šŸ’¾ Archived View for idiomdrottning.org ā€ŗ pgp captured on 2024-05-12 at 15:43:10. Gemini links have been rewritten to link to archived content

View Raw

More Information

ā¬…ļø Previous capture (2023-12-28)

-=-=-=-=-=-=-

(If youā€™re looking for my own PGP key, itā€™s here.)

Why itā€™s OK that PGP sucks

Donā€™t get me wrong; if youā€™re in a position to make email encryption work even better, please keep up the good work.

Itā€™s just that if youā€™ve heard the cool kids say ā€œI have such-and-such super supreme secure cipher app, thatā€™s what people should use for communication, and email shall be insecureā€, Iā€™m like... what I hear is someone saying ā€œIā€™ve got locks on my house so I donā€™t need to wear pants in publicā€. Of course we want secure email.

A couple of really good things have happened since the era of PGP. Remember, PGP preceded SSL and TLS (and with them HTTPS). It was released in 1991 when an email was less secure than a postcard. Everyone could read everything, and spoof as anyone.

These days, we have DKIM to fight against tampering and spoofing (this also helps against "efail" type attacks, and against mitm), and we have TSL encryption between client and server and between server and server.

PGPā€™s only remaining purpose, then, aside from being a redundancy in case the other encryption gets wrecked, is to protect you from your own email providers. And thatā€™s not nothing. This might sound tinfoil, but itā€™s a fact that Gmail has used bots that read your email and used that to target ads, which they say they stopped doing in 2017. And on the smaller more indie operators, itā€™s even more likely that an op will get a chance to sneak a liā€™l peak.

Again, knowing that email security sucks (for example, there's no forward security, and there's too much on-by-default backward compatibility with old crusty cyphers and keysizes), itā€™s still a good idea. There is important stuff going over email still. Signup info being the most common one. Password restores.

One of the reasons why itā€™s so bad, by the way, is that people love to hoard old mail so they can search it, reference it, think about it, wax nostalgic. Systems that are set up to not do that, to have everything be fleeting, messages autodeleting, ephemeral, can be a liā€™l better. (For people who have better memory than miss Forgetful over here, of course.) But thatā€™s not what email is. Email is like paper mail. It should be something that arrives to you safely and unpeeped at, but then if someone breaks into your house youā€™re understandably toast. You donā€™t send nuclear secrets over paper mail. But you donā€™t advertise your own grocery list, either.

The decreasing social costs of PGP

It used to be suuuper awkward to ask someone to use a PGP implementation (like GnuPG) and try to walk them through it. As in, ā€œnot worth itā€ levels of awkward.

Thatā€™s hopefully gonna get better; if they use WKD or Autocrypt you donā€™t even have to bring it up. If they use K-9 you can tell them to set Autocrypt to mutual, K-9ā€˜s Autocrypt implementation is easy to use once itā€™s on.

GPG WKD

And, if they donā€™t wanna and you donā€™t wanna ask them, you donā€™t need to lose sleep since thereā€™s still gonna be TLS and DKIM on there. You can dig their server to see if theyā€™ve got TLS on.

The right to repair our beloved protocol

Mail is fantastic for what it really is: a world writable folder, and one that almost everyone has. Itā€™s a miracle that itā€™s gotten as good as it has, and that changes are getting widely adopted in spite of the federated nature.

Mail works so much better than irc, Matrix, Fedi, XMPP, and my number one foe, Signal.

Itā€™s wasteful to throw everything out and try to start over when the new thing is gonna amass at least as much cruft over time if it even gets off the ground.

Itā€™s good stewardship to care for a protocol the way mail has been cared for and repaired and improved over the years. Like an old watch lovingly repaired. Itā€™s not disposable, itā€™s built to last. The install base email has is a thing of wonder.

Iā€™ve had it to here

beinā€™ where specs are a small word.

Part-time thing, paper ring.

I know itā€™s been done

havinā€™ one protocol thatā€™ll last me.

Right or wrong, weak or strong.

AGE?

I donā€™t think AGE is it.