> Now, there exists a minority of extremely technical computer user for which Signal is a nonstarter (because you need a smartphone and valid phone number to enroll in the first place).
> there presently isn’t really a good recommendation for private messaging that meets their constraints.
If nothing is recommended, fine, but it's simplistic to not recommend or even consider the 3-4 apps that don't have those limitations. If you didn't have time to investigate or couldn't find anything else, say so.
Every time someone brings up PGP issues, it's always something to do with the usability rather than blaming the protocol itself. If people are too reckless, no matter what protocol you use, it will always be insecure in that sense
Security experts don’t consider this a valid excuse anymore. The first task was making encryption primitives that are secure when used perfectly— it took a while, but we’ve pretty much done that: nobody expects a serious break in e.g. AES any time soon. But the next task after that is making crypto systems that are free of footguns and as hard as possible to misuse, especially when wrapped in layers of libraries, which in practice they always are.
This is what’s phasing out RSA, for example— it is possible to use RSA in a completely secure way, but it’s very easy to get it wrong and it can fail catastrophically when you do. PGP has the same problem: yes, it can be used securely, but that’s not sufficient in 2024.
> Note: I’m deliberately being blunt in this post because literally more than a decade of softspokenness from cryptography experts has done nothing to talk users off the PGP cliff. Being direct seems more effective than being tactful.
I hate PGP, too. However, I’ve spent money on five YubiKeys and several months of tinkering to make them somewhat work on Linux and WSL. I use them to sign my commits and Debian packages I build.
If your goal is to convince me to throw *all of this* away and sink another shitload of money into an alternative and re-do months of tinkering to make it actually work, then being deliberately blunt and condescending is not going to help your case.
> Now, there exists a minority of extremely technical computer user for which Signal is a nonstarter (because you need a smartphone and valid phone number to enroll in the first place). > there presently isn’t really a good recommendation for private messaging that meets their constraints.
You don't need a phone number or a phone for https://haven.xx.network and there are others.
If nothing is recommended, fine, but it's simplistic to not recommend or even consider the 3-4 apps that don't have those limitations. If you didn't have time to investigate or couldn't find anything else, say so.
> If nothing is recommended, fine
You could've ended your sentence there.
Just because other apps don't have those limitations doesn't mean they also offer comparable cryptographic security.
Haven appears to be a blockchain project, built with Next.js, and doesn't appear to implement any cryptography.
If it isn't end-to-end encrypted, it's not in the same league.
Every time someone brings up PGP issues, it's always something to do with the usability rather than blaming the protocol itself. If people are too reckless, no matter what protocol you use, it will always be insecure in that sense
Security experts don’t consider this a valid excuse anymore. The first task was making encryption primitives that are secure when used perfectly— it took a while, but we’ve pretty much done that: nobody expects a serious break in e.g. AES any time soon. But the next task after that is making crypto systems that are free of footguns and as hard as possible to misuse, especially when wrapped in layers of libraries, which in practice they always are.
This is what’s phasing out RSA, for example— it is possible to use RSA in a completely secure way, but it’s very easy to get it wrong and it can fail catastrophically when you do. PGP has the same problem: yes, it can be used securely, but that’s not sufficient in 2024.
For emails, there's autocrypt which works great. You don't have to deal with managing keys anymore
> Note: I’m deliberately being blunt in this post because literally more than a decade of softspokenness from cryptography experts has done nothing to talk users off the PGP cliff. Being direct seems more effective than being tactful.
I hate PGP, too. However, I’ve spent money on five YubiKeys and several months of tinkering to make them somewhat work on Linux and WSL. I use them to sign my commits and Debian packages I build.
If your goal is to convince me to throw *all of this* away and sink another shitload of money into an alternative and re-do months of tinkering to make it actually work, then being deliberately blunt and condescending is not going to help your case.
Isn't this sunk cost fallacy?
[dead]
I don't understand the issue with encrypted emails. Is Proton Mail not secure?
"Is _____ not secure?"
What. is. your. threat. model?
Assuming full security, on Signal someone can also copy and paste my message, just as on Proton Mail they can forward it. I don't see any difference.
From the article:
> Finally, miss me with the “but someone can screenshot Signal” genre of objections.
> As Latacora noted, people accidentally fuck up PGP all the time! It’s very easy to do.
> Conversely, you have to deliberately leak something from Signal.
Ok. I read it without paying attention. Sorry. I got lost in the translation.
[dead]