OP has an extravagant threat model. Yeah if I were trying to hide communications from some dictator where even the metadata of recipient and timestamp is damning then of course email is out.
PGP is a good way to communicate under the right circumstances. Say I'm writing to someone I trust and have verified their key fingerprint via a secure channel (in person, over the phone, etc). If I were sending them login credentials for a shared site, or bank info for setting up a payment, or even just wanted to block general corporate snooping then what's wrong with PGP? It's "pretty good privacy."
It's nice that I can apply the cryptography on a local machine and then send the result over email. I don't need to sign up for the paranoid chat app du jour.
What you describe sounds more like using PGP independently of email. I mean you could just as well put your secret data into a password-protected zip file and send that using a variety of methods.
But I do think op has a point that there are two groups of people using encrypted emails:
1. Nerds using it for fun where accidental de-encryption doesn't matter too much.
2. Non-technical people where decryption might be a life or death situation and so they imitate what the nerds do, because they don't know that the nerds willingly tolerate the decryption risk.
Op is now arguing that group 1 should stop so that group 2 doesn't get misled.
That’s true, but they’re not widely supported, so you can’t count on them to communicate. It’s also really hard to know for laypeople if the result is safe or not, so it’s dangerous to train them to accept encrypted ZIPs. Plus, as long as you don’t care about compatibility, you’re probably better off with encrypted disk images (DMGs or LUKS), because they don’t have completely dominant unsafe implementations.
The filesystem drivers in most Linux distros (and I'd argue Mac and Windows too) have never been under scrutiny for security bugs. I wouldn't trust an ext4 image I got from the internet unless it was signed and from a trusted source; that's worse than ZIP files.
Specifically ZipCrypto is bad, which is the only supported crypto if you're password-protecting in Windows Explorer and the like. If you use 7zip or similar software you can use AES instead, which is fine.
There are multiple ways to password protect zip files. A user usually won't be able to tell whether the way used by their software is secure or not. The old way is insecure.
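Since a user "usually won't be able to tell" which scheme their archiver used, here is an added check (not code from either commenter, and not from any archiver project) that reads the ZIP headers and reports, per entry, whether it is unencrypted, legacy ZipCrypto, or WinZip AES (compression method 99 carrying the 0x9901 extra field). The three sample archives are minimal ZIPs hand-built for the example; the payload bytes of the encrypted entries are placeholders, not real ciphertext.

```python
import io
import struct
import zipfile
import zlib

# Values from the ZIP APPNOTE and the WinZip AES (AE-x) specification.
FLAG_ENCRYPTED = 0x0001           # general-purpose bit 0: entry is encrypted
FLAG_STRONG_ENCRYPTION = 0x0040   # bit 6: PKWARE "strong encryption", rarely seen
AES_METHOD = 99                   # compression method 99 = WinZip AES
AES_EXTRA_ID = 0x9901             # extra-field record holding the AES parameters
AES_STRENGTH_BITS = {1: 128, 2: 192, 3: 256}


def _aes_strength(extra: bytes):
    """Walk the extra-field records; return the AES key size from the 0x9901 record, or None."""
    while len(extra) >= 4:
        header_id, length = struct.unpack("<HH", extra[:4])
        body = extra[4:4 + length]
        if header_id == AES_EXTRA_ID and len(body) >= 5:
            # body = vendor version (2) + "AE" (2) + strength (1) + real method (2)
            return AES_STRENGTH_BITS.get(body[4])
        extra = extra[4 + length:]
    return None


def classify_entry(info: zipfile.ZipInfo) -> str:
    """Label one entry: 'none', 'zipcrypto', 'aes-<bits>', 'aes-unknown' or 'pkware-strong'."""
    if not info.flag_bits & FLAG_ENCRYPTED:
        return "none"
    if info.compress_type == AES_METHOD:
        bits = _aes_strength(info.extra)
        return f"aes-{bits}" if bits else "aes-unknown"
    if info.flag_bits & FLAG_STRONG_ENCRYPTION:
        return "pkware-strong"
    # Encrypted but neither AES nor PKWARE strong encryption: the legacy
    # ZipCrypto stream cipher, which is what a plain "password protect" often means.
    return "zipcrypto"


def scan_zip(data: bytes) -> dict:
    """Map every entry name in an archive (given as bytes) to its encryption label."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: classify_entry(info) for info in zf.infolist()}


def uses_zipcrypto(report: dict) -> bool:
    """True if any entry relies on legacy ZipCrypto."""
    return any(label == "zipcrypto" for label in report.values())


# --- Constructed sample archives: minimal hand-built ZIPs (stored entries only;
# encrypted payloads are zero-filled placeholders, not real ciphertext) -------

def aes_extra_field(strength: int, real_method: int = 8, vendor_version: int = 2) -> bytes:
    return struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, vendor_version, b"AE", strength, real_method)


def build_zip(entries) -> bytes:
    """entries: (name, payload, flag_bits, method, extra). Emits local headers, central directory, EOCD."""
    out, central = bytearray(), bytearray()
    for name, payload, flags, method, extra in entries:
        name_b = name.encode("ascii")
        crc = 0 if method == AES_METHOD else zlib.crc32(payload)  # AE-2 stores a zero CRC
        offset = len(out)
        out += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, 0, 0x21,
                           crc, len(payload), len(payload), len(name_b), len(extra))
        out += name_b + extra + payload
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method, 0, 0x21,
                               crc, len(payload), len(payload), len(name_b), len(extra),
                               0, 0, 0, 0, offset)
        central += name_b + extra
    cd_offset = len(out)
    out += central + struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                                 len(central), cd_offset, 0)
    return bytes(out)


SAMPLE_PLAIN = build_zip([("notes.txt", b"hello", 0, 0, b"")])
SAMPLE_ZIPCRYPTO = build_zip([("creds.txt", b"\x00" * 17, FLAG_ENCRYPTED, 0, b"")])
SAMPLE_AES256 = build_zip([("creds.txt", b"\x00" * 32, FLAG_ENCRYPTED, AES_METHOD, aes_extra_field(3))])

if __name__ == "__main__":
    for label, blob in [("plain", SAMPLE_PLAIN), ("zipcrypto", SAMPLE_ZIPCRYPTO), ("aes", SAMPLE_AES256)]:
        print(label, scan_zip(blob))
```

Point `scan_zip` at the bytes of a real archive (`open(path, "rb").read()`) to run it on files received in practice; `uses_zipcrypto` is the one-line policy gate a mail filter or intake script would apply.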
The problem isn't just the metadata leak, far from it. Some problems mentioned:
1. PGP is old and broken and messages can potentially be decrypted without access to private key
2. Because email's default is plain-text, in real world conversations you end up with people replying in plain text with your whole message being quoted
3. Archived messages will leak. An e2e channel needs to have a way to inform receivers that messages should be deleted after some time
4. Private keys eventually leak, therefore it is important that when it happens, the system makes it hard to decrypt old messages (by combining it with ephemeral keys).
So if you have login credentials to send to someone (if you value that info, and I assume you do, otherwise you wouldn't use PGP), then this is precisely the use case that encrypted email is terrible for.
PGP usage is also very user unfriendly, so you’re not losing anything really.
> 1. PGP is old and broken and messages can potentially be decrypted without access to private key
GPG works.
> 2. Because email's default is plain-text, in real world conversations you end up with people replying in plain text with your whole message being quoted
Don't quote
> 3. Archived messages will leak. An e2e channel needs to have a way to inform receivers that messages should be deleted after some time
Don't archive
> 4. Private keys eventually leak, therefore it is important that when it happens, the system makes it hard to decrypt old messages (by combining it with ephemeral keys).
Delete them before they do.
The "new wave" of encryption like the one from the guy calling himself Moxie Marlinspike is the prime definition of an unproven technology.
The screaming headline is because he wants to make noise, and get cred for his crowd.
His argument: GnuPG — a proven, and well reviewed technology is broken because some minor bugs were found, despite the fundamental crypto behind it still being more sound than anything else.
He then goes on to say that a fundamentally less sound, complex, unproven system is a better alternative. And that even when the novel crypto messengers themselves are dogged with daily minor security bugs being found.
If I met the man in person, I would've said some warm words to him.
> His argument: GnuPG — a proven, and well reviewed technology is broken because some minor bugs were found, despite the fundamental crypto behind it still being more sound than anything else.
I don't think we've read the same article. Nowhere in the article does he mention a "minor bug" that can be avoided by using the latest version of GPG. He explains at length why encrypted email, and also GPG in particular, is broken by design. Those are really two different things.
I'd also hesitate to call something that hasn't reached the masses a "proven system." It's only a tiny fraction of *nix users that actually use the software.
We read the same article, and you did not understand it beyond the screaming claims, and shallow statements.
No, him saying it's "broken by design" is really not substantiated. SigSpoof is certainly not a design specific bug, but an implementation flaw.
On the other hand, the "new agey" crypto messengers mess up the protocol and the app's internal mechanisms hard, and that's a compsci101 mistake no matter how much they gaslight about it.
It's them benefiting from their stuff not being subject to serious security review because of lack of adoption, not the other way around.
But that's true no matter what methods you use. When you send a message, you don't enjoy any security at all from the recipient. If they decide to leak your messages, your messages will leak. If the way they decide to do it is by being incompetent, your messages will still leak.
Among many less notable findings that aren't considered security issues, you can see that "screenshot detection avoidance" is a non-qualifying "bug". It's not really a bug. It doesn't qualify for a reward because your messages cannot be secured against people who are supposed to read them. Security against the recipient is (or was; I don't know the current marketing) a major marketing point for Snapchat, but it's never been something they actually offer.
How is "your messages are only as secure as the least careful person you correspond with" more of an argument against PGP than it is against Signal?
The parent is focusing on carefulness, and not malicious intent. If being careful requires you to be knowledgeable in computer security or cryptography, we're never going to have a secure communication system because people aren't going to spend years learning those things to simply talk to people. Secure defaults matter, and not being able to configure and use GPG correctly is hardly "incompetence."
Exactly this. tptacek's article talks about issues like someone replying (with the messages quoted) in cleartext by mistake, or leaking their keys. In a messenger like Signal, there's no easy way to accidentally reply in cleartext, and key management is handled for you, so it's not possible to accidentally send the private key instead of the public key. It's not enough for _you_ to never do those things; you have to trust your correspondent to be capable of doing those things without error (which is different from trusting them not to intentionally disclose).
Exactly, and therefore I think the whole 'stop using encrypted email' is a rant that could apply to anything. It basically comes down to: if you don't want people to know something, do not write it down.... not in email, not in PGP-encrypted email, not in WhatsApp, not even in Native American smoke signals....
ha ha ha, seriously? Even if I don't quote, go and explain to 99% of my recipients that they should not quote when replying ...
> Don't archive
Maybe I missed the irony in your message; otherwise it is useless, or we don't live in the same world. But in mine, everybody archives emails in separate folders. Period. Fear of discarding information, especially in business, is a great threat.
Practically speaking, using PGP (or any other design of the same type) doesn't work to preserve privacy due to the architecture of email.
Pervasive use of TLS for clients (IMAPS, web clients) and SMTP (STARTTLS) has had a far greater practical impact on securing email. Let's Encrypt has helped in enabling that.
I haven't seen a report on whether GMail warning when domains were not using TLS has had an impact, but it did for me, because I told my accountant he had to get it done or I would change accountants. GSuite actually lets you prevent sending cleartext, i.e. making MitM downgrade attacks fail secure rather than fail open. https://support.google.com/a/answer/2520500?hl=en
> and messages can potentially be decrypted without access to private key
This is about e-fail, right? As far as I know this has been mitigated, and it worked in the first place only because of HTML messages. In addition to that it was not really the fault of gpg but rather the fault of badly implemented programs (because they did not check the mdc tag).
> Archived messages will leak
This is a bold assumption
> An e2e channel needs to have a way to inform receivers that messages should be deleted after some time
Surely the sender could mention this in the message.
> 4. Private keys eventually leak, therefore it is important that when it happens, the system makes it hard to decrypt old messages (by combining it with ephemeral keys).
This is a big usability trade-off. I avoid using wire because it takes ages (as in hours) to decrypt messages if I have not used it for a while.
If a bug happens in more than a handful of implementations, there’s a good chance the protocol is to blame. Perfect examples of where this emphatically is the case are MDC (PGP and Telegram are the only two common protocols in use I can think of where you don’t get a real MAC) and JWT’s alg debacle. Both were obviously ridiculous, and both led to serious vulnerabilities in almost every implementation under the sun.
Mind you: with efail, some tools were using GPG directly. GPG produced unauthenticated ciphertext. GPG is also the dominant implementation. If GPG itself does this obviously broken thing, how do you expect third party implementations to get it right?
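The "alg debacle" named above, as an added illustration that is not code from any commenter or from any JWT library: a verifier that lets the token's own header pick the algorithm accepts a token marked `alg: none`, while a verifier that pins the algorithm it expects rejects it, and rejects a token signed under a different key. The key and the tokens are constructed for the example. The failure shape is the one the comment draws for MDC: a receiver that honours whatever the message says about its own integrity protection effectively has none.

```python
import base64
import hashlib
import hmac
import json

KEY = b"constructed-demo-hmac-key"   # constructed for the example, not a real secret


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj) -> str:
    """Compact, canonical JSON as a base64url segment."""
    return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a token: header.payload.HMAC-SHA256(header.payload)."""
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_segment(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def make_unsigned_token(claims: dict) -> str:
    """Test input: a token whose header says 'none' and whose signature segment is empty."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(claims)}."


def _split(token: str):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_unb64url(parts[0]))
    return parts[0], parts[1], parts[2], header


def verify_header_driven(token: str, key: bytes) -> dict:
    """Vulnerable: the token's own header decides how the token is checked."""
    h, p, s, header = _split(token)
    alg = header.get("alg")
    if alg == "none":
        return json.loads(_unb64url(p))          # unsigned token accepted as valid
    if alg == "HS256":
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, _unb64url(s)):
            return json.loads(_unb64url(p))
    raise ValueError("signature check failed")


def verify_pinned(token: str, key: bytes, expected_alg: str = "HS256") -> dict:
    """Hardened: the verifier fixes the algorithm; any other header value is rejected outright."""
    h, p, s, header = _split(token)
    if header.get("alg") != expected_alg:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s)):
        raise ValueError("signature check failed")
    return json.loads(_unb64url(p))


if __name__ == "__main__":
    good = sign_hs256({"sub": "alice"}, KEY)
    unsigned = make_unsigned_token({"sub": "mallory"})
    print("pinned, signed token:", verify_pinned(good, KEY))
    print("header-driven, unsigned token:", verify_header_driven(unsigned, KEY))  # accepted: the bug
    try:
        verify_pinned(unsigned, KEY)
    except ValueError as exc:
        print("pinned verifier rejected unsigned token:", exc)
```

The difference between the two verifiers is a single line: `verify_pinned` compares the header's `alg` against a value chosen by the server before touching the signature, so the algorithm is configuration, not attacker-controlled input.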
> PGP is old and broken and messages can potentially be decrypted without access to private key
This would be a lot more effective / helpful / convincing with a reference.
> Because email's default is plain-text, in real world conversations you end up with people replying in plain text with your whole message being quoted
This is more about the UI of mixing "normal" email with encrypted email. If you can insist that everyone install Signal, you can insist that everyone install Enigmail or some other piece of software which refuses to reply to encrypted mail without also encrypting.
> Archived messages will leak.
The specific argument from OP was "Searchable archives are too useful to sacrifice".
I have a hard time expressing how obviously self-contradictory this line of argument is. Insofar as people are unwilling to give up archives, they will be unwilling to give up email. Insofar as people are willing to have email deletion policies, this isn't an argument to get rid of email.
He's advanced the premise that people will never give up archivable messaging. So who exactly is he expecting to influence with this diatribe? Anyone who is unwilling to give up archivable messages is going to be unwilling to give up email, period. At which point it's just pointless ranting.
If you believe that people want encrypted, archivable messaging, then you need to give them the best solution possible, not just tell them not to want it.
> Private keys eventually leak, therefore it is important that when it happens, the system makes it hard to decrypt old messages (by combining it with ephemeral keys).
So one of the arguments against using PGP is that it gives people a false sense of security; and that having "experts" using it will encourage people to send messages which "should not be sent at all."
In the case of ephemeral keys, you're still trusting the other party to delete both the keys and the messages after the stipulated time. But what reason do you have to believe that the other party is actually doing that? It would be dead easy for someone to write a client which didn't delete the message or the ephemeral keys -- either on purpose (because having an archive is convenient) or by accident.
Wouldn't it be better to just tell people, "You can never guarantee that anything you send won't one day be decrypted, no matter what method you use. Take that risk factor into account when sending any message"?
You can make people install Enigmail, but there are problems with email that Enigmail does not solve (this article), and problems with PGP that it does not solve (our other PGP article), that have directly resulted in serious vulnerabilities for Enigmail.
If the login credentials are used within 24 hours by the intended recipient to log in and then change the password then perhaps it doesn't matter if the message is decrypted by an attacker six months later. So I can think of worse use cases.
Well, PGP still has a very useful role in bootstrapping private communication in an OpSec sense.
A practical scenario to safely pivot would be to create a plain text file with this content:
"please do not reply to this email - if you reply or don't stick to the following steps I must assume you're compromised and have to ignore all other attempts at contact for both of our safety. Please send instead a message on <ricochet/signal/wire/session> with this exact content <proof/hash> so I know it's you, my userid is <userid>. I expect a reply by <time in the very near future>"
Then encrypt that (using cli not the mail user agent) and send without subject.
If they deviate from the agreement, or if there is a long delay in comms, immediately cease all contact. That should give you reasonable confidence about the authenticity of the message after the pivot. Certainly beats using WhatsApp or Gmail to pivot to secure comms.
But as you said, I wouldn't use it for anything else, not because I don't trust myself, but because the moment you share a secret it is no longer a secret and you have to take its half-life into account.
( In fact PGP is useful for more than signing/encrypting mail, see https://begriffs.com/posts/2016-11-05-advanced-intro-gnupg.h... )