Re: [Cryptography] Avoiding PGP

On 2018-03-16 19:11, Alexander Klimov via cryptography wrote:

> We were talking about email. If you want IM, simply teach the grandma
> to start Pidgin and initiate OTR for her. Again a two-minute task
> which is absolutely negligible compared to the rest of the teaching.

OTR + XMPP is, from a usability perspective, a raging dumpster fire. XMPP has piss-poor support for people changing devices during a conversation, and OTR even less so.

And even under "perfect" circumstances I have repeatedly experienced OTR refusing to initiate or stubbornly sticking to an older session, generating useless "you received a message for a different session" errors in the process.

Whoever designed and/or implemented that bloody mess deserves the same circle of hell as the Microsoft developers who designed the numbered-paragraph bits in Word.

And don't get me started about the state of play with GPG. A long time ago in a galaxy far away (well, ok, in 1993) I wrote a quasi-GUI for PGP to make it bearable (it was called PGP-Front). Fast forward to 2018 and most of the tooling around GPG has only gotten marginally better. Enigmail manages to give you the impression that you have sent encrypted mail when it is actually cleartext. Key management is still an incredible pain in the behind.

Also, in the real world people want to look at their mail from multiple devices. Which is not a terribly good fit with GPG right now. To put it very, very mildly. I have to ask people to resend their encrypted mails in cleartext on an almost weekly basis if it is urgent.

Encryption that causes people to resort to plaintext just isn't teaching good security habits. Both GPG and OTR fall in that category.
