the Blockchain.” Digital Libraries (JCDL), 2017 ACM/IEEE Joint Conference on. IEEE, 2017 (https://gipp.com/wp-content/papercite-data/pdf/gipp2017b.pdf), is a recent paper from 2017 which gives more details. The idea is to encrypt the submission of scholarly papers in a blockchain and make so-called trusted timestamps. The same technology (PGP encryption, blockchain, peer-to-peer networks) is also used by common cryptomarkets, which are illegal and under surveillance of law enforcement. I would guess that crypto-academic-publishing is the dark side of Open Access. On one hand we see that content gets published openly with Google Scholar and ResearchGate, while at the same time new encrypted markets are arising which deal with scientific knowledge which is not publicly available.

I don’t think that the actors are aware of what they are doing. Perhaps the excitement about new technology like blockchains and PGP is so big that they are not reflecting on the social implications of what they are doing. For example, the PGP software is a very exciting tool which is able to give a new form of privacy. But I think it is important to discuss the legal aspects of encryption, especially for academic journals.

Bringing PGP forward

Sometimes, it was asked how to make PGP easier. Yes, it is possible, but first let us define which part needs improvement. What is missing today is a good keyserver search engine with an integrated OpenPGP.js module. Such a website isn’t available, but we can simulate the idea with existing tools. First we take an existing keyserver search engine, for example http://keys.gnupg.net/, but any other search engine is also fine. There we enter the e-mail address we want to search for. The engine gives us back the public key of the recipient. In a second browser tab we open an online PGP tool, for example this one: https://wp2pgpmail.com/pgp-key-generator/ From a technical point of view, it would make sense to integrate both tools, but for testing purposes we can switch between the tabs. So what’s next?

In the online PGP tool we generate a new private key, and there are also text boxes into which we can copy & paste the public key from the keyserver. Then we press “encrypt” and get the PGP message. Now we open a third browser tab (yes, it could be easier, but it’s better than nothing) and copy the encrypted message in there. Now we can submit the message and have sent an encrypted e-mail.

Let us describe the workflow a bit more abstractly: we need three things, a keyserver search engine, an OpenPGP JavaScript tool and the e-mail software. The user has to copy & paste the text information between the three applications, and at the end he is able to send and receive encrypted messages. Very easy, isn’t it?

Let us go a step further and dream about a potential future. The search engine Google contains a Gmail account and a web search engine. What Google doesn’t provide right now is a keyserver search engine and an online PGP tool. But in theory it can be upgraded with these features. I think such a web-based GUI would make sense to make PGP ready for mass usage.

I think it makes no sense to hide the PGP internals from the user. He wants to handle the private key text block and the encrypted message manually. The demand of the user is not to send encrypted messages (PGP is technically broken anyway); what the user wants is to play around with the technology which was formerly only mastered by computer experts and cypherpunks. To make the point clear: the user wants to copy his private key into a text field of a search engine …

What is PGP?

PGP is self-describing. It starts with a title like:

-----BEGIN PGP PUBLIC KEY BLOCK-----

-----BEGIN PGP PRIVATE KEY BLOCK-----

-----BEGIN PGP MESSAGE-----

These text elements are located with different persons. Alice has a public key, Bob too. The idea is to move the text messages into the right field, press a button, and as if by magic the e-mail is sent over the internet. I think an easy-to-use interface must run inside the browser, because sending the e-mail is only possible with an internet connection, and searching the keyserver too. And the user interface must be grouped around the text messages. That means the user must copy & paste the text fields manually.

OpenPGP.js

PGP is known as a de facto standard for computer security. The company Symantec, for example, offers the product “Symantec drive encryption”, which costs around U$189 per year, but PGP is also included in RHEL Linux server systems (https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/pdf/security_guide/Red_Hat_Enterprise_Linux-6-Security_Guide-en-US.pdf, page 153) and is included in Ubuntu and other distributions. The question is, what is missing, why is the system so complicated? That is indeed a problem. The technology itself is nearly unchanged since its introduction in 1990, that was 30 years ago. The encryption algorithm itself (AES) is based on its predecessor AES, and the RSA technique is also well known. I think the main problem with PGP is how to educate the people to use it. The most advanced idea is the OpenPGP.js initiative. From a technical point of view it is not very exciting. The idea is to program the PGP suite not in C but in JavaScript, so that other programmers can build an HTML website on top. In my opinion this helps a lot to bring PGP forward. Because an HTML GUI is located outside of the operating system, it is reduced to the key features. That means an online PGP tool contains some text boxes into which the public and private keys can be inserted and some buttons to activate the encryption and decryption. The result is that the topic is exposed as a computer game. And now the user can easily be taught how to play this game. That means it is possible to write a manual explaining how to use an online PGP GUI correctly.

The interesting point about OpenPGP.js is that it consists of two parts, and both are very well understood. The first one is that the normal PGP algorithm (AES + RSA) has to be programmed in JavaScript. That task is not for beginners, but it is not too complicated. All the programmer has to do is understand an existing library like libcrypt and translate it into JavaScript. Task #2 is to write a manual on how to use the resulting HTML app. That is also an interesting work item, because in theory there are many PGP tutorials out there, but they are only written for the classical gnupg software which is installed on UNIX servers. If both tasks around OpenPGP.js are done, we get a nice-looking and easy-to-use open source project which stands on the shoulders of giants.

What OpenPGP.js can change is the way the computer experts talk about encryption. That means, from now on they have something which they can grasp, learn, improve and integrate into their own products, for example in Facebook or in web e-mail portals.

Can the NSA read my E-Mails?

A while ago a paper was published in which the topic of DNA computing for breaking encryption systems was explained. A more recent development is quantum computing; both have, from a theoretical point of view, the power to break AES128 encryption systems. Whether the NSA has such devices is unclear, perhaps yes, perhaps no. But one thing is true in any case: your boss can’t break AES encryption. That means, if an ordinary company is installing Symantec PGP encryption to handle the intranet traffic and the employees are sending encrypted e-mails back and forth, it is not possible to break the code. Especially not if the IT department has some kind of secret server in between to monitor the traffic. They can only see which employee is sending information to which other employee, but what they are pushing over the line is unclear.

That may be surprising to know, because usually the IT department and also the boss are able to spy on the employees. But in the case of PGP encryption this is not possible. The only exception would be that the average company does indeed have a DNA computer in its backyard, but then the boss would have other problems than spying on the employees.

The main problem with PGP is not that it is hard to use or difficult to understand. The main problem is that, according to the recent literature about computer security, the AES algorithm and the RSA algorithm are unbreakable. That means, even if the boss has installed a so-called TCP recorder like Wireshark to watch the data in real time, he is not able to see whether the employees are sending a private e-mail or an e-mail which has to do with their job, because on the content level any e-mail looks like noise. It is only known that the e-mail contains PGP-related content, but what exactly is unclear. If a company is installing the Symantec PGP server software, it will lose the ability to track the communication of its employees. So the boss must trust them that they are using the intranet wisely.

The main problem with PGP is that it is designed for end-to-end encryption. That means the user in front of the screen decides which certificate is used. PGP bypasses any data loss prevention. Data loss prevention usually has the goal of monitoring the traffic and detecting unusual behavior. From the standpoint of security, the best way is to block any PGP-related content, because it can’t be monitored. The paper “Lazarus: Data Leakage with PGP and Resurrection of the Revoked User, 2016” explains the worst case in detail. The PGP software is a security threat. The term “data loss prevention” is used in the cybersecurity debate for keeping control of the internal IT systems. That means that the boss knows which computers are used, what the employees have installed on their machines, which e-mails they are sending and which websites they visit. The boss doesn’t need detailed information about every employee, but he has to be able to monitor security incidents.

If PGP-encrypted traffic is happening in the internal computer network of a company, the IT department has lost control over its network. That means they have no idea which software is used, what the people are doing with the company computers and what they know. That means not the IT department but the normal user is in control of the communication. From the perspective of retaining control, the best a company can do is to block any PGP-related content and treat it by default as a security incident. Not allowing the employees to use a secret language or encryption is recommended.

Here is a support forum article from Cisco on the same subject: https://supportforums.cisco.com/t5/email-security/data-loss-prevention-dlp-email-encryption/td-p/2864836 In the document https://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa9-7/ESA_9-7_User_Guide.pdf they explain on page 431 how to set up data loss prevention. The system works with a local keyserver. The main problem with PGP, again, is that it was designed differently from usual software and hardware. The normal Cisco router or the normal intranet router has, by default, some options to monitor the traffic. This is called data loss prevention and is used to get control over a network. In the case of PGP, such an option is missing, because PGP is not proprietary hardware; it is only an algorithm. That means it needs no special line or special routers; it works everywhere.

As I mentioned in the introduction, from an academic point of view an attack on PGP is possible, but right now no company or router vendor is able to break the standard. That means their data loss prevention systems are not able to prevent anything.

https://statetechmagazine.com/article/2013/11/how-help-dlp-and-encryption-coexist-0 sums up the problem. Quote: “DLP technologies often clash with network encryption […]. To resolve this conflict, organizations must deploy DLP in places where network traffic isn’t encrypted” They also write about endpoint security protection, which “include an endpoint-based DLP capability”.

Let us explain the best-practice method to ensure data loss prevention in a corporate environment. First, PGP-related encrypted traffic should be blocked completely. Second, all desktop PCs should run Microsoft Windows 10, because most endpoint DLP software was written for Windows. Other operating systems like Linux or iPhones should not be allowed, because the users there are communicating with PGP all the time and introduce security risks for the company.

Small experiment with an Online PGP tool

PGP is notoriously difficult to use, especially with public/private key pairs. The symmetric mode of PGP, which needs only a passphrase to encrypt a file with AES128, is easy to understand, but the workflow of doing a full key exchange over the insecure internet is a demanding task even for computer professionals. A possible answer to that problem is PGP online tools. They are a new development, and I want to walk through one of them, https://wp2pgpmail.com/pgp-key-generator/, as an example.

At first we need a private key. This can be generated from the main menu. As input I have to enter:

name:

e-mail:

password:

After pressing the button, I get a public and a private key.

In the next text box I enter the secret message which I want to send, for example “Hello World”. After pressing the button, I get the encrypted PGP message.

-----BEGIN PGP MESSAGE-----

Version: OpenPGP.js v2.6.2

Comment: https://openpgpjs.org

-----END PGP MESSAGE-----

Decryption is a bit more complicated. Here we need the PGP message and also the private key. After pressing the button we see the plaintext.

After doing the complete workflow, around 6 text boxes are visible on the screen, containing lots of keys, messages and plaintext messages. It is a mess. But I must say that this GUI makes more sense than the normal PGP programs and tutorials which were published in the past. I do not see that beginners are able to use the website, but more advanced computer enthusiasts are able to decrypt and encrypt messages with the HTML GUI. The difference to a standalone application installed on a local PC is that after closing the browser tab all the information gets lost. That means I have to write down the private key manually, perhaps into a password program, and for the next trial I can generate a new private key. The danger that inexperienced users make serious mistakes in using the PGP online tool is high. For example, there is no protection against copying the private key into the e-mail.

The main difference to classical command-line PGP versions like gpg is that in the online version the user does everything with copy & paste. For example, if he wants to encrypt an e-mail, he first copies and pastes the private key from his password manager into the web application, then he copies the public key of the recipient from his Facebook account into another menu, and so on. That means the rules of the game are that the user must copy and paste snippets from different locations, and at the end he is sending a PGP message, or not (if he didn’t understand the procedure).
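A mail gateway can recognise PGP content without being able to read it, and the copy-and-paste workflow above makes it easy to paste a private key into a mail. The following sketch is an added example, not code from the original post: it scans every MIME part for OpenPGP armor headers and flags both cases. The policy names, the helper `mail()` and the sample mails are constructed assumptions.

```python
import re
from email import message_from_bytes, policy

# ASCII-armor header lines defined by OpenPGP (RFC 4880, section 6.2).
ARMOR = re.compile(
    r"^-{5}BEGIN PGP (MESSAGE|PRIVATE KEY BLOCK|PUBLIC KEY BLOCK|"
    r"SIGNED MESSAGE|SIGNATURE)-{5}\s*$", re.M)
# Rich-text editors can turn "---" into an em dash and "--" into an en dash.
DASHES = str.maketrans({"\u2014": "---", "\u2013": "--"})

def find_pgp(raw_mail: bytes) -> set:
    """Return the kinds of PGP artefacts present in any MIME part."""
    found = set()
    for part in message_from_bytes(raw_mail, policy=policy.default).walk():
        if part.get_content_type() == "application/pgp-encrypted":
            found.add("MESSAGE")          # PGP/MIME envelope (RFC 3156)
        if part.is_multipart():
            continue
        body = part.get_payload(decode=True) or b""   # undoes base64 / QP
        text = body.decode("utf-8", "replace").translate(DASHES)
        found.update(m.group(1) for m in ARMOR.finditer(text))
    return found

def dlp_verdict(raw_mail: bytes) -> str:
    """Hypothetical gateway policy following the text's recommendation."""
    found = find_pgp(raw_mail)
    if "PRIVATE KEY BLOCK" in found:
        return "block-private-key"        # key material pasted into a mail
    if "MESSAGE" in found:
        return "block-encrypted"          # detectable, but not inspectable
    return "allow"

def mail(body: str) -> bytes:
    """Build a constructed single-part test mail around the given body."""
    head = ("From: alice@example.com\r\nTo: bob@example.com\r\n"
            "Content-Type: text/plain; charset=utf-8\r\n\r\n")
    return (head + body).encode("utf-8")

# Constructed samples; the armor bodies are placeholders, not real PGP data.
ENCRYPTED = mail("-----BEGIN PGP MESSAGE-----\r\nVersion: OpenPGP.js v2.6.2\r\n"
                 "\r\nPLACEHOLDER\r\n-----END PGP MESSAGE-----\r\n")
LEAKED_KEY = mail("my key:\r\n\u2014\u2013BEGIN PGP PRIVATE KEY BLOCK\u2014\u2013\r\n"
                  "\r\nPLACEHOLDER\r\n\u2014\u2013END PGP PRIVATE KEY BLOCK\u2014\u2013\r\n")
PLAIN = mail("Meeting moved to 14:00, agenda attached.\r\n")

if __name__ == "__main__":
    for name, sample in [("encrypted", ENCRYPTED), ("key", LEAKED_KEY), ("plain", PLAIN)]:
        print(name, sorted(find_pgp(sample)), dlp_verdict(sample))
```

The check only sees armor that reaches the gateway as text or as a decoded attachment; binary (non-armored) PGP data or content inside an archive would need additional detection.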