Christian Pietsch on Mon, 19 Dec 2016 17:56:03 +0100 (CET)

Re: <nettime> Ars Technica > Valsorda > I'm throwing in the towel on

Dear Nettimers,

On Sat, Dec 17, 2016 at 04:05:46AM -0100, nettimes_weakest_link wrote:

> < >

I like this rebuttal by Bjarni Rúnar, reproduced below:

Bjarni mentions PEP (Pretty Easy Privacy or pEp or p≡p). If you think
PGP is too complicated, try p≡p for Outlook which makes PGP usable. If
you do not want to use Outlook, wait until p≡p for Thunderbird or p≡p
for K9 Mail is ready. If you think PGP is not enough because it only
encrypts content but not metadata, wait for p≡p 2.0 which will be able
to use GNUnet as a transport layer. Those who attend 33C3 can meet p≡p:

Regarding instant messengers, Signal is not the worst choice you can
make, but I would not recommend it. As one security expert put it, it
is time to “let Signal die in peace” <>
because it leaks metadata to Google by requiring the Google Cloud
Messaging API, it no longer allows people to run their own Signal
servers, and user identities are linked to phone numbers. Signal did
pioneer an excellent chat encryption protocol known as Axolotl, but
this is now becoming available in Jabber clients (e.g. Conversations,
and soon ChatSecure) under the name OMEMO, so Jabber/XMPP is the chat
technology of choice if you value your privacy or if you want to avoid
vendor lock-in.

But now it is time for Bjarni's rebuttal:


Too Cool for PGP

Posted by Bjarni Rúnar on December 12, 2016

Some kids are just too cool for school.

And some security experts are too cool for OpenPGP.

It's almost become a rite of passage for security folks: work in the
trenches, build a reputation, climb the ivory tower, write a detailed
epiphany about why you've given up on PGP. Suggest we all buy an
iPhone and use Signal, start giving people phone numbers instead of
e-mail addresses...

Wait, what?

Please take a moment to go ask any young woman if she thinks giving
random strangers her phone number will improve her security. I'll


Of course, the experts are right about many things. OpenPGP is old and
more recent tools with more modern designs have a lot going for them.
But I still think they're mostly wrong.

The experts, by and large, have yet to offer any credible replacements
for PGP. And when they suggest abandoning PGP, what they're really
saying is we should give up on secure e-mail and just use something
else. That doesn't fly. Many people have to use e-mail. E-mail is
everywhere. Not improving the security of e-mail and instead expecting
people to just use other tools (or go without), is the security elite
proclaiming from their ivory tower: "Let them eat cake!"

Furthermore, if that "something else" also requires people use their
phone number for everything... well, that's the messaging world's
equivalent of the widely despised Facebook Real Name Policy. If you
ever needed a clear example of why the lack of diversity (and empathy)
in tech is a problem, there it is!

Compartmentalization, presenting different identities in different
contexts, is a fundamental, necessary part of human behaviour. It's
one of the basics. If you think taking that away and offering fancy
crypto, forward secrecy, deniability instead is a win... well, I think
your threat models need some work! You have failed and people will
just keep on using insecure e-mail for their accounting, their work,
their hobbies, their doctor visits and their interaction with local
government. Because people know their needs better than you do.

But I digress.

The ridiculous phone number thing aside, I also take issue with the
fact that when our opinionated experts do suggest replacements, the
things they recommend are proprietary, centralized and controlled by
for-profit companies. Some of them (mostly the underdogs) may be open
source, but even the best of those use a centralized design and are
hostile to federation. In pursuit of security and convenience (and,
let's be honest, control, power and money), openness has been hung out
to dry.

This is short-sighted at best.

These cool new apps may be secure today. But what about tomorrow? Odds
are, they will be compromised by government mandate, blocked or shut
down. Or just dead because messaging is a cut-throat business and the
money runs out. Anyone remember ICQ? MSN? GChat? Sprinkling these new
messaging apps in security pixie dust doesn't make them qualified to
replace e-mail.

But what if I'm wrong? What if one of these businesses succeeds,
e-mail dies and all our comms become dependent on proprietary
protocols mediated by for-profit monopolies? Is that a problem?

Here, let me google that for you.

I really hope it doesn't happen.

Please, if you are at risk, if you have powerful adversaries, follow
the advice of the cool kids. The experts are absolutely right when
they say PGP is too confusing and messy today for most people to use
safely. It takes training, practice and diligence.

So sure, get an iPhone if you can afford it. Use Signal or iMessage.
Use Tor, carefully. For e-mail, create as many GMail accounts as you
need to blend in with the crowd and not draw attention to yourself;
their security team is the best in the world, let them protect you!
Enable two-factor auth, use HTTPS.

But most importantly, if you can avoid digitizing incriminating
information, do that. Rubber hose cryptanalysis is real and it's much
easier to avoid creating data in the first place, than it is to keep
it secure after the fact.

Mental Models and Deniability

A rule of thumb for creating usable software, is don't make me think.

What this means in practice, is software should match the mental
models of its users as closely as possible. If it doesn't, users will
inevitably make mistakes. If your tool is a security tool, those
mistakes may compromise their security.

PGP in e-mail has failed this on many fronts. The lack of protection
for message headers (the subject line) is one, as is pretty much
anything to do with encryption keys (too much math). But it's not all
bad! OpenPGP gets other things right, and actually corrects some of
the things insecure e-mail gets wrong.

One of the most vexing things about e-mail, is people actually think
e-mail is already secure. They just assume e-mail is like regular
mail, in an opaque envelope that will prevent tampering and keep
postal workers from reading it. Encryption and signatures bring e-mail
closer to user expectations, which means if we can get it working
smoothly, users won't have to think as much to make good security

One thing people don't expect from e-mail, is deniability. Deniability
means after a message has been delivered, it can no longer be strongly
linked to the sender. It's like an anti-signature... which most sane
people would consider a horrible misfeature in any communication
system. Explicitly designing a system so people can disavow their
statements and go back on their word? What is this, a system for

And yet, all the cool kids in the security world seem to want exactly
that. They keep bringing up the lack of deniability (and forward
secrecy) in PGP as if it were some sort of fatal flaw.

Why? Are security people all assholes? I don't think that's it.

I think they're quite enamoured with the elegant math, and really,
really pissed off with certain Three Letter Agencies. There is good
reason to believe major governments plan to, or already have been
recording all our encrypted communications in the hope of being able
to decrypt them later. Forward secrecy (deniability's more attractive
twin sister) prevents that sort of thing. But OpenPGP doesn't need to
provide forward secrecy to thwart mass surveillance. If we just use
TLS (with the right ciphers) for SMTP, IMAP and web-mail then that
does the job just fine.

So I agree forward secrecy in transit is a good thing. Let's do that!

Let's put our mail in secure envelopes, and let's also drive it from
place to place in nice, secure vehicles. Users don't expect the cops
to routinely stop the mailman and photocopy all the mail, so let's
make sure that doesn't happen to e-mail either. Let the mental models
be our guide.

But we don't need or want deniability. Deniability for individual
messages is, quite simply, a horrible misfeature to be avoided. People
already assume e-mail is on the record; trying to change that means
going against their mental models and setting them up for failure in
new and exciting ways. The fact that OpenPGP wasn't designed to
empower assholes is a feature, not a bug.

(Yes, there are other arguments for forward secrecy and deniability.
They are in my oh-so-humble opinion, mostly bunk. And this post is
already too long...)

Making Progress

Anyway, like it or not, e-mail is important.

E-mail is the most successful open messaging standard we've got and
OpenPGP is the best tech we have to secure our mail. OpenPGP may be
dated and a bit clunky, but it's a hell of a lot better than nothing.

Folks like myself, implementors who are not cryptographers, have long
been admonished to not invent our own crypto. Over and over again, we
are told to use tried and tested solutions. OpenPGP is that. It may
have baggage, it may not be perfect, but it is mature and it solves
certain problems. Most of the flaws can be avoided and worked around.
If the security community really wants us to use something else,
you're going to have to step up and provide something a bit more
tangible than rants on the Internet.

OpenPGP is also not standing still; OpenPGP is still developing. The
community is well aware that the technology is flawed and needs work.
An update to the standard is in the works and there are multiple
projects working on improving both the security and usability side of

Mailpile is one such project, but we're in good company: PEP, LEAP,
OpenKeychain for Android, Mailvelope, and more. Even Google and Yahoo
are developing solutions based on OpenPGP. There's actually quite a
lot going on!

As an industry, we should be supporting these efforts, not writing and
promoting self indulgent posts on how we've given up and moved on.

Oh, and stay in school kids! It's worth it!


Christian Pietsch · job: Bielefeld University
volunteering for and

#  distributed via <nettime>: no commercial use without permission
#  <nettime>  is a moderated mailing list for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info:
#  archive: contact:
#  @nettime_bot tweets mail w/ sender unless #ANON is in Subject: