by cryptonector 1749 days ago
The problem is that email is store-and-forward, and there's no standard for MUAs to independently interact and perform key exchanges via PGP or anything, so end-to-end encrypted email will always be a much worse experience than end-to-end encrypted IM.

Also, the heterogeneous MUA world, and the fact that users expect to be able to search their email even if encrypted, just makes end-to-end encrypted email a really tough proposition.

I could see something like OTR+PGP for email that could work, but the MUAs would have to get updates, and MUAs are "a solved problem". There's just no real work ongoing on MUAs.

https://signal.org/docs/specifications/x3dh/

The Signal protocol, which is the one all the big service providers are licensing for the instant messaging encryption part of their service offering, is actually supposed to be designed for store and forward scenarios because messages can be sent when users are offline.

It is founded on Diffie-Hellman, a key exchange algorithm developed in the 1970s (the stuff in the article about PGP being developed "before we really knew anything about cryptography" seems bogus at best) that has very much managed to weather well.

I understood that elliptic curve Diffie-Hellman has been widely adopted primarily because it's just a compact way to represent the large numbers needed in order to make the key exchange process robust (I think the second coordinate of the curve can be represented with just a single bit, so more efficient than other approaches), but perhaps I am wrong or misguided on that.

Anyway, regardless - I don't trust the claims of perfect forward secrecy in services like WhatsApp and Signal for a moment - any more than I believe that Crypto AG sold devices that really worked. Perhaps the protocol implements PFS. But does WhatsApp really implement the protocol?

Besides, I recall reading that running the Unix command `strings` over the popular Signal messaging app revealed a static encryption key hardcoded into the application binary, which was used to encrypt all the attachments downloaded to the phone. Gaining access to the phone meant easily reading the messages (using Android accessibility features to "read them out loud") and with the hardcoded secret, easily decrypting the attachment storage too.

I've never read of a police force anywhere in the world actually shutting down citizen access to WhatsApp, at least not unless they're non-allies or otherwise considered hostile to the US. But I have heard of modified, PGP enabled BlackBerrys being seized by police forces all over the world because they really can't break them.

So my working method, fwiw: if I have something private to say that I do not wish to be snooped upon, I do send it over Signal or WhatsApp, but I say it with PGP, and then I delete it and ask the other party to do the same.
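The first comment says there is no standard way for two mail clients to run a key exchange over a store-and-forward channel, and the reply above points at X3DH as the protocol built for exactly that situation. The following is an added illustration of that message flow, written for this thread; it is not Signal's code and not code from either commenter. It uses a hypothetical toy finite-field Diffie-Hellman group in place of X25519, a one-block HKDF stand-in, and omits the XEdDSA signature Bob places on his signed prekey (a DH key in this toy group cannot sign; a real client must verify that signature). The server, the key bundle, Alice's derivation while Bob is offline, and Bob's later recomputation follow the structure of the linked specification.

```python
"""Toy X3DH-style key agreement over a store-and-forward server.

Added illustration, not Signal's code. Message flow follows the X3DH
spec: Bob publishes a bundle while online, Alice derives a session key
from it while Bob is offline, Bob derives the same key when he returns.
Hypothetical simplifications: toy finite-field DH instead of X25519,
no XEdDSA signature on the signed prekey, single-block HKDF.
"""
import hashlib
import hmac
import secrets

# TOY group, constructed for illustration only: a 127-bit Mersenne prime
# and a small generator. Not a vetted DH group; never use it for real.
P = 2**127 - 1
G = 3
KEYLEN = 16  # bytes needed to encode one group element


def keygen():
    """Return a (private, public) toy DH key pair."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh(priv, pub):
    """Shared value g^(ab) mod P, fixed-width encoded so KDF input is unambiguous."""
    return pow(pub, priv, P).to_bytes(KEYLEN, "big")


def kdf(key_material):
    """HKDF-SHA256 reduced to one extract and one expand block (stand-in)."""
    prk = hmac.new(b"\x00" * 32, key_material, hashlib.sha256).digest()
    return hmac.new(prk, b"toy-x3dh-session-key\x01", hashlib.sha256).digest()


def bob_publish(n_opks=2):
    """Bob, while online: identity key, signed prekey, one-time prekeys."""
    ik, spk = keygen(), keygen()
    opks = {i: keygen() for i in range(n_opks)}
    private = {"IK": ik, "SPK": spk, "OPK": opks}
    bundle = {"IK": ik[1], "SPK": spk[1], "OPK": {i: k[1] for i, k in opks.items()}}
    return private, bundle


class Server:
    """Store-and-forward relay: serves bundles, queues first messages."""

    def __init__(self):
        self.bundles, self.mailbox = {}, {}

    def publish(self, user, bundle):
        self.bundles[user] = bundle

    def fetch_bundle(self, user):
        """Long-lived keys plus ONE one-time prekey, which is then forgotten."""
        b = self.bundles[user]
        opk_id, opk_pub = b["OPK"].popitem() if b["OPK"] else (None, None)
        return {"IK": b["IK"], "SPK": b["SPK"], "OPK_ID": opk_id, "OPK": opk_pub}

    def send(self, user, msg):
        self.mailbox.setdefault(user, []).append(msg)

    def receive(self, user):
        return self.mailbox.pop(user, [])


def alice_initiate(ik_a, bundle):
    """Alice derives SK and builds her first message while Bob is offline."""
    ek = keygen()  # ephemeral; deleting it afterwards is what gives forward secrecy
    km = dh(ik_a[0], bundle["SPK"])      # IK_A x SPK_B : binds Alice's identity
    km += dh(ek[0], bundle["IK"])        # EK_A x IK_B  : binds Bob's identity
    km += dh(ek[0], bundle["SPK"])       # EK_A x SPK_B : forward secrecy
    if bundle["OPK"] is not None:
        km += dh(ek[0], bundle["OPK"])   # EK_A x OPK_B : secrecy even if SPK leaks later
    msg = {"IK_A": ik_a[1], "EK_A": ek[1], "OPK_ID": bundle["OPK_ID"]}
    return kdf(km), msg


def bob_receive(private, msg):
    """Bob, back online, recomputes SK. Raises KeyError on a replayed OPK."""
    km = dh(private["SPK"][0], msg["IK_A"])
    km += dh(private["IK"][0], msg["EK_A"])
    km += dh(private["SPK"][0], msg["EK_A"])
    if msg["OPK_ID"] is not None:
        opk = private["OPK"].pop(msg["OPK_ID"])  # one-time: gone after first use
        km += dh(opk[0], msg["EK_A"])
    return kdf(km)


def run_exchange():
    """Whole flow; returns (alice_sk, bob_sk, replay_rejected)."""
    server = Server()
    bob_private, bob_bundle = bob_publish()
    server.publish("bob", bob_bundle)        # Bob goes offline here
    sk_a, msg = alice_initiate(keygen(), server.fetch_bundle("bob"))
    server.send("bob", msg)                  # queued until Bob reconnects
    sk_b = bob_receive(bob_private, server.receive("bob")[0])
    try:
        bob_receive(bob_private, msg)        # same first message delivered twice
        replay_rejected = False
    except KeyError:
        replay_rejected = True
    return sk_a, sk_b, replay_rejected
```

Running `run_exchange()` gives matching keys on both sides and a rejected replay, because Bob deleted the one-time prekey after its first use; once a user's one-time prekeys are exhausted the bundle ships without one and that replay check disappears, which is the trade-off the specification itself describes. The flow also makes the forward-secrecy point in the reply concrete: the protocol provides it through the ephemeral key and the one-time prekey, but only an implementation that actually discards those private values after use delivers it, and that is something a reader of the protocol document cannot check from the outside.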

The weakest point of any crypto is the implementation itself.

We used to say that key management was the weakest link, but now I think the implementation itself is the weakest link.

Alice and Bob simply cannot defeat Mallory when Mallory is responsible for the implementation of the crypto that Alice and Bob are using to defeat Mallory.

But most users can't implement their own crypto. And the few users that could would stick out like sore thumbs. And they would still have key management headaches.

Basically, crypto can work to protect against criminals, but not against the state. That was always true anyways: the state can apply legal and nominally-illegal rubber hose cryptanalysis (i.e., they can beat you with a rubber hose, real or metaphorical, to get you to give up your secrets).