[woodruffw]

I think Latacora's (famous?) post[1] sums the situation up here nicely: email is designed in such a way that precludes an encryption scheme that actually works for ordinary users. Even power users consistently fail to use email encryption correctly.

If we care about secure communication, then we should be nudging users towards protocols that enable encryption, rather than fighting against it. For 99% of cases, that probably means Signal.

[1]: https://www.latacora.com/blog/2020/02/19/stop-using-encrypte...

[Metus]

I don't think that Signal is a proper substitute for anything that email is used for. Maybe it would be better to work on more secure successors or extensions to email.

[woodruffw]

Lots of people, including my parents, use email as an asynchronous messaging platform. For those people, Signal is an eminently suitable replacement.

As the post points out: email cannot be extended into a secure position. Attempts to do so either fail to interoperate or fail outright.

[daurnimator]

Email is also an archive of communications with vendors, shops and government departments.

Signal doesn't let you migrate chat history to your desktop.

Trying to migrate between phones while retaining your Signal history is too hard for most people.

Signal is not at all a suitable replacement, and I believe that forward secrecy is an anti-feature for an email-like usecase.

[tptacek]

You know you're in trouble when people start talking about forward secrecy being problematic. What you're saying about the "email-like use case" for cryptography is that it's unserious protection, because a lack of forward secrecy practically guarantees full decryption of the entire history of messages, for any ordinary participant in the system.

[daurnimator]

A major goal of an email-like system is full decryption of the entire history of messages.

Same as it's a feature of my filing cabinet that items don't incinerate themselves whenever I move house.

[tptacek]

Sure. Because people overwhelmingly aren't relying on the security of their email; it's overwhelmingly stuff no adversary would care to read. Then they retrofit the UX requirements they have for those boring mails onto all emails, and suggest that encrypted email should just accept those as constraints, and then we'll declare victory.

[0xDEAFBEAD]

>a lack of forward secrecy practically guarantees full decryption of the entire history of messages, for any ordinary participant in the system.

Can you elaborate?

[wolf550e]

Eventually a private key will leak, and without forward secrecy, that private key will probably decrypt all past messages to that person, and all future messages to that person, until they give all their correspondents a new key.

With email, because people quote when replying, you'll get the other side's messages too.

Like, the simple PGP-like system where sender encrypts message using recipient's public RSA key.

And of course it's not improved by switching from RSA to ECIES.

You need to ratchet the key, or double ratchet like Signal protocol.

[paulryanrogers]

Email as a concept can evolve. We can break backward compatiblity. Call it email v2 and include some killer features. If enough major players and users get involved then it'll happen.

My hope is it'll be something like Dark Mail, yet with a carve out for enterprise recipients to inject their controls and anti-malware before end-user delivery. (To combat spam and malware.)

[Metus]

In theory the giants that already hold the vast majority of all email communications - like Microsoft and Alphabet - are in a prime position to introduce a successor, hopefully this time with a receipt so the last argument in favour of fax dies off. At the same time, they have no proper motivation to do so.

[woodruffw]

That’s the point about interoperability. If we’re going to make “email v2” (not a terrible idea!), then the considerations that will go into securing it will ensure that it’s entirely incompatible with the thing we currently call email.

In other words: without sufficient clarity, email v2 just confuses people like my parents. Who would be better served by Signal anyways.

[paulryanrogers]

Vendors big enough to be known by your parents are sophisticated enough to paper over the differences and make it seamless. (Where possible)

[woodruffw]

“Where possible” is doing a lot of work!

[XorNot]

Signal has no concept of trust delegation: also, the verification API is extremely hidden and sucks (i.e. my brother working at a FAANG had no idea it existed or what it did - it's also extremely confusing when you open it).

This creates two problems: (1) is that Signal functionally operates as "trust on first use", and (2) Signal has no system by which you can communicate to "conceptual entities" - i.e. companies. There's no way in Signal to talk to say, a bank or a government agency as an entity (IMO: to turn a profit, this is the business Signal actually need to be in).

Which makes it a bit of stochastic security measure: encrypt enough communications and probably when something important does come up, the window to intercept it has failed - except of course, that those verification number messages nobody knows what to do with and so they ignore them.

[Metus]

> (2) Signal has no system by which you can communicate to "conceptual entities" - i.e. companies.

This has always kind of bugged me with email as compared to physical mail: While with a physical mailbox I can write a letter "to whom it may concern" and throw it in, with email I need to find out if the special, general purpose inbox is info@, contact@, hello@, or whatever other address the company uses, assuming they use the same domain for their email as they do for their website.

On the next level, there is no first-class support for stuff like 'send this message to person X, although it is adressed to organisation Y, where X works.' Basically, acknowledging the legal and organisational reality that while (single) humans might read, process and respond to communication, it is the legal entity that is actually being adressed.

[tatersolid]

There is a standard for this, most US companies I encountee over 100 people seems to support at least the security, info, postmaster, and support mailboxes at least.

https://www.rfc-editor.org/rfc/rfc2142

[woodruffw]

I agree that the verification UI sucks. I have similar stories about otherwise technical people not knowing about it or otherwise not understanding it.

At the same time: the relevant comparison here is email. Email isn’t even TOFU between arbitrary identities; it’s trust-on-each-message. Similarly for conceptual identities (like a bank’s catch-all address).

(I also agree with your point about this needing to be one of Signal’s businesses. WhatsApp and other chats already do this, I believe.)

[XorNot]

Email these days is however tied to DKIM and domains. We have UI problems, but communicating to a companies email servers at their domain name can be reasonably expected to be communicating with that company.

It's just the security story on that if you never want the content disclosed isn't great, but conversely, conceptual entity communications are always going to be a bit public by nature.

There's a whole other rant I have about this problem, where we really lack domain specific trust standards - i.e. communicating with a business, what I want to know is "is this a recognized legal business entity in it's jurisdiction, and what's it's status to mine?" which is very different to "I need to make absolutely sure me and John Smith's communication is just between us" - but they're in the same space of problem.

[Metus]

> There's a whole other rant I have about this problem, where we really lack domain specific trust standards - i.e. communicating with a business, what I want to know is "is this a recognized legal business entity in it's jurisdiction, and what's it's status to mine?"

I have the same pain, but this seems more like a regulatory issue than a technological one. Here in Germany, (basically all) legal entities need to publish a physical adress where they are reachable, it would be easy, in theory, to extend this to a reachable domain or email adress, thereby giving a guarantee, at least in Germany, that you are interacting with the business you are expecting. As you said, DKIM already exists.

Unless I have missed your point, then rant away.

[tptacek]

DKIM is an anti-spam tool, not an end-to-end encryption tool (obviously, it's not end-to-end at all, and if you're relying on it, you might as well forget about message encryption, because you've simply decided to trust your server).