rysiek ✅ is a user on mastodon.social. You can follow them or interact with them if you have an account anywhere in the fediverse. If you don't, you can sign up here.

"So, PGP is broken. We recommend to just send unencryptede-mails from now on. Thanks for your attention."

Great solution.

.@cwcopa oh boy, here we go again.

First of all, it's "use something else for sensitive stuff, like Signal".

Secondly, the crux of the issue is that *past encrypted communications are at risk*.

Third, PGP is not broken. Client implementations are broken.

Finally, do you really think that muddying the waters even further with a toot like this is helping anyone? Honest question. Please respond. Thanks.

/cc @jerry since you boosted

@rysiek i @cwcopa’s comment as a criticism of the EFF’s comments

@jerry @cwcopa that part is clear.

My question is: how is the comment you boosted helping? It's making a straw man out of what EFF said. Twisting their comment into an absurd version that doesn't even resemble the original and then pointing a finger and laughing at it.

So, how *is* this helping? How is this moving the discussion forward in any way?

@jerry @cwcopa there is a legitimate argument to be made that PGP/GPG should eventually be retired -- too many moving parts, too much unencrypted metadata, too many implementation details that are underspecified.

I do not personally agree that this means we need to drop PGP/GPG immediately.

But that doesn't mean I don't recognize this argument as a valid point of view that needs consideration.

@rysiek @jerry @cwcopa

Fair point. The EFF recommended "pausing" OpenPGP emails in the short term, not stopping forever, as @cwcopa hyperbolically joked:

"EFF is advising PGP users to pause in their use of the tool and seek other modes of secure end-to-end communication for now." (eff.org/deeplinks/2018/05/not-)

But I think @cwcopa's main point was that that recommendation is a very blunt instrument. And I agree with that.

@rysiek @jerry @cwcopa In the short term, many organizations are simply stuck with email for some communications -- due to law, policy, the cost of changing protocols, or some other reason. If they're going to keep emailing, they should continue using OpenPGP encryption.

@Aaron @jerry @cwcopa thing is, the issue is not just about future e-mail that is going to be written and sent. It's about all past encrypted e-mails. And that's why it's so problematic, and that's why I can see how EFF's recommendation made a lot of sense.

It was about protecting past communication.

Plus, everyone should really have 2 secure channels. Just in case. Use Signal.

@rysiek Let's not use Signal though. They require a phone number, actively discourage alternative clients and it is plainly centralised.
rysiek ✅ @rysiek

@xrevan86 please give me a better solution for journalists from across the world, without a way of physically meeting, and with a need for good crypto, a mobile and desktop client, and a way to share files securely.

A lot are still using Telegram or Viber. We tried pushing Tox but it was nigh-unusable to regular people. Briar is interesting, but still barely out the gate. Wire is tempting, but we barely moved people to Signal from Telegram, Viber, WhatsApp.

· Web · 0 · 0

@xrevan86 we had to make a decision 3 years ago and Wire was not ready yet. Signal was the only viable option. And it took 3 years to move most of people in our network to Signal. Not doing this again, Signal provides great security, and while I personally hate the fact that it's centralized (or even server based at all), I have to live with that.

@rysiek Wire is more acceptable as it doesn't require a phone number, yes.
I personally think !xmpp does meet those requirements.

@xrevan86 I used to run 2 XMPP servers. Tried setting up audio communication, and MUC, and send files, and it was always a major pain in the arse, and barely worked if worked at all.

XMPP is not a solution in any way, shape, or form, until they fix the "random XEPs implemented by random clients/servers" bullshit.

As to Wire, if I had to make this decision today, Wire would probably be it. But I am not going to move hundreds of people to Wire right now; Signal is good enough.

@xrevan86 XMPPs security (i.e. OTR) is an add-on, just like PGP/GPG for e-mail. There is friction, there is additional attack surface, and it fails every now and then. End to end encryption cannot be an afterthought.

@rysiek @xrevan86
What about OMEMO?
Even though it is unfortunately does not fix XEP problem

@Skoll3 @xrevan86 let me know when most main XMPP clients (Pidgin, Gajim, Adium, Coccinella, Miranda IM, Psi, anything else?) and main servers (if implementation is needed there; prosody, ejabberd, others?) implement it.

@rysiek Nice to see dead-ish clients in the list. I guess there mere existence turns the answer to a literal never :-/.

@Skoll3 @xrevan86 and what does it tell you about a piece of software or a secure communication tool if even the privacy-minded techies are not inclined to use it?..

@rysiek If the alternatives to it that privacy-minded techies do use are Signal and Telegram (yes, there are those too), then I don't know. It only inclines me to be even more stubborn.
@rysiek Especially because some other people try to get me from XMPP to these "better" networks (privacy-aware techie people). "Just register with your phone number on a central server, install an Electron client and you're all set."
It simply doesn't cut it for me, so !xmpp stays as the only good solution.

@xrevan86 I am not trying to convince you to drop XMPP.

I am explaining why XMPP is not a solution in my case.

There is an important difference between the two.

@rysiek @xrevan86 the difference is very important, yet it's hard to tell whether someone is trying to convince your or not even in real life.

@rysiek @xrevan86 Setting up the XEPs is an annoyance and I think Conversations is the only viable XMPP client. But so long as everything is set up on the server side it just works.

Anything non-federated isn't going to scale. That includes Signal, and Signal has a lot of other problems besides. I can't run Signal without trusting Moxie's server.

@bob @xrevan86 well it works on *your* server. What about other servers?

We need a clear standard, implemented by and testable against the majority of servers and clients.

Otherwise it's a clusterfsck.

@rysiek @xrevan86 This is what #freedombone is about, but also ejabberd and prosody need to ship with a default set of xeps which pass all the Conversations tests. If that happened life would be easier.

@bob @xrevan86 if that happened, XMPP would perhaps become a contender again.

Right now it simply is not.

And I say this as a person who was promoting XMPP back when it was called Jabber.

@bob ejabberd pretty much does. And Prosody… not so much.
Is Prosody the evil in this equation :-)?
@rysiek The XEPs that are expected from a modern XMPP client are pretty clear, so if you see a client that doesn't work it out then either it has slow development, dead or doesn't care.
It's like with email: there are lots of dead clients, and people don't expect them to comply with modern standards, they either move on or grow a beard %).
Otherwise I can only think of one solution to the "problem", the one Signal chose – forbid alternatives.

@xrevan86 well then, we're back on Signal. :)

@rysiek So you think vendor lock-in is not a bad thing?

@xrevan86 on the contrary, do a little google search for my name and let's talk after you do. Such keywords as "technomonopolies" might be useful, too.

But I have to secure communications of non-techies, today, and in a way that works. XMPP is nowhere near being able to do this.

I am looking at Briar though, with a lot of hope.

@rysiek That's what I expect of one from fediverse by default :-).
Yet my pseudo-arguement that Signal will do for you because it hates diversity worked oddly well.

@rysiek @xrevan86
I think you misunderstood Xrevan's point:

Can we have an open standard with multiple client implementations without it becoming unusable for a group of non-tech journalists supported by a single infosec expert?

@Wolf480pl @xrevan86 yes.

Surprisingly, e-mail is exactly that.

Signal could be that, if it opened the server and enabled federation.

Wire could be that if more people pick it up, but I have to choose my battles and that's not the hill I am willing to die on.

Briar hopefully, one day, in an ideal world.

@xrevan86 @rysiek servers support of that are more of as problem
plus
>conversations does not have OTR
>pidgin and xabber does not have OMEMO (yet)
@skoll3 Pidgin has support for OMEMO the same way as OTR: via a third-party plugin called lurch. Pidgin is barely an XMPP client so don't expect more.
And Xabber apparently doesn't implement OMEMO in fears of FSB %).
@bob Conversations is the flagship !xmpp client, no doubt.
But I wouldn't call the only viable one, Gajim and Psi on desktop are doing a good job.
There's also ChatSecure on iOS but I don't know how good it is, it is actively developed though.