top | item 16061083


throwaway7767 | 8 years ago

> When I receive a GPG encrypted email from a stranger, though, I immediately get the feeling that I don’t want to read it. Sometimes I actually contemplate creating a filter for them so that they bypass my inbox entirely, but for now I sigh, unlock my key, start reading, and with a faint glimmer of hope am typically disappointed.

I wonder what proportion of his plaintext email from strangers is interesting. For me it's close to 0%, mostly spam or people demanding I do free work to fix issues in open source code. I really doubt this has much to do with GPG mails specifically.


lrvick | 8 years ago

To contrast this, in the last bug bounty page I set up I strongly suggested researchers gpg encrypt email to submit their findings. I really didn't want sensitive issues directly exposed to our entire support team.

As it turns out, the gpg encrypted emails, which were only a small fraction of the ones we received, made up the substantial majority of actionable issues we rewarded on.

If a security researcher is not capable of encrypting email to a public key, they probably are not bringing me anything worth my time to read.

jandrese | 8 years ago

I wonder if he has an especially onerous password? It doesn't seem like it should be that big of a burden to pop in the password for an email. I guess he has it set for ultra-paranoid mode where you have to enter the password every time you even think about touching the mail.

I do agree that GPG has been largely a failure. A tool too general and too vaguely defined for the average user. A powerful tool but only really usable by crypto nerds. What's worse, the key distribution problem was never really solved and that's the most critical component of the entire system. Even today there are scant few email clients that will query the keyservers for you.

lrvick | 8 years ago

Since my GPG subkeys are in my yubikey I literally just tap it to decrypt, ssh, or sign commits. I also plug my key into my phone and tap it to decrypt/sign email or decrypt passwords too.

I have successfully migrated dozens of friends and engineering teams at 3 companies to daily use of gpg via this same non-intrusive setup.

GPG is fairly pain free (and far more secure) if you put in the one time effort to set up a security token.
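One practical check behind the token setup described in the comment above: gpg's secret key listing marks a subkey whose private half lives on a smartcard or token with `ssb>` (only a stub is on disk), a subkey stored on disk with plain `ssb`, and an absent primary secret (kept offline) with `sec#`. The script below, an added example that is not from any commenter in this thread, classifies each key in such a listing and counts the subkeys still on disk, which is the case the "tap the token" workflow does not cover. The `gpg -K` style listing it parses is constructed for this example, not real key material.

```shell
#!/bin/sh
# Added example (not from the thread): classify secret keys in a
# `gpg -K` / `gpg --list-secret-keys` listing by where the secret lives.
#   "sec#"  primary key, secret material absent (kept offline)
#   "ssb>"  subkey, secret on a smartcard/token (stub on disk)
#   "ssb"   subkey, secret on disk
# The listing below is constructed sample output, not a real key.

SAMPLE_LISTING='sec#  rsa4096 2017-01-02 [C] [expires: 2027-01-02]
      0123456789ABCDEF0123456789ABCDEF01234567
uid           [ultimate] Example User <user@example.invalid>
ssb>  rsa4096 2017-01-02 [S]
ssb>  rsa4096 2017-01-02 [E]
ssb   rsa4096 2017-01-02 [A]'

# classify_keys LISTING
# Prints one line per key: "<sec|ssb> <usage> <on-card|on-disk|absent>".
classify_keys() {
    printf '%s\n' "$1" | awk '
        /^(sec|ssb)/ {
            tag  = substr($1, 1, 3)   # "sec" or "ssb"
            mark = substr($1, 4, 1)   # ">" (card), "#" (absent) or ""
            if (mark == ">")      loc = "on-card"
            else if (mark == "#") loc = "absent"
            else                  loc = "on-disk"
            print tag, $4, loc       # $4 is the usage flag, e.g. [S]
        }'
}

# count_on_disk_subkeys LISTING
# Number of subkeys whose secret is still on disk; non-zero means that
# usage (sign/encrypt/auth) is not protected by the token.
count_on_disk_subkeys() {
    classify_keys "$1" | awk '$1 == "ssb" && $3 == "on-disk" { n++ } END { print n + 0 }'
}

# Stand-alone usage: run against the constructed sample.
classify_keys "$SAMPLE_LISTING"
echo "subkeys on disk: $(count_on_disk_subkeys "$SAMPLE_LISTING")"
```

To run it against a real keyring, replace the constructed sample with `gpg -K`: `classify_keys "$(gpg -K)"`. In the sample, the authentication subkey `[A]` is reported as on-disk, so the count is 1.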

im3w1l | 8 years ago

The cryptographic ideas behind GPG are not flawed in principle, but the usability is absolutely atrocious and it's easy to get things wrong. I imagine that a good UX designer or two could do wonders for it.