
"So, PGP is broken. We recommend to just send unencrypted e-mails from now on. Thanks for your attention."

Great solution.

.@cwcopa oh boy, here we go again.

First of all, it's "use something else for sensitive stuff, like Signal".

Secondly, the crux of the issue is that *past encrypted communications are at risk*.

Third, PGP is not broken. Client implementations are broken.

Finally, do you really think that muddying the waters even further with a toot like this is helping anyone? Honest question. Please respond. Thanks.

/cc @jerry since you boosted

@rysiek I @cwcopa’s comment as a criticism of the EFF’s comments

@jerry @cwcopa that part is clear.

My question is: how is the comment you boosted helping? It's making a straw man out of what EFF said. Twisting their comment into an absurd version that doesn't even resemble the original and then pointing a finger and laughing at it.

So, how *is* this helping? How is this moving the discussion forward in any way?

@jerry @cwcopa there is a legitimate argument to be made that PGP/GPG should eventually be retired -- too many moving parts, too much unencrypted metadata, too many implementation details that are underspecified.

I do not personally agree that this means we need to drop PGP/GPG immediately.

But that doesn't mean I don't recognize this argument as a valid point of view that needs consideration.

@rysiek @jerry @cwcopa

Fair point. The EFF recommended "pausing" OpenPGP emails in the short term, not stopping forever, as @cwcopa hyperbolically joked:

"EFF is advising PGP users to pause in their use of the tool and seek other modes of secure end-to-end communication for now." (eff.org/deeplinks/2018/05/not-)

But I think @cwcopa's main point was that that recommendation is a very blunt instrument. And I agree with that.

@rysiek @jerry @cwcopa In the short term, many organizations are simply stuck with email for some communications -- due to law, policy, the cost of changing protocols, or some other reason. If they're going to keep emailing, they should continue using OpenPGP encryption.

@Aaron @jerry @cwcopa thing is, the issue is not just about future e-mail that is going to be written and sent. It's about all past encrypted e-mails. And that's why it's so problematic, and that's why I can see how EFF's recommendation made a lot of sense.

It was about protecting past communication.

Plus, everyone should really have 2 secure channels. Just in case. Use Signal.

@rysiek Let's not use Signal though. They require a phone number, actively discourage alternative clients and it is plainly centralised.

@xrevan86 please give me a better solution for journalists from across the world, without a way of physically meeting, and with a need for good crypto, a mobile and desktop client, and a way to share files securely.

A lot are still using Telegram or Viber. We tried pushing Tox but it was nigh-unusable to regular people. Briar is interesting, but still barely out the gate. Wire is tempting, but we barely moved people to Signal from Telegram, Viber, WhatsApp.

@rysiek Wire is more acceptable as it doesn't require a phone number, yes.
I personally think !xmpp does meet those requirements.

@xrevan86 I used to run 2 XMPP servers. Tried setting up audio communication, and MUC, and sending files, and it was always a major pain in the arse, and barely worked, if it worked at all.

XMPP is not a solution in any way, shape, or form, until they fix the "random XEPs implemented by random clients/servers" bullshit.

As to Wire, if I had to make this decision today, Wire would probably be it. But I am not going to move hundreds of people to Wire right now; Signal is good enough.

@xrevan86 XMPP's security (i.e. OTR) is an add-on, just like PGP/GPG for e-mail. There is friction, there is additional attack surface, and it fails every now and then. End-to-end encryption cannot be an afterthought.

@rysiek @xrevan86
What about OMEMO?
Even though it unfortunately does not fix the XEP problem.

@Skoll3 @xrevan86 let me know when most main XMPP clients (Pidgin, Gajim, Adium, Coccinella, Miranda IM, Psi, anything else?) and main servers (if implementation is needed there; prosody, ejabberd, others?) implement it.

rysiek ✅ @rysiek@mastodon.social

@Skoll3 @xrevan86 and what does it tell you about a piece of software or a secure communication tool if even the privacy-minded techies are not inclined to use it?..

@rysiek If the alternatives to it that privacy-minded techies do use are Signal and Telegram (yes, there are those too), then I don't know. It only inclines me to be even more stubborn.

@rysiek Especially because some other people try to get me from XMPP to these "better" networks (privacy-aware techie people). "Just register with your phone number on a central server, install an Electron client and you're all set."
It simply doesn't cut it for me, so !xmpp stays as the only good solution.

@xrevan86 I am not trying to convince you to drop XMPP.

I am explaining why XMPP is not a solution in my case.

There is an important difference between the two.

@rysiek @xrevan86 the difference is very important, yet it's hard to tell whether someone is trying to convince you or not, even in real life.