Dale Preston's Web Log
  
Friday, September 30, 2005
 

PGP 9.0.x Update

Originally I reported the cost for the 20-minute incident as $300.00 because the only price shown on PGP's support page for a support incident is the $300.00 price. It turns out that you have to add the 20-minute phone incident to your shopping cart in order to see the actual price of $43.00. I have corrected the price for the phone incident in the original post.

The $300.00 support incident exists but doesn't have the 20-minute support limit. They will "work the problem into the ground," according to a PGP employee on their support forums. It does not offer any guarantee, though.

I had a series of exchanges in the forums with PGP's manager of client applications. In that exchange I asked whether, with the $300.00 incident, there is any guarantee: one, if they can't fix the problem, will they refund the money; and two, if the problem turns out to be the result of a bug in PGP software, will they refund the money. Lastly, I asked whether, since I had two problems, I would have to pay $600 to get my $149 software working, and whether they would guarantee that, for the additional $600, it would work. He quit responding to my posts and has not replied to these questions or any of my other posts since.

The forum administrator, on the other hand, has continued to work on the pgpexch.dll issue and that problem has been resolved in my case, if not overall in the product. At his suggestion, I
  • Uninstalled PGP 9; still had the problem
  • Re-installed PGP 8; no more problem
  • Uninstalled PGP 8; no problems
  • Re-installed PGP 9; no problem - problem solved!!!
Hopefully, PGP Corporation will research what is wrong with their installation package when doing an upgrade and fix it or at least produce a patch that removes the references to the pgpexch.dll add-in. But I suppose that is someone else's battle now.

Now, if only they'd do something about the Shred function that doesn't work.

Oh, let me mention one more thing. It appears they have changed how they handle signing of clear text messages. A PGP customer from Sweden finds that signed messages using Swedish characters aren't transportable from PGP 9 to PGP 8 or PGP 7. I find that very odd. Creating a hash of any data should be a fairly trivial thing (though creating a hash algorithm is not). It should not matter at all what the content of the data is, whether it is binary, text, RTF, Unicode, or ASCII.
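As an added illustration (this is not code from the original post, nor PGP Corporation's code): a signature never hashes "text", it hashes bytes, so whether a cleartext signature verifies across versions depends on the byte encoding and on the canonicalization both sides apply. OpenPGP cleartext signatures hash a canonical form of the message (trailing whitespace stripped from each line, CRLF line endings), and non-ASCII characters such as å and ä have different byte values in Latin-1 and in UTF-8. The Latin-1 versus UTF-8 split used below is an assumption chosen to show the mechanism; the page does not say what PGP 9 actually changed.

```python
import hashlib

# Added example, not PGP's code. A digest is computed over bytes, so two signers
# that encode or canonicalize the same text differently produce different digests,
# and a signature made by one will not verify for the other.


def canonicalize_cleartext(text: str) -> str:
    """Return the OpenPGP cleartext canonical form (RFC 2440 section 7.1):
    trailing spaces and tabs removed from every line, CRLF line endings."""
    lines = text.replace("\r\n", "\n").split("\n")
    return "\r\n".join(line.rstrip(" \t") for line in lines)


def cleartext_digest(text: str, encoding: str = "utf-8", canonical: bool = True) -> str:
    """Hex digest of the message as a signer would hash it.

    SHA-1 is used because it was the common OpenPGP signature hash in 2005;
    the point holds for any hash function.
    """
    data = canonicalize_cleartext(text) if canonical else text
    return hashlib.sha1(data.encode(encoding)).hexdigest()


# Constructed sample message: Swedish characters plus uneven trailing whitespace
# and mixed line endings, the kind of thing a mail client produces.
MESSAGE = "Hej då, världen!   \r\nMed vänliga hälsningar\t\n"


def compare_encodings(text: str = MESSAGE) -> dict:
    """Digest the same text as Latin-1 and as UTF-8 (assumed 'old' and 'new'
    encodings for the sake of the example). ASCII-only text agrees in both;
    text with å or ä does not, because the bytes differ."""
    return {
        "latin-1": cleartext_digest(text, "latin-1"),
        "utf-8": cleartext_digest(text, "utf-8"),
        "ascii_only_agrees": cleartext_digest("Hello", "latin-1")
        == cleartext_digest("Hello", "utf-8"),
    }


def whitespace_variants_agree(text: str = MESSAGE) -> bool:
    """Canonicalization removes trailing-whitespace and line-ending differences,
    so two copies that differ only in those details hash the same."""
    variant = text.replace("\r\n", "\n").replace("   \n", "\n")
    return cleartext_digest(text) == cleartext_digest(variant)


def raw_variants_differ(text: str = MESSAGE) -> bool:
    """Without canonicalization the same whitespace differences change the digest."""
    variant = text.replace("\r\n", "\n").replace("   \n", "\n")
    return cleartext_digest(text, canonical=False) != cleartext_digest(variant, canonical=False)


if __name__ == "__main__":
    for name, value in compare_encodings().items():
        print(f"{name}: {value}")
    print("whitespace variants agree after canonicalization:", whitespace_variants_agree())
    print("whitespace variants differ without canonicalization:", raw_variants_differ())
```

The practical check when a signature fails to verify across versions is therefore to compare the armor's Charset header and the exact bytes each side hashes, not the key or the algorithm: a message that is pure ASCII and has no trailing whitespace will verify everywhere, and the failures cluster on exactly the messages the Swedish customer reported.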

There's another thing that makes me doubt the security of PGP 9. PGP 9.0.x's email encryption scheme apparently does not work with RTF emails. The older versions of PGP do work with RTF. If you now have PGP 9 then I guess, as one PGP support forum contributor said, you have to tell anyone with whom you exchange PGP emails not to use RTF anymore. And that workaround is apparently fine with PGP; they released version 9 knowing this condition existed: it is in the Readme file.

This RTF issue, like the signing issue described above, makes me nervous about PGP's security, because both issues seem to mean that encrypting or decrypting is dependent on the data you provide. As I said about creating a hash for signing, encryption or decryption results should not depend at all on the content of the data being encrypted or decrypted.

Is it possible that there are other issues that are not readily visible when encrypting your data? Is it really secure? It is my opinion that they have messed with the encryption/decryption process; otherwise, why would there be a difference in how the different versions handle these data types, when these differences do not appear to have existed in previous versions of PGP? Are there other, unidentified, data-specific issues with PGP 9 that we don't know about? Could any such data-specific issues mean that the data is no longer secure?

Let me say that I have no knowledge of any other issues or of any problems with secured files not actually being secure. The problem I do have is that we know PGP 9 is full of bugs. Since it seems that PGP Corporation would rather deny the bugs exist and blame customers, what else could they be denying? If they truly believe the product is relatively bug-free, what else could be wrong that their blinders and poor quality testing are preventing them from seeing?

In my opinion, PGP 9.x is still not ready for production and, until PGP recognizes that they have released a faulty product and until they correct their faulty support policies, I recommend against buying or using PGP products at this time. I suggest searching Google for whole disk encryption and reviewing the many products available from other companies.

One such company, whose products I find particularly interesting, is Securstar at http://www.securstar.com/products.php. They have disk encryption, email encryption, and file encryption products. I especially like their support policy at http://www.securstar.com/customersupport_policy.php. What a breath of fresh air after what I have experienced and have been reading on PGP's forums!

There are many other companies with similar products, so don't skip the Google search.
