Those people shouldn't be, and thankfully aren't, using PGP. Nobody is suppressing this report on phishing attacks against Signal users; it's just not as big a deal as what's wrong with PGP.

▲

bgwalter 3 days ago | parent [-]

Accidentally replying in plaintext is a user error, scanning a QR code is a user error.

Yet one system is declared secure (Signal), the other is declared insecure. Despite the fact that the QR code issue happened in a war zone, whereas I have not heard of a similar PGP fail in the real world.

▲

tptacek 3 days ago | parent [-]

First of all, accidentally replying in plaintext is hardly the only problem with PGP, just the most obvious one. Secondly, it's not user error: modern messaging cryptography is designed not to allow it to happen.

▲

bgwalter 3 days ago | parent [-]

Modern cryptography should also not allow users to activate a sketchy linked device feature by scanning a QR code:

"Because linking an additional device typically requires scanning a quick-response (QR) code, threat actors have resorted to crafting malicious QR codes that, when scanned, will link a victim's account to an actor-controlled Signal instance."

This is a complete failure of the cryptosystem, worse than the issue of responding in plaintext. You can at least design an email client that simply refuses to send plaintext messages because PGP is modular.

	▲	tptacek 3 days ago \| parent [-]
		I'm comfortable with what this thread says about our respective arguments. Thanks!