On 01/16/2015 11:11 AM, Seth wrote:
On Fri, 16 Jan 2015 01:48:02 -0800, odinn <odinn.cyberguerrilla@riseup.net> wrote:
And now here's the kicker: This two-person team which they are trying to get funded, IS NOT FUNDED!
Take a look here:
Again:
NOT. FUNDED.
This line of argument seems to imply that throwing money at GnuPG will somehow fix its well-known usability issues. http://secushare.org/PGP
OK, I'll bite :) | 1. Downgrade Attack: The risk of using it wrong. ... | The mere existence of an e-mail address in the process is a problem. ... | 2. The OpenPGP Format: You might as well run around the city naked. ... | 3. Transaction Data: Mallory knows who you are talking to. Well, correspondents ought to: 1) always use pseudonyms if they care about attribution; 2) avoid meaningful subject lines; and 3) use VPNs, JonDonym and Tor to obscure network connectivity. Given that, why care that adversaries see OpenPGP? | 4. No Forward Secrecy: It makes sense to collect it all. So what? Just secure your shit properly! | 5. Cryptogeddon: Time to upgrade cryptography itself? Smart folk who care about attribution never put anything online that links their pseudonyms to their real names. Just sayin'. And they rotate their pseudonyms periodically. So stored messages go stale within a year or two, tops. | 6. Federation: Get off the inter-server super-highway. That's prudent for stuff that matters. But OpenPGP is still good within the transport layers. | 7. Discovery: A Web of Trust you can't trust. I've never used WoT, and tend to agree. WoT is especially impractical because I don't at all mix meatspace and online activity. I am starting to like Keybase, however. I don't worry very much about sharing publicly who my conversation partners are. I always use pseudonyms, and so do many of my conversation partners. Sometimes we all use multiple pseudonyms, just for fun :) | 8. PGP conflates non-repudiation and authentication. Again, use those pseudonyms! | 9. Statistical Analysis: Guessing on the size of messages. Having my pseudonyms profiled doesn't worry me greatly. | 10. Workflow: Group messaging with PGP is impractical. Why bother? Just set up a Tor hidden-service forum, or whatever. | 11. Complexity: Storing a draft in clear text on the server I use both IMAP and POP, and I've never seen plaintext drafts stored on the server. I believe that Enigmail's "convenient encryption settings" (in particular "auto send encrypted") prevent this, as long as you have the public key of the person whom you're drafting a message to. It's also prudent to switch to manual mode, and to set "confirm before sending" to "Always". | 12. Overhead: DNS and X.509 require so much work. Who's enslaved? One uses whatever tools are appropriate. | 13. Targeted attacks against PGP key ids are possible This is an advantage of Keybase. Then we're not depending on the KeyID, or even on the fingerprint, but rather on an identity that's multiply and independently authenticated. | 14. TL;DR: I don't care. I've got nothing to hide. I hide in many ways, and don't depend on message encryption ;) My "preferences, habits and political views" are fragmented among multiple unlinked personas. How to do that is one of my key soapbox topics ;) | 15. The Bootstrap Fallacy: But my friends already have e-mail! Again, it's a tool. But of course it's not the only tool.