ameliaquining 18 hours ago

https://www.latacora.com/blog/2019/07/16/the-pgp-problem/#th... lists a bunch of them.

p2detar 17 hours ago | parent [-]

> Encrypting email

> Don't.

https://www.latacora.com/blog/2019/07/16/the-pgp-problem/#en...

I’m not sure I completely agree here. For private use, this seems fine. However, this isn’t how email encryption is typically implemented in an enterprise environment. It’s usually handled at the mail gateway rather than on a per-user basis. Enterprises also ensure that the receiving side supports email encryption as well.

edit: formatting

jcranmer 16 hours ago | parent | next [-]

There's like one or two use cases where encrypting email could work. The best case I've come across--Bugzilla has the ability to let the user upload a public key to encrypt emails for updates to non-public bugs. It's not a big use case--pretty much the intersection of "must use email" and "can establish identity out of band," which does not describe most communication that uses email. (As tptacek notes in a sibling comment, you pretty much have to limit this to one-and-done stuff too, not anything that's going to be in an ongoing discussion, because leaks via unencrypted replies are basically guaranteed).

tptacek 17 hours ago | parent | prev | next [-]

Your mail either needs to be encrypted reliably against real adversaries or it doesn't. A private emailing circle doesn't change that. If the idea here is, a private group of friends can just agree never to put anything in their subjects, or to accidentally send unencrypted replies, I'll just say I ran just such a private circle at Matasano, where we used encrypted mail to communicate about security assessment projects, and unencrypted replies happened.

p2detar 2 hours ago | parent [-]

> Your mail either needs to be encrypted reliably against real adversaries or it doesn't.

It is, GPG takes care of that.

> If the idea here is, a private group of friends can just agree never to put anything in their subjects, or to accidentally send unencrypted replies

That’s not what I’m talking about. It’s an enterprise - you cannot send non-encrypted emails from your work mail account, the gateway takes care of it. It has many rules, including such based on the sender and recipient.

Surely, someone can print the mail and carry it out of the company’s premises, but at this point it’s intentional and the cat’s already out of the bag.

kuschku 6 hours ago | parent | prev [-]

Even my doctor's office and local government agencies support PGP encrypted emails, and refuse to send personal data via unencrypted email, but tech nerds still claim no one can use it?

LtWorf 3 minutes ago | parent | next [-]

In general the userbase here is startuppers, they hate distributed solutions and love centralisation.

johnisgood 5 hours ago | parent | prev [-]

s/tech nerds/Arm-chair self-proclaimed cryptographers here on HN/