top | item 46489478

(no title)

pheggs | 1 month ago

I tried to find something in the article that bothered me, but I don’t find it very convincing. Points like "someone can forward your email unencrypted after they decrypt it" are just... well, yeah - that can happen no matter what method you choose. It feels like GPG gets hate for reasons other than what’s actually mentioned, and I'm completely oblivious to what those reasons might be.

discuss

tptacek|1 month ago

It's not that someone can forward your mail unencrypted. It's that in the normal operation of the system, someone taking the natural next step in a conversation (replying) can --- and, in the experience of everyone I've talked to who has used PGP in anger for any extended period of time, inevitably does --- destroy the security of the entire conversation by accidentally replying in plaintext.

That can't happen in any modern encrypted messenger. It does happen routinely with encrypted email.

mjevans|1 month ago

Yes, it's a problem with _email_.

pgp as a tool could integrate with that, but in practice fails for... many reasons, the above included. All the other key exchange / etc issues as well.

pheggs|1 month ago

well that's fair, but sounds more like a email client issue than an actual issue with gpg/pgp. My client shows pretty clearly when it gets encrypted. But maybe I am oblivious.

bgwalter|1 month ago

Yes, it is odd that this criticism is only allowed for gpg while worse Signal issues are not publicized here:

https://cloud.google.com/blog/topics/threat-intelligence/rus...

Some Ukrainians may regret that the followed the Signal marketing. I have never heard of a real world exploit that has actually been used like that against gpg.

tptacek|1 month ago

Why would anyone care if you brought phishing attacks on Signal users up?