Hacker News new | ask | show | jobs
by dale_glass 1017 days ago
IMO, GPG for email was mostly a mistake, because email can't be secured enough.

GPG leaves all the headers exposed, and reveals who's talking to whom. That, right there, is a huge security problem. Turns out metadata is often plenty. And it can't even encrypt the subject, which is a footgun of enormous proportions.

Picture a high stakes situation like say, a resistance member in the Russian occupied parts of Ukraine. Yeah, the Russians can't see what you're emailing about, but they can see that 3 people of a given village are sending encrypted messages to each other, and then there's some outside contacts. Gee, what might they be talking about? What conclusions should we make if somebody else also sends mail to this outside contact.

Yeah, the encryption might be strong, but it won't do much to protect those people against the $5 wrench.

GPG for email only works in extremely narrow scenarios, and that makes it a bad tool.
1 comments
theshrike79 1017 days ago
Which communication methods leak no metadata?

If two people are communicating, the message always needs to know where it's going and in most cases where it's coming from.

Not encrypting the email subject is an implementation detail really.

link
dale_glass 1017 days ago
> Which communication methods leak no metadata?

All leak something, but there are differences in what and how much.

> If two people are communicating, the message always needs to know where it's going and in most cases where it's coming from.

Yes, but in this case it'd be actually better to use something like Signal. You want something that's plausibly used often, is always encrypted, and is used for random chit-chat all the time, so that it's hard to tell if anything odd is going on from the outside.

GPG just screams "an important conversation is happening"

> Not encrypting the email subject is an implementation detail really.

And it's still unfixed, despite being a serious problem (it's easy to slip up and put something interesting in the subject).

link
mikro2nd 1017 days ago
> GPG just screams "an important conversation is happening"

is just another argument in favour of all email being encrypted.

And yes, there's side-channel/metadata still in the clear, and that's a problem, but still a smaller problem. The only crowd I know working on solutions to minimise/eliminate that problem is the Cwtch project (not product!)

link
dale_glass 1017 days ago
> is just another argument in favour of all email being encrypted.

And that makes GPG unsuitable, because it's such a pain in multiple ways.

> And yes, there's side-channel/metadata still in the clear, and that's a problem, but still a smaller problem.

Absolutely not a "smaller problem". Using GPG in an actually serious scenario like in occupied parts of Ukraine is quite likely to get you imprisoned, tortured, killed or all 3.

GPG mail is only suitable for "polite society" -- situations where your only problem is to securely email documents and account numbers to your accountant, and nothing else.

And that's actually a very narrow application. It's trivial to run into situations where that becomes extremely inadequate.

link
l72 1017 days ago
Sure, but sometimes we don't care about knowing who is communicating. For example:

I don't care if someone knows my bank sent me a message, but I want the content of the message to be secure (not just in transit, but also at rest)

I don't care if someone knows my primary care physician sent me a message, but I want my lab results to be secure.

I don't care if someone knows I communicated with my CPA, but I want my tax and receipts to be secure.

link
dale_glass 1017 days ago
True, but that's incredibly user unfriendly. The average person isn't good at doing that level of risk evaluation. What's important and what not isn't intuitive.

And we have a much friendlier than GPG system for that: putting that on a website protected by HTTPS.

link
l72 1017 days ago
But that puts all the data on a 3rd party site where I _might_ be able to make a copy of it for myself. It is annoying to get an email from my bank about an "important message", and instead of just sending me the message, I now have to go to the bank's app to read it. Oh, and it disappears after 30 days, so I have no way to archive it or look back on important messages from a year ago.

A government system could easily implement s/mime transparently for all emails sent within that system (meaning any other government agency or registered providers).

link
piaste 1017 days ago
> Which communication methods leak no metadata?

> If two people are communicating, the message always needs to know where it's going and in most cases where it's coming from

Sure, but you can still do a lot of things to make it much, much harder for the same Carol to identify Alice and Bob.

SimpleX is a good example of how far you can go and how many obstacles you can pile up onto the same protocol:

https://simplex.chat/#how-simplex-works

https://simplex.chat/#privacy

link