Re: [Cryptography] Avoiding PGP

People bag hard on the way private mail plugins work.

The problem isn't that the programmers aren't able to make the plugins
behave the way they should; the problem is that a thousand people who
assume with no evidence or consideration whatsoever that they know
exactly how the plugins "should" behave - that of course they are right
and everybody else is wrong - have never even considered what the hell
their assumptions even MEAN in terms of security.

You don't get privacy in a building if you don't allow builders to
install doors that close.  You don't get security if you don't let them
put locks on some of the doors, and then actually lock them sometimes.
And they're not locked if nobody has to do anything out of the ordinary
to get them open.

I'd be perfectly happy if there were never any confusion of encrypted
mail with unencrypted mail - in fact I'd prefer to be using entirely
different applications for private and non-private communications, and
rest assured that the mail program not designed for security or privacy
simply had no access whatsoever to addresses or contacts or header
information pertaining to messages other than the plain-vanilla SMTP
stuff it knows how to handle.

Failing that?  I don't want something to decrypt just because somebody
using my machine looks at it.  Not unless whoever is sitting behind the
keyboard can actually unpack the key for that message, at any rate.  I
don't want a message received encrypted to be stored in plaintext. I
don't want any part of it to ever be quoted in plaintext in another

If I delete a key, it means that I *INTEND* for messages stored
encrypted to that key to become unreadable.  If they fail to become
unreadable, or if there is any way they can be "recovered", then the
application has done the wrong thing.

Nothing that can be configured to run an executable attachment, or which
loads assets over the network when someone reads messages (like graphics
in "html mail"), or which by default launches a browser for clickable
URLs, should also be handling messages, addresses, or keys intended to
remain private.

This is sort of like saying you don't run around naked in public if you
don't want naked pictures of yourself published.  Pretty straightforward.

But it's the first thing people point at when they say they want the
plugins to be "Better."  Thing is, they don't mean "Better" in the same
way I do.  Mostly they want what I would call "Worse."

The cryptography mailing list
cryptography AT metzdowd.com