"So, PGP is broken. We recommend to just send unencryptede-mails from now on. Thanks for your attention."
.@cwcopa oh boy, here we go again.
First of all, it's "use something else for sensitive stuff, like Signal".
Secondly, the crux of the issue is that *past encrypted communications are at risk*.
Third, PGP is not broken. Client implementations are broken.
Finally, do you really think that muddying the waters even further with a toot like this is helping anyone? Honest question. Please respond. Thanks.
/cc @jerry since you boosted
My question is: how is the comment you boosted helping? It's making a straw man out of what EFF said. Twisting their comment into an absurd version that doesn't even resemble the original and then pointing a finger and laughing at it.
So, how *is* this helping? How is this moving the discussion forward in any way?
@jerry @cwcopa there is a legitimate argument to be made that PGP/GPG should eventually be retired -- too many moving parts, too much unencrypted metadata, too many implementation details that are underspecified.
I do not personally agree that this means we need to drop PGP/GPG immediately.
But that doesn't mean I don't recognize this argument as a valid point of view that needs consideration.
Fair point. The EFF recommended "pausing" OpenPGP emails in the short term, not stopping forever, as @cwcopa hyperbolically joked:
"EFF is advising PGP users to pause in their use of the tool and seek other modes of secure end-to-end communication for now." (https://www.eff.org/deeplinks/2018/05/not-so-pretty-what-you-need-know-about-e-fail-and-pgp-flaw-0)
But I think @cwcopa's main point was that that recommendation is a very blunt instrument. And I agree with that.
@Aaron @jerry @cwcopa thing is, the #efail issue is not just about future e-mail that is going to be written and sent. It's about all past encrypted e-mails. And that's why it's so problematic, and that's why I can see how EFF's recommendation made a lot of sense.
It was about protecting past communication.
Plus, everyone should really have 2 secure channels. Just in case. Use Signal.
@xrevan86 please give me a better solution for journalists from across the world, without a way of physically meeting, and with a need for good crypto, a mobile and desktop client, and a way to share files securely.
A lot are still using Telegram or Viber. We tried pushing Tox but it was nigh-unusable to regular people. Briar is interesting, but still barely out the gate. Wire is tempting, but we barely moved people to Signal from Telegram, Viber, WhatsApp.
@xrevan86 I used to run 2 XMPP servers. Tried setting up audio communication, and MUC, and sending files, and it was always a major pain in the arse, and barely worked if it worked at all.
XMPP is not a solution in any way, shape, or form, until they fix the "random XEPs implemented by random clients/servers" bullshit.
As to Wire, if I had to make this decision today, Wire would probably be it. But I am not going to move hundreds of people to Wire right now; Signal is good enough.