[blindm]

Baking in automatic crypto to email is a lost cause, since email is not as straight-forward as let's say Signal, which only succeeds because it exists in a monoculture (iOS/Android). Email operates on 100s of different clients (and operating systems), and you get people replying-to-all by mistake, and fat-fingering sensitive data to random recipients (which is possible in Signal, but not nearly as bad as e-mail where e-mail can exist in any hostile environment it wants, unlike Signal which has a user which is more careful about what he/she sends).

[dane-pgp]

> e-mail can exist in any hostile environment it wants, unlike Signal which has a user which is more careful

Could you explain why Signal users are more careful than email users? Aren't all Signal users also email users?

I suppose the reverse isn't true, and there are machines that send people transactional emails (e.g. receipts for online purchases) which it would be nice to secure with PGP.

The real problem with securing email, from my perspective, is the difficulty of creating a UX which accurately and intuitively conveys to the user whether the message they are sending is secure (and what "secure" means). By using a separate app which never sends plaintext, that's basically a non-problem.

[blindm]

> Could you explain why Signal users are more careful than email users?

Sorry, I forgot to mention that phones are typically seen as more secure, and phones are the go-to operating systems that people use now, and are (usually) permanently switched on, so have to be secure since they are constantly exposed to the public Internet. (Yes, Windows can be seen as secure too, but IMHO phones are more secure. Windows is getting better over the years and have mitigated and patched a lot of the common vulns you do see).

> Aren't all Signal users also email users?

No. Email is often reached from many different OSes and environments. It is common and expected to see people logging into their Gmail from potentially compromised systems at work, or at Internet cafes. They just assume that whenever they login, the are 'secure' when in some cases the Internet cafe is logging everything or their employer has setup 'monitoring' software to ensure they are actually working and not dossing.

Signal: not so much. They have a single secure device that they use to communicate with, and since Signal is tied to a SIM: migrating your old Signal 'account' to a new SIM is impossible.

[swiley]

> phones are typically seen as more secure

Like most popular ideas in technology this is absolutely ridiculous and I actually laughed out loud when I read it. Most consumer phones (especially outside the US) ship with malware installed. Often worse than consumer PCs especially since even someone with little skill can install completely free OSes.

Also: Almost every popular OS has FDE as an option (often the default one) which was the main feature (other than sand boxing, which browsers do well enough) that supposedly made phones secure.