
PGP habits could be better - stargrave
https://wowana.me/blog/my-and-your-pgp-habits-could-be-better.xht
======
tptacek
What I'm really seeing here is a person documenting a whole lot of
performative stuff they do --- grooming their keys, fastidiously using
4096-bit RSA (whatever breaks 2048 bit RSA is going to end RSA, by the way),
signing other people's keys, creating lots of separate PGP keys and grooming
the metadata on them, publishing a "proper canary" \--- or wish they were
doing.

Which is a big problem with PGP. All the ceremony repels normal users, makes
the system far harder to use, but also tightly binds enthusiasts to its
subculture, making it that much harder to improve.

~~~
sthatipamala
PGP seems like a leaky abstraction. I am highly technical and my eyes glaze
over when I see terms like elliptic curve.

What should I use if want to send dead simple, foolproof encrypted email?
(Foolproof in that I can trust that updating the program will patch
vulnerabilities and incorporate the state of the art methods)

~~~
tptacek
You can't send a foolproof encrypted email. Email is insecure and always will
be. The idea that PGP could make it secure was always a fantasy. Efail should
have been the final nail in the coffin. If you want to talk to other people
securely, use a secure messenger; secure messenger cryptography is its own
distinct subfield of cryptography research, and real secure messengers have
cryptography purposely designed for it. It involves elliptic curves, but you
don't have to think about that.

Signal is the best of the lot, but Wire, or anything else that uses Signal
Protocol is fine.

~~~
johnisgood
> Signal uses standard cellular mobile numbers as identifiers

This is a big no. Even Wire uses metadata but only requires an e-mail account.
I would like to see Ricochet ([https://ricochet.im/](https://ricochet.im/))
picked up by someone. Tor hidden services have been improved with added
features which Ricochet does not utilize. I skimmed through the codebase and I
came across some issues, heck, even the design is a bit obsolete as we have
better algorithms with better parameters. Regardless, the idea is great and
this is definitely doable, even by modifying Ricochet's codebase.

There is Cwtch ([https://cwtch.im/](https://cwtch.im/)) that extends Ricochet
to support multi-party messaging. I did not dig deep into it, but it may use
the same algorithms. Additionally, it uses a language with a GC.

I think a Ricochet-like IM software written in Ada/SPARK using libsparkcrypto
([https://github.com/Componolit/libsparkcrypto](https://github.com/Componolit/libsparkcrypto))
would be ideal.

~~~
dngray
> _Signal uses standard cellular mobile numbers as identifiers_

Exactly and what's to say I want some random guy on the internet being able to
call my phone.

Keep in mind tptacek quite literally pastes replies gushing about Signal/Wire
in any thread related to PGP or instant messaging. They even paste it in
threads which mention PGP but talk about other issues such as file encryption,
signing etc, ie the uses not covered by an instant messaging platform. I have
come to just skimming over anything they say because of it. Come on, put a bit
of effort into your reply.

> _Wire uses metadata but only requires an e-mail account._

It also doesn't offer federation. At this point I think Matrix is the best
hope if you're okay with minimal metadata. It is also making huge strides of
progress if you keep up to date with their development, so that's exciting.
[https://matrix.org/blog/posts](https://matrix.org/blog/posts)

> _There is Cwtch ([https://cwtch.im/](https://cwtch.im/)) that extends
> Ricochet to support multi-party messaging. I did not dig deep into it, but
> it may use the same algorithms. Additionally, it uses a language with a GC._

I have high hopes for Cwtch. It seems to be a common thing people don't want
to address: metadata. That said you can have a fairly meta-dataless experience
with Matrix if you run a server and don't federate.

Ideally I'd like to see this get solved [https://github.com/vector-im/riot-
web/issues/2320#issuecomme...](https://github.com/vector-im/riot-
web/issues/2320#issuecomment-485227466)

~~~
mikekchar
To be completely fair tptacek is a recognised security expert. Yes, he likes
Signal. Apparently like you, I disagree (their refusal to implement non-
personally identifying information as an identity is enough for me). However,
I'm not a recognised security expert (and just between you and me, I'm not
actually a security expert... or even more than mildly competent... maybe not
even that... ;-) ).

He's got his opinions and he states them pretty clearly. I don't think that's
a crime. I've discussed his opinions with him in threads before and I can't
see anywhere where he's obviously wrong. When I've asked him directly about
the identifiers, he's declined to answer -- which makes me think that he
probably agrees but thinks that the other issues are more important than that.
I could be wrong, but that's my impression.

~~~
pvg
_he 's declined to answer -- which makes me think_

You don't have to, it's easy to pull the plentiful relevant hadith:

[https://hn.algolia.com/?query=author:tptacek%20signal%20phon...](https://hn.algolia.com/?query=author:tptacek%20signal%20phone%20number&sort=byDate&dateRange=all&type=comment&storyText=false&prefix&page=0)

~~~
mikekchar
Cool. Thank you. It seems that my assumption was correct :-)

~~~
pvg
About the phone numbers? Not really how I read it. But that's just me - my
impression from reading endless secure messenger HN threads is that both
'phone numbers' and 'federation' are ideological sideshows that have very
little to do with the actual security and privacy properties of secure
messengers.

~~~
mikekchar
I can only give you my feeling. There are 2 issues. One is security of the
message itself. Can someone other than the key holder read the message? Do you
have forward security (i.e. if I expose earlier messages do new messages
become readable as well)? Is any of the meta data exposed? Can a third person
collect information about the message apart from the message itself? Generally
Signal looks good as far as I can tell from those perspectives.

Where it runs into problem is with authentication and protecting users from
third parties collecting information about which people are exchanging
information with each other. Signal makes the assumption that you don't mind
that the person you are communicating with knows who you are. This makes it
unacceptable for certain dissidents. The key you use to identify yourself
allows the government (or almost anyone, really) to find out your name and
your address.

All people in a conversation know who all the people participating in the
conversation are. So even if the target of your conversation doesn't mind
being identified, you may have third parties who make introductions. Those
third parties _must_ be identified with Signal. This allows a potential
attacker to build up profiles of who is associating with whom.

At one point Moxie was discussing the idea of a protocol which would allow
parties to introduce one another without having to reveal their identities. As
far as I know this hasn't been implemented yet (but I haven't been keeping
track of development). Additionally, as far as I can tell, _Signal_ can
potentially know which people are talking to which other people. Now, in the
source code for their server, it doesn't, but there is actually no way to know
that they are _really_ using that source code in production unmodified. The
lack of federation means that there is no way to mitigate this risk (To be
fair, I completely understand their point on federation, but again I find it
disingenuous that all discussion of federation is thrown out of the window as
being too difficult to implement -- without any acknowledgement that we still
have a problem that we need to address!)

I don't think any of these issues are in dispute. The answer is simply: Signal
does not intend to solve these problems. Their goal is to provide end to end
encryption in the context of how you would use SMS. If that doesn't fit your
purposes, then Signal will not work for you.

I honestly feel that people are being a bit disingenuous. There are plenty of
situations where email is a great medium for exchanging information. To say
that "Email can not be secured" and that you should go to a messaging format
is not exactly telling the whole story. There are applications where email can
be secured "enough". There are applications where SMS messaging can be secured
"enough". There are applications where neither is good enough. And yet, the
argument against email is taken to the nth degree (the fact that you can take
the contents of an encrypted email and send it unencrypted is purportedly a
serious security flaw, while the fact that I can take the contents of Signal
message and do the same thing is apparently not).

However, like I said, I don't think tptacek is _trying_ to be disingenuous. He
honestly _does_ like Signal and it honestly _does_ improve security in the
average case. He doesn't care that it doesn't do the things that it doesn't do
because he thinks those things are less important. It's fair. He's an expert
and certainly his opinions reasonably carry a lot of weight. You don't have to
unthinkingly accept those opinions, though.

~~~
dngray
and yes.. I agree with nearly everything you said in your post mikekchar.

The one thing I would keep in mind is elevating a person's opinion because: "
_recognized security expert_ ".

Their comments should be taken at face value and not given any extra special
value because of " _who they come from_ ".

I purposely leave my background, education and employment out of my comments
for that reason. I would not want my opinions to be judged more highly because
of where I work.

> _He doesn 't care that it doesn't do the things that it doesn't do because
> he thinks those things are less important._

Just because he doesn't care doesn't make them any less of an issue.

On that note Matrix also offers a similar method with the phone number (it's
optional to use a phone number) and if you do use it, the identity server can
link you with other people that use it.
[https://matrix.org/docs/projects/other/sydent](https://matrix.org/docs/projects/other/sydent)
(that's also optional, you can run a matrix server without it).

Ideally the best usage would be to have two accounts, an account with your
phone number you use with people that know you, (family, work etc) and one you
use for random people on the internet that does not.

Signal laid a lot of the ground work with
[https://en.wikipedia.org/wiki/Double_Ratchet_Algorithm](https://en.wikipedia.org/wiki/Double_Ratchet_Algorithm)
hopefully now Matrix can take it to the next level (next generation), like
email.

Their cross-signing stuff looks to be particularly interesting.
[https://github.com/matrix-org/synapse/issues/4110](https://github.com/matrix-
org/synapse/issues/4110)

------
qrbLPHiKpiux
PGP is dying a horrific death with the mass electronic and internet user.

Since 1992, I’ve been in this game. It will never catch on.

~~~
ryeights
That which never lived cannot die

------
johnisgood
So what does it criticize exactly? PGP, OpenPGP, GPG, or...?

------
billpg
Using-pink-in-moderation habits could be better.

