
Ask HN: Why are we still not encrypting email? - luxpir
Was it enough for the webmail providers to claim outrage and encrypt internally then act as if we're all safe now, if only we use their service?

If they cared about privacy they'd be helping users to encrypt all email to any recipient.

If we cared about privacy we'd be helping the world to encrypt simply, via an open protocol that was actually usable. The EFF's efforts to push GPG/PGP are falling on deaf ears.

Would it be possible to change the protocols themselves to force TLS and potentially inline GPG functionality?

Let's keep talking and thinking about this. It's quite important, no?
======
viraptor
I think the webmail (gmail / msn / yahoo) made email encryption so much harder
than it was when everyone used their own email clients. You need to install an
extension which will talk to your gpg and pray that formatting / line wrapping
doesn't break the content. It's even harder with signing only. (encryption
will at least result in consistent/short lines) Even in outlook you can simply
import your pkcs12 and click sign/encrypt and it's done.

On the other hand, keybase did something nobody else managed before. A number
of my friends who never used encryption before actually have their own gpg
keys. They may not be using them yet, but the keys are there (and probably in
their system keychains) - that's a great first step.

What I think would really push things forwards at this point is an official
google extension for chrome/ff/ie which allows gmail to talk to local gpg for
signature/encryption. No messing around with textboxes - have it interact with
the content as gmail sees it. Of course it would have to be opensource so
people can verify it doesn't change the contents... And it should never touch
the actual keys.

------
zer00eyz
Simply put, folks are lazy and do NOT care.

When 1/2 of your life is already on Facebook, email privacy doesn't seem like
such a big deal.

Lastly, encrypt simply and GPG/PGP cannot be used in the same sentence. If we
want encryption to be universal, it needs to be built into the system from the
ground up, and transparent for the end user.

If I want to be "secure" email isn't really a system I'm going to be using
anyway. Maybe as a delivery mechanism for an already encrypted file, and even then
that use case is marginal.

------
pjc50
Forcing TLS makes almost no difference as the mail is unencrypted at rest.
It's also totally impossible to have private mail on a webmail service, since
in order to operate it provides you with the mail, the keys, and the code that
handles it.

PGP usability is poor, but S/MIME also exists (and is nicer in some respects)
and hardly anyone uses that either. The real problem is key distribution.
keybase.io have improved this slightly but not much.

Most people also prioritise ease of use and ability to read their mail in
varied situations over mail privacy.

~~~
viraptor
Lots of corporate outlook/exchange deployments use S/MIME. Unfortunately users
are not aware of that.

Also S/MIME is included in gpg (gpgsm specifically), but barely anyone knows
about that :(

------
mike-cardwell
Public crypto should be a core service provided by the OS. Applications should
be able to use that core service without having direct access to the keys. The
OS on each of your devices should handle synchronising your keys between
themselves, and should provide a simple facility for key material backups.

If we had this, I'm sure a lot more applications would have support for things
like PGP. Because all they would need to do is interface with an API provided
by the OS. If I had a tonne of money, I'd quit my job, hire a bunch of
developers and work on this full time.

~~~
luxpir
Can we get this guy a tonne of money, please?

Seriously. That's actually a new concept to me and makes a lot of sense. Would
people trust an Apple/MS implementation fully? I'm not convinced, but
something cross-platform that handles all the heavy lifting per machine-
account would make a massive difference.

It might not solve the issue of webmail encryption on its own though, which
would seem to require either a culture shift or an enforced upgrade.

------
conorgil145
I work for Virtru ([https://www.virtru.com](https://www.virtru.com)) and we
aim to make sending encrypted email from your existing email address as simple
as possible. For example, send encrypted email to any recipient (even if they
do not use Virtru) directly from your existing Gmail account in Chrome.

There have been a lot of competitors entering this space in the last few
years, but getting people to change their behavior is incredibly difficult.
Businesses which have a regulatory or compliance reason to use encrypted email
are looking for products and solutions, but I have not seen the individual
customer make a large effort to change their email habits.

I'd love to hear any feedback you might have if you give Virtru a try!

------
WorldMaker
I also think that the problem has always been key distribution and trust.
Explaining such things to the average person is a fun exercise in frustration
and sounds to that person like way too much effort. Classic PGP "Web of Trust"
really is a lot of work, and while the Certificate Authority system is easier
to explain, no one wants to pay an annual subscription to some CA to send
secure emails... and then how are you going to distribute those CA signed
certificates?

I really hope that with the big funding push, maybe Keybase.io helps circle
this square and simplifies key distribution and trust enough that more average
users will feel it to be approachable. I'm not sure that they can, though.

------
cweagans
Why is GPG/PGP still a pain in the ass to use? Perhaps not for people reading
on HN, but my grandma doesn't even know what "encryption" means, much less how
to use it. If you want to increase its reach, you have to make it easy and on
by default in a way that doesn't interfere with normal users (much like how a
lot of websites are redirecting to HTTPS, now: it just works and the user
doesn't have to do anything).

------
mtmail
In Germany two of the largest email services (30m users) started introducing
encryption based on PGP.

[https://www.mailvelope.com/en/blog/gmx-and-web-de-launch-pgp](https://www.mailvelope.com/en/blog/gmx-and-web-de-launch-pgp)

------
sjs382
I'm working on a project/business that makes it easier to give your users an
easy way to contact you using PGP-encrypted email/messages.

If you like, send me an email, and I'll keep you updated. A launch is
imminent.

------
mr_O
I stumbled over an interesting cross-platform approach that even has been
audited: [https://whiteout.io](https://whiteout.io)

What do you think about it?

------
mr_O
I use GPG/PGP sometimes and Telegram-Messenger often and cut all connections
(Facebook, private Gmail, Whatsapp).

It seems that this is very unpopular because many ppl just don't care about
"this NSA crap" and think of me like "tinfoil hat" when I tell them something
about security.

I really would like to teach some lessons so they know what this is all about
but therefore you have to break the law in Germany... They are going on being
lazy and just use "what everyone does", I'm disappointed by humanity
sometimes.

~~~
Noctem
Perhaps I've misunderstood, but are you saying it's against the law to teach
people about encryption in Germany? If so, what law is that?

My understanding was that "with its strict privacy laws, Germany is the refuge
of choice for those hounded by the security services."
[http://www.theguardian.com/world/2014/nov/09/berlins-digital...](http://www.theguardian.com/world/2014/nov/09/berlins-digital-exiles-tech-activists-escape-nsa)

~~~
Nadya
I think they were talking about a demonstration of "why they should care".

e.g.: perform a MITM attack on someone to show them why they should care

Doing so breaks the law in many places, I imagine Germany included.

~~~
mr_O
Exactly! PPL don't care for encryption before I hack their WA/FB
communications or show them the content of their "personal documents"
folder... This makes an approach to teach them such important stuff much more
difficult because it's rather theoretical.

A real attacker wouldn't demonstrate that but just use the material he gains
to make money in any way or destroy the lives/careers of the people.

The law is called "Hackerparagraph"
([https://de.wikipedia.org/wiki/Vorbereiten_des_Ausspähens_und...](https://de.wikipedia.org/wiki/Vorbereiten_des_Ausspähens_und_Abfangens_von_Daten))

------
a_lifters_life
This is similar to: why don't companies better protect their applications?
Comes down to primarily laziness.

