Essay on PGP as it is used today

Ryan McGinnis ryan at digicana.com
Wed Jul 17 21:24:15 CEST 2019



> -   And finally: “don’t encrypt email”? Yes, well. Email is not going away. Just like passwords, its death has been long anticipated, yet never arrives. So what do we do in the meantime?

I think what the author is saying is stop trying to ever think of email as a secure form of communications, no matter what you layer on top of it, full stop.  Which, given how email encryption options have performed over the past couple decades, makes sense to me.


You might say that PGP over email is better than nothing over email, but is it?  If you expect a non-secure channel and don't disclose secure information, that's one thing -- but if you expect a secure channel and send private information and through user error or clunky software implementation you end up sending cleartext, you're worse off than if you'd just assumed a non-secure channel.  Email has a habit of having this happen.  It's actually quite easy to mess up and send cleartext. 


IF there were no other options, then maybe it'd be worth rolling the dice.  But there are quite a few extremely capable free solutions out there that will establish a secure channel of communications with relative ease.  


Frankly, the only way you'll ever get secure comms over email is if the big boys (Microsoft, the Goog, and to a lesser extent Yahoo and grandpa^H^H^H^H^H^H^H AOL) decide to shake hands and come up with a standard and force it down all other providers' throats.  Either that or roll their own secure (though not E2E since it relies on TLS) modes like Outlook 365 and Google/GSuite do and give users an option to send messages that force TLS by making the recipient go to an https email viewing page if you access the message from any outside provider.


-Ryan McGinnis
https://bigstormpicture.com
PGP: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
Sent with ProtonMail

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Wednesday, July 17, 2019 1:52 AM, Andrew Gallagher <andrewg at andrewg.com> wrote:

> On 17 Jul 2019, at 05:05, Robert J. Hansen rjh at sixdemonbag.org wrote:
>
> > But all in all? It's a good criticism.
>
> Indeed. Backwards compatibility with the 1990s is an albatross. Anyone still using obsolete ciphers is screwed anyway, so why encourage it?
>
> Some nitpicking:
>
> -   Modern PGP does encrypt subjects (although not other metadata).
> -   Magic wormhole is an excellent toy, but it’s written in python, so literally the first person I tested it with got his dependency stack shredded. I think he’s forgiven me but he hasn’t used it since. The line about rewriting wormhole in a decent language may look throwaway but it’s not.
> -   Similarly, the alternative archiving software suggested is still a work in progress. It’s all very well criticising PGP for being a clumsy jack of all trades, but “modern crypto” has had twenty years to replace it and still hasn’t fully succeeded. This isn’t just on PGP.
> -   And finally: “don’t encrypt email”? Yes, well. Email is not going away. Just like passwords, its death has been long anticipated, yet never arrives. So what do we do in the meantime?
>
> But yes.
>
> A
>
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
