Ask HN: Why are we still not encrypting email?

13 points by luxpir ↗ HN
Was it enough for the webmail providers to claim outrage and encrypt internally then act as if we're all safe now, if only we use their service?

If they cared about privacy they'd be helping users to encrypt all email to any recipient.

If we cared about privacy we'd be helping the world to encrypt simply, via an open protocol that was actually usable. The EFF's efforts to push GPG/PGP are falling on deaf ears.

Would it be possible to change the protocols themselves to force TLS and potentially inline GPG functionality?

Let's keep talking and thinking about this. It's quite important, no?

17 comments

[ 13.2 ms ] story [ 94.0 ms ] thread
I think the webmail (gmail / msn / yahoo) made email encryption so much harder than it was when everyone used their own email clients. You need to install an extension which will talk to your gpg and pray that formatting / line wrapping doesn't break the content. It's even harder with signing only. (encryption will at least result in consistent/short lines) Even in outlook you can simply import your pkcs12 and click sign/encrypt and it's done.

On the other hand, keybase did something nobody else managed before. A number of my friends who never used encryption before actually have their own gpg keys. They may not be using them yet, but the keys are there (and probably in their system keychains) - that's a great first step.

What I think would really push things forwards at this point is an official google extension for chrome/ff/ie which allows gmail to talk to local gpg for signature/encryption. No messing around with textboxes - have it interact with the content as gmail sees it. Of course it would have to be opensource so people can verify it doesn't change the contents... And it should never touch the actual keys.

Simply put, folks are lazy and do NOT care.

When 1/2 of your life is already on Facebook, email privacy doesn't seem like such a big deal.

Lastly, encrypt simply and GPG/PGP can not be used in the same sentence. If we want encryption to be universal, it need to be built into the system from the ground up, and transparent for the end user.

If I want to be "secure" email isn't really a system I'm going to be using any way. Maybe as a delivery mechanism for a already encrypted file, and even then that use case is marginal.

Forcing TLS makes almost no difference as the mail is unencrypted at rest. It's also totally impossible to have private mail on a webmail service, since in order to operate it provides you with the mail, the keys, and the code that handles it.

PGP usability is poor, but S/MIME also exists (and is nicer in some respects) and hardly anyone uses that either. The real problem is key distribution. keybase.io have improved this slightly but not much.

Most people also prioritise ease of use and ability to read their mail in varied situations over mail privacy.

Lots of corporate outlook/exchange deployments use S/MIME. Unfortunately users are not aware of that.

Also S/MIME is included in gpg (gpgsm specifically), but barely anyone knows about that :(

I use GPG/PGP sometimes and Telegram-Messenger often and cut all connections (Facebook, private Gmail, Whatsapp).

It seems that this is very unpopular because many ppl just don't care about "this NSA crap" and think of me like "tinfoil hat" when I tell them something about security.

I really would like to teach some lessons so they know what this is all about but therefore you have to break the law in germany... They are going on being lazy and just use "what everyone does", I'm disappointed by humanity sometimes.

Perhaps I've misunderstood, but are you saying it's against the law to teach people about encryption in Germany? If so, what law is that?

My understanding was that "with its strict privacy laws, Germany is the refuge of choice for those hounded by the security services." http://www.theguardian.com/world/2014/nov/09/berlins-digital...

I think they were talking about a demonstration of "why they should care".

e.g.: perform a MITM attack on someone to show them why they should care

Doing so breaks the law in many places, I imagine Germany included.

Exactly! PPL don't care for encryption before I hack their WA/FB communications or show them the content of their "personal documents" folder... This makes an approach to teach them such important stuff much more difficult because it's rather theoretical.

A real attacker wouldn't demonstrate that but just use the material he gains to make money in any way or destroy the lives/careers of the people.

The law is called "Hackerparagraph" (https://de.wikipedia.org/wiki/Vorbereiten_des_Ausspähens_und...)

I'm working on a project/business that makes it easier to give your users an easy way to contact you using PGP-encrypted email/messages.

If you like, send me an email, and I'll keep you updated. A launch is imminent.

Why is GPG/PGP still a pain in the ass to use? Perhaps not for people reading on HN, but my grandma doesn't even know what "encryption" means, much less how to use it. If you want to increase it's reach, you have to make it easy and on by default in a way that doesn't interfere with normal users (much like how a lot of websites are redirecting to HTTPS, now: it just works and the user doesn't have to do anything).
I also think that the problem has always been key distribution and trust. Explaining such things to the average person is a fun exercise in frustration and sounds to that person like way too much effort. Classic PGP "Web of Trust" really is a lot of work, and while the Certificate Authority system is easier to explain, no one wants to pay an annual subscription to some CA to send secure emails... and then how are you going to distribute those CA signed certificates?

I really hope that with the big funding push, maybe Keybase.io helps circle this square and simplifies key distribution and trust enough that more average users will feel it to approachable. I'm not sure that they can, though.

I work for Virtru (https://www.virtru.com) and we aim to make sending encrypted email from your existing email address as simple as possible. For example, send encrypted email to any recipient (even if they do not use Virtru) directly from your existing Gmail account in Chrome.

There have been a lot of competitors entering this space in the last few years, but getting people to change their behavior is incredibly difficult. Businesses which have a regulatory or compliance reason to use encrypted email are looking for products and solutions, but I have not seen the individual customer make a large effort to change their email habits.

I'd love to hear any feedback you might have if you give Virtru a try!

This is similar to : why don't companies better protect their applications? Comes down to primarily laziness.
Public crypto should be a core service provided by the OS. Applications should be able to use that core service without having direct access to the keys. The OS on each of your devices should handle synchronising your keys between themselves, and should provide a simple facility for key material backups.

If we had this, I'm sure a lot more applications would have support for things like PGP. Because all they would need to do is interface with an API provided by the OS. If I had a tonne of money, I'd quit my job, hire a bunch of developers and work on this full time.

Can we get this guy a tonne of money, please?

Seriously. That's actually a new concept to me and makes a lot of sense. Would people trust an Apple/MS implementation fully? I'm not convinced, but something cross-platform that handles all the heavy lifting per machine-account would make a massive difference.

It might not solve the issue of webmail encryption on its own though, which would seem to require either a culture shift or an enforced upgrade.

I stumbled over an interesting cross-platform approach that even has been audited: https://whiteout.io

What do you think about it?