[skybrian]

So is it saying that big email providers like GMail shouldn't opportunistically encrypt email in transit or at rest? Or that we should avoid email services that do?

Clearly not as there is no harm in it, the UI is unchanged, and it prevents certain attacks. You have to know that by "encrypted email" means "end-to-end encrypted email" to make any sense of the essay, otherwise the claim is too broad. It states the claim being defended poorly.

[Misdicorl]

The article is clearly discussing E2E encryption between consumers of email and quite clearly uses PGP as a relevant example.

It even mentions hop-to-hop TLS of email as an obviously good idea (and presumably would likewise say at rest encryption is a good idea). None of this matters to the author's fundamental point. End to end encryption in email is silly and can't work because it isn't enforced at the protocol level.

You either haven't read the article or haven't understood it.

Edit: or disagree with its fundamental claim, but are talking about irrelevant issues instead for some reason.

[lliamander]

It makes the following claims:

* encryption of email in transit is good because it does provide some security against things like dragnets.

* attempts to bolt end-to-end encryption on email, regardless of what tools you use, are insufficient to provide any real security against the kinds of threats you generally use end-to-end encryption against.

* If you need secure messaging, use Signal

* If you need to send documents securely, use Magic Wormhole or age

EDIT: and if you don't need secure messaging, then continue to use email

[tptacek]

Not that I want to perpetuate a discussion about my post on this thread, but "use Signal" isn't the claim we make; "use any modern secure messenger, they are all better than email" is the claim we made.

[lliamander]

Fair enough. I was attempting to be succinct, but the correction is appropriate (I believe you did say that Signal was "standard" and "best").

Btw, I did find your essay persuasive. In my search for a paid email provider (as an alternative to Gmail) I've decided not to go for one that uses E2E encrypted email. If I need secure messaging, I'll use Signal (or something similar) but for email I would rather go for features and ease of use than E2E encryption.

[majormajor]

If you read the essay, the scenarios being considered and the type of security desired are pretty clear from the examples.

And then you realize that things like "providers opportunistically encrypting in transit or at rest" are largely irrelevant to having truly secure communications. You could have a conversation about "is Gmail less bad than Outlook.com" or whatever, but the whole point of the essay is that neither are meaningfully different if you have important secrets.

[skybrian]

"Truly secure communications" isn't all that matters when discussing email security.

There are meaningful differences in the scale of access. It matters whether the NSA (or China or whoever) can just read everyone's email off the network, versus law enforcement sending requests to email providers where they are verified to be legal. It's the difference between lawful access and espionage.

[conductr]

Gmail.com uses HTTPS. Already encrypted. /s