Yes, I think you're right. An explanatory sentence would be nice. In the FAQ it says
"Mailvelope is a browser extension (in Firefox it is called an "Add-On", in Chrome an "Extension") and it expands the functionality of your web-browser. Mailvelope offers email encryption with PGP for the Firefox and Chrome browsers."
I really hate how product pages are made these days. You get four callouts - "Revolutionary Engagement!", "Insight at the Speed of Business!", "Continuous Introspection!", "Value Sharing Ethos!", with no explanation of what the damn thing is actually supposed to do.
This is such common thing nowadays, I'm not even sure how we got here. About 50% of the products (including open source projects) people pitch here have websites like this. I literally give up if I have to click more than twice to understand what a product is.
It's free for personal use, but there's also some paid tiers. As far I can tell it looks like the only thing Mailvelope does that is outside of the extension/your-local-machine is host their own key server: https://www.mailvelope.com/en/faq#key_server
Unless there's something also it does that I'm missing?
Looks like this is a PGP addon for existing email web interfaces. In case anyone is considering using this, they should first think about the strong recommendation to not use encrypted email https://latacora.micro.blog/2020/02/19/stop-using-encrypted....
I understand that PGP might not be the way to go. I understand that metadata might leak. I understand that every cypher will be broken, eventually.
But what's wrong with trying to send a an e-mail with contents you want no other party than the recipient to read, again, provided the recipient doesn't share it with other people.
For the record, I don't send encrypted mail. UX for these is generally terrible, hard to verify sigs, etc. I am genuinely asking what part am I missing. Is there a fundamental reason that encrypted e-mail cannot work with current e-mail protocols? (but replacing PGP if needed)
I think that there is nothing wrong with trying to do it. The argument is that we shouldn't have expectations that things sent through email can be truly secure and that doing any encryption with email should be thought of as a hobby. If you need real security, use something else.
All valid concerns, but where is the tool that fixes all of them, while keeping the decentral organization that email allows?
I recently noticed that some of our federal offices allow to use pgp when communicafing with them. I still think it is an improvement over exchanging unencrypted email with them.
Good question. There isn't really a great answer right now.
Matrix supports e2ee. Though I believe the only existing implementation is Riot-IM (which actually planned on stabilizing e2ee and making it default today, Apr. 16 https://github.com/vector-im/riot-web/issues/6779).
Also the MLS protocol (https://messaginglayersecurity.rocks/) will likely support federation once it's published, although it'll be a long while before people start implementing and federating it.
If you’d like to see how this is setup or how it’s used, Posteo (posteo.de) has detailed instructions to use this extension with its web interface. [1]
Me too. For a site this nicely designed, it would be good to dispel that misconception early and repeatedly. It took me a while to realize it's digital, since envelopes... aren't.
I'm really surprised that Keybase hasn't pushed harder in this direction. From the beginning that's always felt like one of the most logical tools for them to build on top of their product.
Agreed. I was disappointed that they instead decided on a failed attempt to capitalize on a cryptocurrency via airdrops (ironically they attempted this a couple years after the hype)
They did recently add a "Crypto" tab, but it's totally opaque to me as a user as to how it works and why I would use it (aren't my messages within Keybase already signed and encrypted? should I be concerned they aren't?).
I agree that they probably should just lean into PGP as at least it would make sense for folks who know what it is.
Yup. Building a email-plugin that uses Keybase for key-discovery has been on my ideas list for years now, but I never got around to it. Maybe someone else will.
35 comments
[ 3.3 ms ] story [ 86.4 ms ] threadI was looking for something like: “Mailvelope is blah blah blah...”
Seems like a browser extension for PGP encryption.
"Mailvelope is a browser extension (in Firefox it is called an "Add-On", in Chrome an "Extension") and it expands the functionality of your web-browser. Mailvelope offers email encryption with PGP for the Firefox and Chrome browsers."
which is quite different from what I'd expected!
https://www.mailvelope.com/en/help
It's free for personal use, but there's also some paid tiers. As far I can tell it looks like the only thing Mailvelope does that is outside of the extension/your-local-machine is host their own key server: https://www.mailvelope.com/en/faq#key_server
Unless there's something also it does that I'm missing?
FYI, it's open source: https://github.com/mailvelope/mailvelope
Seems pretty clear to me
I understand that PGP might not be the way to go. I understand that metadata might leak. I understand that every cypher will be broken, eventually.
But what's wrong with trying to send a an e-mail with contents you want no other party than the recipient to read, again, provided the recipient doesn't share it with other people.
For the record, I don't send encrypted mail. UX for these is generally terrible, hard to verify sigs, etc. I am genuinely asking what part am I missing. Is there a fundamental reason that encrypted e-mail cannot work with current e-mail protocols? (but replacing PGP if needed)
I recently noticed that some of our federal offices allow to use pgp when communicafing with them. I still think it is an improvement over exchanging unencrypted email with them.
Matrix supports e2ee. Though I believe the only existing implementation is Riot-IM (which actually planned on stabilizing e2ee and making it default today, Apr. 16 https://github.com/vector-im/riot-web/issues/6779).
Also the MLS protocol (https://messaginglayersecurity.rocks/) will likely support federation once it's published, although it'll be a long while before people start implementing and federating it.
It's been posted on HN before: https://news.ycombinator.com/item?id=8257148 (this link is from 6 years ago)
My guess it's a response to this HN discussion from earlier today: https://news.ycombinator.com/item?id=22888488
[1]: https://posteo.de/en/help/how-do-i-set-up-end-to-end-encrypt...
Some support:
* https://enigmail.net/index.php/en/
* https://www.openkeychain.org
I agree that they probably should just lean into PGP as at least it would make sense for folks who know what it is.
https://github.com/captn3m0/ideas#email-on-top-of-keybase