š¾ Archived View for idiomdrottning.org āŗ pgp captured on 2024-05-12 at 15:43:10. Gemini links have been rewritten to link to archived content
ā¬ ļø Previous capture (2023-12-28)
-=-=-=-=-=-=-
(If youāre looking for my own PGP key, itās here.)
Donāt get me wrong; if youāre in a position to make email encryption work even better, please keep up the good work.
Itās just that if youāve heard the cool kids say āI have such-and-such super supreme secure cipher app, thatās what people should use for communication, and email shall be insecureā, Iām like... what I hear is someone saying āIāve got locks on my house so I donāt need to wear pants in publicā. Of course we want secure email.
A couple of really good things have happened since the era of PGP. Remember, PGP preceded SSL and TLS (and with them HTTPS). It was released in 1991 when an email was less secure than a postcard. Everyone could read everything, and spoof as anyone.
These days, we have DKIM to fight against tampering and spoofing (this also helps against "efail" type attacks, and against mitm), and we have TSL encryption between client and server and between server and server.
PGPās only remaining purpose, then, aside from being a redundancy in case the other encryption gets wrecked, is to protect you from your own email providers. And thatās not nothing. This might sound tinfoil, but itās a fact that Gmail has used bots that read your email and used that to target ads, which they say they stopped doing in 2017. And on the smaller more indie operators, itās even more likely that an op will get a chance to sneak a liāl peak.
Again, knowing that email security sucks (for example, there's no forward security, and there's too much on-by-default backward compatibility with old crusty cyphers and keysizes), itās still a good idea. There is important stuff going over email still. Signup info being the most common one. Password restores.
One of the reasons why itās so bad, by the way, is that people love to hoard old mail so they can search it, reference it, think about it, wax nostalgic. Systems that are set up to not do that, to have everything be fleeting, messages autodeleting, ephemeral, can be a liāl better. (For people who have better memory than miss Forgetful over here, of course.) But thatās not what email is. Email is like paper mail. It should be something that arrives to you safely and unpeeped at, but then if someone breaks into your house youāre understandably toast. You donāt send nuclear secrets over paper mail. But you donāt advertise your own grocery list, either.
It used to be suuuper awkward to ask someone to use a PGP implementation (like GnuPG) and try to walk them through it. As in, ānot worth itā levels of awkward.
Thatās hopefully gonna get better; if they use WKD or Autocrypt you donāt even have to bring it up. If they use K-9 you can tell them to set Autocrypt to mutual, K-9ās Autocrypt implementation is easy to use once itās on.
And, if they donāt wanna and you donāt wanna ask them, you donāt need to lose sleep since thereās still gonna be TLS and DKIM on there. You can dig their server to see if theyāve got TLS on.
Mail is fantastic for what it really is: a world writable folder, and one that almost everyone has. Itās a miracle that itās gotten as good as it has, and that changes are getting widely adopted in spite of the federated nature.
Mail works so much better than irc, Matrix, Fedi, XMPP, and my number one foe, Signal.
Itās wasteful to throw everything out and try to start over when the new thing is gonna amass at least as much cruft over time if it even gets off the ground.
Itās good stewardship to care for a protocol the way mail has been cared for and repaired and improved over the years. Like an old watch lovingly repaired. Itās not disposable, itās built to last. The install base email has is a thing of wonder.
Iāve had it to here
beinā where specs are a small word.
Part-time thing, paper ring.
I know itās been done
havinā one protocol thatāll last me.
Right or wrong, weak or strong.