Is GPG4Win a suitable tool to use for company-confidential files?

Posted on 2009-04-21
Last Modified: 2012-05-06
I am not so concerned about the application being cracked, but am asking more from a trust perspective. Is it a sensible and reasonable security practice to entrust a company's sensitive data to a program that is developed by a loosely associated group of programmers instead of a traditional company that can be held accountable for its work?

I realize this is more of an opinion question than purely technical, but I'd really appreciate your feedback on this issue.
Question by: bibleleagueit
    LVL 14

    Assisted Solution

    I'm not sure about the integrity of GPG4Win as an open source project, but I would regard open source technologies (such as GnuPG on which it's based) as inherently more secure than their proprietary counterparts, due to the extensive peer review that goes on in the community - it's my experience that when security issues occur within an application they are dealt with quickly and (generally) identified pretty soon, as opposed to covered up and ignored for extended periods of time.

    LVL 14

    Accepted Solution

    As an update to that, I've just had a look and the source is freely available from the GPG4Win project.

    Have a look at the following article on the IBM website re: peer review:

    The argument is that if anyone puts "anything nasty" in the source code it gets spotted. With closed source you have to trust the company who sold you the product that their developers haven't put anything in there that shouldn't be.

    LVL 33

    Assisted Solution

    by:Dave Howe
    There are arguments for and against the "all bugs are shallow" claim, but the real problem is that most people don't use the source themselves; they tend to use a third-party binary package (gpg4win) that you have no assurance was compiled against the source that is available.

    That said, I have no reason to distrust the gpg4win project - it seems a good, solid group, and I recommend it/use it myself - but as was proved in "Reflections on Trusting Trust" you can't even guarantee your compiler won't backdoor a binary, so pre-compiled binaries require that you trust those providing them to you - or build your own from scratch.

    There is certainly no guarantee the commercial equivalent (PGP) is any less likely to have a backdoor, and it is possibly even more likely (given that their source-disclosure licence explicitly forbids you to use code you compiled yourself, you just have to trust that the code they show you is the code they compiled from).
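    Editor's note: the point above about having no assurance that a pre-built package matches the published source has a practical minimum check: before installing a downloaded binary, verify it against the vendor's signed checksum list, and verify that signature against a key fingerprint you pinned in advance, not merely against "some key in your keyring". The Python below is an added example written for this page; it is not code from the gpg4win project or from anyone in this thread. The installer bytes, the checksum list, the gpg status lines and the fingerprint are constructed placeholders, and the `gpg` invocation assumes a GnuPG binary on PATH and is not exercised by the sample data.

```python
"""Verify a downloaded installer against a published checksum list and a
pinned signing-key fingerprint (added example, not gpg4win's own code).

Two checks, in this order:
  1. the signature over the checksum list, as reported by gpg's machine-
     readable --status-fd output, is a VALIDSIG by exactly the pinned key;
  2. the file's SHA-256 matches the entry for it in that list.
Sample data below is constructed; the fingerprint is a placeholder.
"""
import hashlib
import re
import subprocess
from typing import Optional

# Placeholder fingerprint: obtain the real release-key fingerprint out of
# band (project website, keyserver cross-check, prior trusted install).
PINNED_FINGERPRINT = "0123456789ABCDEF0123456789ABCDEF01234567"

# Constructed "installer" bytes and a sha256sum-style list covering them.
SAMPLE_INSTALLER = b"MZ\x90\x00this is not a real installer\n"
SAMPLE_CHECKSUMS = (
    "ff" * 32 + "  other.exe\n"
    + hashlib.sha256(SAMPLE_INSTALLER).hexdigest() + "  gpg4win-example.exe\n"
)

# Constructed examples of what `gpg --status-fd 1 --verify` prints.
STATUS_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Release Key <release@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2009-04-21 1240272000 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
"""
STATUS_WRONG_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Someone Else <else@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2009-04-21 1240272000 0 4 0 1 8 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
"""
STATUS_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Release Key <release@example.invalid>
"""

_VALIDSIG = re.compile(r"^\[GNUPG:\] VALIDSIG ([0-9A-F]{40,64}) ")
_FAILURE = re.compile(r"^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)\b")


def signature_is_trusted(status_output: str, pinned_fpr: str) -> bool:
    """True only if gpg reported a VALIDSIG by exactly the pinned fingerprint.
    GOODSIG alone is not enough: it appears for any key in the keyring, and
    any failure line vetoes the whole verification."""
    seen_valid = False
    for line in status_output.splitlines():
        if _FAILURE.match(line):
            return False
        m = _VALIDSIG.match(line)
        if m and m.group(1) == pinned_fpr.upper():
            seen_valid = True
    return seen_valid


def expected_digest(checksum_list: str, filename: str) -> Optional[str]:
    """Pick the hex digest for `filename` out of a sha256sum-style list
    (the "*" marks binary mode in sha256sum output and is ignored)."""
    for line in checksum_list.splitlines():
        parts = line.split(maxsplit=1)
        if len(parts) == 2 and parts[1].lstrip("*") == filename:
            return parts[0].lower()
    return None


def file_matches(data: bytes, checksum_list: str, filename: str) -> bool:
    want = expected_digest(checksum_list, filename)
    return want is not None and hashlib.sha256(data).hexdigest() == want


def verify_download(data: bytes, filename: str, checksum_list: str,
                    status_output: str, pinned_fpr: str) -> bool:
    """Accept only if the list is signed by the pinned key AND the file
    hashes to the listed value. An unsigned or wrongly signed list says
    nothing about the file, whatever it hashes to."""
    if not signature_is_trusted(status_output, pinned_fpr):
        return False
    return file_matches(data, checksum_list, filename)


def gpg_status(signature_path: str, signed_path: str) -> str:
    """Run the real gpg and return its status lines for signature_is_trusted.
    Assumes a GnuPG binary on PATH; not used with the sample data above."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature_path, signed_path],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout


if __name__ == "__main__":
    ok = verify_download(SAMPLE_INSTALLER, "gpg4win-example.exe",
                         SAMPLE_CHECKSUMS, STATUS_GOOD, PINNED_FINGERPRINT)
    print("accept" if ok else "reject")
```

    Pinning the fingerprint is the part most people skip: `gpg --verify` exits 0 for any key it has, so a download that is re-signed with an attacker's key passes a naive check. This still only tells you the binary is the one the project published, not that it was built from the published source; that assurance needs your own build (or a reproducible build you can compare against), as the answer above says.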

    Author Closing Comment

    Thank you for taking the time to respond to my question. I am a big fan of experts-exchange and this experience is an example of why.
