Hacker News new | past | comments | ask | show | jobs | submit login
Stop Using Encrypted Email (latacora.micro.blog)
475 points by lvh on Feb 19, 2020 | hide | past | favorite | 547 comments



Hey 'tptacek and 'lvh. You definitely make valid points. But your arguments here on HN could perhaps be reduced if you adequately framed the problem:

RFC 822/2822/5322 e-mail, on top of RFC 5321 SMTP and RFC 3501 IMAP, can't be secure. (And more RFCs I'm probably forgetting).

To most people in the target audience (LARPers, technologist, and others), "email" isn't necessarily that. It's whatever Google/Outlook/... does for them. It isn't a concete set of protocols. But a _type_ of messaging. A particular set of ergonomics.

When framing it from that perspective, people (programmers?) will go "well duh". Then we can move on from the unproductive discussion about semantics and move on to defining new standards, clarifying threat models, and building a real replacement people and companies will adopt. It'll take a lot of coordination and cooperation that can't happen until we've convinced enough people what the real problem is. And as long as we're using vague, subjective terms like "email", I don't think we can.


Nobody is going to adopt a new email standard that lacks the problems SMTP has. People will instead build new secure messengers that come closer and closer to the ergonomics of email, and that's what people who see a future for "secure email" should be looking towards, not some doomed effort to get the Internet to migrate to a new email protocol.


Hmmm perhaps. But while we keep calling "email" the problem, we limit ourselves to creating "not-email". That's an admittedly large box, but when $politician and $businessperson is still addicted to "email" and asks for it by name, you can argue as much as you want, but not get 100% traction. It is a people problem. A naming problem. A publicity problem.

IMO, better to leave "email" open as a generic term, with the hopes that one of these new messengers (hopefully, Signal) can eventually be standardized and opened to other implementations for adoption inside $bigcorp.

But what do I know?


I don't know what you know, but I can say that Signal and Signal Protocol have protected so many more messages than PGP that, by comparison and to a rough first approximation, we could say that PGP has protected effectively no messages. Signal isn't even the most popular messenger with end-to-end encryption, and its uptake so far outstrips that of PGP email that the two aren't even comparable.

So appeals to the email userbase aren't especially interesting to me. My concern is that nerds are continuously trying to convince normal people that they should be encrypting email. That's dangerous, and wrong.


Then say that.

Look, your article reads as a general attack on (encrypted) email. Independent of how it is implemented. You mention "PGP" 7 times: 5 times buried in the last paragraph of the intro, 1 time in a random paragraph on key rotation, and 1 time at the very end, as if your entire post was about PGP specifically. Hell, your title doesn't even mention PGP.

You mention "identity" 3 times, "metadata" 5 times, "keys" and "plaintext" 9 times each, "user" 11 times, "messages" 23 times, and the substring "encrypt" a whopping 41 times. IMO that "plaintext" and "PGP" are roughly equal in usage--and that "encrypt" dominates that!--says something far stronger. Here you're here saying "this post is about no PGP" and I'm saying "but you wrote no (encrypted) email".

I'm in agreement about PGP. I'd even go a step further and say you could say any encryption scheme on top of or underneath email would be weak. (Filippo's age? Jason's wireguare? $unicorn? etc.)

Why? Because of the concerns you enumerated in the post that are fundamental to the way the above RFCs work.

---

Think of the numbers and relative scales. x < 0.0001% of email users encrypt using PGP. and LARP. Fine. Attack those users in your blog posts and comments. But y >>> x of emails users play some part in replacing email in the grand scheme of things, with a more secure alternatives.

The expected impact of writing a blog post and convincing ~nobody to quit using PGP is much, much smaller than writing a block post and convincing someone to start consider building, investing in, or supporting others to build that replacement.

And IMO, you're 99% of the way to the latter, and 80% of the way to the former.


I can't say this any better than the article already does. If we replaced PGP with Age (a cryptosystem I like), email would still not be safe --- for all the reasons the article gives. This is not simply an argument about PGP.


tptacek: > This is not simply an argument about PGP.

That's what I was just saying... Go reread it!

But you also wrote:

> My concern is that nerds are continuously trying to convince normal people that they should be encrypting email. That's dangerous, and wrong.

I'm (just) trying to convince you to broaden the stated impact of your post. You're wanting table scraps from people who won't listen and who have no impact in turn. Ask for something bigger from people who might but have lots of impact when they do. You're nearly there.


> I don't know what you know, but I can say that Signal and Signal Protocol have protected so many more messages than PGP that, by comparison and to a rough first approximation, we could say that PGP has protected effectively no messages

I can believe it about Signal protocol, since it’s implemented on Whatsapp and Facebook Messenger. But, if you talk just about Signal proper, are you sure it protected more messages and more people than PGP?

I see this claim fairly often, but no data to back it up


Anecdotally I've received e-mails from two people with S/MIME or PGP signatures and zero encrypted e-mails. There are about a dozen people in my contact list with Signal, some of whom I exchange messages with regularly.


It is causing issues for forensics (before that people were using SMS, IMAP, and SMTP; all without TLS). It isn't fool proof, for example if your adversary can gain access to Google Drive or iCloud via a warrant. Although making backups via such platforms is optional.


This is the same problem faced by another worthy goal, replacing DNS. What does cipherboy.example.com even mean, without DNS? Similarly, what does cipherboy@example.com mean without SMTP?

It's a hard problem. If I tell someone "my email address is samatman@newawesomeemail.com, no, you can't email me from gmail you have to use AwesomeEmailClient", they're going to be confused and nonplussed.

If they can email me from gmail, well, they will. And I have to reply with SMTP, and nothing useful was accomplished.


What is a worthwhile replacement to DNS? We don't have one. That's part of the problem: differences of opinion.

Try HTTP/HTTPS: we have separate ports, browser preferences, and lots of unified messaging deprecating HTTP.

Suppose we reuse the same format (name@dom). What would a migration plan look like?

Early stages: - DNS record indicating support. - Separate ports. - Reduced spam (because nobody is using it). - No warning messages.

Mid stage: - Lots of dual-stack systems. - Something like HSTS and preloading. - Warning indicating insecure delivery (the client can detect this). - Buy-in from most large corps (Gmail...)

Late stages: - Old, insecure port goes away almost entirely. - Revisions to spec, improvements.

We're still at the tail end of this for HTTPS, and we're building on top of a well-known, supported encryption protocol (TLS, which gets reused elsewhere).

The point is, if Gmail doesn't buy in, you've not made meaningful progress, because they have billions of users alone. And unless they move, most large corps/... won't also move.

That's, in my opinion, why Signal and stuff (while nice, secure, ....), won't replace email.

So how do we get there?

First we need a security protocol with the constraints outlined in the post. - Forward secrecy, - Handles key rotations, - Notifies of device changes potentially. - ...

That's going to take time to design, develop, and standardize. Whether we tie the messaging protocol and format (SMTP/...) tightly to the security protocol (TLS) remains to be seen. It takes time for formal verification too.

Then we need Gmail support. If it is a closed, non-standard protocol (like Signal), it won't be adopted. The RFC process is the only process I know that can influence those types of changes.

And yeah, now? It won't be secure. But we'll have a path from getting to "mostly plaintext" to "mostly secure". And we'll have to live with the fact that it takes time.

If you're not reusing the same address scheme, then yeah. You would have to educate a lot of people about the difference. But if you push that onto the developers, I think that's better. And you can make it mostly transparent to the end user, except at critical times.


Can we also stop pretending Signal was some genius stroke that happened in a vacuum? With all due respect to Moxie signal was born out of years of experience with OTR and SCIMP for XMPP and the need for asynchronous key exchanges in chat systems.


Sure: is there a specific place where you feel I've done that? I think everyone involved would happily concede that Signal, like almost everything, stood on the shoulders of giants. It seems fine to both acknowledge that and also say that making it more accessible (literally go install this thing from the app store) and developing it further (the Signal protocol builds on OTR and SCIMP, sure, but Axolotl, 3XDH and the formalization of Noise are meaningful developments that also warrant recognition).


Moxie Marlinspike and Trevor Perrin.


The thing that's hard to swallow is that you're recommending a plan that maybe solves the problem by 2050. Remember, STARTTLS was standardized 22 years ago and you still can't reject emails from servers that don't use it unless you're okay with missing business-critical messages, in my experience. Meanwhile, Signal works today. It would be cool if there was a group working on the solution you've laid out, and maybe it'll still be relevant when it arrives, but if you have any privacy needs before you retire we have to point you at Signal.


Sure, but HTTP was started in '97, and yet we've gotten a decent replacement rate towards HTTPS.

It's all about publicity and messaging. We made an explicit, coordinated push to get rid of HTTP. We're still working on it. Think of how many people were/are involved.

We've not had a coordinated push for SMTP. TLS doesn't satisfy anything but a trivial threat and trust model (for secure messaging, when done at the SMTP layer). And that would involve a lot less people if we get it "right" (and it's only a new protocol and not a new app).

If it were up to me (it's not), we'd have a solid technical spec and then try and make this happen. Rather than pushing STARTTLS.

There is kinda a group working on a solution. I don't know what the current status is and what their funding levels are:

https://darkmail.info/

For these purposes, the branding is all wrong. I've not read a recent version of the spec, but there's still commits as of 6 months ago.


Sure, but it seems to me that improving email is more similar to improving email than to improving HTTP. I think the STARTTLS push has gone more slowly than HTTPS for reasons that are fairly fundamental to email - it requires hitting more providers to get decent coverage. Chrome has >60% market share, while GMail is <30%.


> IMO, better to leave "email" open as a generic term

Be conservative in what you do, be liberal in what you accept from others

If you attempt to redefine the term 'email' to be something broader, then you will inevitably be breaking and/or confusing users who expect the current implementation.

The current meaning of the word is simple and useful. Given someone's e-mail address, I can be reasonably sure of a way to send a text that will be received.

A world where 'e-mail' means a family of incompatible (by necessity, if we're enforcing secure communications) implementations would be worse than today.


Would you, in ~10 years, prefer a new standard (Signal-Mail, RFC 424242) and have "secure" (for a given definable threat model) standard called email that obsoletes the above RFCs and has 80% market share over current email standards...

...or have 30 different walled-garden, not-interoperable, partially-working (for a given ergonomic use case) apps?

Considering that much of present day communication happens on async on email (including important conversations inside and between banks, governments, land-lords and tenants....), I'd say its something that should happen. And if we can convince the right people, it will happen. We'll live for the next ~5 years in a state of hell (just like we do when we upgrade TLS protocols), and then for the majority of people, things will get better.

My 2c.


And to expand on this a little:

Users don't care. They'll use whatever is given to them, as long as there is no friction. That's why PGP-encrypted email never took off, except as something that tptacek likes to argue against.

Concretely, we (the security-conscious community) need to convince people (engineers, executives, managers) at Google, Microsoft, Oracle, countless other companies, and a myriad of open source communities that this is something important to build, invest, and collaborate on.

The first part is messaging. Then comes networking, convincing individuals in private. Then comes public collaboration. Proof of concepts, test networks, RFCs, production apps.

But until there's a need and money, this won't happen. And it'll be people arguing past each other on the internet.


> ...or have 30 different walled-garden, not-interoperable, partially-working (for a given ergonomic use case) apps?

In having to choose from about 5 to 6 that I have to now, it would certainly be a nightmare if it fragmented to 3 dozen or so. That would be a major problem.


> If you attempt to redefine the term 'email' to be something broader, then you will inevitably be breaking and/or confusing users who expect the current implementation.

An interesting parallel could be Apple's introduction to iMessage in the Messages app, to the point where many use the word "text" to actually mean "sending an iMessage".


> when $politician and $businessperson is still addicted to "email" and asks for it by name, you can argue as much as you want, but not get 100% traction

Since it's obvious that no on-the-wire compatibility is possible, it's fair to give it a new name for branding/marketing. Sometimes the progress happens that way, the new name becomes fashionable with $politician and $businessperson and using "email" now signals your low status, etc.

BTW, the new-non-email could facilitate fighting spam and attention-fishing through some micro-payments scheme.


What we need is something with the interface of outlook or gmail, where you can send messages and attachments to address much of the form username@domain.com where delivery of the message is under control of the owner of 'domain.com'.

These are the ergonomics that people call e-mail.


One use case I don't see mentioned, though, is "I sent you an email that I think you might tamper with the contents of. By doing authenticate and then encrypt, you might be able to claim you never got it, but I prevent you from claiming the email to be different than it is."


You can generally just claim that it was never signed, so you usually need some other mechanism (technical or legal) anyway. This does work the other direction (term of art “non-repudiation”), where the sender can’t claim the message wasn’t theirs or said anything other than what it said. That’s generally considered an undesirable property for messaging systems (because the privacy trade off) but as you point out there are use cases.


Crucial use cases. Official digital signatures use X.509 (including S/MIME) for this exact reason.


OP has an extravagant threat model. Yeah if I were trying to hide communications from some dictator where even the metadata of recipient and timestamp is damning then of course email is out.

PGP is a good way to communicate under the right circumstances. Say I'm writing to someone I trust and have verified their key fingerprint via a secure channel (in person, over the phone, etc). If I were sending them login credentials for a shared site, or bank info for setting up a payment, or even just wanted to block general corporate snooping then what's wrong with PGP? It's "pretty good privacy."

It's nice that I can apply the cryptography on a local machine and then send the result over email. I don't need to sign up for the paranoid chat app du jour.

( In fact PGP is useful for more than signing/encrypting mail, see https://begriffs.com/posts/2016-11-05-advanced-intro-gnupg.h... )


What you describe sounds more like using PGP independently of email. I mean you could just as well put your secret data into a password-protected zip file and send that using a variety of methods.

But I do think op has a point that there are two groups of people using encrypted emails:

1. Nerds using it for fun where accidental de-encryption doesn't matter too much.

2. Non-technical people where decryption might be a life or death situation and so they imitate what the nerds do, because they don't know that the nerds willingly tolerate the decryption risk.

Op is now arguing that group 1 should stop so that group 2 doesn't get misled.


FYI, password protected zip is completely insecure. Use age, or magic wormhole.


There are modern versions that are not completely insecure.


That’s true, but they’re not widely supported, so you can’t count on them to communicate. It’s also really hard to know for laypeople if the result is safe or not, so it’s dangerous to train them to accept encrypted ZIPs. Plus, as long as you don’t care about compatibility, you’re probably better off with encrypted disk images (DMGs or LUKS), because they don’t have completely dominant unsafe implementations.


The filesystem drivers in most linux distro's (and I'd argue Mac and Windows too) have never been under scrutiny for security bugs. I wouldn't trust an ext4 image I got from the internet unless it was signed and from a trusted source, that's worse than ZIP files.


What about a bare tar ball though?


Acceptable but tar's have their own set of issues (mostly efficiency and being tape oriented)


You're not guaranteed compatibility. If you use AES to encrypt (using 7zip or whatever), the recipient won't be able to open it with Windows Explorer: https://superuser.com/questions/1255917/do-windows-8-1-or-10...


Either they are secure, or they are not.


Could you elaborate or provide some link to your first claim? I'm really interested to know more.

Thanks!


Specifically ZipCrypto is bad, which is the only supported crypto if you're password-protecting in Windows Explorer and the like. If you use 7zip or similar software you can use AES instead, which is fine.

http://math.ucr.edu/~mike/zipattacks.pdf

https://en.wikipedia.org/wiki/Zip_(file_format)#Encryption


There are multiple ways to password protect zip files. A user usually won't be able to tell whether the way used by their software is secure or not. The old way is insecure.

http://math.ucr.edu/~mike/zipattacks.pdf

https://github.com/hyc/fcrackzip

The modern format uses PBKDF2 like many password hashing formats and needs to be attacked with john the ripper or hashcat.


Have you read the article?

The problem isn't just the metadata leak, far from it. Some problems mentioned:

1. PGP is old and broken and messages can potentially be decrypted without access to private key

2. Because email's default is plain-text, in real world conversations you end up with people replying in plain text with your whole message being quoted

3. Archived messages will leak. An e2e channel needs to have a way to inform receivers that messages should be deleted after some time

4. Private keys eventually leak, therefore it is important that when it happens, the system makes it hard to decrypt old messages (by combining it with ephemeral keys).

So if you have login credentials to send to someone, if you value that info and I assume you do, otherwise you wouldn't use PGP, then this is precisely the use case that encrypted email is terrible for.

PGP usage is also very user unfriendly so you’re not losing anything really,.


> 1. PGP is old and broken and messages can potentially be decrypted without access to private key

GPG works.

> 2. Because email's default is plain-text, in real world conversations you end up with people replying in plain text with your whole message being quoted

Don't quote

> 3. Archived messages will leak. An e2e channel needs to have a way to inform receivers that messages should be deleted after some time

Don't archive

> 4. Private keys eventually leak, therefore it is important that when it happens, the system makes it hard to decrypt old messages (by combining it with ephemeral keys).

Delete them before they do.

The "new wave" of encryption like on from the guy calling himself Moxi Marlinspike is the prime definition of an unproven technology.

The screaming headline is because he wants to make noise, and get cred for his crowd.

His argument: GnuPG — a proven, and well reviewed technology is broken because some minor bugs were found, despite the fundamental crypto behind it still being more sound than anything else.

He then follows to say that a fundamentally less sound, complex unproven system, is a better alternative. And that even when the novel crypto messengers themselves are dogged with daily minor security bugs being found.

If I met the man in person, I would've said some warm words to him.


> His argument: GnuPG — a proven, and well reviewed technology is broken because some minor bugs were found, despite the fundamental crypto behind it still being more sound than anything else.

I don't think we've read the same article. Nowhere in the article does he mention a "minor bug" that can be avoided by using the latest versions of GPG. He explains in length why encrypted emails, and also GPG in particular, is broken by design. That's really two different things.

I'd also hesitate to call something that hasn't reached the masses a "proven system." It's only a tiny fraction of *nix users that actually use the software.


We read the same article, and you did not understand it beyond the screaming claims, and shallow statements.

No, him saying it's "broken by design" is really not substantiated. SigSpoof is certainly not a design specific bug, but an implementation flaw.

On other hand, the "new agey" crypto messengers mess up the protocol and the app internal mechanism hard, and that's compsci101 mistake no matter how much they gaslight that.

It's them benefiting from their stuff not being subject to serious security review because of lack of adoption, not the other way around.


The article is not talking about SigSpoof. The person you're corresponding with appears to have read the article more carefully than you have.


Your messages are only as secure as the least careful person you correspond with.


But that's true no matter what methods you use. When you send a message, you don't enjoy any security at all from the recipient. If they decide to leak your messages, your messages will leak. If the way they decide to do it is by being incompetent, your messages will still leak.

Look at the HackerOne reward policy for Snapchat: https://hackerone.com/snapchat

Among many less notable findings that aren't considered security issues, you can see that "screenshot detection avoidance" is a non-qualifying "bug". It's not really a bug. It doesn't qualify for a reward because your messages cannot be secured against people who are supposed to read them. Security against the recipient is (or was; I don't know the current marketing) a major marketing point for Snapchat, but it's never been something they actually offer.

How is "your messages are only as secure as the least careful person you correspond with" more of an argument against PGP than it is against Signal?


The parent is focusing on carefulness, and not malicious intent. If being careful requires you to be knowledgeable in computer security or cryptography, we're never going to have a secure communication system because people aren't going to spend years learning those things to simply talk to people. Secure defaults matter, and not being able to configure and use GPG correctly is hardly "incompetence."


Exactly this. tptacek's article talks about issues like someone replying (with the messages quoted) in cleartext by mistake, or leaking their keys. In a messenger like Signal, there's no easy way to accidentally reply in cleartext, and key management is handled for you so it's not possible to accidentally send the private key instead of the public key. It's not enough for _you_ to never do those things, you have to trust your correspondent to be capable to do those things without error (which is different than trusting them to not intentionally disclose).


That will always be the case though


Exactly, and therefore i think the whole 'stop using encrypted email' is a rant that could apply to anything. Basically comes down to, you don't want people to know something, do not write it down.... not in email, not in pgp encrypted email, not in whatsapp, not even native American smoke signals....


> Don't quote

ha ha ha, seriously? Even if I don't quote, go and explain 99% of my recipients they should not quote when replying ...

> Don't archive

Maybe I miss to read the irony in your message, otherwise it is useless, or we don't live in the same world. But in mine, everybody archive emails in separate folders. period Fear of discarding information, especially in the business, is a great thread.

[edited for formatting]


> Don’t quote...don’t archive

The risk is that somebody else quotes or archives an encrypted email you sent.


Practically speaking using PGP (or any other design of the same type) doesn't work to preserve privacy due to the architeture of email.

Pervasive use of TLS for clients (IMAPS, web clients) and SMTP (STARTTLS) has had a far greater practical impact on securing email. Let's Encrypt has helped in enabling that.

I haven't seen a report on whether GMail warning when domains were not using TLS has had an impact, but it did for me, because I told my accountant he had to get it done or I would change accountants. GSuite actually lets you prevent sending cleartext, i.e. making MitM downgrade attacks cause fail secure, rather than fail open. https://support.google.com/a/answer/2520500?hl=en


> and messages can potentially be decrypted without access to private key

This is about e-fail, right? As far as I know this has been migrated and it worked in the first place only because of html messages. In addition to that it was not really the fault of gpg but rather the fault of badly implemented programs (because they did not check the mdc tag).

> Archived messages will leak

This is a bold assumption

> An e2e channel needs to have a way to inform receivers that messages should be deleted after some time

Surely the sender could mention this in the message.

> 4. Private keys eventually leak, therefore it is important that when it happens, the system makes it hard to decrypt old messages (by combining it with ephemeral keys).

This is a big usability trade-off. I avoid using wire because it takes ages (as in hours) to decrypt messages if I have not used it for a while.


If a bug happens in more than a handful of implementations, there’s a good chance the protocol is to blame. Perfect examples of where this emphatically is the case is MDC (PGP and Telegram are the only two common protocols in use I can think of where you don’t get a real MAC) and JWT’s alg debacle. Both were obviously ridiculous, and both led to serious vulnerabilities in almost every implementation under the sun.

Mind you: with efail, some tools were using GPG directly. GPG produced unauthenticated ciphertext. GPG is also the dominant implementation. If GPG itself does this obviously broken thing, how do you expect third party implementations to get it right?


> PGP is old and broken and messages can potentially be decrypted without access to private key

This would be a lot more effective / helpful / convincing with a reference.

> Because email's default is plain-text, in real world conversations you end up with people replying in plain text with your whole message being quoted

This is more about the UI of mixing "normal" email with encrypted email. If you can insist that everyone install Signal, you can insist that everyone install Enigmail or some other piece of software which refuses to reply to encrypted mail without also encrypting.

> Archived messages will leak.

The specific argument from OP was "Searchable archives are too useful to sacrifice".

I have a hard time expressing how obviously self-contradictory this line of argument is. Insofar as people are unwilling to give up archives, they will be unwilling to give up email. Insofar as people are willing to have email deletion policies, this isn't an argument to get rid of email.

He's advanced the premise that people will never give up archivable messaging. So who exactly is he expecting to influence with this diatribe? Anyone who is unwilling to give up archiveable messages is going to be unwilling to give up email, period. At which point it's just pointless ranting.

If you believe that people want encrypted, archivable messaging, then you need to give them the best solution possible, not just tell them not to want it.

> Private keys eventually leak, therefore it is important that when it happens, the system makes it hard to decrypt old messages (by combining it with ephemeral keys).

So one of the arguments against using PGP is that it gives people a false sense of security; and that having "experts" using it will encourage people to send messages which "should not be sent at all."

In the case of ephemeral keys, you're still trusting the other party to delete both the keys and the messages after the stipulated time. But what reason do you have to believe that the other party is actually doing that? It would be dead easy for someone to write a client which didn't delete the message or the ephemeral keys -- either on purpose (because having an archive is convenient) or by accident.

Wouldn't it be better to just tell people, "You can never guarantee that anything you send won't one day be decrypted, no matter what method you use. Take that risk factor into account when sending any message"?


When the author talked about broken pgp, he referred to an earlier post: https://latacora.micro.blog/2019/07/16/the-pgp-problem.html granted, it proposes some alternatives, not for email though.


You can make people install engimail, but there are problems with email enigmail does not solve (this article), problems with with PGP it does not solve (our other PGP article), that have directly resulted in serious vulnerabilities for Enigmail.


> This would be a lot more effective / helpful / convincing with a reference.

There is a long thread about PGP in the same blog[1].

Full disclosure: I have not yet read the post but you might find more information about the claim.

[1] https://latacora.micro.blog/2019/07/16/the-pgp-problem.html


If the login credentials are used within 24 hours by the intended recipient to log in and then change the password then perhaps it doesn't matter if the message is decrypted by an attacker six months later. So I can think of worse use cases.


OP has recently endorsed, or failed to deride, WhatsApp for this exact same reason.

> 3. Archived messages will leak. An e2e channel needs to have a way to inform receivers that messages should be deleted after some time


well PGP still has a very useful role in bootstrapping private communication in an OpSec sense.

practical scenario to safely pivot would be to create a plain text file with this content:

"please do not reply to this email - if reply or don't stick to the following steps I must assume you're compromised and have to ignore all other attempts at contact for both of our safety. Please send instead a message on <ricocet/signal/wire/session> with this exact content <proof/hash> so I know it's you, my userid is <userid>. I expect a reply until <time in the very near future>"

Then encrypt that (using cli not the mail user agent) and send without subject.

If they deviate from the agreement, or if there is a long delay in comms immediately cease all contact. Should give you reasonable confidence about the authenticity of the message after the pivot. Certainly beats using whatsapp or gmail to pivot to secure comms.

But as you said, I wouldn't use it for anything else, not because I don't trust myself but the moment you share a secret it is no longer a secret and you have to take its halflife into account.


"1. PGP is old and broken and messages can potentially be decrypted without access to private key"

Absolute nonsense, PGP is perfectly safe. Blame the broken cowboy software implementations.


I'm going to say the same thing I said last time this came up -- so what should we use instead, then? What do we use if we want secure messaging, but with the (social) affordances of email? There still doesn't seem to be any answer to that!

No, Signal is not an acceptable answer; it replicates text messaging, not email. In more detail:

1. Email is potentially long-form. I sit down and type it from my computer. Text-messaging is always short, although possibly it's a series of short messages. A series of short emails, by contrast, is an annoyance; it's something you try to avoid sending (even though you inevitably do when it turns out you got something wrong). Similarly, you don't typically hold rapid-fire conversations over email.

2. On that point, email says, you don't need to read this immediately. I expect a text message will be probably be read in a few minutes, and probably replied to later that day (if there's no particular urgency). I expect an email will be probably read in a few hours, and probably replied to in a few days (if there's no particular urgency).

3. It's OK to cold-email people. To text someone you need their phone number; it's for people you know. By contrast, email addresses are things that people frequently make public specifically so that strangers can contact them.

So what am I supposed to do for secure messaging that replicates that? The best answer I've gotten for this so far -- other than PGP which is apparently bad -- is "install Signal on your computer in addition to your phone and just use it as if it's email". That's... not really a satisfactory answer. Like, I expect a multi-page Signal message talking about everything I've been up to for the past month to annoy its recipient, who is likely reading it on their phone, not their computer. And I can't send someone a Signal message about a paper they wrote that I have some comments on, not unless they're going to put their fricking phone number on their website.

So what do I do here? The secure email replacement just doesn't seem to be here yet.

(I'm guessing in case (3), the authors would suggest just using unencrypted email, but what about problems (1) and (2)?)


I was going to write the same thing, but less eloquently!

The solution seems simple. Create something much like signal, but with the user-interface of e-mail! This addresses your points 1 and 2 perfectly. I'd want my UI to include actual working archives. None of this 'this message will be deleted automatically after x days'. Because e-mail is non-ephemeral communication. Hence I want to be able to access it.

However, point 3 introduces a relevant technical difference between signal and e-mail that affects the user experience.

Federation.

This is what makes cold e-mailing possible. It is what allows anyone who controls a domain to start accepting e-mails at that domain without needing permission, or any central service.

I don't have enough of the infrastructure of signal's ephemeral key pre-sharing front of mind. But I really hope there is some way to get this to work in a federated system. I could eventually see this replacing e-mail.

Point 3 has one more side-effect that hurts any e2e encrypted form of communication: spam-filtering. Because content-based spam filtering essentially requires access to the plain text. And for it to be effective, you want to base your filtering on a large dataset. Even if you were to move applying the spam filter to the endpoints (ignoring compute and trade-secret issues), you still need access to plain-texts to train your spam-filter.

Sure, you could probably share any false negatives back to some aggregator to train the spam filter. Because generally spam sent to you doesn't need to remain confidential. However, false-positives i.e. emails that are wrongfully marked as spam, are not things you'd want to share back to some aggregator. I suppose MPC could be of help here, but that would 1) fix the algorithm used and 2) have huge computational overhead.

In summary, if we can federate e2e encryption and get spam-filtering to work, we could and should replace the entire user experience of e-mail with an e2e encrypted protocol.


> I don't have enough of the infrastructure of signal's ephemeral key pre-sharing front of mind. But I really hope there is some way to get this to work in a federated system.

Well, there's one major hurdle: multiple devices. Pre shared keys (and one time keys, and ratchet keys) are generated on the user's computer. If there's several of them, say a Wintel desktop and an Android palmtop, messages sent with the desktop's pre-shared keys can't be decrypted by the palmtop¹.

So we need a need to synchronise those keys between the devices. The easiest way to do it is to store the private half on the recipient's server. But then you need to encrypt them to prevent the server from breaking forward secrecy. The encryption key must then be shared across both desktop and palmtop. (UI wise, it's pretty easy: connect both devices to the server, then manually type on the new device some low-ish entropy secret the old device is displaying on screen.)

[1] Commonly misnamed "phone"


In theory, both Matrix and XMPP+OMEMO handle multiple devices. In practice, I've found it to be less than smooth.


Matrix has gotten much better about this. Most scenarios where device lists get out of date are caused by the device list cache for federared homeservers being out of date. But with synapse 1.10 (released a few weeks ago), homeservers will refresh the device list much more aggressively in circumstances where it's clear that the cache is old (such as receiving a new message from a federated user on an unknown device).


If what you really need is security, then I don't see how (1) and (2) can be overriding concerns. If I were in a situation where my life depended on my messages being confidential, my choice of medium wouldn't turn on the convenience of long-form messages or social conventions around reply time.

To put it another way: if I'm in a situation where being able to type an easy-to-read long-form message is more important than it being end-to-end encrypted, I'd just use Gmail. I don't see why Signal needs to satisfy both use cases; at worst it's kind of ergonomically awkward, but it isn't making false promises of security, which is worse than useless.


Oh hey Mickey :)

Obviously, if what I really need is security, these aren't overriding concerns! But I think part of the point is that you should be using these things even when you don't need security -- otherwise when you do use it, it's potentially suspicious. Secure messaging needs to be ordinary, not something special you only do when you need security. Signal accomplishes that well for text messaging! Nothing, apparently, really accomplishes that well for email while also being seriously secure.

Edit: Or to put it another way -- tptacek talks about people "LARPing" by using attempts-at-secure-messaging when they have no need for security. But, such "LARPing" is actually important, as it creates cover for those who do need it! Just, y'know, we still need the actually-secure part.


Yeah, to me, this is the most important response.

In theory, you could layer an email UI over a federated secure messaging protocol, like Matrix's E2E or XMPP+OMEMO. In practice, no one has done this, and infosec people only seem to care about instant messaging for some reason.

Besides all of the points you make above, Signal Desktop is terrible. I often want to use it to avoid typing on a phone keyboard, only to find that the experience of using Signal Desktop is actually worse than that of typing on my phone.


Sort of just generally, to word this post more simply: whenever the point is made that encrypted email is cryptographically inferior to secure messengers, people respond with a litany of ergonomic reasons why secure messengers aren't viable: they don't have the right platform support, nobody wants to type on their phones, people want decentralized platforms, nobody wants to install new software, and on and on.

The problem with these arguments is that they have nothing to do with security. There's simply no case that can be made that encrypted email is as secure as a modern secure messenger. People tolerate shoddy encryption in email because ergonomics are more important to them than security.

The problem here is that there are real people who depend on the security of their messages who would be taking unreasonable risks in trying to get an encrypted email workflow going. Rather than telling these people to read a GPG tutorial or install Enigmail or whatever, we should be telling them either to use a secure messenger, or not to put themselves at risk at all.


The problem with arguments by security experts is that they ignore the reality of ergonomics and convenience. If you're in security and you ignore these, you're being naive and likely making dangerous recommendations.

Why do I make this claim? Because if you were realistic, you'd acknowledge that people will inevitably choose the easy route over the secure route. The path to genuine improvements to common place security has to include a focus on methods that are ergonomic and convenient.

Just look at the outdated password complexity rules as a perfect example of this. Sure, in some ideal world where everyone did the hard thing this would be secure. In reality these rules just drove people to write their passwords down on sticky notes under their keyboard.

Signal in the current form is not and will never be a replacement for email due to UX. It's a great messaging platform, but it doesn't solve the use cases that email does.


I encrypted email were the "easy" route you'd be right, but obviously, it is not. It has vanishingly small usage and is notoriously unusable (see: several generations of "Why Johnny Can't Encrypt" papers).


If email served the same purpose as messaging, if the messaging apps were as capable as email, this also wouldn’t be an issue. Email is the “easy” route to encryption because there are no alternatives.


If there was some kind of magical answer to the problem of the network effect, we wouldn't be in this mess with say privacy disregarding Facebook.

All this article is doing is explaining how encrypted email is akin to snake oil, and how we can break the network effect of email (by not recommending it for serious comms).


> There's simply no case that can be made that encrypted email is as secure as a modern secure messenger.

-- BEGIN SCRATCH THIS

Of course there is. I can send an encrypted email to anyone and be guaranteed that only that person has access to it, even if I have to give them instructions on how to decrypt it.

I can't do that with Whatsapp because it's closed source. I can't do that with Signal because nobody has Signal. Everyone has email.

-- END SCRATCH THIS

There's also the problem that messengers like Whatsapp and Signal are tied to my phone and so to my identity. With email I can make a free, new email account with almost any provider and send an anonymous, encrypted email from a public Wifi with a spoofed MAC.

You can't get that level of anonymity that easily from using a phone. Every phone provider I know will at least want to keep a record of your ID before giving you a new SIM card.

EDIT: I concede my first argument sucked.


> I can't do that with Whatsapp because it's closed source. I can't do that with Signal because nobody has Signal. Everyone has email.

Are you saying the install base for people who use GPG with e-mail is larger than the user base for Signal, or are you saying you can send people instructions for decrypting e-mail but for some reason not instructions for installing Signal?


You know what. I'll accept that it's not that good of an argument and scratch it, leaving the other.


So use a secure messenger that isn't tied to your phone. Wire is an example. I'd strongly prefer Signal, because the reason Signal is tied to your phone is so they can piggyback on your contacts database and not keep a plaintext contact graph serverside where it's vulnerable to interdiction. But Wire is still vastly better than encrypted email.


using the contacts feature of the phone, in most cases means the contact graph is shared/synced with google, apple servers. It's great Signal does not need a copy, but by outsourcing the contacts they have already leaked and its just pretending to solve the problem.


> I can send an encrypted email to anyone and be guaranteed that only that person has access to it, even if I have to give them instructions on how to decrypt it.

Genuine question: how would you send me an encrypted email, and give me instructions for how to decrypt it? I have no published public keys; you'd have to send me a keypair that you yourself generated - how would you do that part securely?


The way this happens today in the real world is that I send you an email with an encrypted zip file attachment (and I make sure I've chose an appropriately secure encryption method) then I call you (or meet you in person) and tell you the password.

Symmetric encryption has ergonomics which are actually easier than asymmetric encryption with the tools we have today.


You could associate your public key with a DNS record that you control?

e.g. https://tools.ietf.org/html/rfc7929


This is orders of magnitude more difficult than just telling someone to install Signal. Even people who are somewhat tech savvy are going to have trouble with these instructions. I freely admit that I have no idea how to do what you're proposing I do.


The MitM problem is not with sending the public key. They can just email it. The MitM problem is with intercepting the instructions from person A, having the MitM person generate them, and provide the pair to person B while impersonating A.


If you know you want to email alice@example.dk and if you trust DNSSEC, then fetching the public key for alice@example.dk from the DNS should be at least as secure as visiting https://example.dk in your browser.

(If you don't trust that Alice's email address is alice@example.dk then you shouldn't send an email for her to that address regardless of MitM attacks.)


> ... and if you trust DNSSEC...

I don't, thanks.


You're omitting the part that example.dk could create a fake key for alice@example.dk, publish that, decrypt a copy for themselves, and reencrypt it for alice@example.dk's public key.


Well, I said it's at least as secure as visiting https://example.dk in your browser, where your attack is equivalent to the hosting company or DNS provider generating a new TLS certificate for that domain without the knowledge of Alice, the nominal registrant. (The web PKI also has the problem that any CA can issue a certificate for any domain).


The catch is that the primary reason to choose encrypted email is to prevent your hosting email provider from reading your email, so the inability of encrypted email to provide that guarantee kind of renders it worthless.


Of all the attackers you could worry about, I wouldn't put your own email hosting provider at the top of the list. MTA-STS is nice, but it's hard for an email client to guarantee that the hop-to-hop links between itself and the recipient's inbox are going to be protected with TLS. Passive snoops between mail providers seem like a much more realistic threat.

Also, by putting a public key in the public DNS, it means that Alice can catch her mail provider's DNS server giving false information about her public key, which would come with cryptographically signed proof of which entities were involved in that lie. Ideally there would be an equivalent to the Certificate Transparency system for keys that are used or protected by DNSSEC.


I can also send you the commands to copy-paste into your terminal to generate the key pair and ask you to give me the public key.


That could def. be MITM’d though


That would have to be someone actively engaging in MitM and not merely listening and keeping record.

Even if that's the case though, you can raise the difficulty by doing it through a phone call.


Instead of instructions for how to use PGP to you could give instructions on how to use Signal.

A new SIM card isn't free, but it seems like it would be easier to reliably cover your tracks by buying a burner phone with cash than concealing your PII through the process of setting up a new email account.

That's at least the case in the USA; I don't know if you live in a country where it's more difficult to anonymously obtain a new SIM card.


>I don't know if you live in a country where it's more difficult to anonymously obtain a new SIM card.

ie. most countries.


I wasn't aware. Do you have some specific examples, for my own edification?


This page seems to track them. The linked paper has some nice maps

https://privacyinternational.org/long-read/3018/timeline-sim...


That's a great link! Thank you, very much


Ecuador us one such country.


Isn't authentication just as important as encryption for secure communication?

What is the benefit of being both anonymous and encrypted?


You can do authentication with the party you're communicating with as your real identity or as a pseudo-identity without letting everyone else know who you really are.

With PGP, just use an identity that identifies you to that party and sign your emails with it. It doesn't matter what address you send them from.

However, anonymous emails where you don't even authenticate yourself to the party your communicating with is also useful. It's like when someone wants to make an anonymous report to the police. Why leave a trace with the phone company? I imagine people that make these reports typically use street phones (in countries where they're still plenty).


This is all true, but it's still a real problem that a secure messaging service with the ergonomics of email doesn't exist at the moment. No, I'm not going to use Signal instead; I mean, I do use Signal, but it has the ergonomics of text messaging, not email. I don't use it as an email replacement. So, uh, somebody please build one I guess? :-/


> The problem here is that there are real people who depend on the security of their messages who would be taking unreasonable risks in trying to get an encrypted email workflow going.

But how do you decide who is taking unreasonable risks?

Surely there are also some people who would be taking unreasonable risks communicating via any means other than a one-time pad exchanged in person!

And yet I suspect most security professionals will say that in most use cases the ergonomic disadvantages of one-time pad make it not worth the added security. Which is the exact same form of argument you said is problematic regarding secure messaging services.


Cryptography engineers virtually never use one-time pads, because the ergonomics are impossible and the security benefits over a modern (as in, past the 1970s) cipher are marginal. Ironically, similar to encrypted email, a reason not to attempt one-time pads is that you will inevitably screw them up (and there is, like with PGP, a history of operational screwups to point to here).

If your point is that the risk calculation isn't literally binary, that's true. But it's pretty close to discrete.

Is encrypted email sufficient for the LARPing use cases that almost all encrypted emails represent? Sure. But when we discuss secure messaging as a generality, we have to consider the cases where security actually matters, and in those cases encrypted email is not fit for purpose.


How is email cryptographically inferior? Only thing I can think of is if you want perfect forward secrecy, you can segment and deliver parts of the email with different encryption keys (except you could if you have it and send each blob in a thread).

That just depends what encryption protocol you use.

You could say that the user experience around encryption in email is inferior. Is that what you mean?


The answer to your question is in (in fact, is) the article.


I think you could still hack around it, but in a way that would make non-secure emails come across as gibberish to those that weren't using a special email client.

For subject line, locally you could encrypt it via the same key that you encrypt the message body, so that it would look like gibberish until the end client decrypted it.

For send time, nothing you can do there. If you wanted to hide the sender address, you could likewise obfuscate that by proxying based on a secret key, but at that point you need a custom email server.

I guess I'm thinking that it would be useful to have an email client can:

  - do it's own custom security thing (probably not even on SMTP protocol) if the receiver is also using secure mail
  - send a normal email if the receiver is not using secure mail
At that point, I'd guess you probably wouldn't call it "secure email" though :)


Okay, so what blend of secure messenger is your friend-group using? I am hoping Signal becomes more mainstream but it isn't nearly the population that uses GPG for email..

(I do agree with you)


Everyone I talk to uses Signal; even my siblings, who are not technologists and who I do not talk to about this stuff, use Signal (sometimes to my annoyance, since iMessage works just fine when we're figuring out what each of us is bringing to dinner). But for the purposes of this post, almost literally any secure messenger is better than email.


Do I read you correctly that you are actually admitting that there might actually be room for more than one type of messaging?


Try tapping that mr NSA! :) 1st word over whatsapp, 2nd word over telegram, 3rd over signal, and so on. Each word of course PGP encrypted ;)


I wonder if you're in a bubble. Only 3 people I know use Signal, and it was a hassle getting one of them to start using it. Most people are still happy with SMS or Facebook (or probably iMessage, but as someone who avoids Apple, that's not an option for me).


Do they use Signal of their own accord, or because you asked them to and they were receptive to using it? Do they use it when talking to other people that aren't you?


It is not because I asked them to. I'm the one telling them to go ahead and use iMessage.


I'm more talking about how they initially chose to use Signal. Did you tell them about it, or did they learn about it on their own? Do they prefer it because of its encryption or security features, or for other reasons?


I did not tell them about it. Signal has received a lot of press coverage. They use it because it's what they think they're supposed to use.


I switched over to Keybase from Signal about a year ago. I avoid SMS, iMessage, and email as much as possible. I've had no regrets, and almost zero downsides. The cross-platform support was the biggest driver for me, along with other bonus features.

Many people in the circles I run in have adopted it recently.


Here's what it boils down to.

I don't trust you.

My threat model is what happens when the CIA plants child porn on Joe Average Developer's laptop and he gets a plea deal.

For RFC4880 the answer is "one implementation of the standard is compromised".

For Signal, Wire, Whatsapp and everyone else that provides an end to end solution the answer is "everyone in the world is fucked".


One of my suppliers sends me PGP encrypted email invoices using an automated system. It works perfectly well for my threat model. Security vulnerabilities in processing this may exist, but so they might in every other system; there's no special vulnerability in email or PGP here.

I understand that this article is for the secure human-to-human messaging use case. That's fine; I have no argument with this. But outside that context, it makes no sense, yet generic claims like "encrypted email is bad" are being made. This is too broad.

I understand that the majority of perceived demand* for encryption may be for secure messaging. On that basis, maybe you think it's OK to disparage encrypted email because a win in getting universal secure personal messaging with the modern desired properties would be worth the cost. But isn't this a strawman? Who exactly is a proponent of encrypted email for secure personal messaging anyway? Who is using PGP for personal encrypted communications today who is being harmed?

* Because most people don't care; it's only a minority of advocates who, rightly or wrongly, believe that everyone should.


> It works perfectly well for my threat model.

What threat model is this?!

(In all honesty, I don't believe you. I presume you're paying those invoices, in which case whatever attacker you have in mind can just follow the money and monitor the metadata to learn everything they need to know about those invoices. Or, more likely, your threat model is "nobody's seriously gonna snoop on my payments to this supplier; I just think it's fun to play with PGP.")


This is great. Which supplier if I might ask?


Typical security industry contrarianism.

"Stop using that thing that mostly works as intended and is integrated into lots of email clients and systems, and has a number of independent implementations, and has the decentralized properties that match email."

"What should we use instead?"

"shrug You can send encrypted stickers in Signal, isn't that neat?"

If you're going to advocate for everyone to stop using something that they rely on, make sure there's a viable alternative for them to switch to first (or throw your weight behind making/enhancing one). Otherwise you're just telling people to stop using plastic straws and giving them shitty paper straws in exchange. People know they're bad but the alternatives are worse to them so they stick with the bad thing.


If you consider PGP something that mostly works, and Signal the fringe contrarian view, then we have wildly different experiences around usability, and the relative popularity of those tools.

I couldn’t get any of my friends or family on PGP to save my life, and some of them are programmers. I am now at a 50/50 split in volume on Signal v WhatsApp, and most people I never even suggested it to. And they use it correctly (because that’s the only way you can).

Seriously: how is PGP something that mostly works, and how is Signal contrarianism? Isn’t it the other way around by now?


Signal is non-federated. That, alone, is a showstopper as an email replacement.

Open and federated protocols and services should be our target. It is hard designing them, but if we could do that in the past, we should be able to do so today.


Two replies about email replacement; I feel like we’re getting off track. Signal is for secure, end to end encrypted communication. Ideally that would be all communication, but that isn’t realistic in today’s world.

TFA merely says: if you were gonna use PGP, use Signal instead. It’s a trade off. While we target these open and federated protocols, let’s not throw people who actually need encryption today under the bus.

So to the question of replacing email: unless all your email is currently PGP encrypted, you don’t need to drop your email just yet.


> So to the question of replacing email: unless all your email is currently PGP encrypted, you don’t need to drop your email just yet.

You don't need to drop email at all. If you trade protocol openness for encryption, you are acquiring technical debt. How long are going to do this dance of switching between instant messenger protocols? ICQ -> AIM -> MS Messenger -> Hangouts -> WhatsApp -> Signal -> ???.

Open protocols (open in specs and federated in access) are the only way to stop this madness.


In the past Google and Facebook supported xmpp(jabber) protocol. That was real step in right direction. You could use your client and OTR plugin to encrypt all communications. It all ended in 2015.


Do you have an opinion on why that happened?

(I think a lot of useful Signal properties are much harder to do with federation, but that’s a subtle enough problem that it warrants a long form post, not a HN comment. I agree that ceteris paribus federation is better than not—but c.p. is doing a lot of work there :))


Is there some reason to believe it didn't happen (mostly) for the reasons stated by the respective parties at the time? 'federated' is often brought up as an unalloyed good so casually but as you point out yourself, there's a huge overhead, conceptually, operationally, etc.


IMHO, Matrix currently has the best shot at becoming the standard for the open internet.

Those who value the freedom of choice should push for Matrix before Signal becomes the de-facto standard and is acquired by one of the tech giants looking to lock down control of communication.


Matrix is too dependent on it's only vendor in existence, their only server in existence has performance issues. Also, a monolith standard is hardly viable for federated networks, where all nodes can't upgrade all at once.


> [...], their only server in existence has performance issues.

This is either misinformed or disingenuous: https://www.hello-matrix.net/public_servers.php


All these server instances use the same server software, provided by the same vendor.


Ah, I did not realize you were referring to the software. In that case, there is also Construct[^1]. There are other implementations in the works, though progress is somewhat slow.

Synapse is much better with regards to resource usage these days, though. The RSS of my instance is 355M right now and the CPU usage is hovering around 0-10% (15-min server load ~0.5).

[^1]: https://github.com/matrix-construct/construct


Fortunately Signal is a well funded non-profit which reduces the likelihood of its acquisition significantly.


Anybody using keybase? I think they have excellent security, Superior to telegram and signal in some ways.


I wouldn't use keybase where I need reliability due to their vague TOS (that came into effect around the beginning of this year): They can ban you from their service if they deem your actions outside their platform unacceptable.


Interesting, I had to check their ToS and found this which seems a bit vague:

"[...]use the Services to store or transmit any inappropriate content, such as content that: (i) contains unlawful, defamatory, threatening, abusive, libelous or otherwise objectionable material of any kind or nature" [1]

(My emphasis)

[1] https://keybase.io/docs/acceptable-use-policy


Lots of pros

1) we use it as a slack replacement 2) git integration 3) stellar Blockchain payments 4) encrypted file sharing 5) great system for key management


I'm still using ICQ...


> Signal is for secure, end to end encrypted communication. Ideally that would be all communication, but that isn’t realistic in today’s world.

Do you seriously believe that ALL communication working through a single proprietary non-federated service would be a good thing? !


I’m having a hard time believing just how polar opposite of my point people are taking me, I must be explaining myself very, very poorly.

Let go of the idea of “good”, nothing is currently good. Everything is terrible. The only thing that’s “good” is a federated, open, and secure in practice protocol (I.e. not just for people who use it properly, but for people who is it full stop. Like HTTPS, for example.) Today, we don’t have that. Let’s work towards that. Let’s make it happen tomorrow.

But today: federated or secure, pick one. (See TFA)

Meanwhile , there are people , today, with a real need for encryption. (See TFA) A need that transcends our long term plans. These people look at what “techies” do and say, and they imitate it. That’s the way of the world.

It is currently PGP. That is not secure, in practice when used by those people (see TFA). Therefore, we need to stop using PGP, use Signal for now, until we have an actually good solution that is better than Signal and PGP.

That’s the summary of the article.

Nobody is talking about replacing all email. Nobody says the status quo is good. Heck, nobody is really arguing for Signal, as much as arguing against PGP, and signal winning by default. That’s all.

We’re all on the same side here, guys. It’s just a matter of temporary compromise.


> We’re all on the same side here, guys. It’s just a matter of temporary compromise.

I get that, and I actually agree with you on almost this whole comment. The problem of the temporary compromise on Signal is that I don't believe it is temporary. Signal is actually good enough to prevent the transition to the optimum. Being non-federated, Signal will always have a single point of failure, but this will get masked until it is eventually exploited.


But if you rule out Signal there isn’t another choice for the users in question.

There is not a federated messenger that provides the same security as Signal.

Your argument reduces to (for the user segment under question) “don’t use electronic because I value federation”.

I value it too but that seems incredibly selfish.


> There is not a federated messenger that provides the same security as Signal.

Actually, there are federated messengers that provide better security and privacy than Signal. Yes, XMPP ones. They might not have the same convenience yet, yes, because they are not tied to phone numbers, but don't even get me started by trying to say that tie to phone numbers is a plus.


Name a federated message tool that is more secure than signal for a user who is not a tech expert and whose life is potentially on the line.


Conversations, Xabber, Chatsecure. Any of these is more secure than Signal: they are not tied to phone numbers (means: way more privacy), work with TOR easily, and starting a secure conversations is no more difficult than 'add contact' (enter contact XMPP id) -> 'press lock' -> you're ok, chat is private, and your phone number is not exposed.

Actually, this phone number thing is the main reason why I find it hard to suggest using Signal to anyone who's life is on the line.


Can you explain why any of this is more secure than signal with sealed sender? What is the privacy impact of tying to a phone number, beyond the one bit: I have signal?

As far as I can tell, sealed sender leaks less metadata than omemo currently does, which makes tor etc. Mostly irrelevant. Plus, I'm not going to fuck up signal, while I will misuse Tor.


Tying to phone numbers makes identities expensive.


What's the threat model that requires multiple identities?


From privacy point the standard is using separate identity for every action, if possible. - That's also a major bummer for Briar.


That's not a threat model, and not generally possible (or even desirable) with something like a messaging app. So again, what is the threat that you wish to address that you believe is only solvable with multiple identities?

This is an important question, because cryptographic repudiation and secured metadata prevent most of the dangers that I can think of, but I might be missing some.


If your life is actually on the line you are better off doing some research on how to use PGP properly. Otherwise you have no good way to know if you will end up with something strong enough to use against state actors. The simplicity and strength of PGP is hard to beat. Riseup.net has an entire section mostly about OpenPGP:

* https://riseup.net/en/security/message-security


The actual article were commenting on right now is literally about why this doesn’t work. That’s the whole point of the article.

One example (from the article) is other people accidentally replying to your encrypted messages in plain text, including the entire reply history.

This is what TFA is about. PGP is not safe for people who actually need encryption.


Here's the Signal version of the riseup.net article:

> Purchase a modern android or iOS device and install Signal. Your communications are now secure.

Given the security provided by signal, why do I need to understand the message authentication schemes, private key management, keyservers, versions, etc.

> The simplicity and strength of PGP is hard to beat. Riseup.net has an entire section mostly about OpenPGP:

Given that, in practice, basically no one's use of PGP provides security or privacy beyond what I get when using Gmail or Outlook, I beg to disagree.

How in god's name can you claim that a 6 page article describing the ~20-30 steps to correctly set up a keyring (oh and then keep up your opsec for the life of your communication because pgp doesn't provide forward secrecy and the protocol makes it possible to transfer plaintexts unencrypted) is simpler than "Install signal, and send messages"?


They're secure right up until the point someone with the ability to do so spoofs your phone number.

And yeah, Signal will detect that and inform the other side that "security number has changed". At which point they'll promptly confirm the new one, because they don't understand its purpose anymore so than private key management etc - because they simply installed the app from the store, and expect it to "just work".


> Signal will detect that and inform the other side that "security number has changed"

Specifically, it will say "Your safety number has changed...This could either mean that someone is trying to intercept your communication, or that <other party> reinstalled signal."

Even for a layperson, if they have reason to be concerned about a powerful attacker that's reason enough to stop.


I have switched quite a few casual users to Signal by now, and in my experience, none of them have paid any attention to those regardless. They don't even bother asking the person through some other channel - just confirm the new number.


Assuredly, but most people aren't actually that concerned about state sponsored attacks on their communications, and for those people Signal is still as good as (or better than) PGP email, but they can safely ignore these notifications because, well, the likelyhood (and the risk due to) a state sponsored attack is relatively low.


Signal can't work on an air gapped system. So it is entirely subject to all the available attacks on the rest of the system it is running on. Someone risking their life no the overall security of something like, say, a smart phone is not being wise.

Something like Signal is OK for most people, particularly if they trust the Signal company. But when things get serious you have to:

1. Know what you are doing.

2. Keep the device that is doing the encrypting as separated from the rest of the world as possible.


> Signal can't work on an air gapped system

If this is the kind of thing you're resorting to claiming, we're well beyond reasonable forms of argument, and so I think it's safe to say that you agree that signal is better.

No communication protocol works on an air gapped system, and a modern Android or iOS device is going to be secure enough that you really don't need to use a special device for your messaging.

The riseup article doesn't mention anything about using a special device for your secure messaging, so I'm not sure why you think it's so important all of a sudden.


You mean gmail?


> TFA merely says: if you were gonna use PGP, use Signal instead.

The article mentions Magic Wormhole, age, and Signal, IIRC.


So ergonomics trump security for you. That's fine. Stop telling people that they can safely follow your lead, because you've prioritized things other than their safety.


An incremental evolution may cause us to get stuck in a local maximum. You are correct that the incremental step is necessary. You are ignoring that this incremental step sets us onto a path of closed protocols. In time we'll be worse off.


So that's two things you think we should prioritize over people's safety: ergonomics and technological progress. You're digging the hole deeper for your argument.


Only one. I never mentioned ergonomics.


That's what federation is. All else being equal, you'd prefer people use less secure messaging so that you can have greater choice of clients and servers, and run your own server.


I don't get the implication between federation and ergonomics. Federation is the ability for competing providers to operate in the protocol space. Does it lead to better ergonomics, worse ergonomics?

I don't think it impacts ergonomics.

What federation does is:

a) Remove the single point of failure present in Signal;

b) Promote competition between service providers.

None of these can be argued against.

Note that I'm not defending we stick with email. I'm defending we shouldn't move to a non-federated protocol. That fixes one thing and breaks another. Choose xmpp, matrix, design a better messaging protocol, ... Just don't take a step forward when facing the abyss on the merits of taking forward steps.


They can be argued with, easily. But we don't reach that argument, because it has nothing to do with safety. You make choices in favor of "federation" and "progress" because your life is not on the line when you send messages. That's fair! Most people's lives aren't on the line! But when we talk about messaging security, we have to consider the users for whom secure messaging is intended: people who really are entrusting their lives to software.

It's helpful to compare secure messaging to medical software. If we were talking about the software that controls the radiotherapy machine, no rational person would would have any priority other than safety. But of course almost nobody interacts with radiotherapy software, and everyone interacts with messaging software, so it's hard to see the connection. But it is there.


So, it is not about ergonomics or any other argument, except for security in an undisputed altar. I disagree with the principle, but personal principles are not challengeable. We'll have to disagree.

Just keep in mind this principle is personal, not shared with you by everyone. For example, I distrust security by central organizations, like Signal.org. They're an amazing target for bad actors.


Correct: in this particular problem domain, safety is the overwhelming priority, just like we don't care about the UX framework or the open source-ness of radiotherapy machines.


You should care about opensourceness of personal medical devices like pacemakers and insuline pumps though. Precisely for safety concerns.


Haha this comment must be maximum HN. Hats off!


Nobody talked about usability or widespread adoption.

Article was targeted at people who are using PGP and urged them to stop using it without, offering a viable alternative and the parent comment called it out.


> Nobody talked about usability or widespread adoption

This directly contradicts the original comment.

> Article was targeted at people who are using PGP and urged them to stop using it without, offering a viable alternative and the parent comment called it out.

The article has an entire section explaining alternatives. The first link in the article [1], also written by the same author, has an even longer list of alternatives. It's hard to miss.

[1] https://latacora.micro.blog/2019/07/16/the-pgp-problem.html


> Seriously: how is PGP something that mostly works

The entire Debian infrastructure is secured with PGP. PGP emails, PGP signatures, PGP encryption.

Seriously: it doesn't just "mostly work". It's rock solid battle tested for 20 years, and thousands of people use it without needing hand holding.


The topic here is “PGP in e-mail”, not PGP full stop. It’s all in the TFA, including a comprehensive list of reasons why it does not just work. Even with handholding, let alone without. If you disagree with any of those specific examples, please do elaborate, but at least address them. They’re good points.

Nobody is suggesting people switch to Signal for distributing .debs...


There's a lot of good things to say about Signal, but if it should replace email:

How do I export it for long time storage and for auditing?

Edit: to avoid confusion, I read in the help files that I can export my chats, but it seems clear that those exports are only supposed to be imported into another instance of Signal.


I don't think Signal should replace email. I don't think email is going anywhere.


Edit:

So, your point over the last couple of years can be distilled down to:

- use Signal if you need actually secret mesaging.

- otherwise: anything goes, including iMessage and email.

- don't participate in security theatre

?

(Was:

------ So, again if I read correctly:

- unencrypted mail good,

- encrypted mail bad

?

------

But this is a not so subtle reference to Animal Farm and while it is probably funny it goes far beyond what I mean. )


If you consider PGP something that mostly works, and Signal the fringe contrarian view

We're talking about email here, so yeah, the number of encrypted emails I've received with PGP is non-zero and through Signal is zero.


I don't think either are good options. I was reading on here recently about the $2.1M that the US gov paid (indirectly) to Signal, with the implication of the associated compromise of integrity. And PGP is so labyrinthine that most of the mail tools implementing it had been compromised for more than a decade. [1]

Whatsapp? It's owned by Facebook, as we know, and I wonder if we can believe that we put on there is actually safe. I think that would be naive.

[1] https://arstechnica.com/information-technology/2018/06/decad...


Hi, I'm having trouble finding any information on the 2.1M that you said the US gov paid Signal Foundation. Do you have a source? I'd love to know if this is true.


The OP is probably referring to financing that Open Whisper Systems (precursor to the Signal foundation) received from Open Technology Fund (https://www.opentech.fund/results/supported-projects/open-wh...) which according to the Wikipedia has ties to the US government (https://en.wikipedia.org/wiki/Open_Technology_Fund). I guess the idea was to provide encrypted means of communication to dissidents in US-hostile countries.

Though I think it is a moot point. Signal foundation is a US organization and its officers are US citizens. I don't think the US government will have any trouble coercing them to do its bidding regardless of whether it financed them or not.


I see. Since the PATRIOT act was put into place the US government can pretty much justify anything at this point so i tend to share the same viewpoint. Thanks for the sources man.


>None of the vulnerable programs enables verbose by default,...

So the compromise is mostly theoretical...


The author is not saying to stop using email. He wants you to stop pretending it can be secured. If people think that "works as intended" means their email communication privacy is secured, and their personal safety depends on it, then those people are in danger.

Basically, he argues you can't trust encrypted email for any content you would not also be fine to send over an TLS secured wire.


The title is "Stop Using Encrypted Email" though.


Yes, which confirms the parent comment's point. Note the title refers to encrypted email, and not email in general.


That sounds congruent with both GP’s point, and the intent of the author.


And you should. Because it’s pointless, as he demonstrated quite well.


That sounds awful close to advocating in favor of more plain text and less encryption.


It sounds like that, but because of how encrypted email actually works in the real world, it's actually the opposite.


That sounds like an extra ordinary claim that telling people to encrypt their email will cause more unencrypted emails.

Claims like that need extra ordinary support. Spend money on a study where one company employees are told to encrypt their work emails, with an other company being told to not encrypt their work emails. At the end of the study, see which one encrypts more.

Common intuition say that the one being told to not encrypt will not have more encrypted email conversation than the other. At worst both have the same amount, and at best the one being told to encrypt has more encrypted conversations because they are more security aware.


If it's an extraordinary claim, it's backed by extraordinary evidence. Modern secure messengers make it difficult (or even impossible) to accidentally send a plaintext message. Meanwhile, plaintext replies to encrypted emails are such a widespread phenomenon that practically everyone who has used them at any kind of scale has witnessed them. The reason those opsec lapses aren't newsworthy is because the underlying messages are unimportant, so nobody cares. Which is why it's important that people understand that almost all encrypted mails are LARPsec.


Failure in opsec does not prove that telling people to encrypt create worse security than explicitly telling people to not encrypt.

I do not see any extraordinary evidence that support your claim. It still sounds more like you are advocating for plain text, and since the encryption wars has been on going for the last 40 years it is worrying to see a new front being formed.

There are two requirements: Plain text should be banned from the network and sensitive data at rest in the hands of third parties should always be encrypted. Advancement in email security has gone forward enough that if both sides of a communication are running their own email server than the need for PGP has been made redundant. If however an untrusted third party is used by either side then the second requirement is not unfulfilled and sensitive data is leaked.

People can pretend that they don't have sensitive data and a single look at the company CRM, HR, customer registers and so on will show that it is really hard to operate a company without handling sensitive data which under GDPR has some real legal ramifications. A single email attachment and now a third party has a copy of that, and a data breach later at the service provider and a law suit happens. With that threat model and enough cases ending up in the news the cost of running unencrypted email goes up.


I'm not telling people not to encrypt. People should encrypt. I'm telling them not to encrypt email, because email is unsafe. You're going to have to engage with my actual argument rather than fleeing to abstractions.


I'm not the person you replied to, but there's no fleeing to abstractions here.

The point being made is that you continually fail to account for data at rest (among other things) in your arguments against encrypted email. Something doesn't have to be perfect to be useful. Most people don't need to fear for their lives if a single message leaks, but that doesn't mean they want plaintext copies of everything cached all over the place for who knows how long either.


> The point being made is that you continually fail to account for data at rest (among other things) in your arguments against encrypted email.

Encrypted email with PGP doesn't give you data-at-rest encryption, though. See https://efail.de ... or the fact that forward secrecy was not a design consideration when it was designed in 1990.

> Most people don't need to fear for their lives if a single message leaks, but that doesn't mean they want plaintext copies of everything cached all over the place for who knows how long either.

This is the heart of the argument. You need to treat email (encrypted, or not) as if there are copies cached all over the place forever. You should assume that about any email you send (again, encrypted or not). This is why it's called security LARPing ... if your argument is simply "I don't want people reading my stuff, it's private"... well, no one cares about your emails. But the moment they do start caring, they can go back and read all of your emails, encrypted or not.


PGP most certainly _does_ provide data at rest encryption. Efail isn't relevant here - it's a live exploit against an active target, not something that can be used against data at rest for which you lack the keys. And forward secrecy is hardly relevant to the point I made either (other than being a generally desirable feature).

> You need to treat email (encrypted, or not) as if there are copies cached all over the place forever.

That's my _entire point_. Assuming there are copies cached all over the place forever, I would strongly prefer that they were encrypted. How is this not an obviously desirable thing?!

> the moment they do start caring, they can go back and read all of your emails, encrypted or not

I do not believe that this claim is correct. Given a block of PGP encrypted text for which one lacks the private key, I am not aware of the existence of any practical attacks against the algorithm. If such an attack does exist, please point me to it - I would very much like to know about it.


Is Signal supposed to be more secure than point to point TLS?

That doesn’t sound correct to me, and makes me wonder what the complaint about email is.

TLS encryption over a relay network seems like state of the art security, and something I’d trust much more than Signal to hide my metadata — which is how you’ll actually get killed in a “life or death” situation.


Email-over-TLS provides encryption to your mail server, not to end-to-end encryption to the recipient of your email. That's what this entire discussion is about (and "encrypted email" in the article refers to PGP encryption, not TLS.)


> and has a number of independent implementations

Actually it's slightly more than that: it's standardised. Signal for all it's niceties isn't. Even if you did emulate it (and you can because it's open source), it's a moving target so there is no guarantee what works today would work tomorrow. AFAIK, all existing reimplementations are incompatible.

Worse, it's infrastructure is centralised. There aren't 10 different lookup servers you can use interchangeably and cross validate. There is just one, situated in one country, and it happens to be a country whose government intelligence agencies have a long and colourful history of infiltrating and compromising organisations just like Signal.

The other thing major different is the PGP ecosystem does have key validation system, and in my experience it is actually used. People go to key signing parties and take them seriously. Signal also has very good key validation of course, but nobody uses it.

So while it's true to Signal can let kids chat to each other securely, the reality is it that security is very weak because they don't want to go to all that tedious setup the PGP / X509 ecosystems wants them to do. When they start a chat with someone new, they don't get a warning that could be anyone unless they use Signal's inbuilt (and very well designed) validation system. I guess such a warning might get in the way of the "frictionless experience" seems to love about it. As a consequence, when someone changes phones they have no idea of the importance of porting their Signal identity across, and when the other end gets the "Warning: Person XYZ changed their identity" (or whatever the wording is) they just shrug ignore it ("they must have got a new phone"). And with that whatever security Signal does provide collapses like a house of cards.

If the security industry claims Signal provides the same security as GPG/PGP while being easier to use, all that tells you is how little the people claiming to represent the security industry know about security. (This isn't to say if you use it correctly Signal won't provide a similar level of security - it does. But they it becomes as burdensome to use as PGP.)


These are arguments about things other than safety. In discussions about whether things are "standardized" or "federated" or how their "ecosystems" look, the safety of actual people is an externality. That's especially so because the overwhelming majority of technologists with strong opinions about secure messaging never send a message that needs real cryptographic protection against a motivated adversary; the entire concept of safety is an externality to those people. But the real, life-or-death cases are not rare. It is malpractice to suggest that people entrust their lives (or their life's savings) to shoddy encryption so that other technologists can have a federated ecosystem of standards.

If this were and engineering discussion about tie rods holding elevated walkways in a downtown hotel, we'd have no trouble setting aside all the other arguments and recognize the core, overwhelming priority. But because our discipline is not an engineering discipline, despite pretending otherwise, we're forced to humor these frankly unethical debates.


>There is just one, situated in one country, and it happens to be a country whose government intelligence agencies have a long and colourful history of infiltrating and compromising organisations just like Signal.

Whereas that same agency is under fewer restrictions for targets hosted in other countries.

>the reality is it that security is very weak because they don't want to go to all that tedious setup the PGP / X509 ecosystems wants them to do.

Being tedious doesn't automatically improve security. See https://latacora.micro.blog/2019/07/16/the-pgp-problem.html and https://blog.cryptographyengineering.com/2014/08/13/whats-ma... and https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d695...: see the section on why broken stuff there won't be fixed.


This, to steal a term from Paul Graham, is a lowbrow dismissal. You could make it without having read the article; in fact, there's no evidence in this comment that you have read the article at all. And the rebuttals to this comment are all in the article, which does not talk about "stickers" or require people to run Signal.


> Stop using that thing that mostly works as intended and is integrated into lots of email clients and systems, and has a number of independent implementations, and has the decentralized properties that match email.

I want to be sure I don’t misrepresent your point. By the thing that works as intended and has plenty of implementations, you’re referring to GPG/OpenPGP?


You seem to think poorly of Signal, but you don't give any reasons. What are they?


I agree with the points made here but based on my experiences I've not yet seen anything that could replace archaic solutions like email and SMS for me. Here's what I've tried and why it's failed:

(Note: This is an "everything sucks" type of comment but it's solely based on my opinion and my experiences. I'm not trying to devalue the work of the people who made the respective solutions and I'm not trying to frame this as general truths. I'm sure a lot of what's listed here just comes down to my specific circumstances.)

- Signal: Afaik it requires a smartphone (Android or iOS) and a phone number which are two things I don't wanna be bound to. Additionally, last time I tried it, messages got noticably delayed and I didn't recieve any notifications. I assume this is because I don't have the Google Services Framework installed even though I checked and Signal should (?) work without it.

- WhatsApp: Metadata falls rights into Facebook's hands so no thanks.

- Matrix+Riot: Message delivery was kinda wonky and slow when I tried it. Also it looks incredibly complex which means someone I communicate with will inevitably screw up just as described in the article.

- XMPP+Conversations: This actually looked like it works for a while. What drove me away from it in the end was that file transfer didn't work for some reason in my environment as well as push notifications for some people I talked to. Presumably they ran a version of Android that mandates Firebase Cloud Messaging and Conversations doesn't use that. We did not want to delve into debugging this further.

- other (mostly "decentralized web") solutions: Message delivery was either unreliable, slow or it straight up didn't work. (No hate on the dweb though.)

Email is kinda bad but so is everything else. What kind of solutions do y'all use and why? Is there some "promised land" I've missed?


I think your review isn't that far off. But looking at your other comments you kind of mix requirements all over. For example your beef with WhatsApp is Facebook owns the metadata, but when someone says Wire you say it's too hard to self host. But somehow SMS is fine.

I think you need to separate them by requirements. But anyway for all purposes Moxy and tptacek keep touting Wire is way better.

- It's not tired to a phone number, but can be if you want to. Meaning finding connections is just as easy.

- it uses signals encryption

- it's message delivery is better than signals

- It's UI and UX is a million times better than signals. I let my mom use it years ago already. And you looking pretty actually matters to a lot of people.

- The Desktop messaging usecase is properly addressed even for a business setting. Signal feels like a crappy SMS client for desktop on desktop

I have no idea why these two people write the things the way they do, but unfortunately its looking less like a let's get people to use the best solutions and more like smear pieces for everything that is not signal. It's really too bad.

BTW signal as a messaging client when you frequently switch countries is such a horrible citizen on my phone and judging from peoples issues I'm not the only one who has that problem.

- If you have multiple sim cards god knows what you cannot just reply to messages since it will just send from the wrong one.

- If you're in an country with a sim that doesn't send the country code with system messages and it differs from your signal number the country will be detected wrong. Replying might cost you. Everytime I upgrade signal I kinda hope it's fixed, but they might as well just put a wontfix label on it.


You're right I never stated my requirements anywhere. Ideally I would want something that:

- works (with push notifs and instant delivery and file transfer)

- is secure (ideally E2EE that's established and maintained, if I control the server just TLS might suffice although it's probably still safer to push trust to the edge)

- is Free/Open Source all the way through

- is self-hostable in a managable way (I have some but not a lot of knowledge in running and administering services and I'd rather not shoot myself in the foot with something extremely complicated.) Bonus points if there's service offerings I can fall back to.

- isn't bound to phones or phone numbers

SMS doesn't fulfill these requirements, I simply use it because it's the "universe default" in terms of instant messaging. And I assume telcoms are so regulated that they technically could but legally aren't allowed to spy on me. For that I had a glance at my national telcom laws and while I'm not a lawyer it certainly sounded like they aren't allowed to spy on me unless I'm already in legal trouble.


I send an SMS every few months, the vast majority of my messaging happens through Signal or iMessage.

And yeah, Signal isn't exceptionally reliable, I've had messages go missing for hours and even days. I hope it gets better, I'm willing to put up with it for security's sake.

I'm not sure I understand what SMS can do that Signal can't, the difference can't possibly be that Signal requires a phone number, can it? And SMS does nothing to indicate delivery and used to lose my messages all the time back when I relied on it.


SMS works fine for me for some reason. You're right in that it's really bad though. I use it because it's the only thing that even really works at the moment but I wanna get off it as soon as possible.


Oh, right, Keybase. How did I forget Keybase?

Don't use it as much as the others because of network effects, but it works just fine. Requires a user account but no phone number.


Keybase might be worth a look. The only complaint I have is that there seems to be no way to self-host it (which is an option I'd like to have.) And the server source seems to be hidden from public which is not great for trust.

The network effect doesn't really concern me. For communication with strangers I'll have to fall back to email anyways since WhatsApp is virtually the only thing that has presence in my area.


It's true that as things stand you're pretty much stuck with Keybase the company.

But they're going to some lengths to make sure it doesn't stay that way:

https://keybase.io/docs/client/client_architecture

I'm bullish on Keybase, even after the obnoxious Stellar Lumen airdrop fiasco. It seems like they're doing most things right.


Telegram Wire

What about those?


Telegram is a joke. They roll their own encryption, screwed it up massively on Day 1 in exactly the ways that everyone who says "don't roll your own encryption" predicted they would [0], and make snake-oil claims about their security while responding to legitimate technical criticism with conspiracy theories about how their intelocutors are all agents of the U.S. government.

[0]: https://news.ycombinator.com/item?id=6948742


Telegram requires a phone number and the server code is completely hidden away from you which does not exactly evoke trust.

Wire might be a good contender. However, last time I looked at it I wanted to stick with options I could confidently self-host and Wire looks way too complicated on that end. (The recommended way to do it is over Kubernetes which is something I don't wanna touch in production.)


Y'know, you can have all the valid points in the world and still come on a _bit_ too strong.

I get the point the author is making re: LARPing, but this kind of attitude and tone is bordering (or, bluntly: is) condescending to anyone who doesn't know as much as you. It's a huge shame because the general discussions surrounding privacy/security are absolutely rampant with paranoid bullshit, and stuff like this just doesn't help. The people you consider to be LARPing might honestly just be new to the idea of security/privacy/encryption/(insert your label here) and would be better served by a tone where you're not talking down to them, especially if you're an established authority.

Personally speaking, I use encrypted email for my personal account - but I'm under no big illusions about it, and at this point it's partly out of laziness as I find moving email providers to be a useless exercise in wasting time. My original use case was my wife and I wanting to send documents back and forth easily, have it encrypted and retained somewhere that's (relatively) easily searchable, and isn't one of the bigger email services. Email is a workflow that goes back decades, and I'm not particularly interested in changing that mental mapping in my brain (a feeling I suspect many would echo).

It's email. It's not encrypted or 100% private if I email my buddy who's using Gmail/etc. It does jack all for my bills, newsletters, and so on. I'm not worried about the metadata not being encrypted because if I needed that level of security, I'd use Signal or some other tool.

You're probably right that it can't be "fixed", but there's also nothing wrong with attempting marginal improvements until an eventual replacement comes along. It remains a convenient "it just fucking works" and until something replaces that, and interoperates with the rest of the way the world actually works, it's probably not changing.

My 2c, at least.


We are condescending† somewhat deliberately. It's time to start shaking proponents of encrypted mail by the shoulders. We need analyses that spell out the concerns starkly and don't equivocate, because the issues themselves are stark, and a nuanced discussion (if one exists) cannot be effectively communicated to ordinary nonspecialist users.

In a world where encrypted email was popular and no reasonable alternatives existed, the equation would be different. But modern secure messengers have lapped PGP and S/MIME a practically uncountable number of times. I don't know what large power of ten the multiple is of messages protected by Signal Protocol compared to PGP, but I do know that it's large. The risk is not that people will naturally gravitate towards encrypted email (which is in practice a nightmare to use), but that well-meaning but poorly-informed technologists will try to talk them into doing that and adding encrypted email to the basket of tools ordinary people use. That can't be allowed to happen.

I also want the analysis to be somewhat bracing for technologists. I'm not making fun of PGP users when I say they're LARPing. I'm describing reality directly and meaningfully. I don't think proponents of encrypted email have really thought through why they're using PGP and S/MIME, and why they're not terrified of metadata collection and the occasional plaintext reply. Their risk profile is not the risk profile of the public at large; when you're LARPing, it doesn't matter if you get hit on the head with the sword.

Not the term I would choose, but let's stipulate.


No offense, but stuff like this pisses me off to no end. You just assert that all applications are your application and then conclude: and therefore anyone doing anything else is crazy. It's frustrating beyond belief.

The stupid thing is that I know this is not what you actually believe. You say it in the first sentence of the second paragraph of the comment I'm responding to. If this is the tool you have, then it's a tool you can use. If you use it properly and understand the limitations, then it is fine. It's more than fine. It does what it needs to do!

I get that it's extremely easy not to understand how to do things. I get that it's extremely easy not to understand the limitations. I get that it's extremely important to send the message that unless you actually, truly know what you are doing, then probably you should not be using email and OpenPGP to encrypt messages. And in fact, if you have the chance to use something better, you really, really shuold. I get all that stuff. But it is just wrong to imply that you can't send information securely using OpenPGP and email. I mean, it's infuriatingly insulting to be told by a security expert (which I readily and without reservation admit you are) that I'm just playing when I know said expert knows they are exaggerating to push their agenda.

I can even show considerable sympathy for this agenda. I think you do a wonderful job of explaining problems and showing where there are better ways of doing things. You are doing good work! But, stop with the insults, please. It's beneath you. It pisses off people like me that would love to support your cause but are so pissed off with your attitude that I can't bring myself to do so. You are hurting yourself and you are hurting your cause with this line of nonsense.


I fail to see the insult.

LARP is a popular free time activity with nerds here in Germany. And people will fawn over kit and/or spend money on extravagant but useless equipment to earn social status inside the community.

So I thought that calling people LARPing was actually quite clever, because the reason why I would roll out buggy encrypted email would be the same as for why I'd walk around in a cow leather robe in a forest shouting like a madman. I have done both, btw.

And just like nobody would complain about me accidentally breaking character during LARP, nobody would complain if I accidentally break the encryption by replying the wrong way.

So as someone enjoying LARP and dabbling with encrypted emails, I didn't feel offended by his comparison.


I like your interpretation. I'm going to choose it too. Thanks!


> ...as for why I'd walk around in a cow leather robe in a forest shouting like a madman. I have done both, btw.

You're great! Loved this.


Larp has different cultural baggage in US vs Europe. In US it is depicted as the most nerdy, most socially awkward activity. Very insulting.


I am saying the opposite: that nobody should be using this tool, and that the only "real" reason it gets used is for social signaling, and the everyone using it to protect secrets has been misled by the people doing it to signal. What I'm saying in the post is what I believe, for the reasons stated in the post.

People should stop using encrypted email.


And I should seriously implement the Signal protocol on decades old equipment in the middle of a company infrastructure that's on an intra-net, when I can hack something perfectly serviceable instead. Well... I mean... Yes, I should :-) But it's just not reasonable that I'm going to get that budget.

Not every application is your application. Not every fight is your fight. If you absolutely must insult someone, target it and be specific. But, better yet, get your message across without insulting people. It will be much, much better.


I reject the idea that people should seriously consider the shoddy security of encrypted emails so that your "decades old equipment in the middle of a company infrastructure that's on an intra-net" can participate on equal terms with commodity phones that are 2x as capable. That's the quintessential argument for ergonomics over security, and that's the offensive argument, not mine.


Voluntarily removing this message because I don't think it holds with the rules of HN. I wish I could have a productive conversation on this topic, but it seems like it's not in the cards. Hope you have a good day, otherwise.


I am having a GREAT day (hiccup!).

I didn't see your original message but I'm sure it was well-intentioned and wrong. I am wrong often too. Just not this time.

Taking back an HN post you think will be taken as uncivil is a strong move. Respect for taking the community seriously. There's nothing personal in my criticism of encrypted email; it's the technology I hate, not the people behind it.


Well, I would be remiss if I didn't say that I also take you seriously and respect you. I also don't think you are wrong... at least in the way you are looking at it. I think there are other ways to look at it, though. Still, no excuse for me being grumpy.


They've already done it for you, so you don't need to worry about implementing it:

https://github.com/signalapp/libsignal-protocol-c


This is disingenuous. My wife for example would be fired if she didn't encrypt medical records that she has no choice but to email as part of her job. There are thousands of people in just our US state that she might need to communicate protected health information with. Those thousands of people are not signaling. They would just prefer to keep their jobs.


I have no problem with anyone sending encrypted email because they are legally required to do so. I'm sure there are a bunch more corner cases like that, and I'll have the same response to all of them. I think it's pretty clear who the intended target of my critique is.


Corner case? I would have thought sending secrets via email was more than just a corner case of encrypted email. I don't actually use encrypted email though myself.


People required to use encrypted email may well be majority of users using encrypted email. In that context its for sure not corner case. But in context of all people using email and people looking for more privacy it is for sure corner case.

I think author is advocating for all of communications to be encrypted and it cant be email because its just bad. People should stop advocating for it.


I use Signal on my phone, and I like it for the common situation where I'm close enough with the person to share my personal phone number.

I'm still looking for a solution for the situation when I'm trying to communicate without revealing my identity to the person I'm talking with. Signal's reliance on phone numbers means I'd need to get a bunch of burner phones or something, which is beyond what I'm willing to do: I'm not talking about an ultra-high-risk situation, just I'd rather not announce who I am when I'm interacting with people I don't know that well.

What do you think is the most promising tool for this sort of communication? I've been hearing about Riot/Matrix; do you think that's a good option for people to use?


> What do you think is the most promising tool for this sort of communication? I've been hearing about Riot/Matrix; do you think that's a good option for people to use?

> I'm not talking about an ultra-high-risk situation, just I'd rather not announce who I am when I'm interacting with people I don't know that well.

In that case, yes, with some caveats.

Be mindful of your list of Matrix devices because that is something all participants can see. Otherwise, Matrix will allow you preserve basic anonymity with respect to the other participants (but not with respect to the server) with solid encryption.

Also bear in mind that Matrix is built on the premise of storing all messages server-side indefinitely by default (in end-to-end encrypted form and with regular key rotation so forward secrecy is preserved).

Of course, forward secrecy does not help if the participants retain all keys indefinitely and subsequently leak them. I think disappearing messages are in the works.


For a specific, common usecase, what should be used for submitting security bugs for software?

Another concern I have with the proposed replacments is many (Signal, Keybase, etc.) depend on a single centralized service.


The idea with Keybase (can't speak for signal) is that your client doesn't need to trust the server. You only need to trust that your client isn't compromised, which is easier to verify.


Sure (and that's true for signal as well), that's not my point. My point is you have to rely on that service being available. And you need to trust it to deliver and (at least with keybase) persist your encrypted data. And if that service becomes as prevalent as email, that gives the organization that controls it a lot of power.


"I'm still looking for a solution for the situation when I'm trying to communicate without revealing my identity to the person I'm talking with."

This exists. In the past, it took the form of an "anon.penet.fi" email address. This was a very simple, useful service[1] that many people used to great advantage.

In modern times, you can see this very same concept used at craigslist wherein CL maps your email address to a random craigslist email address, allowing you and another party to have painless email back-and-forth without leaking identity.

Now that I am thinking about it, you could set up a simple SMS remailer with codes that would allow the same thing to happen.

None of this addresses secure comms, but that's not the question you asked ...

[1] A "remailer".


> In modern times, you can see this very same concept used at craigslist wherein CL maps your email address to a random craigslist email address, allowing you and another party to have painless email back-and-forth without leaking identity

CL implementation is flawed and only gives perception of privacy. I forget the header/tech name for it, but if you hit reply and your email account is set to “First Last <email@domain.com>” it will pass along that entire string to the recipient in the body of the email. The obfuscation is only in the actual email address the message goes through


And in some countries getting burner phones is very hard. The phone number requirement removes Signal as a serious option for many.


One option is XMPP with OTP or OMEMO encryption. XMPP IDs are similar to email addresses, it's easy to set up a server, and there are lots of public servers you could get an account on as well.


Keybase is the best encryption tool around and you can tie it to a pseudonymous identity


While we talk about cool threat models, https://en.wikipedia.org/wiki/Signal_%28software%29#Blocking - how about DoS?

Oh wait, https://en.wikipedia.org/wiki/Signal_Protocol#Metadata metadata collection?


Signal: you can see who the recipient of a message is, but not the sender

Pgp: you can see the title, sender, and recipient of every message.


> ...but that well-meaning but poorly-informed technologists will try to talk them into doing it and added encrypted email to the basket of tools ordinary people use. That can't be allowed to happen.

This is already happening, which is why I disagree with your messaging: I don't think the way you attack it will fix it, because the people this post will resonate with already (generally) agree with you. But I digress...

I view encrypted email as services like PM/Posteo/whatever paranoia induced flavor of the week fits here. I don't know anybody who tries to use encrypted email straight up - I think the era of running your own mailbox is gone so I don't particularly count it for anything. If you do it yourself, it's a shitshow; if you're on one of those services it "just works".

You can shake the shoulders all you want, but people use email, and people look for the easy win. "Encrypted email" is easier for the average person to latch on to than the UI/UX most secure tooling has right now (a problem even you've noted: https://news.ycombinator.com/item?id=21897173). It's very telling that nothing has dethroned it yet.

Given that, I welcome these marginal improvements while something better is built. These things shouldn't be around in ten years, they're bridges. Email simply has an annoyingly odd usability bar to clear, and nothing is really close to that right now.

If I had to make a dumb analogy, it's like Objective-C and Swift: it's very, very clear that Swift is the future; inherent advantages abound, and much more difficult to shoot yourself in the foot with... but in lieu of Swift, I'd still sooner write Objective-C over straight C, warts and all.


I think a fairer comparison than LARP is martial arts training. As you say it mostly doesn't matter if you get on the head, but people think they are preparing for a situation where it will matter. And in most cases they are wrong.


If that's what encrypted email was, I'd agree, but it is not; it is more akin to taking a children's martial arts class for a month and then physically resisting an armed mugger.


You may be missing that most martial arts people practice are for exercise and social display, not for self-defense or killing.

If it has katas/forms, if certain moves are proscribed during sparring, or if your teachers have not told you the catch-22 about there being no morally acceptable way to practice genuine kill shots even though they're all that really matters, then you are not preparing for self-defense in a life-and-death struggle.

So, martial arts may be the appropriate metaphor.

Disclaimer: My knowledge here is limited to a few years of kung fu as a kid, a lot of armchair research in the past five years, and an old friend who used to place at multi-state competitions. I'm not an expert so I could be off here.


That analogy would work if:

1) the mugger was going to attack you anyway, and does so every day

2) the "martial arts" was a vicious form of Krav Maga taught to CIA operatives, that was a state secret until a few decades ago

Seems like an unqualified win to me.


> We are condescending† somewhat deliberately. It's time to start shaking proponents of encrypted mail by the shoulders.

And yet, you catch more flies with honey than vinegar. Or, in other words (although this is an exaggeration) pulling a Linus to get your point across is counterproductive. The hostility radiating from article will turn off a lot of people who otherwise might benefit from considering it.


Actually no. The title got my attention, and reading through rid me of any illusions I was harbouring about encrypted emails. (Granted, there weren't many left, but anyway.) A title like "Encrypted messaging apps like Signal preferred over PGP" what have been glossed over. At some point you have to tell technologists that their bad advice to people who really need the technology could get the latter killed/imprisoned/tortured.


Tell us your threat model. You talk about overthrowing evil regimes, organized crime, first world police and google as though they all do the same thing.

https://imgs.xkcd.com/comics/security.png

If your adversary is going to drop you, your family, neighbours and cat in an acid vat disappearing messages aren't going to save you.

If your threat model is organized crime, signal might be an ok solution, if you have messages set to disappearing faster than you would tell them your password after they start sanding your feet off.

If your model is first world law enforcement I hope you or anyone you care about have never committed any crimes ever because you will have the book thrown at everything you might have done: https://www.goodreads.com/book/show/6611240-three-felonies-a...

If your model is google, then encrypted email is perfectly valid and a wonderful way to use gmail.


Here's the problem with encrypted email: there is only a very, very narrow threat model that it (additionally) protects against.

In any sane setup, your (and your recipient's) email client will use encrypted connections to and from your respective email servers. Any competent email provider will use MTA-STS, ensuring that no one but the sender, receiver, and respective MTAs can read the message [1]. All this happens for regular unencrypted email, without any effort on the user's part.

So encrypted email purports to drop the ability to allow the MTAs to read the email. But... they don't really do that. Your email providers are required to MITM all of your email, and can trivially modify any plaintext attribute they want to. And anyone who has credentials to your email account can also trivially MITM all incoming email (and may be able to at least social engineer outgoing email, if not MITM as well). This means that pretty much any key discovery mechanism that allows an unencrypted email to initialize or update a public key is defeated [2].

So, encrypted email only provides extra security in those cases where: a) keys are negotiated completely external to email (in which case, why bother with email?), or b) you trust the email provider enough to not try to intercept your messages but not enough to not look at your messages without your permission. Given the BOFH principle (i.e., administrators have no inclination to look at your email because you're boring), that kind of means the second case doesn't really exist as a practical concern. You can improve your security in the second case simply be deleting emails from the server immediately, again not requiring encrypted email.

So... why bother with encrypted email? Unencrypted is secure enough unless you're paranoid, and if you're more than very slightly paranoid, encrypted email isn't secure enough.

[1] This is all happening via TLS, which has gone far, far further than PGP or S/MIME have in actually making "no one can read encrypted text" true. The latter protocols take the stance that "using the cipher.encrypt() is good enough," which has been known to be false for decades.

[2] And DANE-PGP is right out, because your email provider is of course the one publishing your public key.


DANE is only an option if your zone is DNSSEC signed and you have control of your DNS. Of course, there are other ways you can go: https://slxh.nl/blog/2016/pgp-and-dns/

You’re in control of publishing your public key, not the email provider.

I’d be remiss if I didn’t tell you how bad MTA-STS is:

* MTA-STS: compromise for the DNSSEC-challenged

    * Still can and should prefer DANE outbound

    * Authenticates domain control via CA leap of faith

    * Vulnerable to MiTM at cert bootstrap

    * Vulnerable to weakest root CA, and unauthorized certs

    * Open to downgrade on first (or irregular) contact

    * Complex mix of HTTPS, unsigned DNS and SMTP


> You’re in control of publishing your public key, not the email provider.

This is only true if you personally fully own the domain and have control of the DNS and other services, which is not the case for the utter majority (at least 99.9%, maybe a few more 9s) of the population. Of course, in that case, you are pretty much the email provider, so not trusting the email provider is a pretty questionable scenario at that point.

> MTA-STS: compromise for the DNSSEC-challenged

Yeah... DNSSEC is a classic example of a solution looking for a problem. Most of your criticism would apply equally well to not using DANE for TLS, and every browser vendor has looked at it and decided against it because it adds no security.


Having cryptographically signed DNS records that can’t be forged and can be validated is good thing, which is what DNSSEC provides.

Right now, DANE is the only way to mitigate downgrade attacks with SMTP and TLS connections. Apparently use of DANE for email is growing [1].

DANE hasn’t taken off with browser vendors because of their concern about additional DNS lookups when making TLS connections.

[1]: “Number of DANE-enabled mail domains growing exponentially”—https://www.sidn.nl/en/news-and-blogs/number-of-dane-enabled...


If that were the case, browser vendors would have helped push the DNSSEC chain-extensions forward, which were designed exactly to avoid doing DNS lookups to carry DANE records. Instead, the browser vendors laughed at the chain-extensions effort, and it died in committee.


Just pointing out that MTA-STS doesn’t mitigate downgrade attacks and that DNSSEC/DANE does: https://www.rfc-editor.org/rfc/rfc7672.html#section-1.3.1

And right from the MTA-STS RFC: https://www.rfc-editor.org/rfc/rfc8461.html#section-2

the mechanism described here instead relies on certification authorities (CAs) and does not require DNSSEC, at a cost of risking malicious downgrades.

So there’s that.


You forgot about signatures, which TLS does not provide. Nor does Signal. (In a meaningful manual way.)

PGP and S/MIME do. The latter is used for all sorts of official messages for exactly that reason.

Unauthenticated encryption is rather worthless. Repudiation is a separate matter and threat model.


Sure! Use minisign/signify, and see OpenBSD for an example of people who do this who care extremely deeply about non-repudiation.


fwiw keybase supports simple and easy signatures (and less verbose than PGP.) combined with an (imo) much more rational and discoverable attestation of identity, I think it's nearly ready to supplant PGP for this use case. email integration for signatures would indeed be nice.


> Unauthenticated encryption is rather worthless

How so?

Mind you, unauthenticated encryption in terms of signal does not mean that anyone can forge a message, rather that you can't prove to a 3rd party that this was a message sent by the sender rather than forged by you.


a) DH scheme was invented specifically to solve this problem. And, yes, I could pass my public key via other means, which is not as convenient as e-mail. Including paper card in anti-tampering envelope, is I'm paranoid enough.

b) I'm my own email provider, but I don't trust my server provider (they could read HDD of my server), for example. Or my recipient's provider.


I'd love to know what you thought I got wrong.


>keys are negotiated completely external to email (in which case, why bother with email?)

Because I've been using that method for close to 15 years now?


People used FTP for decades, too.


And they still do. I worked at a market maker that used ftp over ssh to move over 10b a year in trades between its various offices.


I hope there is no such thing because that would be insane. If you mean SFTP, that's actually a completely different protocol and is part of SSH.

If you mean FTPS (which I suspect you do as I actually had to set up something similar at one time), that's FTP over SSL and has nothing to do with SSH.

Your point still stands though: some of the background "FTP a CSV file with a cronjob" crap that goes on in the background would horrify anyone.


You forgot that SSH can be used to tunnel arbitrary TCP streams. FTP over ssh, http over ssh, etc.


Sadly, all three are used and none of them should be.


Nope, ssh tunnel.


Has anyone told them there might be a better way?


What is better than (S)FTP? Or do you mean MFT, AS2?


SFTP shares only those three letters with FTP but is otherwise a completely different protocol.

It's also a counterpoint to one of the OP's points which is that trying to secure email is a dead-end that we should give up on. It may be possible, though very difficult, to transition to secure email. But it would have to be a brand new protocol not tacked-on to the current system. The way that SFTP is the appropriate upgrade path for FTP and not FTPS.


The interface of sftp is largely the same as ftp. You can give someone an sftp client, username, and password and they wouldn't be able to tell the difference.

A new e2e protocol that works just like email does would be excellent, but we don't yet have that. Signal &co are chat apps with a different feel and purpose and other than matrix and xmpp not federated, which is a non starter for many entities.


Yes I hope it is SFTP and not FTPS.

There are some things we could easily give up to get encrypted mail. For example, setting a max delivery time to allow ephemeral keys.

But there are other problems with encrypted messaging, and I'm particularly thinking of spam. How does Signal/WhatsApp manage to keep a lid on it? Would that be possible in a federated system?


> Unencrypted is secure

It is not. Unencrypted is environmental pollution that need to be actively prevent until it reach zero use. A favorable future is one where the firewall blocks any unencrypted traffic by default.

Similar, giving third party clear text copies of private information is not secure. It is never going to be secure, and the only half working solution there is the kind of heavy legal regulations and systems that does not exist anywhere yet.

If people want to debate over which end-to-end encryption scheme is best then they can do so as much they want, but in the end the goal here is to stop plain text from continuing harming people.


You managed to cut out the key word in the quote: unencrypted is secure enough.

Email is protected with TLS on all every hop if your provider is competent. My point is that this protection is sufficient for most purposes. Where it is not sufficient, email encryption doesn't actually add the protection you probably wanted (this is the what the original article is detailing).


The optimal provider in those cases is oneself, running the email on an disk encrypted server, using dane, dnssec, and strict dmarc policy to match (should be noted that the author of this article are also against some of those technologies, and if I recall right, also against people running their own email server).

Project like freedom box could make email encryption obsolete, but thats not because unencryption would be secure enough. It would be because the encryption would be moved away from the individual email and onto the whole server.


Yes, because the security from using Gmail is higher than what you will get for running your own server.

Because Gmail does all of those things, and spends more money and effort making sure they do it correctly than you will over your lifetime.

If you have secrets where you believe that, say, a government will extrajudicially lean on Google to access them, theres am equally, or even higher likelihood that you misconfigured something somewhere and leaked your data.


I have a hard time to see any use case where no security is different from giving google a plain text copy of a private conversations where google has the right to determine who and how others might participate in accessing it.

Giving google a plain text copy of everything you say in private communication is not good enough security. Anyone working with information that is covered under privacy laws should be held legal responsible for disclosing it to a third party, regardless if that third party is google or a friend at a bar. If it is a doctor, lawyer or government employee the probability of this is close to 100%. If its a company talking to customers, communicating personal data as defined by the EU between employees, there is only a google breach away from being found out and sued.

The only choice is encryption, with the choice between a encrypted server under the control of the person responsible for keeping the information safe, or encryption per email. Which of those two choices one choose does not matter but giving google a plain text copy and calling it safe is just LARP security.

I should mention that here in Sweden there were recently a large political scandal involving the government using IBM as a third party service provider. Sensitive data got sent over the border and outside the control of the government, and it continued for years as those in charged really wanted to believe that "the cloud" could treated as just as secure as running your own servers. The law said otherwise, and when reality came crashing down things had to change. Convenience does not make it suddenly acceptable to give a third party sensitive information, even if that third party is a large international operator who can't do any wrongs.


Privacy is not security. Privacy laws do not improve your security. PGP does almost nothing to improve your privacy even when used correctly (metadata leaks). I have a hard time understanding what your point is. If Google, or whomever, is following the relevant privacy laws, why do you care if they have a plaintext copy of your private communications?


I am talking about the threat model that a person have if they work with information that by law they need to keep secret, which if you live in the EU is basically any personal identifiable information about a customers. There is also a long list of professions that deal with sensitive information and carry legal binding requirements to not divulge to third parties. Typical examples is anyone working in health care, education, government, legal system and so on. I am not talking about meta data but classified or data which if disclosed results in people getting fired and holds legal punishment such as jail time.

Using gmail without encryption in those cases is a security issue and also illegal. A lot of people still use gmail in those cases and google track record in regard to data leaks has meant that few people have been found out. That said it will only take one significant data leak and people will start to dig for all data being sent to google. That day a lot of peoples head will roll.

I would guess without exaggeration that a large enough data leak at gmail would cause a global market crash. There is just too much plain text data containing sensitive information that people would dig into. Not private, not meta, just information which people should not have given to a third party. Google privacy policy does not play a role in that.


> I am talking about the threat model that a person have if they work with information that by law they need to keep secret

Then PGP is irrelevant, you don't email that data around. And even if you are, then you aren't dealing with security, you're dealing with compliance, compliance with legal obligations has nothing to do with, and is often in direct action against, actual security.

> Using gmail without encryption in those cases is a security issue and illegal.

This, almost certainly, isn't true, given that Gmail is a GDPR compliant store. You might need to use enterprise gmail, for the legal requirements, but that's still entirely beside the point. "Use enterprise Gmail" is the solution here, not "fail to use PGP".


It is true that people should not email that kind of data but then we assume good op security. Failure of op security is one of the argument of the author here against encryption. On that note I agree with him. People op security is bad, thus they should not use a third party service provider where the line between legal and illegal is the wrong attachment.

Enterprise Gmail is able to operate as a data processor, but there is a lot of fine details in order to stay within the law. It assumes that the company has agreed to the gmail processing terms and gotten permission from their own customer to process the data in such ways. Again here we hope that op security match the fine line between legal and illegal. (If we want a practical example which I know people do, imagine a administrator of a CRM sending a copy of the database to a new hosting provider. Now a copy of the database exist in the sent folder and an other copy at the email provider that the hosting company use. It is very doubtful that GDPR allows that kind of sharing of the private information. If the file get leaked in a data breach there is high probability of a successful lawsuit for mishandling of the information).

Using your own email server or tools that automatically encrypt everything does however prevent those risks.


What email server do you use that automatically end to end encrypts everything using pgp?

It sounds like you're talking about encryption at rest, in which case Gmail does that already, more securely than whatever you're doing so the backwards approach to compliance is more effort and less secure in practice.


> What email server do you use that automatically end to end encrypts everything using pgp?

I wrote a program to do that, but there is also a package in Debian if I recall right that also do it. On the mail server it looks up keys in DNS and if it founds it, automatically encrypts outgoing email.

> talking about encryption at rest, in which case Gmail does that already

Emails at google is not encrypted. Good must have access to the plain text in order to do analytics and search. If google has a data breach it can include every single email gmail has in plain text, and that is a fundamental risk.

> more securely than whatever you're doing

That is kind of impolite to make assumption about my own setup. It is also wrong.


> On the mail server it looks up keys in DNS and if it founds it, automatically encrypts outgoing email.

So you're not talking about pgp/e2ee, you're talking about, like, SMIME or something.

> Emails at google is not encrypted.

They're at least as encrypted as they are on your server from what you've told me.

> That is kind of impolite to make assumption about my own setup.

Given that you don't seem to understand the difference between end to end encryption, in transit encryption, and encryption at rest, I'm going to say that no, I'm very confident that you haven't done this correctly.

> It is also wrong.

And that therefore no, gmail and Outlook are both more secure than your email server.


I wish more people would study IT security since a lot of this kind of silly discussions are cleared up during the first lecture.

Basic 101 security. In order to calculate risk you take the risk threats minus risk mitigation. The bigger the threat, or the fewer the risk mitigations are, the bigger the risk.

You might have forgotten that in 2010 there was this data leak called cablegate. NSA lost 251,287 diplomatic messages. NSA did store them on an encrypted server, and used transit encryption, and yet the data leaked. A major risk to data security is access, and in that case an administrator with access leaked it.

With my mail server, that administrator is me. One of the larger benefits of personal servers.

When you compare Gmail and my mails server then you include social risk just as much as technical risk. You compare the physical risk, that is servers located in multiple places on the earth. You compare the political risk of a single entity that control 80% of the world email with a private email address used by one person. you compare targeted attacks with passive and optimistic attacks.

Lets put money where out mouths are. Want to bet that google will have a new data leak before I do? Looks like a very lucrative bet to me.

In 2018 Google had a data breach. five million user's data was compromised. In 2018 I had zero data breaches in any of my servers. Zero users data was compromised. I have been running my own server for almost 20 years and not a single bit has been lost.

Have I Been Pwned? has billions of leaked accounts, not a single which belongs to me. What about you?

> So you're not talking about pgp/e2ee, you're talking about, like, SMIME or something.

No. There are RFC for email security written in this century. The adaption of putting pgp keys in dns is not great however which is why personal email servers is currently better, but both solution works fine either way as long both side of the conversation does it.


> With my mail server, that administrator is me. One of the larger benefits of personal servers.

Ah I see, so you aren't actually worried about security, you're worried about privacy. Which We've been over when I said:

> Privacy is not security.

You also are ignoring a whole host of other risks, like data loss (your one server breaks, oops there goes your all of your email, etc.)

> Lets put money where out mouths are. Want to bet that google will have a new data leak before I do? Looks like a very lucrative bet to me.

Sure, I'll bet you $10,000 that my email will not be leaked before yours. Here's what we'll do, I'll tell you my email address, and you tell me yours. Mine is @gmail. Yours is hosted on your server. I'll then turn around and spend $8000 on a pen-test of your server, they'll exfiltrate data, and I'll win the bet and be up an easy $2,000.

> In 2018 Google had a data breach

Pause, hold on. No. In 2018, Google announced that there was a vulnerability that could allow semi-public information to be shared more widely than intended (literally it was things like name and phone number that you put on your G+ profile being shared with a wider than intended audience).

There was no evidence that this vulnerability had been used, and Google's own employees detected it.

> In 2018 I had zero data breaches in any of my servers

that you detected. Here, Google has a better track record than you: they are actively monitoring and red-teaming their own servers and systems to detect vulnerabilities. Do you?

So I'll put it bluntly one more time: you are putting your clients data at more risk by administrating your own mailserver than you would be if you let Google or MS do it for you. You can try to come up with all the counterarguments you want, but they are, as this article puts, security LARPing, not actual security best practices.


You are a bit funny. Just as you can hire a hacker, I could buy a zero-day exploit, or someone could hire mercenary and take down googles servers. It would not prove or disprove anything.

In the end, if you have your email leaked while I do not then that is what matters. Results. I have had zero leaked accounts. Most people have stuff that been leaked, and since you refused to answer, I assume you are listed in Have I Been Pwned?. You trusted someone to be secure and they were not. That was your choice, and it was the wrong one.


So you're willing to take that bet then?


I have had the same setup been tested by two different pen testers, so yes, I would not mind that bet.

If you break the law however, which is what happens if a pen test a system without permission, then it doesn't really matter if you hack or use rubber hose tactics. Breaking the law is breaking the law. The police don't look kindly to bets under those situations.

I will also say the same thing I wrote to those two pen testers that tested our system. If you find any vulnerability I will happy help write the CVE report. What I did not tell them but will mention here is that I also happy take part in getting those bug hunting reward money that zero days exploits usually rewards. If you have for example a working exploit against current stable release of latest SSH then I am sure we can turn that in somewhere for a pretty good amount of money.


You seem to assume that the government will need to access all accounts at Google individually, and will have to work equally hard for the first one as for every subsequent one. Why is it not a likely risk that Google is thoroughly "compromised" by the government? We have seen this before, when another company was in a similar position regarding access to user's communication:

https://en.wikipedia.org/wiki/Room_641A


Can you explain how you ensure that neither you nor the recipient of your email leak your messages to an untrustworthy email provider?


You don't. The same way that you don't ensure your recipient doesn't leak screenshots of signal conversations to icloud.


So your threat model is "protect me from my email provider (and very little else) assuming every person I interact with has great opsec"?


My threat model is the one that I learned at a three letter agency when I was organizing their key signing party.


This appears to contradict your earlier comment, so I'm confused.


I think the point was that you can't protect yourself from your recipient disclosing the information, regardless of your chosen scheme,so it just doesn't matter.


There are schemes that make it difficult for a recipient to accidentally disclose your information. PGP isn't one of them. For example a common enough way of doing PGP is to use a chrome extension that PGP-ifies your webmail. Or to use an encrypted mail service like protonmail or tutanota. In all of those cases, assuming the mail provider is untrustworthy enough that you feel the need to use e2e encryption, they can also just inject JS to steal your plaintext from the client, so you aren't really secure unless you're using an imap client, which by definition you aren't doing.


>You don't. The same way that you don't ensure your recipient doesn't leak screenshots of signal conversations to icloud.

Again, if your counter party is an idiot nothing will save you.


Good protocols prevent people from shooting themselves in the foot. A good protocol will get in your way if you try to do something insecure. PGP doesn't do that, see "oops I accidentally forwarded the plaintext of my encrypted email" vs. Gmail and Outlook's "confidential" modes, which prevent accidental exfiltration via forwarding or copying. They're possible to circumvent, but you have to make an effort to do it.

PGP requires that you not only not be careless, but be near-perfect, and that every counterparty does the same. Good protocols prevent you from making mistakes that spew your plaintexts everywhere.

In other words, I want a protocol that doesn't necessarily protect me from idiots, but does protect me from humans who occasionally act imperfectly.


It is not problem of protocol. It is problem of user agent. And, yes, all webmails is incredibly crappy user agents. Stop using webmails!

On the other hand, UA (for any protocl) which will not allow copy'n'paste from is crappy by definition and nobody could stop your recipient to copy'n'paste plain text from your message. Ultimately, it is THEIR message as much as YOUR message!

On the side note, I think that GMail is worst thing that has happened both to the web and to e-mail.


Secure protocols ensure that user agents are secure, as part of the protocol.

A secure protocol would, for example, not mix plaintext and encyrpted text messages, but would ensure that all messages were always encrypted. This way a we'll designed user agent couldn't accidentally mix cypher and plaintext messages.

I'm not arguing that UAs should do user hostile things in the name of security, which is the straw man you're arguing against. Nor did I mention anything webmail specific.

I'm saying that a security protocol shouldn't have, in practice, fail open attributes that user agents have to put warnings up about. A good protocol should allow the UA to entirely hide those dangers.

This is abundantly clear if you try to use any pgp mail client vs any signal protocol client. The protocol makes it easier for UAs to be both more secure and more user friendly.


People don't share information in text anymore, they share screenshots and screen photos, it's infuriating.


>For example a common enough way of doing PGP is to use a chrome extension that PGP-ifies your webmail.

You mean mailvelope[1]? That's a straight up plugin/extension. It gets installed once and is as secure as whatever is used to secure extensions on a particular browser.

[1] https://www.mailvelope.com/


It's one of a number of options (gmail for example had an unofficial official one for a while, and there are other similar extensions). They still all have the same issue that the only threat they protect from is "my webmail provider is incompetent".


>There are schemes

Schemes like "everyone has great opsec".


A nitpick: Tutanota does not use PGP.


I don't have a problem with "LARP" as I understood the analogy and having a bit of flair in writing helps make it memorable. Editorially speaking it may be too niche a reference and be confusing. (Reading these comments it certainly has been.)

The condescension I see is in calling out "technologists." I've never heard that before. Just looking at the word it sounds like it means a person who works with modern technology. Wouldn't that encompass the majority of Hacker News readers? But by context you don't seem to have a favorable opinion of the group. What makes someone a technologist to you? Do you include yourself and if not why not? What justification is there for you to generalize people in such an unflattering way?


We likely need a better globally supported standard. I think Gmail is onto something with the "confidential" send setting, but I don't like that it's tied only to Google.

For my services that use automated emails, I only send plaintext emails and use shortlinks. No sense in wasting time trying to make an email look good on every provider and hope it's encrypted or worry about which ones it will be blocked from because they don't support encrypted.

It should be used as a notification mechanism nowadays. But we do need a better universal platform - maybe that's webpages...


Exactly this is the key point. This why email is still so important because it doesn't lock you into ecosystems. It comes from a time when decentralization was still valued in the internet.

I think only regulatory action could be a way out of the messenger mess (which potentially leak even more metadata). I don't want to be forced into closed telecom ecosystems by my (real life) social network. The problem with potential message routing regulation will be that governments mandate weak crypto for law enforcement.

So I guess email is a dinosaur worth preserving. Even with security after design. delta.chat comes close to an deal world IMHO if you ignore the problem with metadata. Maybe it could integrate sth like mixes to make email a bit harder to monitor.


If we go down the list of compromised protocols, hardware and firmwares/applications in use online (not including the people), how long before those in the know conclude that the Internet is an untrusted medium for secure communications?

I don't think we'll see homing pigeons make a comeback, but using autonomous vehicle couriers for analog/digital communications (drones, but more likely sdc's) and sacrificing the convenience of real-time communications for 100% integrity is not beyond the scope of reason or wants. If a message (or payload) is intercepted, it's physically impeded and much easier to track/detect. The number of layers of security to lockdown or destroy the contents is also at the sender/receivers discretion.

Depending on how cumbersome they choose to make 8k videos, VR worlds and/or new fangled AI/ML datasets for personal/business use, we're limited to 6720 GB transfers per day over 1GB lines, so data outgrowing the Internets transfer speeds is a plausible scenario that may facilitate a use case for local and long-haul direct autonomous data couriers that will blend in with the other autonomous delivery/pickup traffic.


Honest question: What is LARPing in this context? Live action role playing doesn't seem to fit the context...


It is live action role playing. The implication is that they are just pretending to care about privacy by going through motions that are only vaguely related to actual privacy.


As somebody who is friends with some LARPers, I find the usage here to be a little rude. No (sane) larper tries to convince anyone that their world is real, nor do they believe it is real, which is the parallel being drawn


1. LARPing is nomenculture in the infosec (netsec/"cybersecurity") world. It means someone is taking security a bit too seriously, like they're in a James Bond movie. They've fallen into delusions and paranoia that everyone has the capability of a state actor, and that all systems and all actions should be considered with this notion in-mind.

If someone is running TailsOS/Whonix/Qubes as their daily driver OS, and only browses from TOR, connected through a VPN/cellphone tether/coffee shop WiFi, with full hard-drive encryption using VeraCrypt+hidden partitions with a killswitch to zero out the harddrive if a certain password is entered, and runs their laptop with no battery, with a CoreBoot/LibreBoot flashed BIOS -- then they are taking this shit way too seriously and will be chided as a LARPer.

Yes yes, I understand security is important -- I used to be a vulnerability researcher who transitioned to "red teaming" for a government agency -- but the above is taking things too far, especially if you're just a layman that barely makes it on anybody's radar.

That's LARPing. It's like when a script kiddie buys a DDoS service, and calls themself a "hacker," for overloading a server (AnonSec/Anonymous I'm looking at you, morons). It's roleplaying, it's childish, and it will get ridiculed for its self-aggrandizing.

2. I don't know why, but everytime someone mentions that they're offended or miffed about something someone else said, especially on the internet, I have a very hard time taking them seriously.

I believe it's because I grew up on hearty banter, and anyone that couldn't hang was, in my eyes, a chode. No disrespect, but I wanted to share that insight with you. Maybe it'll come in-handy somewhere down the line.


A couple of observations:

1. To the outside world, a LARPer might be indistinguishable from someone that actually needs perfect opsec. Maybe that LARPer in the coffee shop is Ross Ulbricht.

2. If one day you actually need real encryption, it will help if you've LARPed in the past.


I agree it's a little rude.

For the meaning behind the choice from the author see this comment: https://news.ycombinator.com/item?id=22372065


Yes, I didn't get the usage of the term "LARP" in this context too. It comes off as rude and condescending to both LARPers and email users. I am not sure the term fits appropriately in this context. All LARPers are aware that they are role playing in a game, not the real world, and they do not pretend otherwise.


To larp as a verb applied to a discussion that is not about actual LARP activities (the primary sense of this word) carries a strong connotation of rudeness.

Etymologically it probably emerged in the infamous *chan-culture, and is in active use there in the sense of ‘pretend play’ or ‘on-line role-playing’. It can be used to signal, in a derogatory way, that you feel that the other is spinning a yarn or indulging in a fantasy, without declaring the fictive nature of their comments, in order to provoke responses and bait others into participating.

I wouldn't use this word in polite conversation, unless you are actually talking about live action role-playing.


I certainly don't intend any offense to LARPers in general, virtually none of whom use encrypted email. Nor, indeed, email users, among whom I count myself! No, I'm pretty specific about where my criticism is aimed.


One could also use the phrase "cargo culting", perhaps -- carrying out actions that seem associated with a good outcome in a context that provides none.


I think the implication is different - LARPers may or may not be using a useful technique, but they don't really care about the outcome. If they're sword-fighting, they may use actual sword-fighting skills, but they don't really care if they get it wrong and they get hit - it's just a wooden sword.

Cargo-culting implies you recally do care about the outcome, but you don't know how to get it, and the technique you have is copied poorly from someone else.

To extend things, it's true that if you are about to go in a duel to the death and you are preparing by studying how LARPers sword-fight, you may be Cargo-culting during the duel.


People like cypherpunks who like to use sophisticated security tools and encryption to protect their secrets, which generally are messages they post publicly and open source code they put on Github.


He's right and he's right about things people pride themselves about.

PGP considered harmful for being a clusterfuck.


Not all of PGP is bad though. PGP is really hard to use but it's still useful for signing, file encryption and authentication. Encrypted email has been outclassed in every way by modern messaging applications such as WhatsApp and Signal but currently PGP is the only good way to sign code.


The good parts are just enough to be bait, frankly.

Code signing is probably the only use case left for it.

Edit: nope a quick Google search finds specialized tools. They can't be harder to use or screw up than PGP, so automatically better.


Yep, see signify/minisign and OpenBSD as an example of it being used in practice.


It is good for literally none of those things. See the link in the post.


Yeah surely not by Whatsapp / Facebook. It's proprietary code afaik and the possibility of third key exists for that reason. It's not trustworthy at all, especially considering the company owning it, who also told users in the past, that the data of WA and FB would never be merged or used together. WA is laughable in the context.


Condescension is good in certain cases, especially during public health epidemics. Anti-vaxxers being mocked is good, pointing out that a certain group of people are selling the illusion of faux-privacy in a dangerous way is also good.

It's pointing out that the emperor is wearing no clothes: that they're ridiculous. It may not help someone already too deep to dig themselves out, but it will probably stop at least a few people from getting on the wagon at all; no one wants to look like a fool.


It's interesting that you bring up the emperor's clothes, because shaming people for showing their body is not something that people make convincing arguments for. Observe how countries with advanced civil rights such as Germany have more nudist beaches.

Privacy is a human right, but I think it is a step too far once you ridicule people just because they don't value it as much as you do. There is nothing wrong with being "ridiculous". Who are you to judge who counts as a fool?


Do you not know the story The Emperor's New Clothes? It's a classic where I'm from. From the Wikipedia page:

"The Emperor's New Clothes" (Danish: Kejserens nye klæder) is a short tale written by Danish author Hans Christian Andersen, about two weavers who promise an emperor a new suit of clothes that they say is invisible to those who are unfit for their positions, stupid, or incompetent – while in reality, they make no clothes at all, making everyone believe the clothes are invisible to them. When the emperor parades before his subjects in his new "clothes", no one dares to say that they do not see any suit of clothes on him for fear that they will be seen as stupid. Finally a child cries out, "But he isn't wearing anything at all!" The tale has been translated into over 100 languages.[1]

The point isn't...whatever you're talking about, it's that the people do value it a lot, they're just shooting themselves in the foot.


Everyone judges everyone, and to judge who is a fool is also something everyone does, a personal judgement that might be shared with the rest. "Who are you to judge" is the wrong phrase. "Who are you for your judgement to be taken into consideration by me" is the real meaning.


> Anti-vaxxers being mocked is good

You need to be strategic about it. I've met someone with anti-vax beliefs, and pointing out her errors without mocking her worked wonders. I believe she actually changed her mind.


That's not strategic, that's tactical.

Strategic is mocking them to prevent their stupid ideas from spreading. (Public shaming creates a resistance at scale.)

Tactical is breaking from the general strategy to help at an atomic unit (i.e. one person).


Indeed, I stand corrected.


What's with all these articles dissing the very idea of encrypting email? It used to be that hardly anyone cared. Now there seems to be some effort to discourage something that any reasonable person interested in privacy would enthusiastically support.

This is a pretty typical example from the article of the sort of important sounding but ultimately bogus argument presented in such articles:

>So, for example, it recently turned out to be possible for eavesdroppers to decrypt messages without a key, simply by tampering with encrypted messages.

By failing to actually specify the actual attack the writer hopes to prevent a rebuttal. I am pretty sure they are talking about EFAIL. EFAIL was itself a weird slander of the idea of encrypted email but ultimately did not show any weakness of either PGP or S/MIME. It was instead a cautionary tale about the use of HTML for email.

The article attempts to promote Signal as superior to PGP email. That is unlikely as Signal initially trusts the phone system for identity. It is also quite a lot more complex than PGP so the odds of an exploit are not in Signal's favour.


> By failing to actually specify the actual attack the writer hopes to prevent a rebuttal. I am pretty sure they are talking about EFAIL. EFAIL was itself a weird slander of the idea of encrypted email but ultimately did not show any weakness of either PGP or S/MIME. It was instead a cautionary tale about the use of HTML for email.

What you said there can't be stressed enough. Despite that almost no email client in the past decades defaults to allowing active or remote content. But because you could turn all that on with some clients... it somehow means PGP and S/MIME were impossibly insecure.

"Weird" is a good word to describe things.


Efail worked with the default settings on almost all clients except Mutt. Most email clients do not have a "plain text" mode. They all display emails as HTML and apply some formatting to make the "plain text" mode be monospaced.

Also, one of the Efail exploits (the CDC gadget) was a cryptographic vulnerability. The fact you could manipulate the ciphertext to inject HTML tags such that GPG wouldn't scream bloody murder (because the MDC wasn't required and had very odd semantics, where GPG would output data to the caller before it had been authenticated and clients showed it as a warning and still rendered the HTML exploit) was definitely at its core a cryptographic bug.

All of this was explained in significant detail in the CCC talk about Efail[1].

[1]: https://media.ccc.de/v/35c3-9463-attacking_end-to-end_email_...


> It was instead a cautionary tale about the use of HTML for email.

Indeed, which makes it ironic that ProtonMail (a webmail provider) was not affected by the vulnerability:

https://protonmail.com/blog/pgp-efail-statement/

If an issue with handling HTML is grounds for abandoning PGP, then it should also be grounds for abandoning Signal:

https://news.ycombinator.com/item?id=17050754


While the pgp cryptosystem wasn't broken, the openpgp email security protocol was.

Signal protocol doesn't have the same lack of integrity checking.


The OpenPGP protocol does in fact have a simple integrity check that detected EFAIL. That was not the issue and is beside the point.


and was optional. The protocol did not require validation and as a result some protocol compliant implementations were vulnerable.

If a protocol compliant impl is vulnerable, and the fix is to update the protocol, the protocol is broken.

Yes without html you couldn't build this gadget, but we don't blame machine code for making gadgets possible, we blame insecure c for having buffer overflows.


But in use for all the clients that the EFAIL people tested. That was not the problem. The problem was that there were email clients that were loading image URLs from HTML emails. There was nothing to fix in the case of GPG2. It was entirely a problem with the way that certain email clients handled HTML emails ... a problem, might I add, that still exists today. They just prevented the one type of attack. There will undoubtedly be others that may or may not involve encrypted emails.


Quoting efail.de:

> However, we found that several clients only gave a warning to the user for invalid MDCs, but still displayed the modified plaintext. This allowed the CFB gadget attack despite the MDC

No, the problem was that clients would render a plaintext known to have been tampered with. This was exacerbated by a zero click gadget, but would still have been an issue if images weren't loaded and a malicious link was clicked.

You're right that Gpg wasn't shown to be broken, but pgp was. (This is the CBC attack, not the direct attacks on clients which are just client bugs, which themselves aren't direct evidence that a protocol is broken)


>You're right that Gpg wasn't shown to be broken, but pgp was.

GPG2 is the ubiquitous implementation. You mean the OpenPGP standard was broken? I don't understand what you mean.


Sorry yes. The standard was broken. The underlying crypto isn't broken by some measures, but the protocol as a whole was.


I understand the points of the article and somehow agree with them.

But I still think that PGP can and should be used in certain scenarios: think of how Snowden interacted initially with Glenn Greenwald and Laura Poitras.

That particular scenario was about anonimity (I don't want to reveal the sender persona just yet) and temporary "validity" of the messages: if down the line, one or two years later, the message gets decrypted, no harm is done.

Potentially, Snowden could have used a burner phone, install signal and get hold of the journalists phone number - more difficult that email, but not impossible. In Europe it's not so simple to get a sim card in a complete anon way: not impossible, but if one need several sim cards it may get cumbersome and expensive.


Today, you would use SecureDrop[1] for that particular use case (talking to journalists with an established organization). But you're still right for the general case.

[1]: https://securedrop.org/


Agree with pretty much everything in the article. Encryption is not a property of email, and will never be. And if you manage to add a perfect encryption solution on top, it stops being email.

The most that can be done at this point is to build a new closed "email v2" which cannot interoperate with any existing client out there, but because of that it will inevitably be dead at launch.


I could imagine Signal Desktop adding a mail-like UI that still interops with Signal.


Something like that will eventually happen, because lots of people want a good desktop mail-like experience for secure messaging. And there's nothing wrong with that, as long as the backplane for such a system isn't SMTP email.

It's not the core email UX that's the problem; it's SMTP email that's the problem.


It's not the core email UX that's the problem; it's SMTP email that's the problem.

You're article seems to argue the opposite to me. For example, the following quotes are all related to the email UX:

1. In any group of people exchanging encrypted emails, someone will eventually manage to reply in plaintext, usually with a quoted copy of the entire chain of email attached.

2. Every archived message will eventually leak.

My understanding is that it would be possible to create an alternative app that is compatible with the Signal protocol that would provide a different UX. This alternative UX could, for example, offer the ability to save all messages onto google docs, eliminating the benefits of secure messaging.


There is nothing about the core UX of email that requires plaintext as an option; you can straightforwardly imagine, and probably even readily implement, a secure messenger with the same UX as Outlook in which it's not possible to plaintext-reply a message, or send plaintext at all.

Archival is a problem. But you can also imagine something with the UX of Outlook that implements the same advisory-level disappearing messenger feature that modern secure messengers have; in fact, I wouldn't be surprised if you told me Outlook already has that feature (but that it only works for Outlook users).

The problem is the legacy of SMTP. It's not what the UI looks like.


I don't think you've addressed my point. My point is that an alternative client (and hence UX) for the Signal protocol could still have all the flaws that you point out about email. Therefore, the security of Signal is fundamentally dependent on the client/UX. A bad client (that is 100% interoperable with existing the existing Signal client) would break Signal in the same way that email is broken.

Of course such a client for Signal doesn't exist and is unlikely to become widespread even if it were created. Therefore Signal is more secure. I agree with your conclusion and everything in the article; I disagree only with the claim that it is not a UX problem, and the disagreement is likely that we are drawing the boundaries around what constitutes UX in different places.


No, it could not have all the flaws that I've pointed out. It seems pretty obvious to me why an alternate Signal client wouldn't have those flaws. Be specific about which one you're thinking of.


An alternative signal client could forward all messages to a gmail account (pt 1 from my original post) and store the messages in plain text on the local computer (point 2).

Of course these would be very poor design choices for the alternative client, but none-the-less technically possible.


These are not interesting points. Respectfully: do you have interesting points about what an alternate Signal client might actually do?


This is not the point of the commenter you're going back and forth with on the thread, but as I read this it occurs to me that some version of the plaintext reply problem exists in real life regardless of protocol.

That is, once the recipient has plaintext, we don't know what they're going to do with it. They could read it aloud in a crowded place. They could blab about it to all their friends. They could pass it verbatim to somebody else. Or more innocuously, they could store it in an insecure database as in this commenter's scenario.

Now, if you're using something better than email, the protocol itself won't be the problem and it's less likely (or impossible through the protocol itself) to be an unintentional plaintext transmission, so this fact is pretty moot and not at all a justification of how email clients might behave. Nobody building these systems has to necessarily be concerned about protecting against "social" types of plaintext leaks.


This is what people are talking about when they talk about the "Print Screen" button or screenshots or securing the clipboard. But I'm not kidding about the "inevitable plaintext reply" problem. Everyone I know who has used PGP at scale has seen it. These aren't people deliberately doing dumb things; they're doing things a bad tool begs them to do, because the underlying system is designed for, expects, begs for plaintext.

Nobody can do anything about people deliberately subverting the security of their privacy tools. There's nothing deliberate about plaintext replies. The people who do that don't want their messages sent in plaintext.


I know. I am not claiming otherwise.


I agree they are not interesting points. But they are exactly the problem you are complaining about for email.

Also respectfully: If the point of your writeup is to suggest that the signal protocol is better than the SMTP protocol, then I suggest you delete those points from your writeup. If the point of the writeup is that the signal experience is better than the email experience, then I suggest you stop claiming that the signal protocol is better than the SMTP protocol.


I don't follow this at all. Obviously, the Signal Protocol is better than the SMTP Protocol.


Pretty hard to block PrintScreen though.


Sure! But a screenshot is trivial to forge anyway, and even if you block PrScrn, people can always taddle. The goal is to get the message safely to the recipient, not prevent the recipient from disclosing anything afterwards. (Non-repudiation is a common goal, but screenshots being easy to forge solves that.)


That feature isn't trying to prevent people from deliberately archiving or forwarding messages in a way that the sender didn't intend, expect, or prefer.


Would such a desktop client have to disable copy-to-the-clipboard, because otherwise you won't be able to stop bozos from copy-and-pasting from this new system into an MS Outlook all-company email?


No. The problem this article is talking about isn't "bozos".


What I mean is, doesn't the ubiquitous presence of ordinary email on the desktop create an unacceptable risk of the "inevitable unencrypted reply" for any secure messenger on the desktop?


Top practitioners like Zimmerman himself famously replied unencryptedly to encrypted messages. Copy pasting something in a different program seems hard to do by accident. But sure, let’s stipulate we break copy paste :)


I'm surprised no one has mentioned Delta Chat yet. It solves some of the problems, as it's based on email but adds automatic encryption. See https://delta.chat/ and https://autocrypt.org/

For me this is a good compromise and a great alternative to messengers like Whatsapp and Telegram. This is a first step towards decentralization while relying on the existing email infrastructure.


And Delta Chat encrypts not only messages but also metadata, right?

Although only when used properly - again, there's no point in relying on Delta Chat if your correspondent is going to forward your messages to people on gmail.


https://github.com/deltachat/deltachat-core-rust/issues/1032 implies that the most important metadata (who sent and who received the message) is not encrypted.


well, at least the issue says, they can be removed from the easily visible header, so they could also be encrypted.

but smtp will know anyway.

i think, this is a general issue with "who is messaging whom" - also signal, whatsapp, whatever have to deliver the message and cannot know this afaik when these delivery data are end-to-end-encrypted. so this is not only an email problem.

but with email, at least, there is no "global" server that sees everyhing (no, also not gmail outside us :) and can draw a huge social graph.


Email+PGP may have some usability flaws, but it far surpasses the security of Signal against powerful adversaries, especially concerning metadata. Signal leaks your phone number which can easily be traced back to your physical location and identity, while email+PGP can be used over Tor or a similar anonymization network.


Can you describe how Signal leaks your phone number and what capabilities and adversary needs to get it? (I know the answer, I am asking rhetorically, because I don’t think that someone who knows the answer would make that case.)


An adversary could compromise the signal server and observe how messages are routed. Applying pressure or coercion to achieve this is well within the capabilities and willingness of state-level adversaries. An adversary could also compromise the person you are communicating with, not to mention cases where you don't want to leak your physical identity to a someone you are messaging.


I actually use PGP. Your comment complexly glosses over the “email” part. It’s “easy” to send an smtp email over tor without giving up too much info via side channels. (It’s impossible to get the message you sent to reach the inbox, though.)

But to reliably anonymously receive emails is a different story. It’s really hard for the average person to get a persistent online email address without a phone number, without going through google, without paying with a credit card, without being tracked back by your provider, etc etc.

It’s not very different from Signal in that regard.


As a test, I just created a new email via Tor Browser: hn22373017@cock.li

It took a few minutes, though admittedly I had to disable noscript. Now, I agree that the average person is going to have a hard time with this, and that's unfortunate. And indeed, I will admit that something like Signal is the better overall trade-off for the average person--largely because the average person doesn't have anything like the NSA in his threat model. But for people who do, and who are sufficiently technically capable, Signal isn't enough.


Exactly, not to mention that mobile smart phones are inherently insecure, having enormous attack surfaces.


Somebody has had a really bad weekend in a muddy field apparently. Also real LARPers don't want sharp swords, the whole point is that it's not actually dangerous - no edges, no points, nobody is supposed to get actually hurt.

I'm more optimistic than this blog post allows for. I see email's trajectory over my lifetime and it looks like incremental improvements really do work, they just aren't fast. And I think just as Signal lacks an "Encrypt" button because that's the wrong UX (everything is always encrypted, no need for a button) that's email's future too. You aren't going to install "Really good privacy" and have encrypted email. Just one day perhaps many years from now you'll be debugging a weird problem and you'll discover that without ever noticing it your email is actually encrypted end-to-end and you're not actually sure when then started happening or how.


Candidly: I've never LARPed or even watched anyone LARP. I just assume they're swinging foam swords at each other's tin-foil armor. That's as sophisticated as the analysis behind my choice of words is.


Surely you've seen the lighting bolt, lightning bolt meme video. It's implied in making dumb LARP jokes!


I have not! Whose sentences are you calling "jokes" and whose jokes are you calling "dumb"?


Strictly in the Pickwickian sense, of course.

Anyway, this is it. Its stratigraphy is in the layer above All Your Base but below Leeroy Jenkins. An important, if transitional fossil.

https://www.youtube.com/watch?v=j_ekugPKqFw


Well, that's definitely the image I was trying to evoke.


> your email is actually encrypted end-to-end and you're not actually sure when then started happening or how

That seems to be the vision for Autocrypt [0], although it seems that the current "Level 1" of the technology is "single-click" encryption rather than the ideal of zero clicks.

https://autocrypt.org/


Good points, but the adversary for my encrypted email is corporations casually collecting data, not nation-states targeting me. Plus, most of these are one-way notifications coming to me, not threads. For my case, ProtonMail works fine.


Okay, so what would a secure email alternative look like?

Can we design a system such that sending a message from alice@foo.com to bob@bar.com is reasonably secure and private? How does Signal/NOISE solve this? Why can those not be applied to non-messaging systems (or, at least more traditionally structured messaging systems - which is itself a questionable definition since email threads are a hack, its mostly just independent blobs)?

I guess I'm off to read the whitepapers for NOISE and Signal tonight to see how the models differs.


> Okay, so what would a secure email alternative look like?

Matrix is basically an email alternative. Though I think the address format is needlessly complicated. Email is perfectly good at addresses!


This is an instance where I'm perfectly happy to talk up Matrix! People would be a lot better off using Matrix than they would be trying to encrypt emails.


This is potentially the most interesting subthread on this otherwise well trod discussion. Some large entities (German Govt., Mozilla) have announced moves to Matrix. I'm curious as to whether there is anything inherent in the protocol that makes it more efficient for longer-form conversations than Signal (Matrix is also supposed to be for IM after all).


In that case why not something simpler like XMPP + OMEMO?


I would love to see a protocol added, so that when alice composes an email a request is sent to bob@bar.com with a special header to retrieve bob's private key. This in turn would be signed with a cert from bar.com, which in turn is signed by one of the same trusted CA's used for HTTPS traffic.

Is there anything like this currently implemented / standardized?


ActivityPub will bootstrap public keys from WebFinger (over TLS/HTTPS).

Keybase has an even more complicated key escrow-based system (that works for any of their "Proof" types, not just domain ownership) if you trust their clients, where your client generates an ad hoc key for the recipient and essentially a "for bob's ears only" claim and on verifiable Proof from Bob securely exchanges the ad hoc key to Bob's new public key. Which is interesting because it allows for people that haven't yet setup keys to eventually receive them so long as you trust Keybase's clients and their Proof infrastructure.


There's something crappy-ish and similar for email with DKIM. That doesn't sound the same, because it's the server signing, not the sender -- but in this protocol you're kinda already trusting the server anyway. The critical difference is that DKIM is not protected with WebPKI.


I think you want Alice to retrieve Bob's public key, but it also sounds like you want Autocrypt [0] and/or RFC-7929 [1].

[0] https://autocrypt.org/

[1] https://tools.ietf.org/html/rfc7929


it looks like a modern e2e encrypted instant messaging application.


I really want to use Signal but having a centralized server and requiring my phone number turn me off. I'd love to be able to self-build the iOS [0] and desktop [1] apps, and self-host the server [2]. Has anyone tried any of that, are any of them even possible?

[0]: https://github.com/signalapp/Signal-iOS

[1]: https://github.com/signalapp/Signal-Desktop

[2]: https://github.com/signalapp/Signal-Server


On iOS you'd have to constantly redo it via TestFlight or Jailbreak. You could build and install on Android. But "your" binaries won't connect to Signal servers.

Yes, you can host your own _Signal server and have your own singed apps but it will have to be your own _Signal network, not Moxie/Signal Foundation's Signal. Search around. Here's one - https://gist.github.com/aqnouch/9a371af0614f4fe706a951c2b976....

Some context:

https://github.com/signalapp/Signal-Android/issues/282#issue...

https://github.com/signalapp/Signal-Android/issues/127#issue...

https://github.com/LibreSignal/LibreSignal/issues/37#issueco...


> Yes, you can host your own _Signal server and have your own singed apps but it will have to be your own _Signal network, not Moxie/Signal Foundation's Signal.

I don't think that's quite true. You might[0] be discouraged from running your own self-built binaries, but given that Signal Android has reproducible builds[1], I don't think that there's any actual technical barrier. The context of your links is about having (unofficial) third-party packages for Signal, not about somebody building the binary for their own use, and since these are obviously two different things, from a social perspective, I don't think that the Signal foundation would complain much about the latter (given reproducible builds and the fact that you wouldn't be distributing the binaries, they probably wouldn't even know about it).

For Signal-iOS, it seems that you won't get push-notifications if you build by yourself.[2]

[0] I'm not 100 % convinced that "We would not recommend that anyone use an unofficial binary build" was meant to refer to building for yourself, by yourself.

[1] https://github.com/signalapp/Signal-Android/blob/master/Repr...

[2] https://github.com/signalapp/Signal-iOS/blob/master/BUILDING...


As a side note any messenger relining on the phone number is to some degree fundamental flawed, too.

No idea why many recent secure messenger thing using the phone number for anything is a good idea. You don't need the phone number to have locally stored contacts.

Also how trustable your local Google/Samsung/... provided address book is is another question (I'm not saying Google/... is hacking you but they probably would love to collect statistics about your contact book and sell them, at least if you, maybe accidentally, allow syncing of your contacts with your Google account. Does anyone here know if their terms of service would allow that?)


> encrypted email is LARP security

LARP here is a link to Google and from the results I can only assume that it expands to "Live Action Role-Playing (Game)". I don't get how that's related. What is "Live Action Role-Playing Security"?

> most people who encrypt emails are LARPing

They're role-playing what?


Just replace it with 'pretending'.

LARP Security = Pretend Security

LARPing has a connotation of nerds ineffectually playing pretend warrors. Going through an immense amount of effort in the process.


Role-playing someone who needs to and does send encrypted messages, was how I read it. As in, make-believe security for fun, to feel more like a spy or something.


I think the author intended it to mean security theatre.


They're pretending to have security.


The post would be better if it clarified what threat model they have in mind.

For tampering, PGP-signed email is helpful.

For protecting secret communication contents, PGP-encrypted email can be helpful to some degree.

For preventing a surveillance from knowing who you talk to, when, from where and what type of content you likely exchange, email cannot become secure.

I suspect it is the combination of the three the author has in mind.


Want to send a truly secure message? Write it out by hand in a concrete enclosed room and then set it on fire. Boom. No interception. I mean, of course, that's not a very useful message - but it's extremely secure!

It's kind of like the ideal way of securing a computer - encase it in concrete and drop it in the marianas trench. A volcano would probably work too in a pinch.

The issue that some security folk, such as the author, don't comprehend is that people want to actually _use_ their tools and maybe, just possibly, have a decent experience in doing so.

Sure, encrypted email isn't perfect. It's probably a step better than letting Google scan _every_ email and instead only let them scan the ones that hit a gmail account. Likewise, two people are capable of having a reasonably secure conversation over encrypted email.

Calling people who move towards being more secure, even imperfectly, as LARPers is rather insulting. If anything, the author is LARPing as a security professional.


Fine, I'll bite.

A phone number is far more identifying than 10+ years' worth of email metadata. Anonymous email is still possible (if difficult); anonymous phone numbers largely are not. And if your adversaries are state-level then your phone number gives them not only your name and address, but also a direct and easy way to track your location in realtime.

OpenPGP's key rotation remains the closest thing to a practical approach that actually exists. No supposedly "secure" messenger has managed to do better: either your contacts' keys sometimes change for reasons that you don't understand and you occasionally get told to "press OK to continue", or they don't change at all. That is not a sustainable approach for real security.

As the article points out, snake-oil encryption products are everywhere. How can you be sure you're not using one? Because tptacek posted saying this one is secure? At a minimum the product needs to be an open-source implementation of a published, established, reviewed standard with multiple independent implementations. Especially any random number generator it uses needs to be open-source, as that is the easiest way to backdoor an encryption product. And the way its cryptosystem provides security - the algorithms that it uses, the assumptions they rely on, the model and reasoning that turns those into guarantees - need to be simple enough that you can understand them, not rely on vague handwaves like "the proprietary intermediary server can't do anything except during the initial handshake, or if the client ends up redoing the initial handshake, but don't worry about what circumstances might cause that to happen".

Signal is unsafe and cannot be made safe. Stop using Signal.

(If you want something more constructive, work on better UI to make OpenPGP key rotation easier (using subkeys, they're right there in the protocol), better implementations of OpenPGP (i.e. more usable libraries), or non-email OpenPGP messengers to avoid the metadata issues)


Maybe you didn't get the memo, but you're not allowed to criticize Signal anymore. And any time it's mentioned you have to draw phony comparisons between it and something that is on the naughty list (PGP as of late).


The article does not demand that you use Signal.


You want signal to replace email?

1. Federate it.

2. Don't tie it to phones/phone numbers.


Oh, so you mean like XMPP?


Why did we ditch XMPP again?


I often wonder. I still run my own server for a small group of friends.


And 3. make it IETF standard.


Sounds like security absolutism again. Encrypted email, even using a weak algorithm, is more secure than unencrypted email and will deter some percentage of attackers.

Yes, PGP is weak, metadata is exposed, email wasn't designed for any of this, and people will fuck it up.

It tickles me that plaintext replies are submitted as an argument against encrypted email. The reply being in plaintext is an example of UNencrypted email. If you oppose a thing, let it be because of what it is, not its opposite. You don't sell your failed useless car because of that one time it broke down and you had to take the bus. Hopefully in my view, you sell it because of what it does when it works - it burns money, stinks, is loud, and kills people. (Car hater here, so I personally know the difference with this particular analogy.)

Actually to me "encrypted email" isn't even a thing. There's encryption and then there's email. If you have a secret, you encrypt it, and if you're OK with sending it publicly (i.e. via email) then you attach this encrypted secret thing to the email. And get the key to the person somehow privately. I dunno what the big deal is. No matter how earnestly and ferociously you declare yourself the mom and dad of the world, they all still keep messing up, murdering each other etc. and nobody cares, so take a vacation.


As someone who has very crude high level understanding of encryption, I think this post has opened my eyes, I always used to think that End-to-end Secure email is possible, just not widely available right now due to lack of support, and they will get picked up as with wide company support like when Gmail will adopt them. Now I know that it is futile to build them, May be some email alternative from Signal or Matrix will be better. All points made by OP makes total sense.


The article comes on so strong that many will be inclined not to believe it.

One point. The encrypted systems are many and not inter-operable. That's a problem for me and many others.


I don't see a single argument in the article why, conditional on:

1. Me deciding to send a given message

2. Me deciding to use email for that message

... I should send it over an unencrypted email rather than encrypted one.

I see arguments for using other systems like Signal. I see arguments for a false sense of security — i.e. if I didn't assume the email was secure, I'd write a different message.

But, again, for a given message being sent over an email, I just don't see any reason not to encrypt it if it provides at least some protection (and saying it doesn't would probably be too much hyperbole even for latacora). The authors sort of just declare out of nowhere:

> But email cannot promise security, and so shouldn’t pretend to offer it.

And if "pretending" meant rot13, I would agree. But even despite all its flaws, there's a sea of difference between rot13 and PGP. If I can publish the encrypted contents of my email publicly, and not even tptacek can decrypt it, then it's not pretending.

So, what is the downside of encrypting an email compared to not encrypting it? I can't think of any, and apparently the authors can't either, despite trying very hard.


Am I missing something? I thought the PGP vulnerability wasn't in the Cryptography but the mail client rendering the HTML like a browser and allowing it to be outgoing. Still a dumb move but fixable via going plain text everything.

Granted the metadata and backlog issuss are themselves serious issues for the format.

It is more a "stop using email even if encrypted" than "stop encrypting email".


This claim about Efail is essentially false. Efail was possible because PGP uses an archaic message authentication scheme, one designed more or less before the dawn of authenticated encryption, which can be stripped off messages, and which is in a real sense an "add-on" as far as the core of PGP is concerned. PGP will release unauthenticated plaintext to its callers and count on them to check out-of-band errors to see that the plaintext isn't safe; mailers failed to reliably perform this check.

There is a technical sense in which mailers are responsible for mitigating this vulnerability, but it's a vulnerability that can't exist in the first place in a well-designed cryptosystem.

In the context of this post, this is basically a nit; the point the post makes is that even if you replace PGP with something like Age, encrypted email is still too risky to use, and is intrinsically inferior to modern secure messengers. (Encrypted email is not a use case Age is pursuing, and I do like Age).


My only annotation here is that I think MDC was added in the early 2000s, after HMAC. My understanding is it's not so much that we hadn't figured out real authenticators, it's that the people designing PGP didn't believe in them or believed them unnecessary for some reason. You can see the echoes of this silliness in the description of MDCs in the RFC today, because of course RFCs are for pontification and not for spec description. (Grep RFC4880 for "NON-NORMATIVE EXPLANATION" if you're interested.)


Claiming that EFAIL somehow showed a weakness on the part of PGP and S/MIME is like saying that a caretaker that lets burglars into their tenant's apartment is an example of bad lock design. Sure the lock maker could of removed the ability to use a master key but that is simply not a reasonable thing to suggest.


I can't follow this analogy. Claiming that Efail showed weakness on the part of PGP is like claiming that cryptosystems should be designed not to release unauthenticated plaintext to callers, and that the "authenticated/unauthenticated" status of a message shouldn't be communicated out of band. You know, like how all modern AEAD cryptography works.


>PGP will release unauthenticated plaintext to its callers and count on them to check out-of-band errors to see that the plaintext isn't safe

Is that problem the same as this one? https://github.com/FiloSottile/age/issues/59


It is not, no. The problem we're talking about allows you to exfiltrate plaintext from messages you don't have the keys for, which you can do because PGP makes the ciphertext of messages malleable. This Age discussion pertains to entire messages that attackers construct from scratch under their own keys.


There's not "one" PGP vuln: one of the things that makes PGP so pernicious is that it's a spec, a de facto implementation (GPG), an ecosystem used in different contexts (e.g. enterprise file transfer, but also e-mail) by completely different user archetypes. But yes, this post focuses on problems with email in general and why the problems are deeper than something solved with a "better PGP".


> one of the things that makes PGP so pernicious is that it's a spec, a de facto implementation, an ecosystem used in different contexts (e.g. enterprise file transfer, but also e-mail)

Just like SSL/TLS and SSH? They're both specs via RFCs, they both have de facto implementations (openssl and openssh), and they're both used in different contexts (ssh can be used for file transfers, besides remote shells; TLS's applications are very broad like PGP's).


Great point! Sorry, I should have been clearer: the pernicious part is in _explaining how PGP and encrypted is bad_, which is a Herculean task because there's always another little use case broken in its own subtle way. TLS and SSH have that problem far less, because where they have issues (e.g. SSLv3, let's say), the issues are singular (e.g. the problem is that the obvious way to implement this introduces a padding oracle), not like GPG, where the issues are fractal (e.g. this isn't a real authenticator and consumers can be tricked in unauthenticated data -- a problem that requires a constellation of both GPG's broken crypto but also the specific context of e-mail and also a vulnerable client).


I think the overall advice is "stop using email for stuff you expect to be E2E encrypted". There are still valid use cases for "regular" email, and I'm okay with most of it hosted on Gmail and searchable etc.


A point you can make here that really upsets technologists is that organizations with real practical security concerns (for instance: most technology startups) can and do use the email infrastructure to have conversations that involve secrets --- but (1) almost none of them use encrypted email and (2) they rely heavily on GSuite for their security. And, for business-level secrets, this is usually fine! Better (more secure!) in fact, than the outcomes they'd get from trying to make the same workflow work with encrypted email! I feel like there is a kind of technologist whose head explodes when you tell them that links to GSuite documents are a safer workflow than PGP, but that is sometimes the case!

This, of course, goes out the window when your threat model is extrajudicial.


Agreed, although change GSuite to Outlook. E2E encrypted email would be considered a security risk at every company I know, and in fact would be illegal in a lot of sectors. They want to use IRM etc. for encryption and access management but also want complete control of the keys.


Relying on GSuite is only "fine" for businesses located in the USA and that don't compete with Google. Otherwise it's an obvious security risk.


>If messages can be sent in plaintext, they will be sent in plaintext.

I don't buy that argument. There's definitely ways to fix this, and the best example right now is Signal.

I use Signal as my SMS app as well. This gives me a single interface for all my messages: For contacts without Signal, messages get exchanged as SMS. But for contacts with Signal, the conversations become end-to-end encrypted automatically. There are UI hints (Signal conversations have padlocks beside messages and a blue send button, vs a grey one) but overall it's seamless and transparent.

This is totally possible with email too: look up if the receiving end has a PGP key published (PKA[1], SKS[2]) and auto-encrypt if they do. It'd be nice if we had an email client that did this.

[1] https://keyserver.mattrude.com/guides/public-key-association...

[2] https://sks-keyservers.net/


> Ordinary people don’t exchange email messages that any powerful adversary would bother to read, and for those people, encrypted email is LARP security.

Point of order: Can we go back to using adult words like "performative" or "artificial" or "mimicry" etc, instead of accusing everyone of being a LARPer? It really just smacks of an immature 4chan insult.


> There are, of course, web email services that purport to encrypt messages. But they store encryption keys (or code and data sufficient to derive them).

While I assume they are talking about things like Protonmail here, there is a case where PGP is better than nothing here. Mailbox.org allows you to provide a PGP public key which they will encrypt all incoming messages to. I have Mutt configured to auto-encrypt emails saved in my sent folder.

Now, obviously this doesn't help if Mailbox.org becomes malicious or gets attacked. But it does protect my personal email archive. If someone managed to access my email account, they couldn't read any old emails (but they could disable it for new emails).

Maybe I'm LARPing and I don't know it, but I think it's a neat feature which is worth more than nothing. But I do agree with the rest of the points the article makes -- though I think Matrix is a better secure messaging replacement than Signal because it's federated -- especially now that it has E2EE by default.


I read this more as a condemnation of email itself, and less about PGP.

PGP aligning with how email actually works and the author not liking the effects is a pity, but by comparison it's a whole other dichotomy from something like a mediated end-to-end crypto scheme. Those kind of systems have the exact oppose set of problems from PGP conceptually, and note this ignores the geriatric architecture of PGP to some extent.

Assuming PGP were re-invented right now, I'd still like it to mostly stay the same. That is to say, I'd like to be able to have private/public keys stored in something conceptually similar. I'd like to see slight ease-of-use improvement in signing objects, encrypting objects, etc... but the basic functionally be the same. Finally I'd like to see integration with other transports made more modular and around an API versioning system that moves forward. That is to say, If I sign my emails, I'd like to be able to communicate that the other end should be on an API above some level, or similar setup.

Finally, there would bee some more thought put into people who want to advertise their keys on public directories. The aforementioned API versioning and modular remarks head into this direction. People want to communicate their keys, and it should be easy for social networks, or whatever directory lookup providers that would be created can be accommodated. This is key

People like things like the signal protocol, but they want to manage all the stuff in the middle themselves, or whatever that entails. Some people may want to fly bellow the radar, and not have anything to do with an automated system, or run sneaker-nets like some old school cloak-and-dagger stuff from KGB or CIA.

Anyways, email is terrible. But to conflate the problems of email over to PGP is a bit weird, but it's nice to recognize the real issue of using both.


We’ve written both versions of that argument: PGP and email. This one focuses on problems that a better GPG could not fix. (Discounting my own “pathological examples” from a different thread.)


There's a lot of evidence of careless skimming in the comments here. The article didn't say "don't use email." It said "don't use email for encrypted communication." Because it can not and will never meet the minimum standards for such. Keep using email! Just not for sensitive/secret/confidential communication


Here's my counter example:

https://github.com/zachaysan/toolies/blob/master/wallet.dat....

That's my original wallet from 2011 that I uploaded to GitHub a couple years later when the amount of money it had in it became non-trivial. GPG works great[0]. I emptied the wallet near the top of the last Bitcoin run up, but honestly even if I still had money in there I wouldn't worry about commenting about how it's public.

As for the rest of it, he's right about metadata and right about human failures like following up with plaintext responses. But on the other hand if your email box leaks then at least most actors are not going to be able to break encrypted messages, which are arguably the most important.

[0] And yes I know the difference between symmetric / asymmetric encryption, but I'd trust it if I'd done it with keys too.


404? GitHub link seems broken...


Sorry for the late reply, apparently I made the repo private after putting in some aliases in my bashrc file that would have leaked information I didn't want to leak.

But it had nothing to do with the wallet file. That thing was public for years.


While we are at suggesting encrypted IM, I'm wondering something: I'm not using Whatsapp or Signal, but I have the feeling that for UX reason the users never have to validate a fingerprint (or QR code or anything similar). How is this working? They are using TOFU right (there will be a notice if the fingerprint change)? What happens if a user gets a new device? Can anybody with experience with those apps explains how it works?

Because e2ee doesn't really makes sense without proper authentication (we're talking about protecting against malicious server, right? So what happens if a server add a fake device or change fingerprint).

Conversations use Blind Trust Before Verification, that means that until a first fingerprint is checked, everything is accepted, so e2ee only protect against server archive/passive attacks, but not again an actually malicious server.

note: I'm a XMPP dev and I'm wondering how it's done in other apps as a point of comparison.


Signal basically trusts on first connection where you trust the Signal company to do something with an SMS to link your identity with your phone number. After that you have a fingerprint (they call it a "safety number") if you want to check to see if you are still talking to the same entity. It will warn you if the number changes.

So how different that is from Conversations depends on how much you trust the Signal company and the phone company. In either case you really have to check the fingerprint, just like with everything. The issue is inherent to secure communications and can not be avoided with any sort of improved user interface.


I see, so you can verify but it's not by default. What happens if you add a new device (e.g. a tablet so a new fingerprint, which is different from changing main device where the original fingerprint changes)? Is the new fingerprint accepted without user validation?

My point is that e2ee makes sense when you don't trust the server (here Signal company, or FB for whatsapp), so if most people don't check the fingerprints (and I assume it's the case), what's the real value of it?


This is a core difference between Signal and eg WhatsApp. The Signal UX clearly shows who’s verified, and the UX clearly earns you when the safety number changes. Additionally, the secondary device model (eg Signal Desktop) goes to great lengths not to break that. With WhatsApp, you’re trusting WhatsApp.


The author is presenting a binary view of email security.

It's true that email as a protocol has inherent insecurities ; and it's also true that dedicated, rich spies are probably able to exploit many of them even with encrypted message bodies.

But most of us are facing the problem of MASS SURVEILLANCE, which statistically is more serious.

So:

1. Stop using spied-upon email servers:

1.1 Drop your Gmail, Yahoo mail, Microsoft etc. mail accounts, in favor of non-US and/or non-huge-corporation mail service providers.

1.2 Try to get your friends and family to drop theirs. Yes, I know this is extremely hard...

1.3 Try to get your workplace / NGOs you volunteer in to drop use of those servers (and also of Google Apps, Office 365, Skype etc. which have strong tie-ins with the email services).

2. Use mail clients which auto-encrypt messages to recipients with known keys - like EnigMail for Thunderbird.

The more of that is normalized, the harder


If you're going to do 1.2 and 1.3 and get everyone to make massive changes to how they operate, why not just use a secure messenger instead of trying to shoehorn privacy onto a protocol designed for when the Internet had like five computers on it and all the people knew each other?


A secure messenger that is standardized. While Signal has actively resisted that.


Because email and secure messaging are not the same thing, and the latter does not replace the former. Now, there could be a distributed infrastructure for "email" that's not SMTP-and-IMAP/POP3-based, theoretically, based on what is now used for secure instant messaging - but I can't just recommend this to individuals.

Also, my suggestions do not make email private, they reduce the exposure to large-scale surveillance and make it more difficult to target individuals. Also, they do not involve "shoehorning" as far as user experience is concerned.


> But most of us are facing the problem of MASS SURVEILLANCE

All that you're accomplishing by switching to decentralized servers is publishing the metadata that you claim to be concerned about for free. Before, someone had to serve Google a valid subpoena to find out who you've been talking to. After, you're just broadcasting it publicly across the net in network header logs.


You're misinforming people. Nobody has to hand Google anything. The NSA has direct access to their systems and can take in as much as they want.

This is not a conspiracy theory - it is public knowledge thanks to the Edward Snowden leaks.


Can you cite that this is true today?


Seriously? :-(


Yes, as far as I can tell you're claiming one of three things

1. Google actively assisted the NSA with data collection, beyond legal obligations (subpoenas etc.)

2. The NSA had a way of legally compelling companies to provide direct access to systems and can do arbitrary processing on company internal data

3. The NSA was snooping in Google's systems without Google's knowledge in 2013, and this hasn't been fixed 7 years later.

As far as I know, the Snowden leaks don't provide any real evidence for (1) or (2), and so are an extraordinary claim without evidence. (3) also seems rather unlikely. Hence the question.



I'm aware. My statement still stands.


But the outline of PRISM described there seems to confirm (1) and (2), no? They didn't need a subpoena for each user, had access to a search term firehose, and the legal method for (2) was the secret FISA court.

The access isn't as complete as full arbitrary data, but it's also a long way from only responding to known legal warrants and subpoenas.


I'm usually confused why nobody ever mentions S/MIME. Its super easy to use with Apple Mail.


I use ProtonMail as my primary email and when I exchange email with another ProtonMail user, I feel that it is secure.

Great can be the enemy of good. Another example is Signal which gets some criticism for being centralized. Signal is good. ProtonMail to ProtonMail mail exchange is good.


What about civil disobedience as a motiv?

Maybe I'm aware that some entity, probably tied to a powerful player like a nation state, can read my encrypted mails somehow.

But the more people are using encrypted mail the more difficult and expensive this will be for this entity.


I fail to see an argument here. So the author thinks that PGP is not good. Then the author argues against encrypted email?

I'm not sure whether to tag this under 'non sequitur' or ' throwing the baby out with the bathwater'.


This reminds me of how Pavel Durov every once in a while posts a story of some recent WhatsApp/Signal/whatever fuck up, which ends up with a Cato-style reminder of the fact we should switch to Telegram. Except, he is comparing apples to apples, does this in kinda tongue-in-cheek manner and is understandably endorsing his own product. None of which can be said about the OP. So, unless you can name a better PGP+email replacement, all of it has quite little value, and, no, Signal is not an email replacement, and, yes, we still need email, so, sorry, cannot switch.

P.S. Does Signal still require a phone number?


> P.S. Does Signal still require a phone number?

Yes, as the article mentions and (weakly, IMHO) justifies.


Setting aside the points in the article which are well taken and, for the most part, things I agree with ...

If you run your own mailserver and also if you send email to people on that same mailserver, your email never traverses a network.

This use-case is not mentioned in the article, but should be. It is uncommon, currently, but much less cumbersome and rife with pitfalls then trying (and failing) to implement some kind of GPG regime, etc.

We do this at rsync.net - everyone uses the same mailserver, which we connect to over either SSH or HTTPS, and when we send mail to each other it is simply a local copy operation.


Why do you think it's uncommon? The zillions of people who communicate gmail-to-gmail, in Gsuite, etc never have their mail traverse some external SMTP network.


I guess I am speaking specifically of privacy-minded solutions that don't involve a third party provider.

You are correct, of course, but when your email is handled by one of the FANGs there is a wholly new, and different, kind of exposure happening.


This article came in a right time for me.

My team is assigned to think how to send "secure emails" to customers. The thing is that those emails contain documents as attachments which can contain names and social security numbers. Use case is that customer buy these documents from our website and they can be delivered to email.

We already told that email is insecure by design to do things like that, but now I am thinking about other possibilities. Best I can come up with is encrypted attachment, but that's way too difficult for average customer to open it with public key.

How have you handled situations like this?


Deliver the documents via your HTTPS website, secured with a username, password, + 2FA if possible.

Send email just to notify the user that a document is available, providing a link to your website.


I think he is missing the point on archives.

Disappering/Nonstored is only a good thing in some contexts. There are several type of communication that I want to be secure but also archived for later reference or documentation.


Let's ignore for the moment the paternalistic and I-know-it-all tone permeating the whole post...

> Most email encryption on the Internet is performative, done as a status signal or show of solidarity.

Where is the data supporting this statement?

Where can I read an quantitative analysis on how many emails on the Internet are encrypted, and - out of those - the motivation for having them encrypted, all by percentage? Really, I am willing to pay for it.

Or is the author basing it on personal anectodes, by looking at the few mails in his personal mailbox?

Because at that point also my experience in the corporate world is as good as theirs, and it actually proves the opposite on most points.

Over multiple years, I have seen PGP being used to secure all email exchanges about product security with customers, suppliers, partners, security researchers, and even competitors.

Not a single day passes without a PGP email being sent or received.

As far as I can tell, 100% of the emails contain information for objectively sensitive topics (like security flaws, trade secrets, material under NDA, etc).

Even though emails are exchanged with professionals that are skilled and trained in IT security more than your average Joe, new contacts consistently have PGP keys already and they know how to correctly use PGP.

Any suggestion to use Signal or wormholes won't make you look very good(for good reasons), even though it is clear they are great security products.

Security is good enough: we know that because we do objective risk assessments, where sensationalist articles on the Internet don't play a big role.

I can't recall the last time people replied in the clear - though yes, it happened in the past some times. It also happened that people copy & paste & share paragraphs from sensitive emails though, which is as bad.

The main problem I see is not email encryption per se, but the first key exchange. PGP keyservers are bad and avoided.

The second problem is usability, and it is appalling that nobody is able to tackle this for PGP. It is not really rocket science and certainly people are willing to pay for it.

>> Email is end-to-end unencrypted [1] by default.

>> Serious secure messengers foreclose on this possibility. Secure messengers are encrypted by default

TCP is unencrypted by default too; actually and, you know what, it doesn't even support encryption! You use TLS on top of it (in a hop-by-hop way unfortunately).

Same thing for email. The fact that the underlying message is unsecured, does not mean you need to throw it away.

>> Metadata is as important as content, and email leaks it.

This depends on your threat model. In ours, metadata largely doesn't matter.

>> Secure messaging systems make arrangements for “disappearing messages”.

You do understand that this is a big no-no for corporate right?

You must be able to set retention and escrow policies.

You must use data formats that are very likely to be around or re-implementable in the years to come, not hipster apps that will disappear from circulation next year. We love public standards or industry standards.

Sometimes retention rate is "never delete": that's necessary and it is OK.


The real bottom line criticism of encrypted email is that people will screw up, and leak metadata or plaintext.

But arguably that also applies to any encrypted messaging system. Not just email. So I'm not sure exactly what the point is.

About metadata: You can just anonymize it away. Maybe most people can't do that. But then maybe most people will screw up in some other way.

Or rather, one could just build in anonymity.

Fundamentally, encryption isn't all that useful without ~anonymity. Because if adversaries can find you, they can do whatever it takes to get what they want. Or at least, to make your life Hell until you give it up.

And with adequate anonymity, those aren't issues.

> Messages can be material to a civil case and subject to discovery. They can be subpoenaed in a law enforcement action. They safeguard life-altering financial transactions. They protect confidential sources. They coordinate resistance to oppressive regimes.

Anonymity fixes most of those problems.

About Signal, until it gives up the phone number requirement, it's hopelessly not anonymous. And encryption without anonymity is pointless.

Edit: Maybe I'm still ranting, but less personally.


Damn, that good to see that $50 million Signal recently received is already being spent on marketing.


Some of the arguments make perfect sense, some do not:

> If messages can be sent in plaintext, they will be sent in plaintext.

This is not an inherent problem with e-mail and can be solved with client software. You can still have unencrypted communication while giving a big red warning if a user sends an unencrypted reply to an encrypted conversation and strip away quotes by default.

> Metadata is as important as content, and email leaks it.

This is true, but can I do think that this can theoretically be solved be a new generation of server architecture while keeping the federated nature.

> Every archived message will eventually leak.

The problems here are a matter of implementation and what software is used.

> Every long term secret will eventually leak.

This is the one inherent problem with PGP e-mail in the entire post as I see it. It is an issue.

All the issues the author bring up certainly hold true today but most of them are not inherent to e-mail and I think with enough coordinated effort they can be fixed while keeping decent compatibility.

I do think that apart from the metadata issue (not saying that this is to be disocunted!), we could keep using the exact same servers as today in a perfectly secure and private way if we have a new generation of e-mail clients and e-mail cryptography.

As for the metadata part: I've been toying with the idea of a messaging system using e-mail for transport but having an encrypted protocol on top of that which solves these issues.

It would also require some way of distributing encrypted messages around (maybe in a gossip-like protocol akin to SSB) and broadcasting gateway servers that relay these messages on behalf of large amount of users.

Finally, there's something to be said with that PGP was ever only meant to solve the secrecy, non-reputability and integrity of messages, which is only part of a security and privacy story. It doesn't mean that PGP is broken, only that it is incomplete depending on your threat model.


>> Metadata is as important as content, and email leaks it.

> This is true

No, it can be true. There are classes of communication where the metadata is really not important. Like when my boss sends me an encrypted email with some secure passwords we don't store in plaintext anywhere.

The metadata that shows it's from my boss and might have some identifying is much less important than the fact I don't keep it in plaintext anywhere and it wasn't sent in plaintext, yet I can get to it if needed.


I might have been unclear, I mean what OP is positing under that headline in the article is true. So, the e-mail leaking it part.

If you read my whole comment I finish with that it depends on your threat model, which is basically what you're saying.


Sure, I just think it's worth noting again and calling out explicitly, given that there's a lot of assertions that are being made, but some are only accurate in some use cases. It's either a lack of understanding on the author's side, or a rhetoric tactic that I have little respect for. In either case I think it deserves attention.

To some degree, it's not even the threat model which is different, but people's entire use, which of course might change the threat model. The article is treating email as if it's the same as messaging, which it emphatically is not. Email is also the de-facto method of exchanging file for certain types of people (even if it's always been somewhat poor at it), or providing explicit information that should stay around to individuals that isn't desired to be on a website.

Email has always been somewhat poor at the use case of instant messaging, but that's okay, it does other things much better than instant messaging (try finding an instant message from ten years ago and migrating it from the service it was on to a new one). Saying that it's not as good as the security models of instant messaging when being used like an instant messager is not a good reason to stop using it entirely. There are other reasons given that are more compelling, but this one seemed to so fundamentally misunderstand what some people use email for that I though it was important to note.


> So, for example, it recently turned out to be possible for eavesdroppers to decrypt messages without a key, simply by tampering with encrypted messages

Does anyone know the background behind this?


I believe they are referring to https://efail.de/


Ah, so they’re not referring to pgp per se, but the fact that email clients will just execute any decrypted content embedded in the email.


"Per se" is doing a lot of work there.

When 'tptacek first heard of efail, we were both in the office, he called me over and said "if there was a disastrous GPG bug that fails in way $X, what would it look like" and my first answer was "of course it's that MDCs don't actually work and the packet stream is malleable and something is going to consume unauthenticated plaintext". That's not because I'm some sort of genius: it's because to anyone who has studied the protocol and has a cryptographic background, those flaws are glaring.

That matters because I think it's reasonable to blame a protocol when it is indisputably flawed (there is no debate about MDCs not being a MAC, there is no debate that authenticated encryption is important) and it turns out those flaws all but imply vulns.


It's just the old HTML email tracking image bug used to get out entire messages. Nothing really new or interesting past that. This is routinely exploited and is why those that are interested in privacy should avoid HTML mail.


I have matrix - synapse with riot running at home for a year now, based on yunohost.org in a virtual machine. Private chat and (video)calling for my family andere friends.


I have matrix - synapse with riot running at home for a year now, based on yunohost in a virtual machine. Private chat and (video)calling for my family andere friends.


I have matrix - synapse with riot running at home for a year now, based on yunohost in a virtual machine. Private chat and (video)calling for my family andere friends


Not LARP. I think the canonical term is cargo cult.

Although pretty offensive, at least the term clearly signals that the intent is valid, as much as the methods aren't.


The point of the comparison is that people are carelessly doing things that would ordinarily be hazardous, but aren't, because the stakes aren't real for them. They're then actively recommending those same reckless things to people for whom the stakes are very real.

How you know the stakes aren't the same is that technologists by all outward appearances care more about ergonomics than security (and, indeed, their own idiosyncratic ergonomics, like "federation" and "works with email clients nobody else uses"). If the stakes for nerds were real, nobody would be fucking around with broken crypto. But they're LARPing.


He really doesn't like LARPers.


I have no problem with LARPers at all.


That's too bad.


I generally can agree with this. Encryption is a distraction from the real issue: the weakest chain in the link.

We've recently seen recordings of meeting with Trump and associates. No one is safe.

You must assume your every tap on a smartphone, you every keystroke and interaction with a computer is being logged in some way. You interact with computers by proxy - people entering information on your behalf, perhaps other devices are listening to you, or logging your movements/interactions within the world, perhaps taking videos and pictures of yourself. Profiling who you are, who you talk to, what your financial situation is like, who you care most about, who you align with, your network; colleagues, close and distant friends, those you once interacted with but not so much. A brain capable of recording every minute detail that you may want to forget. Details can be recalled within seconds and just a few keystrokes, a second by second recording in ultra high quality and the density of information being stored is unmatched to any other time in history.

If somebody wants to get your information, they will get it, one way or another. This much has been proven true again and again.

So sure, use your fancy tools and gadgets, but be clear, one day, it's highly likely what you wanted to keep private may become public.

When, not if.


Well, certain countries block traffic to Signal and other encrypted apps.

As far as I know, in pretty much any country where you can send e-mail, you can also send an PGP encrypted e-mail.

So, Signal is not a universal solution.


If I ran a state-level intelligence service I too would try to get everyone in my country to use PGP encrypted email instead of Signal.


Sure, but "stop using encrypted email" implies everyone would have to use plaintext instead of Signal.


Or not send dangerous messages electronically at all.

Fortunately, there's no place in the world where encrypted email is your only option.


I can agree with all the PGP bashing in the world, but it seems to me that PGP provides one thing that apparently nobody else cares about, and I don't understand why: the thing is identity verification. When I encrypt or sign I don't just do it for the sake of itself: I want to be sure to whom I am encrypting and from whom I am verifying a signature. If I am not sure of what is the link between the used key and an actual person, organization or service, crypto is not very useful for me. PGP has a way to do that. We can speak for hours of its pitfalls, but it's there, and with same care it can be used.

Do the alternatives have anything similar? I don't think so. Signal and WhatsApp basically rely on a GSM identity (a telephone number), which is verified by checking a six-digits code by SMS. There are hundreds of ways to screw this up. Any random street pickpocket would be able to get your phone, read the code and put it back in your pocket without you even noticing, not mentioning attack on the actual GSM protocol of which I do not know much (but have heard of its insecurity more than once). It's true that there is Perfect Forward Secrecy and your peers will get a little notice saying that your security code has changed (and will most probably ignore it), but if it is so easy to take over one's identity, I don't think I can put much trust if the system as a whole. (also, OP complains that GPG is a complex and obscure implementation; what are they going to say about GSM stacks?)

Ironically, the thing that would make this system secure would be that people actually checked security codes, which would basically amount to what PGP users do when they exchange fingerprints (and I am sure OP would consider that the LARPmost possible thing in the universe). Not even with the advantage of having a proper Web of Trust, though.

Even TLS, although it is not mentioned by OP, has quite a few problems. Most TLS certificates are Domain Validating, and the validation procedure essentially consists in recovering a secret file by mean of an HTTP request to that domain (surely that's true for Let's Encrypt, but I believe that most commercial DV operators work in the same way, except that you have to pay for it). So as soon as you're able to MITM the domain validation (and there are a lot of actors who are able to) you can grab the certificate, which would in theory protect from those who are able to MITM your server. This mechanism still protects your from MITMs positioned close to the client, that's true and it's better than nothing. But you still have all the holes you want. And bad examples of TLS CAs are nothing near missing.

So, bottom line: I am very happy if you give me modern and advanced tools for encrypting stuff, but please do not ignore the problem of giving names to keys, a problem that as far as I know only PGP is currently able to tackle.


> So, bottom line: I am very happy if you give me modern and advanced tools for encrypting stuff, but please do not ignore the problem of giving names to keys, a problem that as far as I know only PGP is currently able to tackle.

I think that SQRL (grc.com) gives us hope here. Focusing on making is easy for people in general to keep a secret signing device would be a big leap forward, since you can base other identity service on that. Add Matrix to that and you get identity as well.


The reasons of presumed eventuallity is a horrible reason not to do something.


Nice try NSA


ad


>Ordinary people don’t exchange email messages that any powerful adversary would bother to read, and for those people, encrypted email is LARP security.

We are literally living in an age where the NSA is spoofing cell towers to intercept and save unencrypted (and probably encrypted) traffic to a database that will probably be around as long as the NSA exists. This is naive and everyone should be taking precautions against the kind of power that a true authoritarian government would literally kill for.

I'm also personally insulted to be accused of LARPing for taking steps to preserve my privacy. Even if something like protonmail isn't perfect, assuming it isn't compromised it's orders of magnitude better than outlook, Google, et al who are literally scanning your messages.

Edit: let me clarify my point, because people seem to be misinterpreting what I'm saying. The fact that encrypted email is partially broken does not mean that it doesn't currently reduce the leak surface. If I send 5 emails from a service like protonmail to @outlook.com and 5 emails to @gmail.com, that's two fractured datasets vs sending 10 from a Gmail account where they're all scanned into one database. Locks are trivially picked but that doesn't mean I'm LARPing to everytime I leave my house and lock my doors.


If your adversary is NSA, and your defense is Protonmail, you are literally LARPing. You don't believe Protonmail protects you from NSA; the reason you're using it is because you know what you're sending and receiving isn't interesting enough to target. If you had real secrets, you would not send them through a Protonmail-encrypted email; you would make other arrangements.


You're ok with Google and Microsoft building a profile of intimate details on everyone who uses their services?

This isn't about having an adversary now, this is about minimizing future risk. A database of personal data is one index or scan away from being used to Target someone. Imagine what the Soviet government could do with information about your purchasing habits, organization membership, political leanings, religious participation. It's happening right now in China.

The fact that you don't have anything nefarious to hide doesn't mean you shouldn't be worried about the existence of such databases. I'm not hiding drug and weapons deals from the NSA, I'm trying to minimize how much information about myself leaks to people who have no business collecting it. All people should be similarly cautious. Unfortunately this isn't the kind of thing that matters to most until it's too late.

How many laws or executive orders or judge rulings do you think it would take before even the U.S. government could trivially abuse such information to target someone? What if you're a whistleblower like Assange? What if you piss off the wrong police officer? You haven't heard of corrupt cops harassing citizens and who stuck their neck out a little too far?

Bad actors exist all over society. It is only rational to minimize the amount of ammunition they may have against you, even if you aren't planning anything nefarious. The problem with this kind of digital surveillance, regardless of whether it is by government or corporation, is that the stored data is permanent and easily harnessed. Let's not even get into the power that such bits and pieces confer to actors with access to even simple ML technology.

I don't understand the reaction that people seem to have toward the desire for maximizing privacy.


I honestly don't care what superficial steps you take towards minimizing dragnet surveillance. Go right ahead. My problem is with communicating to ordinary people that encrypted email is reasonably safe to use to protect secrets. It is not.


It's substantially better than nothing, is it not? Do you disagree that it requires more effort on the part of a malicious actor when emails are sent from on ostensibly encrypted email service?

Do your house doors not have locks because locks are easy to pick?

Further, wouldn't encrypted email, even in current implementation, be much more effective in keeping secrets if everyone used it? You can do much less with metadata than with email contents, and the fact that leaks of plaintext archives may happen eventually doesn't mean that all archives will be leaked.

The article has a valid point but shaming people by accusing them of larping is IMO irresponsible.


Encrypted email is not substantially better than nothing in the cases where security actually matters. If the metadata of your message can get you arrested, or if an accidental plaintext reply to a message can get your bank account zeroed out, then using a system that carries those risks is worse than nothing. When we talk about secure messaging, those are the use cases we must consider.


It’s worse than nothing. People who know their message isn’t secure can adjust what they say accordingly.


"encryption on the Internet is performative"

Security on computers is performative. Intel, Cisco, Broadcom, Apple, Google, deep state, and God only knows who else can crack these pieces of garbage like an egg.

Whoever wrote this is also a LARPer.


tptacek is right as usual, but everyone should still check out the excellent mailpile: https://www.mailpile.is/

It integrates GPG really nicely.


Author advocates "wormhole" as the alternative to pgp for sending files. It is written in Python. "Python" and "security" (or "good software engineering") do not belong in the same sentence.


So the general advice seems to be, stop using federated protocol and start using... signal?

I find it hard to believe that an app that runs in electron and falls for basic web security 101 XSS exploits[1] is a more secure solution than using an encryption layer on top of a federated protocol.

[1] https://news.ycombinator.com/item?id=17050754


What on earth does a "federated protocol" have to do whether an app runs in Electron?


If I encrypt a message and put the secret on an sd-card I hand to my friend at the park, I can mail him encrypted messages over plaintext e-mail and we are safe.

Most people don't use it this way, but to say it's impossible to secure e-mail is arrogant and not true


One of the concerns with email that article raised was: the recipient can click on "reply" -- without encrypting the reply message -- which would send the response together with the original message "quoted" - all of that unencrypted. This is apparently common operational mistake.

Note that this has nothing to do with key exchange, ie putting it on sd card or whatever, would not change anything about the issue raised above.

There is also about a dozen other issues that the article lists, worth reading for sure.


Oh yeah that's a huge flaw in implementation (that probably every main e-mail vendor is guilty of). If it's prevalent enough, then the article is warranted, but the title and the conclusion are still gross simplifications -- it's not like the piping is inherently flawed, it's just that we prefer clear viewing windows to interact with messages, and where these two trains cross is where privacy meets your eyeball and also meets oxygen. Really, all decryption should happen on-device; but we cannot afford to abandon indecipherable messages on a daily or hourly basis in favor of universal privacy. It's somewhat reminiscent of the LOSE_POINTS_TO_LAG flag in quake and setting it to false. Maybe a better title would be Encrypted Email quickly becomes Unencrypted


Is the article wrong in saying that the metadata isn't encrypted?


The metadata would indeed not be encrypted, how else would the message ever arrive? if the post-man could not make out the address or the sender or if the postage was valid -- it's the same issue.


This is a genuinely interesting problem which Signal put a bunch of work into solving!

Sealed Sender lets them arrange that your recipient knows you sent the message, but they (Signal and its servers) don't - https://signal.org/blog/sealed-sender/ is their blog post about this work.

Somebody connects to Signal, and hands over a message with a recipient. Signal has an ID for the recipient (you correctly observe there's no way around that) but has no idea who sent it, only that whoever it was can prove they're allowed to send this message. They also don't know in a useful sense who the recipient actually is - you can attach a real name, a photo and so on to a profile but only your trusted contacts can decrypt that profile anyway.

It also arranges that by default Sealed Sender only works for sending messages to contacts. If you're a spammer - sending unsolicited messages to people who don't know you - your only way to send messages involves disclosing who you are to Signal, who can choose to rate limit you or block you.

Like the rest of Signal's design the sender's identity is deniable - the recipient knows everything needed to produce a fake message from anyone they communicate with and so they can't use real messages as proof to anybody else.

Because I'm a nerd I actually have the status indicators described in that blog post switched on, so I know that a few weeks later, in the middle of chatting about RDR2 one of my friends suddenly began using Sealed Sender, and other participants in that group joined in over the next few days. To a normal user nothing changed, their privacy improved significantly without them noticing at all.

Anyway, solutions like PGP leak a lot more metadata than just the sender and recipient's identities to every node along the store-and-forward route.

And the very existence of the route also leaks data.


So do you have a point to make that is responsive to the actual article, then?


The title is off because e-mail is as secure as a letter with a stamp. As secure as you and your recipient are.


I hope you're not suggesting that postal mail is a model of security.


I understand that sending email in plaintext is a design issue for email. And that PGP is outdated.

However, I think it’s possible to have a system completely in the open and still be secure. Bitcoin comes to mind. I don’t think the problem is with email, but with the lax encryption models and the lack of support by email clients and servers alike. Wouldn’t you agree?


"Completely open" is not the only useful property to discuss about a system. Email itself is still fundamentally terrible for secure messaging.

Your argument seems to boil down to: "bitcoin is open", "bitcoin can $X", "email is like bitcoin", therefore "email can $X". There are a few flaws in that argument. Firstly, Bitcoin is pseudonymous, it makes no attempt to hide transaction details, which obviously message security would need. Secondly, even if the properties of bitcoin were relevant to messaging, at best you've made the argument that "a system with public transaction records can still do what you need for safe messaging", but not "email specifically can do what you need".

There are two ways I could see your argument working out and both are pathological examples. We can do secure comms over TCP, so just design a secure comms system and then all the way at the end choose a blockchain or email as your transport. That sounds true, but also doesn't seem like a useful thought tool that results in improving anyone's communication security tomorrow.


I'm not sure why you feel like calling my arguments pathological, or a false equivalence. I'll disregard this.

I did not introduce any equivalence about valuation in my argument. I used Bitcoin as an example of a well known open database, where everyone can see the data (arguably an analog to plaintext exchanges) and yet it's secure.

Additionally, your point about Bitcoin being pseudonymous also applies to email. You may create your own address, on any number of servers. At a high level, it feels like the pseudonimity is essentially the same.

Are you proposing people stop using email and switch to a more secure messaging system, like Signal? Or maybe to make an email app on top of tech similar to Signal (kind of like Protomail?), or to improve email by baking in modern security standards?


I did not call your arguments pathological, I called my own examples pathological to clarify that I am not trying to strawman you: I appreciate that my own examples are almost certainly not what people have in mind when they talk about email security.

The pseudonymity is precisely one of the reasons e-mail does not work well. One of the features of secure messaging as it is commonly understood is participant privacy: hiding who participates and ideally when. This is the metadata leakage problem described in the post.

You're restating your argument of "bitcoin is public and yet it is secure and so it is possible to have secure systems that are public". I understand that, but you don't appear to have engaged with my counterargument: "secure" is not a universal term, and things that are fine bitcoin transactions are not necessarily fine for secure messaging.

Protonmail does not seem like "tech similar to Signal" to me at all. I'm all for implementing stuff like MTA-STS, and I appreciate e-mail isn't going to die any time soon. I think that trying to add E2E-style encryption to e-mail is fundamentally doomed, signing for e-mail is mostly doomed, and yes, private conversations belong on something like Signal.


I appreciate the clarification, thanks.

It’s interesting that you feel email has a lot of traction and is broken, but you see that as an argument for moving away from it. I would think it’s an opportunity to fix that system, since users are unlikely to switch. I’ve thought quite a bit about what making email like Signal would look like, but I’m curious what’s your take on the overall problem.


I do not think it is meaningfully possible to fix that system (I say meaningfully, because I'm excepting the pathological senses I mentioned above). If you want it to look, feel like email and be compatible, you can't secure it.

MTA-STS works because it does not require end users to do anything. If you need end users to change their workflow, you could try to do that with e-mail (which fundamentally can't do all the things you need it, per the post and the PGP post), or you can just make them use a non-broken protocol.


I guess I don’t understand why you would think that the following wouldn’t work: - use random email addresses - encrypt the content with something more secure than PGP (on the client) - receive the email and decrypt it (on the client)

Sure, it’s plaintext, but I don’t see the downside?


How do I securely communicate what the new email address is? How do I hide IP-level metadata? How do I hide time-level metadata? How do I do PFS?

At some point you're going to keep adding lipstick to the pig until eventually you have something morally equivalent to the pathological example I gave.


That's interesting. Thanks for taking the time to expand on it.


The security flaws with email are completely fundamental. It is not possible to "fix" email without disrupting the existing users. If you're forced to disrupt existing users, then you might as well switch to a more securely designed protocol.


If I'm using GPG, I want to ensure:

1. The message I received is from person possessing private key (signing).

2. The message I received is not available to Google or any other 3-rd party.

GPG is good old dumb tool that deals with crypto. I can save e-mail into text file and use it with GPG. I can even copy that text file to an offline computer if I don't want to risk exposing key.

Signal is just yet another whatsapp competitor? I don't want to publish my phone number. I don't want to trust some random application from AppStore. I don't want my correspondence to go through some untrusted servers (and I trust Google servers much more than Signal servers). Especially servers controlled by the same person who wrote an application. I have no idea how to be sure that message I got corresponds to a public key that person gave me when we met last time. How do I extract message source from Signal? What's are console tools to deal with it? How do I deal with new key issuance if person reinstalled his application?

GPG have answers for those questions. Signal does not. Basically GPG is encryption for nerds, Signal is encryption for ordinary people. It's important, but not particularly interesting for me and it's not a replacement. Especially given the fact that Whatsapp and Telegram provide E2E and they are much more widely used.

Basically GPG is good enough and we don't need nothing more than that. And that GPG critique is just manipulation of facts. When my Debian distribution will use Signal to verify packages, I'll consider using it.




Join us for AI Startup School this June 16-17 in San Francisco!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: