Ask HN: Why are we still not encrypting email?
Was it enough for the webmail providers to claim outrage and encrypt internally then act as if we're all safe now, if only we use their service?
If they cared about privacy they'd be helping users to encrypt all email to any recipient.
If we cared about privacy we'd be helping the world to encrypt simply, via an open protocol that was actually usable. The EFF's efforts to push GPG/PGP are falling on deaf ears.
Would it be possible to change the protocols themselves to force TLS and potentially inline GPG functionality?
Let's keep talking and thinking about this. It's quite important, no?
17 comments
[ 13.2 ms ] story [ 94.0 ms ] threadOn the other hand, keybase did something nobody else managed before. A number of my friends who never used encryption before actually have their own gpg keys. They may not be using them yet, but the keys are there (and probably in their system keychains) - that's a great first step.
What I think would really push things forwards at this point is an official google extension for chrome/ff/ie which allows gmail to talk to local gpg for signature/encryption. No messing around with textboxes - have it interact with the content as gmail sees it. Of course it would have to be opensource so people can verify it doesn't change the contents... And it should never touch the actual keys.
When 1/2 of your life is already on Facebook, email privacy doesn't seem like such a big deal.
Lastly, encrypt simply and GPG/PGP can not be used in the same sentence. If we want encryption to be universal, it need to be built into the system from the ground up, and transparent for the end user.
If I want to be "secure" email isn't really a system I'm going to be using any way. Maybe as a delivery mechanism for a already encrypted file, and even then that use case is marginal.
PGP usability is poor, but S/MIME also exists (and is nicer in some respects) and hardly anyone uses that either. The real problem is key distribution. keybase.io have improved this slightly but not much.
Most people also prioritise ease of use and ability to read their mail in varied situations over mail privacy.
Also S/MIME is included in gpg (gpgsm specifically), but barely anyone knows about that :(
It seems that this is very unpopular because many ppl just don't care about "this NSA crap" and think of me like "tinfoil hat" when I tell them something about security.
I really would like to teach some lessons so they know what this is all about but therefore you have to break the law in germany... They are going on being lazy and just use "what everyone does", I'm disappointed by humanity sometimes.
My understanding was that "with its strict privacy laws, Germany is the refuge of choice for those hounded by the security services." http://www.theguardian.com/world/2014/nov/09/berlins-digital...
e.g.: perform a MITM attack on someone to show them why they should care
Doing so breaks the law in many places, I imagine Germany included.
A real attacker wouldn't demonstrate that but just use the material he gains to make money in any way or destroy the lives/careers of the people.
The law is called "Hackerparagraph" (https://de.wikipedia.org/wiki/Vorbereiten_des_Ausspähens_und...)
If you like, send me an email, and I'll keep you updated. A launch is imminent.
I really hope that with the big funding push, maybe Keybase.io helps circle this square and simplifies key distribution and trust enough that more average users will feel it to approachable. I'm not sure that they can, though.
There have been a lot of competitors entering this space in the last few years, but getting people to change their behavior is incredibly difficult. Businesses which have a regulatory or compliance reason to use encrypted email are looking for products and solutions, but I have not seen the individual customer make a large effort to change their email habits.
I'd love to hear any feedback you might have if you give Virtru a try!
https://www.mailvelope.com/en/blog/gmx-and-web-de-launch-pgp
If we had this, I'm sure a lot more applications would have support for things like PGP. Because all they would need to do is interface with an API provided by the OS. If I had a tonne of money, I'd quit my job, hire a bunch of developers and work on this full time.
Seriously. That's actually a new concept to me and makes a lot of sense. Would people trust an Apple/MS implementation fully? I'm not convinced, but something cross-platform that handles all the heavy lifting per machine-account would make a massive difference.
It might not solve the issue of webmail encryption on its own though, which would seem to require either a culture shift or an enforced upgrade.
What do you think about it?