undefined | Better HN

0 pointsdanShumway4y ago0 comments

> So there is real-world demand for a properly secured e-mail system.

There is real-world demand for a properly secured messaging system (either real-time or asynchronous) that is as ubiquitous, as accessible, and as technologically neutral/decentralized as email.

I think you hit the nail on the head that if we could go back in time and email was encrypted from the start, it would be great, and there is a demand for that. But people keep trying to do that time travel by adding encryption after the fact, and like you I just don't think PGP works for that, I think it's throwing duck tape on top of a technology that is just not designed to handle it.

I'm not saying we should drop all email and move to something like Matrix, I still use email today for a lot of stuff. And I'm definitely not saying everyone should use Signal as a full email replacement (the phone number requirement and centralization problems make it unsuitable). But in the long, long term it would very likely be easier to drop email and move everyone everywhere to Matrix (or something else, it doesn't have to be an instant messenger), than it would be to try and retroactively make email encryption work well.

0 comments

andi9994y ago

What seems to be the problem with pgp (apart from nobody using it)

md_4y ago

I think that’s the biggest problem, but there are others.

Off the top of my head:

- PGP key discovery is hard to do securely. Do you just trust what’s on the public keyserver? Do you use RFC 7929? S/MIME is relatively better in this respect, but obviously still quite behind the state of the art for e.g. Web PKI.

- PGP has so many different potential client configurations that it’s hard to reason about what security you are getting. Someone can (and for S/MIME, this is quite common!) have a PGP or S/MIME gateway that encrypts/decrypts mail to/from MUAs—meaning messages sit unencrypted in mailboxes and end user devices.

- PGP doesn’t encrypt metadata.

- PGP doesn’t give forward secrecy.

I’m sure there are other things I’m not thinking about, but for at least these reasons, PGP is in some ways less secure than SMTP TLS, hard to use correctly, and in general a lot of effort to leave you worse off than if you just chatted over WhatsApp/Signal/Wire/Threema/etc instead.

Transport layer security (and enforcing that) is definitely good for email, and we’ve moved the state of the art beyond where it was in the ‘70s, but I think the quest for true e2ee in SMTP-based email is probably not worth the effort.

Email should be thought of as having certain tradeoffs (like messages living unencrypted on servers, and relying fully on server to server trust), and for things that need e2ee, you should use something like Signal instead.

upofadown4y ago

>- PGP doesn’t give forward secrecy.

Generally, the value of forward secrecy in end to end encrypted messaging is proportional to the chance that the secret key material will be compromised. With an asynchronous, offline capable medium like encrypted email the secret key material can be protected very very well. A message archive accessible to the user for all practical purposes negates the value of forward secrecy. Most people like to keep their old emails around. Most people like to keep any form of messages around so that forward secrecy has little practical value in most forms of E2EE messaging.

There is no technical reason that you can't do forward secrecy for PGP. There is simply no real need for it. Encrypted email is more for the people that don't want their encrypted material compromised in the first place...

More discussion: https://articles.59.ca/doku.php?id=pgpfan:forward_secrecy

2 more replies

tzs4y ago

> PGP key discovery is hard to do securely. Do you just trust what’s on the public keyserver? Do you use RFC 7929?

In the case up above in this thread branch of the poster's bank not emailing statements because it is not secure, key discovery would be easy. The bank would have a form available only when logged in to their online banking site to enable statements by email with a way to upload your public key.

My guess is that for most people who could benefit from emailing encrypted documents it is similar. They have a good secure channel to give the other party their public key.

I'd rather that something better than PGP be used though.

1 more reply

encryptluks24y ago

> PGP key discovery is hard to do securely. Do you just trust what’s on the public keyserver? Do you use RFC 7929? S/MIME is relatively better in this respect, but obviously still quite behind the state of the art for e.g. Web PKI.

That is what WKD is for and is already implemented by multiple providers.

> PGP has so many different potential client configurations that it’s hard to reason about what security you are getting. Someone can (and for S/MIME, this is quite common!) have a PGP or S/MIME gateway that encrypts/decrypts mail to/from MUAs—meaning messages sit unencrypted in mailboxes and end user devices.

Sounds like poor security if their client isn't doing the encryption, not an issue with encryption itself. Regardless, the point of encrypting email isn't to worry about what happens on the receivers end. If the receiver messes up then that is on them.

> PGP doesn’t encrypt metadata.

What metadata are you concerned about here? Subject lines? GPG is quite versatile so I'm not sure what metadata you are worried about.

> PGP doesn’t give forward secrecy.

Change your subkey then. Forward secrecy is more for real-time communication though, but if you want to generate a subkey to exchange a message then I'm sure it can be automated.

> I’m sure there are other things I’m not thinking about, but for at least these reasons, PGP is in some ways less secure than SMTP TLS, hard to use correctly, and in general a lot of effort to leave you worse off than if you just chatted over WhatsApp/Signal/Wire/Threema/etc instead.

I hear that a lot but I think the real issue is that users don't want to change anything and just want someone to do it for them.

1 more reply

danShumwayOP4y ago

Not going to rehash what other people are writing about PGP, that could be a much longer conversation. But it's not just PGP that's the problem, PGP just happens to be what people are using to encrypt email.

If it was just PGP that was the problem, we'd use something else to encrypt our emails and it would be fine. But the problem is that any system that works like PGP where we're primarily encrypting message contents, where we're not thinking about stuff like forward secrecy -- that's not good for email. Email itself isn't good for that because email doesn't really lend itself to E2EE, regardless of what you use to do the encrypting and key validation.

So you could have a version of PGP that was amazing and brilliant, and it still wouldn't really be a good fit for encrypting email, because email is not a good fit for encrypting email. The entire structure of how email works makes it difficult to do encryption in a user-friendly, accessible way.

I am also pretty skeptical of PGP (see some of the other comments), but that's not specifically why I mentioned it in my original comment. I only brought it up because most email encryption schemes I see are using PGP, and I don't think that PGP miraculously solves the problem. It's not good enough to paper over the fundamental flaws in email itself.

michaelt4y ago

https://latacora.micro.blog/2019/07/16/the-pgp-problem.html

upofadown4y ago

I have a canned response to this hoary old chestnut:

* https://articles.59.ca/doku.php?id=pgpfan:tpp

2 more replies

j / k navigate · click thread line to collapse

0 comments

andi9994y ago

What seems to be the problem with pgp (apart from nobody using it)

md_4y ago

I think that’s the biggest problem, but there are others.

Off the top of my head:

- PGP doesn’t encrypt metadata.

- PGP doesn’t give forward secrecy.

upofadown4y ago

>- PGP doesn’t give forward secrecy.

More discussion: https://articles.59.ca/doku.php?id=pgpfan:forward_secrecy

2 more replies

tzs4y ago

> PGP key discovery is hard to do securely. Do you just trust what’s on the public keyserver? Do you use RFC 7929?

My guess is that for most people who could benefit from emailing encrypted documents it is similar. They have a good secure channel to give the other party their public key.

I'd rather that something better than PGP be used though.

1 more reply

encryptluks24y ago

That is what WKD is for and is already implemented by multiple providers.

> PGP doesn’t encrypt metadata.

What metadata are you concerned about here? Subject lines? GPG is quite versatile so I'm not sure what metadata you are worried about.

> PGP doesn’t give forward secrecy.

Change your subkey then. Forward secrecy is more for real-time communication though, but if you want to generate a subkey to exchange a message then I'm sure it can be automated.

I hear that a lot but I think the real issue is that users don't want to change anything and just want someone to do it for them.

1 more reply

danShumwayOP4y ago

michaelt4y ago

https://latacora.micro.blog/2019/07/16/the-pgp-problem.html

upofadown4y ago

I have a canned response to this hoary old chestnut:

* https://articles.59.ca/doku.php?id=pgpfan:tpp

2 more replies

j / k navigate · click thread line to collapse