
I'm giving up on PGP - FiloSottile
https://blog.filippo.io/giving-up-on-long-term-pgp/
======
psiconaut
I find very interesting the point about the split between what WoT was
supposed to be, in theory, and what little it represents, in practice, in
terms of practices about key verification.

It has been said many times that the lack of adoption of pgp in mail was due
to the average user not being able to grasp the concepts behind the proper
operation for key management, but the article points to common practices among
"power users" that will drop the theoretical best practices and switch to
fallback, insecure modes, given the effort needed to properly verify a key
binding. If the community that cares about encryption and privacy is not able
to routinely verify keys, the whole system definitely has a weak link.

I wonder if pgp is fundamentally flawed, or we have a deep conceptual
usability issue here.

And to me, assuming that the most usable thing we can use instead is something
that relies on mobile phone identifiers, more often than not tied to a
physical world identity, is really something to worry about.

~~~
dom0
> I wonder if pgp is fundamentally flawed, or we have a deep conceptual
> usability issue here.

I don't think the "WoT" is conceptually flawed, and frankly, the argument that
"people of average intelligence" can't grasp the concept comes from a very
high horse and is also untrue. It's simply that any and all software for PGP
utterly fails in the UX and functionality department when it comes to key
management.

 _Web of Trust_ implies such a glaringly obvious visual metaphor that I am
truly in awe that not a single program works that way.

Tabulations of keys are not a WoT, period.

I don't verify keys one-by-one, that's bullshit. I get one good key that's
part of a WoT, and then go from there, and can easily see _from the web
structure_ that other keys are good and what their relations are. None of that
is accomplished by _any_ PGP frontend.

Instead I get stupid and unhelpful error messages ("no key available" - I
just downloaded it!) and some of the most terrible crypto UI I've seen ("How
much do you trust this key? [ ] Not at all [ ] A bit [ ] Fully [ ] Totally" -
w-t-f).

A technical criticism of PGP/GPG is of course also possible. The whole thing
is a museum of early 1990s crypto, with default ciphers like CAST5 and
messages not being authenticated - and even if the message is authenticated
most parts of the PGP protocol are not, meaning that you got that big bunch of
C code maintained by that one German guy over there that parses
unauthenticated bytes that you shipped through half the internet with a big
neon-red sticker on it saying "I'M PGP PLEASE TAMPER WITH ME".
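dom0's "get one good key that's part of a WoT, then go from there" is what GnuPG's classic trust model actually computes from owner trust plus certification signatures. The following is an added example, not code from the thread or from GnuPG; the key names, the web and the owner-trust assignments are constructed, and the thresholds assume GnuPG's defaults (1 full or 3 marginal signers, certification depth limit 5).

```python
"""Pure-Python model of the GnuPG 'classic' trust computation (added example,
not GnuPG's own code). Key names and the web below are constructed."""

# Owner trust: how far you trust a key's *owner* to verify other people's keys.
# This is what the "How much do you trust this key?" dialog sets; it is separate
# from validity (whether you believe the key belongs to the name on it).
UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = "unknown", "never", "marginal", "full", "ultimate"

# Constructed sample web: key -> set of keys whose certification signatures it carries.
SAMPLE_SIGNATURES = {
    "alice": {"me"},
    "bob": {"alice"},
    "carol": {"alice"},
    "dave": {"alice"},
    "eve": {"bob", "carol", "dave"},   # three marginally trusted signers
    "frank": {"bob"},                  # one marginally trusted signer only
    "mallory": {"eve"},                # eve is valid but has no owner trust
    "trent": {"ivan"},                 # ivan is not in our keyring at all
}

# Constructed owner-trust assignments; any key missing here counts as UNKNOWN.
SAMPLE_OWNERTRUST = {
    "me": ULTIMATE,
    "alice": FULL,
    "bob": MARGINAL,
    "carol": MARGINAL,
    "dave": MARGINAL,
}


def compute_validity(signatures, ownertrust, completes_needed=1,
                     marginals_needed=3, max_cert_depth=5):
    """Return {key: depth} for every key that is fully valid.

    Rules of the classic model (defaults mirror GnuPG's --completes-needed 1,
    --marginals-needed 3 and --max-cert-depth 5):
      * ultimately trusted keys are valid at depth 0;
      * a key becomes valid at depth d when it carries signatures from already
        valid keys at depth < d amounting to `completes_needed` fully/ultimately
        trusted signers or `marginals_needed` marginally trusted signers;
      * signatures from keys with NEVER or UNKNOWN owner trust never count,
        even when those keys are themselves valid.
    Keys that cannot be validated are absent from the result.
    """
    valid = {k: 0 for k, t in ownertrust.items() if t == ULTIMATE}
    for depth in range(1, max_cert_depth + 1):
        newly = {}
        for key, signers in signatures.items():
            if key in valid:
                continue
            usable = [s for s in signers if s in valid]
            fulls = sum(1 for s in usable if ownertrust.get(s, UNKNOWN) in (FULL, ULTIMATE))
            margs = sum(1 for s in usable if ownertrust.get(s, UNKNOWN) == MARGINAL)
            if fulls >= completes_needed or margs >= marginals_needed:
                newly[key] = depth
        if not newly:
            break            # fixed point reached before the depth limit
        valid.update(newly)
    return valid


def trust_path(key, signatures, ownertrust, validity):
    """Walk from an ultimately trusted root to `key` through contributing signers,
    picking the shallowest signer at each step (ties broken alphabetically).
    Returns None for keys that are not valid. This is the "web structure" view."""
    if key not in validity:
        return None
    path = [key]
    while validity[path[-1]] > 0:
        current = path[-1]
        signers = [s for s in signatures[current]
                   if s in validity and validity[s] < validity[current]
                   and ownertrust.get(s, UNKNOWN) in (MARGINAL, FULL, ULTIMATE)]
        path.append(min(signers, key=lambda s: (validity[s], s)))
    return path[::-1]


def validity_report(signatures, ownertrust):
    """One line per key in the web, in the spirit of the validity column of a key listing."""
    validity = compute_validity(signatures, ownertrust)
    lines = []
    for key in sorted(set(signatures) | set(ownertrust)):
        if key in validity:
            chain = " -> ".join(trust_path(key, signatures, ownertrust, validity))
            lines.append(f"[valid, depth {validity[key]}] {key}: {chain}")
        else:
            lines.append(f"[NOT valid] {key}")
    return lines


if __name__ == "__main__":
    for line in validity_report(SAMPLE_SIGNATURES, SAMPLE_OWNERTRUST):
        print(line)
```

Note that mallory stays invalid even though eve is valid: validity says the key belongs to eve, owner trust says whether eve's signatures vouch for anyone, and the dialog dom0 mocks sets only the latter.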

~~~
user5994461
I have to partially disagree with that.

Calling PGP an utter failure is an understatement. Just like calling a cat a
small tiger.

PGP is possibly the WORST experience in usability for any well known software
that ever lived.

This thing should be taught in courses for decades to come as how to fail a
product by 1) having no UI 2) no integrations with anything 3) zero usability
4) not even trying to give a fuck about normal users 5) in fact, not even
trying to make it possible to use for advanced users.

---

You want signed email & identities. It's simple.

Just get the national government to distribute RSA USB keys to every citizen.
Then they can use them on public government websites (taxes & jobs stuff) to
confirm people's identities, just plug in the key. Quick and simple. (And
that's not incompatible with ALSO asking for a password that was sent in a
different paper letter. 2FA-style.).

Then later, citizens can sign the emails they send to everyone with
gmail/hotmail because they'll add the feature to recognize the national USB
identity key, now that there are X millions people using it.

~~~
at612
> Just get the national government to distribute RSA USB keys to every
> citizen.

I lived in a country that did exactly that. And it was a disaster. The keys
were trivially easy to steal, even by accident (personal experience here), and
you still have the same trust problem as before, except that with a central
authority now you do not have as much control.

I have also used the electronic-signature-comes-with-your-ID-card thing, and
it was a similar disaster, with dodgy drivers and half-arsed crypto
implementations in common software. E.g., try using the same token in Firefox
and Thunderbird (or anything else) at the same time.

PGP is fine. It's just that proper security is not easy. And the same applies
in the physical world as much as in computing.

~~~
ryukafalz
> The keys were trivially easy to steal, even by accident

So distribute keys on smart cards that don't allow you to export the key. This
is what Estonia does, and - concerns about their election infosec aside - it
seems to work pretty well.

~~~
at612
> So distribute keys on smart cards that don't allow you to export the key

That's what I covered in the second paragraph. :-)

The thing is, both those implementations were a disaster from either a
technological or a security point of view. We're not even getting into whether
a central source of trust is a good idea or not (you will look at the state of
HTTPS and make up your own mind on that). So, to repeat, proper security is
hard.

------
Arathorn
The conclusions here (avoiding long-lived per-identity keys and having the
option to easily rotate and re-validate per-device keys) are very much what
we've aimed for in the end-to-end crypto for Matrix.org
([https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-en...](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last/)).

Rather than using a silo like Signal or WhatsApp, it _is_ possible to get the
flexibility of an open federated network built on an open standard, whilst
still having the lighter weight approach of trust common to E2E messaging apps
like WhatsApp. Or at least that's the hope :)

~~~
buzzybee
When I mention Matrix, a lot of people seem to pigeonhole it as a chat system
alone because Riot is such a dominating part of the application ecosystem.

It would be really great to have more code and demonstrations available;
adding Matrix was suggested for Mastodon[0] to potentially gain chat and
private messaging features that aren't part of GNUSocial, but as of right now
it's considered out of scope.

[0]
[https://github.com/Gargron/mastodon/](https://github.com/Gargron/mastodon/)

~~~
Arathorn
Hum, just found the bug at
[https://github.com/Gargron/mastodon/issues/311](https://github.com/Gargron/mastodon/issues/311)
- shame that folks there haven't grokked what Matrix is. Yes, pigeonholing it
as a chat system is kinda missing the point, but it's an easy way to kick the
tyres and prove its potential.

Once threading lands in Matrix we'll be adding in gateways for SMTP, IMAP,
NNTP, Discourse, and possibly Gnusocial etc - either written by us or from the
community. Then hopefully the bigger picture will be more obvious(!)

------
eriknstr
Good points, but also I would like to point out that
[https://www.usenix.org/system/files/1401_08-12_mickens.pdf](https://www.usenix.org/system/files/1401_08-12_mickens.pdf)
linked from the blog post was an entertaining read so for anyone that didn't
read said PDF, do.

~~~
LongTermBond007
> “But James,” you protest, “there are many best practices for choosing
> passwords!” Yes, I am aware of the “use a vivid image” technique, and if I
> lived in a sensory deprivation tank and I had never used the Internet, I
> could easily remember a password phrase like “Gigantic Martian Insect
> Party.” Unfortunately, I have used the Internet, and this means that I have
> seen, heard, and occasionally paid money for every thing that could ever be
> imagined. I have seen a video called “Gigantic Martian Insect Party,” and I
> have seen another video called “Gigantic Martian Insect Party 2: Don’t Tell
> Mom,” and I hated both videos, but this did not stop me from directing the
> sequel “Gigantic Martian Insect Party Into Darkness.”

This is hilarious, thanks for pointing this out!

~~~
acqq
I like:

"It’s like, websites are amazing BUT DON’T CLICK ON THAT LINK, and your phone
can run all of these amazing apps BUT MANY OF YOUR APPS ARE EVIL, and if you
order a Russian bride on Craigslist YOU MAY GET A CONFUSED FILIPINO MAN WHO
DOES NOT LIKE BEING SHIPPED IN A BOX. It’s not clear what else there is to do
with computers besides click on things, run applications, and fill spiritual
voids using destitute mail-ordered foreigners. If the security people are
correct, then the only provably safe activity is to stare at a horseshoe whose
integrity has been verified by a quorum of Rivest, Shamir, and Adleman."

For his claim "YOU’RE STILL GONNA BE MOSSAD’ED UPON" I still don't know how to
interpret the fact that Snowden seems to be relatively fine. Maybe that he had
the idea about the blind spots of the system in which he worked.

His opinion on PGP "web of trust":

"“Chains of Attestation” is a great name for a heavy metal band, but it is
less practical in the real, non-Ozzy-Ozbourne-based world, since I don’t just
need a chain of attestation between me and some unknown, filthy stranger— I
also need a chain of attestation for each link in that chain. This recursive
attestation eventually leads to fractals and H.P. Lovecraft-style madness."

It is an opsec problem that all the connections are then cryptographically
provable.

~~~
dom0
> For his claim "YOU’RE STILL GONNA BE MOSSAD’ED UPON" I still don't know how
> to interpret the fact that Snowden seems to be relatively fine. Maybe that
> he had the idea about the blind spots of the system in which he worked.

What reason would any agency have to un-live Snowden? Any damage he has done
was already done in HK and before; he has nothing more to reveal. It would
only turn public opinion against the agencies.

~~~
oldsj
True that it would hurt public opinion even further of the agencies if they
were to take him out - but I thought he only revealed a portion of what he
grabbed.

~~~
dom0
My understanding is that he handed everything off to the journalists.

~~~
xorxornop
Yes, for precisely the reason that he did not want to be the arbiter of what
is released. That's probably why he's still alive. It was a good decision

------
lmm
> Yeah, about that. I never ever ever successfully used the WoT to validate a
> public key.

If you ever installed a Debian package then you did. A long-term identity as
"Bob Jones" might not be terribly useful - but that's not the kind of long-
term identity we care about a lot in real life either. A long-term identity as
"Debian release manager" or "Signatory on bank account xyz" or even "Wikileaks
committee member" is a lot more important, and for those cases PGP becomes
very useful.

> Then, there's the UX problem. Easy crippling mistakes. Messy keyserver
> listings from years ago. "I can't read this email on my phone". "Or on the
> laptop, I left the keys I never use on the other machine".

These are real problems. We should fix them. But we don't need a new crypto
standard to do so! It never fails to amaze me how many people/organizations
are like "I don't have the time/money/patience to write a high-quality OpenPGP
library (or a high-quality GPG frontend), but I'm perfectly placed to create a
new cryptosystem from scratch."

> Your average adversary probably can't MitM Twitter DMs (which means you can
> use them to exchange fingerprints opportunistically, while still protecting
> your privacy). The Mossad will do Mossad things to your machine, whatever
> key you use.

This is pets vs cattle in the opposite direction. Can Mossad Mossad you
personally? Yes, if you're a big enough target, but they can't Mossad
everyone. Whereas the NSA can MitM key fingerprints exchanged via Twitter on
an industrial scale.

> Mostly I'll use Signal or WhatsApp, which offer vastly better endpoint
> security on iOS, ephemerality, and smoother key rotation.

If you're using iOS you've already given up against state-level attackers.
Anything actually encrypted (e.g. IRC with SSL) is more than adequate in that
case. Most people don't need the jump up to PGP, sure. But it's important that
the option is there for people that really do need it. It bears repeating that
we know, from their complaints in leaked emails, that the NSA can't break PGP
when used correctly. That's an extremely strong seal of approval for the most
critical use cases for encryption.

~~~
nothrabannosir
_> If you're using iOS you've already given up against state-level attackers._

Wasn't the recent apple vs FBI debacle evidence to the contrary?

~~~
deno
It ended because FBI just cracked the device anyway. How is it contrary?

~~~
nickik
Insofar as the FBI has to actually crack the device and doesn't have a
universal key of some sort. Newer versions will be (and already are) more secure.
It's not perfect because this was 'just' the FBI and 'just' the legal way, but
at least it's something.

------
module0000
PGP may have broken down for the author, but it's still used _in a lot of
places_. For example, to communicate with our bankers at work, every email has
to be properly encrypted and signed - or it goes into a blackhole. The only
way to exchange public keys (initially) is in person. Once that is done, new
keys are provided from that person, and the WoT expands.

tldr; it doesn't work for the author, but it _does_ work for lots of
individuals and even more companies with secrets to protect.

~~~
runn1ng
PGP is also used very heavily on darknet on drug marketplaces.

OTR (or even Signal) is not possible there, so people stick to good-and-tried
PGP.

~~~
TheGrumpyBrit
I think darkweb marketplaces are a slightly different use case though. The
requirements for a darkweb transaction are the ability to tell the vendor your
address so they can send you illegal goods, while hiding it from the
marketplace itself in case their servers are seized. A random PGP key with no
real name and no verification is entirely adequate for this purpose - indeed,
any kind of identity validation would probably be seen as a negative for such
a situation.

------
joveian
Summary: The author decided that being connected to long term keys does more
harm than good, partly due to the pressure to stay with potentially
compromised keys due to the difficulty of starting over. The author will
instead focus on secure IM using short term keys bootstrapped by social media
accounts.

1) As others have pointed out, I really think the author is overestimating the
effort required to compromise a twitter or other social media account. There
are many accounts of this happening, including to people like Brian Krebs who
knows he is a target and does everything possible to avoid the attacks.

2) Encrypted IM as the primary higher security communication channel seems to
be a popular option these days, mostly leaving those of us who don't like IM
to look at alternatives.

3) Briar (briarproject.org) is a promising alternative for messaging, although
not ready yet and currently only targeting android, which has its own major
security issues. Due to the focus on enabling offline, forward secure
messaging, it can be used to defeat mass (network) surveillance. It can also be
used online and addresses some of the specific concerns raised.

4) General purpose computers are both handy and necessarily have security
issues. Special purpose devices for more limited secure communication would
help with many issues.

5) Secure communication isn't much of a goal; it is more helpful to consider
specific threats. If you do something non-trivial towards a vague goal, it is
easy to find a way it doesn't meet that goal when you feel like not doing it
any more. I'm not sure what the author was trying to achieve with PGP in the
first place.

~~~
colejohnson66
Kind of off topic: I really like iMessage. Not to be an Apple fanboi, but it
really is one of those things where It Just Works(tm). Encryption shouldn't
have to be something the end user has to worry about; it should be transparent
to the user while still being as secure as possible (HTTPS and TLS are a great
example of this). For the user who cares about encryption, they don't have to
configure anything. For the user that doesn't care, they still benefit.

By baking it into the OS, Apple ensures that anyone with an iDevice benefits
from it. Compare that to having to download an app that may change depending
on possible compromises. Anyone who's tried to convince a family member to use
Signal, Telegram, etc. knows how much of a pain it is.

~~~
click170
> By baking it into the OS, Apple ensures that anyone with an iDevice benefits
> from it.

But _only_ people with iDevices benefit from it. I prefer Signal to iMessage
_because_ iMessage is iOS only, and I'm disappointed with Google for not
including an iMessage equivalent with secure messaging by default.

> Compare that to having to download an app that may change depending on
> possible compromises.

If you mean what I think you mean, using iMessage will not save you/them from
this any more than using Signal would, the only benefit to iMessage is that
it's already installed on iDevices when you buy them and has secure-messaging
enabled by default.

Which is still a step above Android currently - which has no default-installed
secure messaging app _at all_.

I'm lookin at you Google!

------
parennoob
To me, Keybase ([https://keybase.io](https://keybase.io)) seems to solve the
"PGP has a bad user experience" problem correctly for like 90% of the
population. You post proofs of your public key to known media (Twitter,
Github, your website, etc.) which you control. These can be checked by anyone.

Even if the remote person doesn't know they are talking to you (as a human
entity), they know they are talking to the _combined online persona of all
those accounts_ , which is all that matters for the vast majority of them.
Yes, it is possible for all these services to collude and post false proofs,
but that would be relatively easily detectable, and realistically not a
concern for the majority of people out there, whose alternative is to not use
_any_ encryption. People who are really concerned can always fall back to
standard PGP.

[Edit: Looks like I didn't read the article carefully enough, the author
himself says he actually does use Keybase too.]

~~~
stonemetal
The combined online persona of those accounts is only as strong as their
combined security. aka: Why would services need to collude when they can get
the job done by ineptitude?

[https://medium.com/@N/how-i-lost-my-50-000-twitter-username-...](https://medium.com/@N/how-i-lost-my-50-000-twitter-username-24eb09e026dd#.ap51boulz)

~~~
parennoob
I agree, a lot of services displayed a shocking amount of incompetence in that
post. However,

a) The more proofs you have, the harder it becomes to force them. YC for
example is one location, and is run (in my opinion) by very smart people where
it would be hard to get a compromise.

b) My point is that this is an excellent alternative to not using anything in
a way that is both friendly to people ("just make this post on [website]") and
compatible with an older, better method of privacy (PGP) that people have been
using for years.

It may not be as perfect as some of the more esoteric alternatives that people
have suggested elsewhere in the thread (I'm not sure about this, can an
incompetent phone company employee compromise some of the phone-based ones?
I've come across a lot of incompetent phone company people), but much easier
for the regular person to use.

------
devilsavocado
People who use PGP keys, can you give examples of your use? I'm genuinely
curious. Who are you contacting, or who is contacting you? The author says he
only receives 2 encrypted emails a year. Not only do I not have a PGP key, I
don't think I've ever found myself in a situation where it was even an option
to use one.

~~~
vacri
Signing .deb packages. Debian and its derivatives are core users of gpg as
it's basically a requirement to sign installation packages - if the user
doesn't have the key in their trust store, they get a big fat warning when
they try to install said package.

~~~
mnw21cam
Debian package managers comprise a surprisingly large proportion of the
strongly-connected set.

------
runn1ng
I will add what I wrote on a different thread

PGP is used very heavily on online drug marketplaces. You really can't use
Signal or WhatsApp there - leaking too much metadata - and even OTR is leaking
too much data.

PGP is quite good for this, and people use it for encoding their
communication.

------
milge
I've been thinking a lot about PGP and other encrypted messengers lately. It's
incredibly hard to get a lot of people to agree on one messaging app besides
default SMS. I wish there was an open source suite of tools for mobile/desktop
that easily layered PGP on top of SMS/email experience and would fall back in
the absence of keys. Perhaps bluetooth for swapping keys with friends. It's
something that needs to be seamless enough that the end user can't tell the
difference. I don't think messaging encryption will achieve mass adoption
until something like that is built or built into mobile OS's.

~~~
erelde
Carriers would need to change the way they handle SMS, and everything a
carrier does is subject to state regulations. And states seem to like clear
text.

~~~
milge
Why's that? I understand the message would increase in size because of the
encryption, but I think it would be technically feasible now. Didn't even
apple just introduce encryption into their messenger? My issue with apple's
encryption is it's closed source and apple only.

~~~
heartbreak
iMessage end-to-end encryption is not a recent introduction. It has been in
place for several years, though I can't find the exact iOS version it was
introduced in.

~~~
milge
Recent to me is the last few years, technology-wise. Your timeline may look
different.

~~~
heartbreak
Fair point. We are talking about a 5 year old product though...

------
simias
I have given up on the "web of trust" a long time ago for most of the reasons
the author states. I think in order to work PGP would need to reach a critical
mass of users that seems totally out of reach at the moment. Maybe if Google
or Facebook starts issuing mandatory PGP keys linked with each account or
something like that. Not sure why they'd want to do that though.

That being said there's still a lot of good and useful in PGP even if you
ignore the WoT completely. I use it to secure my passwords, log into remote
servers securely with SSH and I sign all of my emails with it, which is
probably useless 99.9% of the time but at least it can be used in retrospect
to prove that I did write those messages. I can also use it to sign git tags
so that my code can still be trusted even if there's a breach in, say, github.
I have a rather vast choice of GnuPG tokens I can purchase if I want an added
layer of convenience and (hopefully) security.

Sure, WoT is simply unusable currently unless you're communicating mostly with
hardcore PGP enthusiasts. That won't be enough to make me give up on PGP.

------
upofadown
One perfectly valid way to solve the web of trust issue with PGP is to simply
ignore the web of trust issue with PGP. Just stick your pubkey on your website
and you are done. You just understand that there is a very low chance that any
encrypted email from an unknown entity is actually from a composite entity. If
you think that you are of interest to entities that have the ability to MITM
your pubkey, you might want to mention the problem to potential unknown email
senders as a disclaimer on your web page. In practice an entity with the power
to MITM pubkeys is not going to use the facility unless they are really really
sure as they are eventually going to get caught at it.

Things like Signal and WhatsApp don't solve the web of trust issue either so
you are not any worse off by using the head in the sand approach.

------
danielweber
Years ago I worked with a guy who literally wrote a book about how to use PGP.
I asked him if he could help me set it up and he said "I don't use it, it's
too hard."

~~~
3131s
It's not too hard, at least not on Linux and for anyone with some familiarity
with the terminal. Getting started can be done like this...

Install GPG:

    sudo apt-get install gnupg

Generate a key:

    gpg --gen-key

Export your public key as ASCII text and then post it somewhere publicly:

    gpg --armor --export $your_uid > your_public_key.gpg

Import my public key:

    gpg --import my_public_key.gpg

Verify my key by viewing my fingerprint (type _fpr_ ) and confirming it with
me, then sign it (type _sign_ ):

    gpg --edit-key $my_uid

Encrypt the file message.txt and then send message.gpg to me via any medium:

    gpg --output message.gpg --encrypt --recipient $my_uid message.txt

Decrypt my response to you:

    gpg --output response.txt --decrypt response.gpg

I know that's pretty complicated for an average user, but it's not harder than
any of the day to day work that we do as programmers. I have not used GPG in
years though since my deep web adventures, so hopefully I didn't mess anything
up and prove the point that GPG is too hard!

------
makecheck
I use MacGPG to sign commits on GitHub but I have to admit that the E-mail
portion has fallen by the wayside. (The last time I really used it was to
E-mail a professor of a cryptography course for an assignment!)

While I also don’t know many people that use this for E-mail, it doesn’t help
that virtually every OS update in the last 5 years has consistently broken it,
taking sometimes months for a fix.

For those reasons, this needs to be baked into the OS to be viable. Only when
somebody like Apple can install it _by default_ , and _make sure_ it works
between updates, will it have the reliability and widespread availability that
is necessary for success.

------
keeganjw
After all that, he was only getting two encrypted emails a year! Damn. That's
crazy.

~~~
jgrahamc
This has been my experience. The only "good" experience I've had with
encrypted messages through email was a back and forth exchange I had with a
fellow Keybase user where I manually copy and pasted blocks of encrypted text
into/out of their web interface.

~~~
Nadya
From my experience - the only PGP users I've spoken to were all on Keybase or
interested in a Keybase invite. It was about 6 people for the entirety of last
year - and 3 people this year...it certainly has a problem of "almost nobody
uses it" but Keybase seems to have eased things slightly - or at least made it
easier to discover people who also use PGP.

I see the two problems being "People don't bother with the clunkiness of using
PGP when sending an email about what to pick up from the store" and "most
users have no reason to talk to most other users".

I'm considering making it a point to message people with interesting Keybase
avatars or social profiles tied to their Keybase if only to have an excuse to
use PGP more, as silly as that might sound.

~~~
nickik
Keybase has clearly moved away from PGP. They want to use Saltpack whenever
possible, NaCl based encryption. They want to solve the problem of multiple
devices and not having to share the private key between all of them.

As far as I know they are working on a messaging app as well.

~~~
stinkytaco
I admit my ignorance of saltpack and keybase's implementation of it, but don't
they propose storing the key for you? That seems to create a trust issue,
which is precisely what the author is complaining people don't pay attention
to, trust.

On the other hand, perhaps the argument for this would be a "trusted 3rd
party" model (a la S/MIME).

~~~
nickik
Well, you can have your GPG Private Key online if you like, but that's not my
point. The new system moves away from having any sort of master key.

Rather every device has a new key, and they all sign each other. You can add
new devices without old proofs being invalidated.

See: [https://keybase.io/blog/keybase-new-key-model](https://keybase.io/blog/keybase-new-key-model) and
[https://saltpack.org/](https://saltpack.org/)

I would really like a solution using this stuff that is highly integrated with
my mail client.

~~~
stinkytaco
That's an interesting solution. Rather than having keybase keep your key, your
devices are communicating directly to validate each other? I'm going to have
to review this in more detail, thanks.

~~~
nickik
Currently you have to use a paper key to do it. You then upload a public proof
chain. It's not where it should be yet, but the concept is pretty good.

------
rbcgerard
Usability is the "key" - it's hard enough to get people to use signal ("why
do I need another messaging app?")

~~~
erelde
If they don't have Signal you could get them to either use Whatsapp, or only
use the encrypted conversation feature of Facebook's Messenger.

They should have one or the other already installed if they're complaining
about "another messaging app".

~~~
ReverseCold
This works fine until you get someone who only uses iMessage, and you use
Android.

~~~
floatrock
Exactly what finally convinced me to add whatsapp.

------
orblivion
How is the author so seriously involved in PGP and only receive two encrypted
emails a year? I'm basically just a dude who uses PGP because it's cool and I
get tens of them. You just need one friend who also thinks it's cool.

~~~
andrey_utkin
Even Zimmermann, PGP author, has given up as this journal says
[https://www.scmagazine.com/phil-zimmermann-doesnt-encrypt-em...](https://www.scmagazine.com/phil-zimmermann-doesnt-encrypt-emails/article/532484/)

~~~
Nadya
A rather large misrepresentation of what was actually said.

 _> Zimmermann later clarified in a Motherboard article that PGP, acquired by
Symantec in 2010, isn't compatible with his MacBook, and the technology never
worked with any iOS device._

------
mixedCase
Dark Mail seems to be dead. Are there any efforts to make e-mail secure by
default and e2e encrypted?

~~~
kkl
Most interesting e2e projects have abandoned email, specifically SMTP, as a
secure messaging platform. I would look outside SMTP-based solutions if I were
to start using a different project (assuming doing so is an option... I hope
it is!).

My recommendation here is Signal:
[https://whispersystems.org/](https://whispersystems.org/)

~~~
NoGravitas
Signal is nice, and I use it. But it's an instant messaging system. Email has
different use cases.

I think what we're going to need is a new, non-SMTP protocol, which preserves
all of the good things about email, while providing e2e encryption and
(pseudonymous) identity assurance. I don't know enough to be involved in
designing that protocol, though, other than saying what I want to see as an
end-user.

~~~
kkl
What properties does email have that asynchronous messaging services (e.g.
Signal) do not?

~~~
ThatGeoGuy
Cross-platform (Chrome web-apps don't count), Federated, Distributed, to name
a few. The reason email is so entrenched is probably because of these reasons
entirely. Being able to send a message from any provider to any provider
certainly helped spread adoption easily.

------
andrey_utkin
> I never ever ever successfully used the WoT to validate a public key.

TOFU, anyone?

From: Werner Koch wk at gnupg.org

Date: Fri Dec 4 14:06:49 CET 2015

Subject: [Announce] GnuPG 2.1.10 released

Hello!

The GnuPG team is pleased to announce the availability of a new release of
GnuPG modern: Version 2.1.10. The main features of this release are support
for TOFU (Trust-On-First-Use) and anonymous key retrieval via Tor.

...

------
koevet
"Yubikeys would get exposed to hotel rooms."

Can someone please elaborate on this?

~~~
kardos
I took that to mean he left it in a hotel room while going somewhere, exposing
it to any number of maids, possibly including those of a malevolent nature.

~~~
koevet
As far as I understand, it is not possible to extract a private key from a
Yubikey [1]

[1] [https://www.yubico.com/2012/12/yubikey-neo-openpgp/](https://www.yubico.com/2012/12/yubikey-neo-openpgp/)

------
CalChris
I think his security threat model was _nation state_ when he really needed
_APT_, annoyingly persistent teenager. There are elements of what he did that
I'd do if they were automated. But if the NSA, Mossad, Hacking Team want to
get me, they're going to get me. And it would only be vanity to say they are
even thinking of me.

So this is the perfect being the enemy of the good. I need good privacy and
good security. I'm not going to torture myself for perfect privacy and perfect
security. Cut to the last scene of _The Conversation_ where Gene Hackman's
character tears apart his office ripping down the walls to find the bug and
the eavesdropper taunts him. Who is torturing whom?

------
Drdrdrq
Yeah. A friend of mine said it best: "if there is a conflict between
convenience and security/privacy/anything else, convenience always wins." PGP
didn't stand a chance.

------
kzrdude
gpg is promoted as a kind of swiss army knife of privacy, but its interface
always puts email first. If you use it for something else, you must paranoidly
guard every command so that it doesn't by mistake publish information about
your privately used keys, for example.

~~~
lmm
Very true. A high-quality library (that was actually built as a library) for
OpenPGP would be a very valuable thing to have.

------
fbis251
Who here is using keybase to manage your public key being distributed? It
seems like a great idea since your key is tied to your online identity

~~~
elahd
Keybase is great for managing my keys, but I haven't found any services that
make it easy to natively use them. They've sat unused for the ~2 years I've
had a Keybase account.

That said, I have about 25 invitations. Anyone want one?

Edit: Not true. I used my keys once to sign a GitHub release for a novelty
project nobody uses.

------
blunte
The #1 problem, beyond the usability issues, is that most users still just do
not care. They are willfully ignorant (a mentality which is actively
celebrated these days in some influential countries), and cannot be convinced
of the value of privacy or security.

I have tried without much success to get people to move to ProtonMail. I have
tried without much success to get people to move to Wire messenger. (And
incidentally, the author mentions Signal and WhatsApp... I wonder why he
doesn't use Wire?)

So without consumers who care, the only audience for PGP and other security
focused tools are the geeks who too easily tolerate bad interfaces.

------
zitterbewegung
Me too. The reason I gave up on PGP is I couldn't find anyone that would
willingly use the service through email. With Signal I can find people that
use it.

------
esseti
I've been using PGP for mostly 1 year and yes, I agree. I still send around
signed email, but never received one encrypted so far. Generating keys and
backing them up is tricky and I have probably made a mistake in generating or
storing them at some point in time. Is there a step-by-step good-practice on
how to use PGP?

------
stefek99
I gave up 3 years ago: [http://blog.mostlydoing.com/2014/03/how-to-securely-store-private-keys.html](http://blog.mostlydoing.com/2014/03/how-to-securely-store-private-keys.html) (I don't trust myself to securely store my private keys)

------
qrbLPHiKpiux
9/10 end users just don't understand that security and convenience are
inversely related.

~~~
epistasis
Systems like Signal and WhatsApp show that that's not necessarily true to the
degree of previous solutions.

~~~
orblivion
I think that the analysis is a little more involved than that. Roughly, I'd
say that at any given point you can make "trivial" tradeoffs between security
and convenience. However there can be some groundbreaking advances in one that
don't cost you on the other. And then at that point you may be able to do a
"trivial" rebalance if you'd like.

------
nickik
I feel the pain as well. I'm not ready to make the same jump however.

I really do support Keybase, there I see the potential to solve many of the
issues. I would love some better integration into the E-Mail ecosystem, but
sadly it's not there yet, and it's not their focus.

------
technion
My ongoing concern is around where reasonable alternatives fit in.

- Securedrop, where users upload messages and they are automatically
encrypted

- Darknet services

- Businesses where users communicate via desktops.

Signal/ etc works in a different space and doesn't provide an alternative to
these.

------
m3ta
There isn't a lot to unpack in this article. Most is set-up; explaining how
connected he is to a community that is enthusiastic about PGP yet doesn't
apply secure operations in practice.

Then there is the main complaint:

> I haven't done a formal study, but I'm almost positive that everyone that
> used PGP to contact me has or would have done (if asked) one of the
> following:

> - pulled the best-looking key from a keyserver, most likely not even over
> TLS

> - used a different key if replied with "this is my new key"

> - resent the email unencrypted if provided an excuse like "I'm traveling"

I haven't done a formal study either, but no one I know that uses PGP would do
any of these things under any circumstances. PGP works fine for myself and the
group of people I know that use it, because we adhere to security protocols
that are just as important -- if not more -- than using PGP itself.

~~~
FiloSottile
That is definitely not my main complaint, and I suspect it might have caught
your eye because it's the one that wouldn't apply to you (which is absolutely
possible).

The article is about the flaws of long-term identity keys, and it would stand
even if there weren't UX, adoption, or security protocols adherence issues.

Maybe try to unpack a bit more :)

~~~
m3ta
You're right, long-term identity keys are bad. Long-term identity keys are not
a concept mandated by PGP, they are a result of how people use PGP or how PGP
is implemented in a third party app.

No part of PGP requires you to use a key more than once. This phenomenon is a
result of a consensus of people deciding on a terrible operations strategy
over a long period of time.

Edit: this comes to mind
[https://gist.github.com/grugq/03167bed45e774551155](https://gist.github.com/grugq/03167bed45e774551155)

~~~
FiloSottile
Agreed, I link to that Gist exactly in the "Moving Forward" section ;)

~~~
m3ta
I must have missed that.

I don't understand what the point of your blog post is, in this case. You
understand why PGP is needed and how it's important, how to use it correctly,
etc, yet you "give up" on it because no one you know uses it correctly.

Is that it?

By the way, how are you going to send someone a 5GB file securely using
Signal?

~~~
anc84
Encrypted in any way, hosted anywhere safe, sending the passphrase via Signal,
done.

------
theszak
What experiences have folks had with ZixMail [https://www.zixcorp.com/why-zix/email-encryption](https://www.zixcorp.com/why-zix/email-encryption)?

------
ergot
"One click encryption is one click too many" - Bruce Schneier

------
ritonlajoie
On a related thought, using a 'secure' (or so they say ?) email provider à la
protonmail is just secure if you send your email to another protonmail user.

Problem with services like that is they omit to tell their users that email is
not E2E, and sending from protonmail to gmail will just disable the benefits
of using protonmail.

So yes, if you are trying to send encrypted email to a GMAIL user, your only
way is to use GPG. Or to get them onboard of protonmail and the likes. It's...
impossible.

~~~
j-conn
When sending to a non-protonmail account, you have the option to encrypt the
message contents -- the recipient has to open a link and enter the password. I
think decryption is done in the browser in that case too (not 100% sure tho)

~~~
pfooti
That is correct. The recipient can reply from that webpage as well, however
you can't have a conversation there (your replies to their replies don't show
up in that page, they have to get new URLs in their email).

------
a3_nm
The proposed solution is to use Twitter to use Signal or Whatsapp. This forces
your correspondents to use one of these centralized services, and also to run
proprietary software to be able to use them.

I'm also irritated by GPG and OpenPGP's shortcomings, but it still gives
people a way to contact you with reasonable security and without having to use
specific proprietary services.

------
cestith
There was not a single mention of CA-signed S/MIME certificates. That seems
quite an oversight.

------
cdevs
Never heard of yubikeys, pretty cool. Thanks.

------
pfooti
So, to distinguish, there's web-of-trust things and general pgp/gpg encryption
(and signing) UX. Both of these are pretty abysmal for non-technical users.

I don't think "muggle" users would be interested in the web of trust at all,
and I doubt they can really handle it all that well. But I'm a pretty
technical person (MS in Computer Science, PhD in a different field), and well:

[http://keyserver.ubuntu.com/pks/lookup?op=vindex&search=eric...](http://keyserver.ubuntu.com/pks/lookup?op=vindex&search=eric+eslinger&fingerprint=on)

I don't think the web of trust really matters - would you look at that and say,
"hey, this Eric fellow has a 2004 key for his gmail, and an unrelated 2016
one, I'd better not trust him." Doubtful.

Honestly, in today's internet (I know, dangerously political...) I think there
should be a stronger move toward broad-spectrum encryption of all emails. I
actually generate trust with most of my email correspondents independently,
but I sure would like to encrypt my communication. Signal is good for shorter
messages, but email is still email.

It isn't like I have state secrets in my email, but I _do_ have stuff I don't
want random government snoops reading, especially if they're bulk-collecting.
Furthermore, I think it's important for more people (even people who don't
need it) to encrypt their correspondence, so we can provide cover for people
who really do need it. Journalists and dissidents won't stand out as much if
everybody is encrypting.

To that end, I think pgp / gpg is still pretty cruddy for UX. There are decent
solutions for each platform, but nothing really _good_, and my friends /
family aren't likely to use a mail client or webmail that's not at least
almost as good as gmail/inbox just because I am worried about privacy.

I've recently moved to protonmail for most mail, since it has a very slick
user experience and I want to know it well enough to be able to recommend it
to other people. However, protonmail doesn't let me have my private key (or
its analogue - I'm not 100% sure how things really work, but I have a public
key that I can give to other people, and those other people can send me
encrypted stuff from off-platform. I just can't reply in the same fashion).
That means if I lose my protonmail account, whoops, I can't read the emails you
sent me encrypted to my @protonmail.com account, even if I get the emails.
This is more of A Thing now that you can set up protonmail as your MX, and
therefore get emails addressed to domains you control on the platform - if I
ever swapped my personal domain around, I'd like to have the key.

So, for end-to-end encrypted simple messages, signal is great. I just wish
protonmail did interop, and then I'd really recommend it to other people.

------
mtgx
I guess this is a good opportunity to review Matthew Green and Moxie's posts
on PGP, too:

[https://blog.cryptographyengineering.com/2014/08/13/whats-matter-with-pgp/](https://blog.cryptographyengineering.com/2014/08/13/whats-matter-with-pgp/)

[https://moxie.org/blog/gpg-and-me/](https://moxie.org/blog/gpg-and-me/)

~~~
sgarman
I really like what moxie wrote here. There is a big difference between the best
thing and the thing that can actually exist in the real world right now.

------
khana
The 'deficiency' of PGP lies in the leaky nature of the computer itself. How do
you maintain your all important private keys? On disk? In memory? USB? All are
leaky from the get go. And this, I posit, is the problem gents.

------
torrent-of-ions
Why is WhatsApp trusted? Isn't it proprietary and controlled by Zuckerberg?
What am I missing here?

------
zobzu
it is mainly the tools that are blamed even in this post.

nobody wants to make a better sks keyserver or gpg cli. why? because you don't
get no fame or money from it.

Filippo, show me your gpg commits.

------
gkya
What's this? But seriously what is this? I use GnuPG and am quite fond of it.
I've a pubkey.asc up on my website, and I use gpg to encrypt some files and my
backup tarballs. PGP is not a mail tool, it's for encrypting strings. This guy
does not know what it is and cries for having done much ado for nothing. Key
signing parties? I certainly have better things to do. Just generate a key and
put it on the MIT key server, call it done.

And he complains he doesn't get encrypted mail. So what, I'd rather be happy.
It'll be useful when it'll be w/ email, and has many other uses otherwise.

~~~
camiller
He clearly knows what it is. He isn't ranting against PGP he is ranting
against the WoT. If you got an encrypted email from Linus Torvalds, how would
you verify it was him?

[https://news.ycombinator.com/item?id=12296974](https://news.ycombinator.com/item?id=12296974)

~~~
gkya
I wouldn't. If I'm going to get an encrypted mail from someone, I've already
verified the sender.

