[denton-scratch]

Got it:

"There's a technical issue with email encryption, but we have a solution: don't use email! instead, use this different protocol, that doesn't work with email clients or email addresses, but instead uses a telephone number as an identifier!"

I've never tried Signal, because I don't want my telephone number used as my identifier.

A bug in email encryption can be fixed by fixing the bug; proposing a completely different protocol/application isn't fixing that bug, it's just saying that this other protocol/application doesn't have the same bug. It's not a solution; at least, not for me.

[dale_glass]

It's a pity, but email never was designed for security, and you can't graft it on.

GPG doesn't really do much for security, because a lot can be told from simply who communicates with who and when, and GPG does absolutely nothing there.

[SAI_Peregrinus]

The biggest bug in email encryption is that important message data & metadata can't be encrypted for SMTP to work. It's a bug in email, and there's no backwards compatible fix.

[jcranmer]

This is like asking how to drive across the ocean and getting mad when someone tells you that you need to take a boat.

Email just fundamentally isn't encryptable; the protocol and the way it actually works in practice (hi, antispam!) requires that important parts of the email not be encrypted, and things like asynchronous communication make it difficult to do encryption to the gold standard of quality. Also, turning on encrypted email also disables several email features from the perspective of the user (hope you didn't want to search your emails!). The end result is that email encryption is, as someone else put it, LARPing rather than security.

There are a few very narrow use cases for which encrypted email may make sense (largely in cases where you're not concerned about hiding the existence of communication channels, just message contents, and you can do out-of-band public key communication). But notice that those use cases don't include "I want to message someone else securely," and it's definitely not someone that would work if you tried to let regular users do it.

[denton-scratch]

> things like asynchronous communication make it difficult to do encryption to the gold standard of quality.

I agree. Thing is, asynchronous communication is a killer feature. My primary communications channel is email, but I don't use encrypted email.

I do use GPG, but not for email.

[38529977thrw]

None of this explains why I need to give you my telephone number to get on your boat.

Identity is the core of the matter and that is invariant of the modes of transport. On top of that comes key management. On top of that you can build your secure application on whatever platform.

Total end to end encryption can only be built on top of identity and never (ever) on a specific channel. And TE2E should be the social goal.

[xoa]

Even to the extent that's true (and a lot of it is not), none of that explains why there are absolute zero email replacements, and indeed "security" people seem to promptly display brain damage whenever the idea is brought up. "Email-like" doesn't mean it has to be actual current standard email, there could be an "xmail" that has a UX near exactly like email but is more modern. But instant messengers (let alone centralized ones) are not a replacement for email and never will be, and the stubborn idiotic insistence they are is as surprising as it is infuriating. If you insist it's security or email, the answer is email, and that's how very important information will continue to be sent.

Although that said, and while not disagreeing about its flaws, I still can't let entirely go by:

>the protocol and the way it actually works in practice (hi, antispam!)

But anti-spam works fine with encrypted email (putting aside practicalities of no forging making spam harder anyway).

>asynchronous communication make it difficult to do encryption to the gold standard of quality

Nobody gives a shit. Asynchronous communication is well worth it.

>hope you didn't want to search your emails!

lol wut? If I go into Mail and searching something it can include encrypted emails the same as whatever else, why wouldn't it?

[tptacek]

There are, obviously, replacements for email. Most of us get a tiny fraction of the email we did just 10 years ago because so much has moved out of email and into other messaging systems. The faulty logic being used here is that there is nothing shaped precisely like email to replace email, and, of course, there never will be.

[petre]

Wire uses the Signal protocol and your e-mail address or a username as your identifier. But you still depend on somebody else's infrastructure. We probably want XMPP with OTR or OMEMO.