[tptacek]

Where by "email encryption" we mean "mail people a link to a service they can register with and then upload messages and file to, so that SMTP is used only to relay links to messages, not the messages themselves, and email is encrypted by dint of TLS connections".

That's what most F-500 companies do to solve this problem. It's a more viable approach than direct encryption of PGP.

Normal people --- and eventually the F-500's, too --- just use WhatsApp.

[Akkuma]

This is a bit of a stretch of what the service does. You don't need to "register" to read messages. It OAuths you if you don't use the extension. People using the extension register through OAuth as well.

The email is encrypted before it is sent anywhere using AES 256 (GCM when available moving forward).

WhatsApp doesn't deal with email or file attachments as far as I knew to the same degree as something like gmail where we can handle ~150MB files and they handle ~30MB. I doubt most of these big companies want to migrate emails away from Outlook/Gmail and force all their external correspondence to be done via WhatsApp.

There's also rollout starting for support of customer managed keys and a bunch of things WhatsApp will probably take a long time to do, if ever, due to their consumer focus.

Disclosure: Work at Virtru

[pdog]

> Normal people --- and eventually the F-500's, too --- just use WhatsApp.

Sure, but WhatsApp is a totally closed protocol owned by a company (Facebook) known for rampant issues with privacy.

Security professionals have a responsibility to recommend open protocols like Signal that are dedicated to privacy.

[tptacek]

This is the "have you stopped beating your wife yet" of security arguments.

[reitanqild]

You usually seem like a very smart and reasonable man but here I feel you are missing major parts of the picture and I don't understand why you would.

Given what we have seen from Facebook so far I am not convinced they wouldn't sell data to anyone including Hitler as long as they paid for it somehow.

More realistically though I fully expect them to sell (misleading) data to insurance companies, Indian (and other) support scammers etc without asking many questions.

For that reason I prefer almost anything including email and Telegram.

(My opinions might be somewhat coloured by the fact that I was an enthusiastic Whatsapp user before Facebook bought them and even stayed and gave Facebook another chance with Whatsapp. )

[wolf550e]

Facebook see your whatsapp contacts (social graph) and can sell that, but they really can't see the content of conversations.

If being known to be in contact with certain people (e.g. human rights activists) can be damaging to you, you need to use something other than whatsapp or to somehow make sure the phone number whatsapp knows cannot be connected to your identity.

[reitanqild]

Facebook see your whatsapp contacts (social graph) and can sell that, but they really can't see the content of conversations.

Exactly the problem. My conversations should be utterly unexiting for anyone capable of getting hold if them.

I am personally more worried about FB selling (misleading) data to insurance companies. If their ad targeting is at the same level as everyone else they could get whatever conclusions they want from whatever data.

And then there is the issue about actual human rights activists and while I am not very active (monthly payment to amnesty) I don't want to support a system that scoops everyones data into the hands of "they trusted me" Zuckerberg.

Even worse I was with Whatsapp and gave Facebook another chance until it was clear that datamining everyone was the only reason they bought the company.

[nickpsecurity]

More like the "you're telling your wife to trust a guy that repeatedly beat her and a bunch of other women?" of security arguments. Expecting abuse from a known abuser or situation known to lead to it. Very reasonable expectation. Best to avoid the abusive party and warn others to do the same.

[jgilpin]

"and email is encrypted by dint of TLS connections"

Not exactly. Virtru customer-hosted keys are PGP wrapped before they go over the wire via TLS.