A postmortem on Efail
andrewg at andrewg.com
Sun May 20 11:22:29 CEST 2018
> On 20 May 2018, at 07:26, Robert J. Hansen <rjh at sixdemonbag.org> wrote:
> Writing just for myself -- not for GnuPG and not for Enigmail and
> definitely not for my employer -- I put together a postmortem on Efail.
> You may find it worth reading. You may also not. Your mileage will
> probably vary. :)
I wouldn’t call myself a cryptography expert, although I do try my best to keep up. I speak as a tinkerer who wants to humanise cryptography, because it’s still too hard for ordinary people to understand, and you shouldn’t need to understand everything about a technology to be able to use it properly, because that defeats the purpose of technology.
I find a lot of things about the whole PGP ecosystem interminably frustrating. But the worst thing is the inertia. We know there are things that need done, but getting them done often seems politically impossible. Not to mention the small number of people who are actually getting paid a salary to fix these things. TLS at least gets attention because the Googles, Apples and Facebooks of the internet are beating people over the head saying “we need to push forward”. TLS breaks backwards compatibility regularly. That’s the price of improved security.
I said earlier that deprecation has to happen, but I’ll reiterate here. If doing the things that we know need to be done requires breaking backwards compatibility, then so be it.
More information about the Gnupg-users