
"So, PGP is broken. We recommend to just send unencrypted e-mails from now on. Thanks for your attention."

Great solution.

.@cwcopa oh boy, here we go again.

First of all, it's "use something else for sensitive stuff, like Signal".

Secondly, the crux of the issue is that *past encrypted communications are at risk*.

Third, PGP is not broken. Client implementations are broken.

Finally, do you really think that muddying the waters even further with a toot like this is helping anyone? Honest question. Please respond. Thanks.

/cc @jerry since you boosted

@rysiek I read @cwcopa's comment as a criticism of the EFF's comments

@jerry @cwcopa that part is clear.

My question is: how is the comment you boosted helping? It's making a straw man out of what EFF said. Twisting their comment into an absurd version that doesn't even resemble the original and then pointing a finger and laughing at it.

So, how *is* this helping? How is this moving the discussion forward in any way?

@jerry @cwcopa there is a legitimate argument to be made that PGP/GPG should eventually be retired -- too many moving parts, too much unencrypted metadata, too many implementation details that are underspecified.

I do not personally agree that this means we need to drop PGP/GPG immediately.

But that doesn't mean I don't recognize this argument as a valid point of view that needs consideration.

@rysiek @jerry @cwcopa

Fair point. The EFF recommended "pausing" OpenPGP emails in the short term, not stopping forever, as @cwcopa hyperbolically joked:

"EFF is advising PGP users to pause in their use of the tool and seek other modes of secure end-to-end communication for now." (eff.org/deeplinks/2018/05/not-)

But I think @cwcopa's main point was that that recommendation is a very blunt instrument. And I agree with that.

@rysiek @jerry @cwcopa In the short term, many organizations are simply stuck with email for some communications -- due to law, policy, the cost of changing protocols, or some other reason. If they're going to keep emailing, they should continue using OpenPGP encryption.

@Aaron @jerry @cwcopa thing is, the issue is not just about future e-mail that is going to be written and sent. It's about all past encrypted e-mails. And that's why it's so problematic, and that's why I can see how EFF's recommendation made a lot of sense.

It was about protecting past communication.

Plus, everyone should really have 2 secure channels. Just in case. Use Signal.

@rysiek Let's not use Signal though. They require a phone number, actively discourage alternative clients and it is plainly centralised.

@xrevan86 please give me a better solution for journalists from across the world, without a way of physically meeting, and with a need for good crypto, a mobile and desktop client, and a way to share files securely.

A lot are still using Telegram or Viber. We tried pushing Tox but it was nigh-unusable to regular people. Briar is interesting, but still barely out the gate. Wire is tempting, but we barely moved people to Signal from Telegram, Viber, WhatsApp.

@rysiek Wire is more acceptable as it doesn't require a phone number, yes.
I personally think !xmpp does meet those requirements.

@xrevan86 I used to run 2 XMPP servers. Tried setting up audio communication, and MUC, and sending files, and it was always a major pain in the arse, and barely worked, if it worked at all.

XMPP is not a solution in any way, shape, or form, until they fix the "random XEPs implemented by random clients/servers" bullshit.

As to Wire, if I had to make this decision today, Wire would probably be it. But I am not going to move hundreds of people to Wire right now; Signal is good enough.

@rysiek @xrevan86 Setting up the XEPs is an annoyance and I think Conversations is the only viable XMPP client. But so long as everything is set up on the server side it just works.

Anything non-federated isn't going to scale. That includes Signal, and Signal has a lot of other problems besides. I can't run Signal without trusting Moxie's server.

@bob @xrevan86 well it works on *your* server. What about other servers?

We need a clear standard, implemented by and testable against the majority of servers and clients.

Otherwise it's a clusterfsck.

@rysiek The XEPs that are expected from a modern XMPP client are pretty clear, so if you see a client that doesn't work it out then either it has slow development, dead or doesn't care.
It's like with email: there are lots of dead clients, and people don't expect them to comply with modern standards; they either move on or grow a beard %).
Otherwise I can only think of one solution to the "problem", the one Signal chose – forbid alternatives.

@xrevan86 well then, we're back on Signal. :)

@rysiek So you think vendor lock-in is not a bad thing?

@xrevan86 on the contrary, do a little google search for my name and let's talk after you do. Such keywords as "technomonopolies" might be useful, too.

But I have to secure communications of non-techies, today, and in a way that works. XMPP is nowhere near being able to do this.

I am looking at Briar though, with a lot of hope.

@rysiek That's what I expect of one from fediverse by default :-).
Yet my pseudo-argument that Signal will do for you because it hates diversity worked oddly well.

@rysiek @xrevan86
I think you misunderstood Xrevan's point:

Can we have an open standard with multiple client implementations without it becoming unusable for a group of non-tech journalists supported by a single infosec expert?

@Wolf480pl @xrevan86 yes.

Surprisingly, e-mail is exactly that.

Signal could be that, if it opened the server and enabled federation.

Wire could be that if more people pick it up, but I have to choose my battles and that's not the hill I am willing to die on.

Briar hopefully, one day, in an ideal world.