Hacker News new | ask | show | jobs
by b112 954 days ago
After persons destroyed the usefulness and value of all the keyservers a few years back, via flooding and other actions, this is no shock.

I suspect this was a state actor funded operation, for this has effectively, and significantly reduced the usefulness of PGP/GNUPG.

Many people I know were starting to use it, now they do not. It doesn't matter that security should overcome conveniences, conveniences often win.

And state actors hate encryption at rest.
4 comments
sgjohnson 954 days ago
> I suspect this was a state actor funded operation, for this has effectively, and significantly reduced the usefulness of PGP/GNUPG.

If it was, they did us all a favour, because PGP as means of encrypting emails is a steaming pile of garbage, as it requires both, client support, and the counterparty to have the same OPSEC as you (e.g. not just forwarding the email unencrypted to someone else)

Email was never meant to be encrypted, and the existing implementations (including S/MIME) suck for this exact reason. And the worst thing is that it’s simply not possible to make it work.

link
b112 954 days ago
HTML support client side, and required libraries are crazy complex compared to gpg integration. Yet that was done, and never meant to be.

Same for images inline, and the idea of attachments was an add-on. Other examples abound.

While I don't use html in my emails, it's effectively a standard now. So much so, that I have to prod some corporations to fix their stuff.

My point is, the "email was never meant" ship sailed decades ago. Change happens.

And there is no way to encrypt anything, ever, and send it to someone, who can't see it, and then copy it and send to others. A person can take a screen shot, or just take a phone and take a pic of the screen! So even if it's not simple, this problem is a non-solve, because if a human can read it, it can be copied to others.

Which means, I do not believe your criticism on this point is valid.

link
thaumasiotes 954 days ago
> PGP as means of encrypting emails is a steaming pile of garbage, as it requires [...] the counterparty to have the same OPSEC as you (e.g. not just forwarding the email unencrypted to someone else)

All encrypted communication protocols have this requirement. And all of them will in the future. By definition, you need the counterparty to be able to decrypt your message, which means you're always vulnerable to them forwarding the unencrypted message to anyone they want.

link
sgjohnson 954 days ago
> which means you're always vulnerable to them forwarding the unencrypted message to anyone they want.

email makes this trivial.

link
thaumasiotes 954 days ago
No more trivial than any other method. Once you have the plaintext, you can send copies to whoever you want, by whatever means you want.
link
master-lincoln 954 days ago
The state actors did us a favor by making the most widely used email encryption scheme less useful?

I must assume you are an opponent of privacy

link
dale_glass 954 days ago
That only means it failed in its aim, and needs to be replaced with something better. If you really rely on encryption for something important, a system so easily broken is no good.

And "state actor funded"? Come on, the spam attack was absolutely trivial. It required no state funding, just a single person with an axe to grind, a target, and a trivial shell script. Attaching spam signatures was a thing decades ago already and didn't require any real resources of technical knowledge.

link
anon-sre-srm 954 days ago
?

There are plenty of keyservers that are usable. There is a visualization diagram of the forest of replication partners.

https://www.rediris.es/keyserver/graph.html

https://spider.pgpkeys.eu/graphs/

link
repelsteeltje 954 days ago
It's that, and the fact that a hacker would enable the feature after compromising the account (some other way, unrelated to PGP) to prevent the legit user from using the account recovery email.

So feature was basically there only to shoot oneself in the foot.

link
b112 954 days ago
That is part of facebook's reasoning, as to why they dropped it. The second part should be kept in mind, and that is, few use it.

If it was popular, they wouldn't axe it.

My comment was certainly about facebook dropping it, but also about how this is a larger picture issue. You don't need to weaken encryption standards(NSA, others), or have back doors(loads of states), if people just find it too annoying to use!

link
repelsteeltje 954 days ago
Would have helped a lot of there would have been some sponsorship and adoption by banks, bigtech, governments. With only push from Snowden and a couple of nerds (I'm making a hyperbole :-) ) and it being complicated, inconvenient this never gained momentum.

Banks, bigtech, government choose other means, for their own reasons. Some of those might have been spies lobbying to hold on to their surveillance superpowers, for sure. Another might have been "not invented here".

link
prmoustache 954 days ago
For that to work, your email has to be compromised in the first place.

And if your email is compromised, well, it is game over already, for every single thing you have access to.

So it is just a poor excuse. I guess the main reason is that virtually nobody knew this feature existed and the intersection between the population privacy savy enough to use PGP and using Facebook is ridiculously small.

link