At the user end, Keygloo once again verifies this signature by decrypting the Keygloo number and public key using the Keygloo server’s public key. It then compares the public key against the public key in the user’s system, an activity undertaken to thwart any Man-in-the-Middle attack.

Quite a lengthy procedure the public key registration may seem, but all very transparent and hardly troubling to the user in any way.

Once the registration process is over, any keygloo user is free to access the public keys from the server. This he does by sending a request for the public key using the corresponding Keygloo number during encryption. The server responds by sending the public key. Again, this process is transparent and the user is aware of nothing except that the message turns encrypted at the click of the ‘Encrypt’ button.

Public key distribution is not signed. The probability of meeting a man-in-the-middle attacker, who can both substitute the wrong public key during its transit as well as obtain the encrypted message without the knowledge of the message recipient, is small. Weigh this against the considerable burden that would be incurred during verification of signatures from the server and the decision to not sign the public key seems a sensible option.

For the paranoid, future versions of Keygloo will include options to choose between receiving signed public keys and unsigned public keys.