by upofadown 1593 days ago
I really hope that encrypted email is not a lost cause because that would strongly imply that end to end encrypted messaging is a lost cause in general. If we can overcome the problem in any single case we can overcome the problem generally, even for encrypted email.

This isn't something we can overcome with a purely technical solution. The basic ideas behind end to end encrypted messaging will eventually have to be made part of our culture.

1 comments

With respect, I do object.

End-to-end encrypted messaging does work, and Signal (among others) is proof of that.

With e-mail, either (a) you are backwards compatible and sending unencrypted (even by accident) remains a possibility, or (b) you break compatibility, but then it's no longer e-mail. (Signal is an extreme example of the latter: it just uses its own protocol.)

Signal is a good example here because someone did a usability study. In a usability study involving Signal[1], 21 out of 28 computer science students failed to establish and maintain a secure end to end encrypted connection. The usability of end to end encrypted messaging is a serious issue. We should not kid ourselves into thinking it is a solved issue. For all practical purposes it is the issue.

[1] https://www.ndss-symposium.org/wp-content/uploads/2018/03/09...

This is interesting, and it causes me to reevaluate my stance.

At least we have to agree on what we mean when we say that "end-to-end encryption works". I think there are "shades" of "working" if you will -- for instance, I know I mostly ignore when the key material changes in a Signal conversation, and this could be used to fool me. But then we have to talk about attack vectors and what we want to be protected from. I think it's mostly large-scale data collection and analysis rather than targeted attacks (like the CIA might do).

At any rate, thanks for setting me straight. I will read the paper!