by tptacek 928 days ago
Hold on, there's a sleight of hand here. You're trying to compare all of email against WhatsApp. Now, it's possible that if you took transactional email out of the picture, and just stuck with interpersonal communication, WhatsApp could beat email. But that doesn't matter, because in this discussion, the figure of merit is encrypted email, and on that metric, every single one of those platforms on their own roflstomps email for daily usage.

Only Matrix is federated, like email. I really enjoy sending emails without opening an account for each recipient or being subservient to 1 stack provider for 50 years, with all the inbreeding that entails.
That wasn't the point being made, was it?
> Now, it's possible that if you took transactional email out of the picture, and just stuck with interpersonal communication, WhatsApp could beat email

Everyone I know uses email. No one I know uses whatsapp. A couple of people I know use Signal. A handful use iMessage.

> But that doesn't matter, because in this discussion, the figure of merit is encrypted email,

Ok, let's consider one case where encrypted email is commonly used: reporting security vulnerabilities. Do you really think any of these would be a good medium for that? Do you see companies or other organizations putting a whatsapp username as the contact in their security.txt?

I do want there to be a more secure replacement for email. But most of the newer e2ee messaging systems can't really fully replace email.

Is encrypted email commonly used for reporting security vulnerabilities? It seems like increasingly, more reports occur via bug bounty programs, or are disclosed publicly by the researchers, or are just sent as plaintext emails to security@ or whatever is publicly listed. When I've found security vulnerabilities in somebody's code, I can't think of a time I ever thought about GPG-signing my notice to them.
> When I've found security vulnerabilities in somebody's code, I can't think of a time I ever thought about GPG-signing my notice to them.

It's not authenticity that matters here, it's confidentiality.

Basically nobody cares. Vulnerability researchers don't use GPG either.
Yes: I think Signal is drastically better for reporting security vulnerabilities than email. I think if you're actually worried about operational security for accepting vulnerability reports, using email is practically malpractice. The fact is, most security teams, even the very large ones, are not especially concerned about operational security for inbound vulnerability reports.
From a security point of view, absolutely. But there are logistical problems. Currently, a signal account has to be tied to a cell phone number. How does that work when you want it sent to a team instead of an individual? There isn't a sanctioned API, so it is difficult (and unsupported) to set up an integration with bug tracking software. Not to mention that the reporter may not have Signal set up yet.
Most reporters don't have PGP set up, either --- far fewer than have Signal set up. But this is all kind of a moot point: the industry norm is to use plaintext email, and to make ad hoc arrangements (including voice calls) for the very rare cases where things are too scary to email.
Honestly these seem like pretty minor issues compared to the task of properly managing a GPG install.

How do you manage the keys? If you've shared them with a team, how do you ensure someone hasn't taken a copy? What if the key is lost? What if someone ends up replying to the thread without doing the encryption song and dance? It's just such a pain. I'd rather copy and paste something out of Signal and into my bug tracker a thousand times than have to deal with all the footguns of email encrypted with GPG.

> The fact is, most security teams, even the very large ones, are not especially concerned about operational security for inbound vulnerability reports.

This never made sense to me, can anyone explain?

“A handful use iMessage”.

Right…

The fact they know no one who uses WhatsApp is a giveaway of their demography as well. In many countries "not having WhatsApp" equals "not participating in anything". In my country everything, from my insurance help desk to the coordination for a friend's birthday gift, happens on WA.

Despite my reluctance to use Meta projects, I read and write far, far more WA messages per day than emails.

I mean, only a handful of my friends use iMessage, but that's because I don't have that many friends.