« on: June 05, 2015, 11:37:55 pm »
There's a whole bunch of stuff to respond to in this thread, but the thing I hit reply for was to say that AES is still considered viable by most people. It's at least considered as secure as it was pre-Snowden. For context, I've been working in security for telcos, financial institutions and government agencies for the last ten months (consulting and offensive testing, part of the reason why I haven't had many updates on what I'm doing) and frequently use AES-256. That's not to say that it's impossible for data encrypted using AES-256 to be read by an actor with the resources of a nation-state, but that I think they would be exploiting as-yet-undetected errors in implementation, rather than deliberate weaknesses in the algorithm.
AES and PGP are typically used for different purposes. AES is a symmetric-key algorithm, which means that the encryption and decryption functions use the same key. If you want to share AES-encrypted data, you need to provide the recipient your key. Anyone in possession of this key can read and write to the conversation between you and this other party.
PGP is slower but uses asymmetric-key crypto as well as symmetric. The result is that someone can encrypt a message using one key (your public key) and even if everyone else knows this key as well, they cannot use it to decrypt the message. Only your private key can do that. Because of this, it's often better for communications as it ensures that only the intended recipient can read the message and lends itself better to being used to verify the identity of a party in the conversation.
PGP requires both parties to have generated keys and while not super technical, this is not a user-friendly process, resulting in it not being very well adopted by non-tech-folk. To communicate securely with people who do not have a PGP key, I would tend to encrypt it using AES and provide them with the single-use key out-of-band, preferably in person or over the phone/SMS if you're willing to add those networks to the risk register.