by bscphil 2530 days ago
So what's the alternative, for asymmetrically encrypting arbitrary binary data?

For sending such data to others, the Latacora article suggests a tool that I've never heard of or heard recommended by other experts called "Magic Wormhole". It's a new tool that (from what I can tell) has a whole crapload of limitations and assumptions that PGP does not have: https://magic-wormhole.readthedocs.io/en/latest/welcome.html...

One of the most severe is that it apparently requires both ends to have active internet connections to transfer the data over the wire between them. As I type this, I'm visiting my parents who have 5 Mbps internet. Let's hope that file isn't big or my contact has the time and patience to wait if it is! The other is that it apparently relies on a shared password, which just takes us back to encryption before the very problem PGP was designed to solve...

For simply "encrypting files", even Latacora gives up and says "use PGP"!!

As a side note, though I agree with them that PGP is not good for secure messaging, I don't find their alternatives convincing there either. Signal and Wire don't have solid group chat capabilities that don't rely on a single central server run by a third party and don't require private information like a phone number to use. I consider that absolutely basic for a good messenger. At least PGP, though very faulty in this area, is designed to be used over existing protocols like email to make them secure, so it doesn't have the last two limitations.


Wormhole isn't new, and if you haven't heard another "expert" recommend it, you don't hang out with a lot of cryptography engineers.

The point about "simply encrypting files" is that nobody is implementing something with PGP's "encrypt-a-file" interface because it's not that useful; rather, people purposefully design modern systems with cryptography tailored to tasks, like messaging or file transfer or backup.

Your last point about PGP vs. Signal is pretty funny, as it implies that PGP has "solid group chat capabilities".

> Wormhole isn't new, and if you haven't heard another "expert" recommend it, you don't hang out with a lot of cryptography engineers.

You're right, I don't. But the earliest thing I found about Wormhole after a quick look was from 2015, which I think is pretty recent in the crypto world. Maybe I missed something.

> Your last point about PGP vs. Signal is pretty funny, as it implies that PGP has "solid group chat capabilities".

I tried to be clear about the fact that I wasn't saying that. Its benefits over Signal and Wire (but not Matrix) are that it doesn't require a central server and doesn't require any PII to sign up. I consider those crucial for anyone who has extreme security / privacy needs. PGP completely sucks for group messaging, I agree. But the alternatives suggested are simply non-starters for many use cases.

Tell me more about what your book says about the crypto world? Is Noise ok now?

Maybe? It depends on your requirements. Don't most experts recommend extreme caution with cryptography approaches and software that's less than a decade old? Has that changed? Do we move fast and break things now too?

Would also like to hear your thoughts on why / whether Signal and Wire are actually good recommendations.

I'll tell you what I don't understand. I don't expect random engineers on HN to be especially crypto-literate, nor should they be: it's a super-specialized field that demands a lot of spare storage capacity in your brain, and a lot of us had enough algebra after Algebra II in 10th grade. Engineers who specialize have a whole huge variety of things to pick: machine learning, distributed systems, optimization, network algorithmics, graphics, systems security, you name it. There's no reason a significant number of people here should have to know what Noise or SPAKE2 is.

What's weird is: if you don't know what any of this stuff is, why would you feel the need to express strong opinions about it? Is it really your belief that intuition and a drive-by reading of some slides on a GitHub page can bring you up to speed with the field? I read every "Call Me Maybe" post and I absolutely do not think I'd have a chance in hell at getting a distributed commit protocol right. Hell: I "specialize" in cryptography and feel the same way about crypto protocols!

My thoughts about Signal and Wire are that I did a good job of relating in the post you're talking about what I think about Signal and Wire.

I'm not sure what this is in response to, actually. I'm not expressing any particular opinion about cryptography. I have no opinions and I defer to experts. One thing that I have heard experts say is that we should be very hesitant to use new protocols and software in areas in which a maximum of security is needed.

So I have no opinion of Wormhole, other than to say that (1) it is new, and experts I have listened to in the past say to be wary of new approaches, and (2) it (according to its own documentation) has some rather extreme limitations that make it arguably not a good fit as a general purpose solution to encrypted file transfer.

> My thoughts about Signal and Wire are that I did a good job of relating in the post you're talking about what I think about Signal and Wire.

As I don't think I have referred to any post by you, I don't know what you think about those solutions. If you are referring to the Latacora article (I think you wrote it, but I'm not sure because it doesn't specify its authors), it says (IMO) very little about the merits of Signal and Wire compared to other systems, and nothing at all about the specific criticisms I made in my comment you originally replied to.

Is there a similar consensus about Syncthing and whether it is secure enough (or not) for file-sharing among cryptography engineers?