by mikorym 2530 days ago
I think a perhaps unclear part of the recent post "The PGP Problem" is that PGP is bad for email.

If you don't use it for email, I don't see it as really a problem. Unless, maybe, you are a reporter or otherwise not clear on the principles behind using something like GPG. I think personally that the point about all the discussion is that for laypeople PGP and email is just too complicated (even for myself as a programmer and evidently for others it is complicated).

In that same vein, I can see how PGP has fundamental limitations with email, e.g.: Having someone's email address does not imply that you have their public key. Is it possible to state in simple terms what OP's program does to improve this?


> I think a perhaps unclear part of the recent post "The PGP Problem" is that PGP is bad for email. If you don't use it for email, I don't see it as really a problem.

You're apparently asserting that Latacora's "The PGP Problem" states PGP is only bad for email. I can only assume you didn't even bother reading the article? Because it states that PGP is bad:

* period and in its entirety, in fact most of the article (section 1 "The Problems") is the various ways PGP and GnuPG are broken at the core, specific scenarios are only mentioned (in section 2 "The Answers") to provide alternatives, because Latacora's assertion is that in cryptography one size does not fit all, and each scenario needs its own toolset

* for securing messaging

* for securing email messages

* for signing files and packages

* for encrypting files, whether to send, backups, application data, …

What it does state with respect to email is that encrypting emails is a fool's errand, not just that using PGP to do so is a mistake. It does note that GnuPG is also specifically bad at it, but very clearly states the issue is not limited to PGP:

> This isn’t going to get fixed. To make actually-secure email, you’d have to tunnel another protocol over email (you’d still be conceding traffic analysis attacks). At that point, why bother pretending?

> Encrypting email is asking for a calamity. Recommending email encryption to at-risk users is malpractice.

So what's the alternative, for asymmetrically encrypting arbitrary binary data?

For sending such data to others, the Latacora article suggests a tool that I've never heard of or heard recommended by other experts called "Magic Wormhole". It's a new tool that (from what I can tell) has a whole crapload of limitations and assumptions that PGP does not have: https://magic-wormhole.readthedocs.io/en/latest/welcome.html...

One of the most severe is that it apparently requires both ends to have active internet connections to transfer the data over the wire between them. As I type this, I'm visiting my parents who have 5 Mbps internet. Let's hope that file isn't big or my contact has the time and patience to wait if it is! The other is that it apparently relies on a shared password, which just takes us back to encryption before the very problem PGP was designed to solve...

For simply "encrypting files", even Latacora gives up and says "use PGP"!!

As a side note, though I agree with them that PGP is not good for secure messaging, I don't find their alternatives convincing there either. Signal and Wire don't have solid group chat capabilities that don't rely on a single central server run by a third party and don't require private information like a phone number to use. I consider that absolutely basic for a good messenger. At least PGP, though very faulty in this area, is designed to be used over existing protocols like email to make them secure, so it doesn't have the last two limitations.

Wormhole isn't new, and if you haven't heard another "expert" recommend it, you don't hang out with a lot of cryptography engineers.

The point about "simply encrypting files" is that nobody is implementing something with PGP's "encrypt-a-file" interface because it's not that useful; rather, people purposefully design modern systems with cryptography tailored to tasks, like messaging or file transfer or backup.

Your last point about PGP vs. Signal is pretty funny, as it implies that PGP has "solid group chat capabilities".

> Wormhole isn't new, and if you haven't heard another "expert" recommend it, you don't hang out with a lot of cryptography engineers.

You're right, I don't. But the earliest thing I found about Wormhole after a quick look was from 2015, which I think is pretty recent in the crypto world. Maybe I missed something.

> Your last point about PGP vs. Signal is pretty funny, as it implies that PGP has "solid group chat capabilities".

I tried to be clear about the fact that I wasn't saying that. Its benefits over Signal and Wire (but not Matrix) are that it doesn't require a central server and doesn't require any PII to sign up. I consider those crucial for anyone who has extreme security / privacy needs. PGP completely sucks for group messaging, I agree. But the alternatives suggested are simply non-starters for many use cases.

Tell me more about what your book says about the crypto world? Is Noise ok now?
Maybe? It depends on your requirements. Don't most experts recommend extreme caution with cryptography approaches and software that's less than a decade old? Has that changed? Do we move fast and break things now too?

Would also like to hear your thoughts on why / whether Signal and Wire are actually good recommendations.

Is there a similar consensus about Syncthing and whether it is secure enough (or not) for file-sharing among cryptography engineers?

Look, my point is this: If I open my text editor and type some text, save the file and sign it with GPG with my private key to prove authorship, then I don't see how you are going to break this. In that specific sense GPG is not broken.

There are countless online puzzles or cryptography use cases based on this. I am asserting that since GPG is not broken in this specific sense, you can't just say GPG is broken "in its entirety".

My understanding is quite different. Email is inherently insecure and there is nothing you can do about it.

PGP is insecure for everything else as well

The Latacora article was eye-opening for me on the email problem - quite simply if I send an encrypted mail to a friend / colleague - which I intend them to read, and they read it and quote it to someone else in plain text then that's it - my plaintext and my cipher are available in the wild and my key (my long term key) is effectively broken.

I simply never thought it through that way. But that's how email is supposed to be used - it will be used that way.

Mind Blown.

Wait, what? No. Leaking plaintext doesn't reveal your long term key. I definitely didn't write that.

I finally got that when someone pointed out that the long term key is not used to encrypt the mail content - I made that leap incorrectly and went from there.

I made the change down thread - was too late to edit the original - and I hope clearly pointed out that your article did not say that

It takes me several run ups to understand most security issues and I got all excited before having my coffee that day.

Messages are encrypted with a session key in openpgp so this doesn't work.

How do I negotiate a session key with the email recipient? It's a single transmission? Otherwise it's a one time pad perhaps - but then that defeats the point of the public key?

would you mind expanding on this as it is an interesting area

A random key is used to encrypt the email, then that random key is asymmetrically encrypted using the recipient's public RSA key. You do not use your own key to encrypt mails to someone else. Indeed, you can send encrypted emails without even having a key of your own.

So I actually re-read and followed links (I mean what's wrong with lazy assumptions anymore)

tptacek's "why email is insecure" post is here: https://news.ycombinator.com/item?id=16088386

And yes that's what he says in the original Latacora post.

I read the article: "invariably CC the quoted plaintext of your encrypted message to someone else (we don't know a PGP email user who hasn't seen this happen)"

So I made the (incorrect) leap to pgp using the long term key to encrypt files. My bad.

But this does not fix the original point it seems - email is not going to be "secure" any time soon. But you can send encrypted files over email to people.

> So I made the (incorrect) leap to pgp using the long term key to encrypt files. My bad.

It does. Which is why PGP has no forward secrecy and if I steal your key I can decrypt all your past and future mails.

> my plaintext and my cipher are available in the wild and my key (my long term key) is effectively broken.

Wait a minute. I may have to read the Latacora article again but if we are dealing with ciphers where having a plaintext attack reveals the key, I think we're in a lot bigger trouble than I ever imagined. To be blunt I don't really believe it and it would take some explanation to convince me it's true.

Edit: OK, I think I see the problem. I believe the quote in the article is discussing the fact that the user happily quotes a message and doesn't re-encrypt it, meaning that you have accidentally leaked the plain text -- not that the key is known. So I think they are arguing that we should write apps so that it is impossible to copy the plaintext.

Since (as detailed in the reply chain) this is completely incorrect (PGP simply doesn't have this vulnerability), can you edit the comment to that effect? Otherwise this claim is a bit dangerous.

Exactly. The "PGP is bad because public key infrastructure management is hard" meme should please die already.

The idea of a dedicated package signing and encrypting tool detached from this problem is maybe not a bad idea in that regard, because it removes this stigma.