Hacker News new | past | comments | ask | show | jobs | submit login

I'm always frustrated when this article appears. There are a lot of things wrong with PGP but the reason it sticks around isn't some weird tech-lovelorn for it, it's because it works.

Some minor retorts:

1. PGP isn't that difficult to setup, especially since the web of trust model is deprecated. Just download a manager, generate a key, and you're good to go. Tools like Mailvelope make it even easier.

2. PGP isn't just for sending messages via email. Any way you can send long text, you can send a pgp message. I can mail you a usb stick and that data is as decryptable as an email. The article mentions the other uses of PGP but is hung up on PGP being used for email.

3. If you are being pursued by a major threat actor, signal ain't gonna save you. It is as covetable traffic as a PGP message is. If it's a big enough deal, signal can and will crack to a warrant. It's happened to Tutanota, it's happened to Proton Mail, it'll happen to Signal too. It's not the silver bullet people seem to think it is. I prefer a decentralized solution to a centralized one, any day of the week.

That being said, I'm still excited to see tools like minisign get adopted into wider toolchains, like git.




Rather than being frustrated you should consider that you're holding on to something that is an inelegant relic of another age. There are things PGP/GPG do that need replacements, but those replacements need to be very different to PGP.

1. I've fethed around with PGP since Zimmerman published the source code, and I attest that setting it up properly is not simple. Not as difficult as creating an x509 certificate in OpenSSL with SANs, but really not straight forward. But the real difficulty is actually using it. 1.1 Trusting in-browser crypto like mailvelope is bizarre. mailpile was a better approach, but they seem to have lost momentum.

2.1 The only significant use for PGP is signing linux packages and git code signing. But this is terrible as a breach means you could generate whole trees of fake checkins, and it desperately needs something like Signal's ratchet mechanism, or (heaven forbid) a blockchain. 2.2 If you want to send something on a USB stick then encrypting it with a sensible and usable tool (with modern AEAD encryption) like https://github.com/FiloSottile/age will be far more reliable.

3 You have no basis for this speculation. Signal are clear that they don't hold your data, and I really can't see 'compelled speech' like writing a backdoor being possible. Signal is as capable of resisting analysis as anything else that's around, far better than PGP, to the point that your security is essentially as good as you and your correspondents device security.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: