
That's exactly the point. Take a step back and think about what you just said. It's true: most people don't care about crypto. But here are two other true statements:

* In modern messaging protocols, they don't have to care about encryption. The protocols are designed to reliably encrypt messages without user intervention, and security isn't "opt-in".

* The people who most need encryption are not the ones who are most aware of the need. In fact, the Venn diagram of "need" and "want" for crypto has very little overlap.



> In modern messaging protocols, they don't have to care about encryption. The protocols are designed to reliably encrypt messages without user intervention, and security isn't "opt-in".

Sounds good. Doesn't sound worth giving up decentralisation for. Doesn't even seem like something we'd need to give up OpenPGP to get - if client design were equal (and it isn't at the moment, but I see no reason it can't be) I'd far rather have that client experience but with the more established/tested protocol.

> The people who most need encryption are not the ones who are most aware of the need. In fact, the Venn diagram of "need" and "want" for crypto has very little overlap.

I think that's even more true for decentralization than it is for encryption.


What's the benefit of decentralization? Not being snarky, I just don't really see it. What does a decentralized PGP email have that I don't have with my Signal Messenger?

Also, given how PGP works I fail to see how you can claim that you can achieve comparable client design/ease of use/UX to Signal.

At the very least it appears evident to me that the problem is much much harder than Signal (and it should be, Signal was designed from the ground up with UX in mind, and made several important trade offs for it).


> What's the benefit of decentralization? Not being snarky, I just don't really see it. What does a decentralized PGP email have that I don't have with my Signal Messenger?

It's a lot harder to block. You can have anyone run a mail server on any port (SSLed if necessary), which means you can use it for secure communications inside any "great firewall" (like that of China or Kazakhstan), or even in a country/region that's been cut off from the Internet (which we've seen happen for various amounts of time in Syria, Crimea, Turkey...). WhatsApp/Signal have a very limited version of this by getting makers of popular HTTPS services to work with them, but those services are subject to their own commercial pressures (all the big names have been known to collaborate with e.g. the Chinese authorities in the past) and attackers always have the option of just blocking those services outright.

It rules out a whole class of attacks involving compromising the central servers and tricking the client into redoing an initial exchange. If the Signal client is implemented correctly this shouldn't be an issue, but it's an extra attack surface that simply doesn't exist for OpenPGP.

Also compared to Signal et al it's more practical (though still difficult) to use pseudonymously, because a pseudonymous email address is easier than a pseudonymous phone number. Signal advocates talk about having deniability because your messages aren't provably signed by you, but I don't think that advantage exists in any reasonable threat model - if we're worried about a state adversary hunting down everyone who corresponded with dissident x, they'll find it easier to track down a phone number than an email address, and once they've tracked down one of x's correspondents (i.e. someone who has a phone with a number that exchanged messages with x) they're not going to be bothered by the fact that they don't have signed mathematical proof that this is the same person who corresponded with x.

> Signal was designed from the ground up with UX in mind, and made several important trade offs for it

Such as? At the protocol level I mean.
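
The "compromised central server re-runs the initial exchange" attack class mentioned above, together with the client-side check that closes it, as an added example. This is not code from the thread and not Signal's implementation: it is a simplified trust-on-first-use model in which the client pins the first identity key it sees for a peer, refuses to silently start a new session when the directory serves a different one, and gives both users an order-independent digest to compare out of band. The key bytes, `PreKeyBundle`, `Client` and `safety_number` are all constructed for the illustration.

```python
"""Trust-on-first-use pinning of a peer's long-term identity key.

Constructed example, not Signal's code: the client remembers the identity
key it first saw for each peer and, when the server later serves a bundle
carrying a different key, refuses to silently redo the initial exchange.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PreKeyBundle:
    peer: str
    identity_key: bytes  # long-term public key as handed out by the server


def safety_number(own_key: bytes, peer_key: bytes) -> str:
    """Digest both parties can compute and compare out of band (simplified
    stand-in for a real safety number; sorted so both sides get the same value)."""
    a, b = sorted((own_key, peer_key))
    return hashlib.sha256(a + b).hexdigest()[:20]


@dataclass
class Client:
    identity_key: bytes
    pinned: dict = field(default_factory=dict)  # peer -> identity key seen first

    def accept_bundle(self, bundle: PreKeyBundle) -> str:
        """'pinned' on first contact, 'ok' if the key is unchanged,
        'KEY_CHANGED' (and no new session) if the server presents a different key."""
        known = self.pinned.get(bundle.peer)
        if known is None:
            self.pinned[bundle.peer] = bundle.identity_key
            return "pinned"
        if known == bundle.identity_key:
            return "ok"
        # Never overwrite the pin automatically: a substituted identity key is
        # exactly what a compromised server would serve to insert itself.
        return "KEY_CHANGED"

    def verify_out_of_band(self, peer: str, number_read_to_you: str) -> bool:
        """Compare against the number the peer reads out over another channel."""
        return safety_number(self.identity_key, self.pinned[peer]) == number_read_to_you


def demo() -> tuple:
    # Constructed keys: real ones would be X25519 public keys.
    alice = Client(identity_key=bytes.fromhex("aa" * 32))
    bob_key = bytes.fromhex("bb" * 32)
    server_substituted = bytes.fromhex("ee" * 32)
    first = alice.accept_bundle(PreKeyBundle("bob", bob_key))
    again = alice.accept_bundle(PreKeyBundle("bob", bob_key))
    attack = alice.accept_bundle(PreKeyBundle("bob", server_substituted))
    # Bob computes the same number from his own key and the key he holds for Alice.
    bobs_number = safety_number(bob_key, alice.identity_key)
    return first, again, attack, alice.verify_out_of_band("bob", bobs_number)


if __name__ == "__main__":
    print(demo())
```

The point of the model is the third call: the substituted bundle produces a warning state rather than a fresh session, and the pin is left untouched so the out-of-band comparison still succeeds against the genuine key. A client that instead accepted the new bundle and re-keyed would be the "implemented incorrectly" case the comment refers to.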


https://whispersystems.org/blog/the-ecosystem-is-moving/

One of the explicit protocol level trade offs is federation:

> One of the controversial things we did with Signal early on was to build it as an unfederated service. Nothing about any of the protocols we've developed requires centralization; it's entirely possible to build a federated Signal Protocol based messenger, but I no longer believe that it is possible to build a competitive federated messenger at all.


The maintainer of the "Conversations" XMPP client wrote an interesting response to that article:

https://gultsch.de/objection.html


Thanks, I wasn't aware of this. Though to be honest, I am not exactly convinced. Calling HTML federated seems a real stretch. My browser doesn't have to talk to other browsers, just servers, and those can speak many languages. The network effects are really _very_ fundamentally different.

The reality is that, no matter how much I wanted xmpp (and google wave for that matter) to succeed, Signal (and if you are willing to trust the closed source client WhatsApp) are the only ones that did.

And that's even though XMPP preceded Signal by a decade. The argument that a good federated user experience is possible in principle starts to sound a lot like talk about "sufficiently smart compilers".

Let's grant it is true that we don't have sufficient resources to update a host of different clients to use all the extensions. So then it still seems that in a resource constrained environment federation is not feasible. Open Whisper Systems managed to get encryption on a billion devices with a team of three people. The idea that it only succeeded due to a resources advantage (rather than fundamentally different trade-offs) does not seem very plausible.


> And that's even though XMPP preceded Signal by a decade. The argument that a good federated user experience is possible in principle starts to sound a lot like talk about "sufficiently smart compilers".

For how much of that decade did we even see "a couple of full-time developers" applied to XMPP though? Let alone an actual UX designer.


Have you tried Conversations? You might want to give it a try. On the whole, the user experience is not significantly worse than Signal. With both sides using OMEMO encryption, privacy should be about the same.

Trade offs:

Onboarding is trivially more complex. You have to enter your JID and a password -- registration of a new JID adds one checkbox to that.

Contact discovery does not piggyback on phone numbers, so you will have to add JIDs to your address book if you want Conversations to pick them up.

Another new XMPP-based app, Zom (https://zom.im/) makes some of this easier by letting you automatically register on their hosted XMPP server, locking you into sane default settings, etc. Android app seems still a little buggy, though.


With all due respect, it's not exactly mind-blowing that to compete with some of the most successful businesses in the world you have to do things they can't. The author often likes to use catchy quotes, so let's go with the classic "It is difficult to get a man to understand something, when his salary depends on his not understanding it". They make their money selling licenses and consulting for centralized messaging services. It's not in the interest of either party to have disagreements on this issue.


Signal making choices for ease of evangelizing it doesn't condemn the entire idea any more than poor implementations of secure email means we should totally give up on it


Also, is it really true that a state actor could not effectively block email? Or for that matter all encrypted email? They are, after all, blocking web pages. It seems to me (as a lay man observer) that at the state actor level the Internet is relying on centralized resources already, maybe that's why decentralization seems intuitively less important to me. This is not to disagree with your points.


It's more that a private actor can exclude you from any network. Maybe WhatsApp blacklist you for "abuse". Maybe they're right. But even if you kill someone you're allowed to use the telephone network, and send or receive letters.

As long as the message silos aren't regulated as utilities, decentralised systems give us more of the freedoms.

It's pretty easy to run a separate dns system - you can even blend your own private "authorities" dns for new tlds with fall back to the centralised root servers.


That's a fair point actually. Does the fact that signal is open source and based on phone numbers change that though? Seems that as long as you have access to the phone network you have access to the signal network...


No, because the servers are still centralised and they can blacklist you at that level.


They can block any traffic in/out of their network. But e.g. it's possible to use email on a LAN (or a wireless mesh network) entirely disconnected from the Internet.


Hm?

if (/BEGIN PGP SIGNED MESSAGE/.test(message)) { greatFirewall.block(message); }


Sure, but that only catches messages that cross the wall. They could disconnect China from the Internet entirely, but email would still work within China.


> What's the benefit of decentralization?

No single point at which to apply judicial- and/or rubber-hose cryptography is the big one.

I do agree that the problem-space of attempting to make a reasonable UI for GPG has been explored for a long time with no useful results. I'd love someone to prove me wrong, but it seems like that's a hopeless endeavor.

It is worth asking why, though. I'm not a UI person, so apply appropriate weighting to my opinion. I think this is one area - application of the Unix philosophy to task-driven security software - results in software that only the really invested will use. A combination email encryption/key distribution system with most nonessential options stripped out, targeting one mail client (at least at first) might be simple enough to achieve something closer to Signal-level usability. And the rounding-errors can continue to use the full GPG for our weird open-source rituals.

But who knows. Maybe the entire model is just too complicated for mere mortals.


> the problem-space of attempting to make a reasonable UI for GPG has been explored for a long time with no useful results

Has it? Have we ever had even e.g. 2 reasonably skilled design professionals spend a year trying? That would, I suspect, be much less effort than has gone into Signal et al. But still beyond the resources of volunteer-only FOSS, unfortunately.


I don't think the real problem with OpenPGP is the UI issues. OpenKeychain and K9-Mail together provide a not terrible UI for OpenPGP, and if someone wanted to more tightly integrate them with each other, the UI could probably be improved further.

But PGP-over-SMTP would still leak important metadata, and you would still have problems with forward secrecy and key revocation.

Matrix looks like a much better decentralized solution to build a new email infrastructure on. But there are still metadata leakage issues with federation, and there need to be some standards and an example implementation for email-over-matrix.


> But PGP-over-SMTP would still leak important metadata, and you would still have problems with forward secrecy and key revocation.

I don't think a well-integrated PGP-over-SMTP client would leak any more metadata than the likes of Signal does? Build in a good subkey rotation config and you'd solve most of the forward secrecy issues, and good defaults for how to treat revocation (including better expiry defaults) would resolve that issue. No?


You would still leak unencrypted headers, which in SMTP are numerous and interesting. A client could minimize the useful content of the message headers, but you're always going to have at least the envelope headers available to every intermediate mail host.

I do not know enough to be sure about your point about forward secrecy. You may be right.
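
What "envelope headers available to every intermediate mail host" looks like in practice, as an added example that is not part of the thread. It parses a constructed RFC 3156 PGP/MIME message (the ciphertext is a placeholder, not a real OpenPGP packet) with Python's standard `email` package, reports what a relay learns without any key, and shows the one mitigation the sending client actually controls: blanking the Subject line. The sample message, the `TRANSPORT_HEADERS` set and the `"..."` placeholder convention are assumptions made for the illustration.

```python
"""Which parts of a PGP/MIME message an intermediate mail host can read.

Constructed example, not code from the thread: parses an RFC 3156
multipart/encrypted message (ciphertext is a placeholder) and reports the
cleartext headers every relay sees, then shows the one mitigation a client
controls, blanking the Subject line.
"""
from email import message_from_string, policy

# Constructed sample message as it would sit in a relay's queue.
RAW = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
        by relay.example.net with ESMTPS; Tue, 1 Jan 2019 10:00:00 +0000
From: alice@example.org
To: bob@example.net
Subject: Meeting about the leaked documents
Date: Tue, 1 Jan 2019 09:59:00 +0000
Message-ID: <a1b2c3@example.org>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
        boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

hQEMA...placeholder ciphertext, not a real OpenPGP packet...
-----END PGP MESSAGE-----

--b1--
"""

# Added by each hop; the sending client cannot remove them.
TRANSPORT_HEADERS = {"received", "return-path"}


def relay_view(raw: str) -> dict:
    """Summarise what a host in the SMTP path learns without any key."""
    msg = message_from_string(raw, policy=policy.default)
    names = [k.lower() for k, _ in msg.items()]
    return {
        "body_encrypted": msg.get_content_type() == "multipart/encrypted",
        "cleartext_headers": sorted(set(names)),
        "subject": str(msg["Subject"]),
        "from": str(msg["From"]),
        "to": str(msg["To"]),
        "hops": names.count("received"),
        "client_controlled": sorted(set(names) - TRANSPORT_HEADERS),
    }


def minimize_subject(raw: str, placeholder: str = "...") -> str:
    """Client-side mitigation: replace the Subject with a placeholder (the real
    one would have to travel inside the encrypted part). Assumed convention."""
    msg = message_from_string(raw, policy=policy.default)
    del msg["Subject"]
    msg["Subject"] = placeholder
    return msg.as_string()


if __name__ == "__main__":
    print(relay_view(RAW))
    print(relay_view(minimize_subject(RAW)))
```

Even after the Subject is blanked, `From`, `To`, `Date`, `Message-ID` and every `Received` line remain readable, and the Received trail grows by one hop per relay; that is the metadata the comment is talking about, and no client-side change to the body encryption touches it.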


Depends a bit what one considers integration:

https://en.m.wikipedia.org/wiki/Anonymous_remailer


> you're always going to have at least the envelope headers available to every intermediate mail host.

Sure, so any intermediate server would see who was talking to who. But that's the case with Signal et al as well isn't it?


”But that's the case with Signal et al as well isn’t it?”

No.

”Because your phone will be connecting to Signal’s servers, your cellular carrier can determine whether or not you are using the service. However, your carrier cannot gather any information about the individuals or groups with whom you are communicating.”

Source: https://github.com/WhisperSystems/Signal-iOS/wiki/FAQ#what-a...


Right, but Signal's servers see who you're communicating with, and they're the equivalent of the intermediate mail servers here.


Currently, yes.


>What's the benefit of decentralization?

Decentralization/Federalization + Standard Protocols. To really get the full potential, one needs both, since only then the network is truly free.

Nobody can tell you how to access the Network, what software to use, who you can communicate with, etc.

If you try using an unofficial WhatsApp client (eg. when you don't have your phone), they can delete your account, and you can't do anything against that. This is IMO just too much control the central server has over the client.


Harder to prevent access to, harder to wire-tap. As other people pointed out WhatsApp has been blocked in countries before. Not to mention that with WhatsApp having a central location all messages are routed through we really don't have any guarantee that there isn't a compromised actor in there intercepting everything. Even if WhatsApp's crypto is as flawless in implementation as we'd like FB still has access to all that metadata.


> Even if WhatsApp's crypto is as flawless in implementation as we'd like FB still has access to all that metadata.

Note that this argument is even more problematic for OpenPGP-encrypted email, as such email sends all metadata and some message data in plaintext.


> Note that this argument is even more problematic for OpenPGP-encrypted email, as such email sends all metadata and some message data in plaintext.

I usually respect tptacek a lot but when it comes to Whatsapp I actively avoid it if at all possible, preferring Telegram even if the crypto is more than questionable. Same goes for mail: I prefer it - even unencrypted - over Whatsapp.

For some of us our threat model is more concerned about Facebook and less about major TLAs.

With Whatsapp I have to expect that all metadata about me - and my friends - is fed into Facebook and datamined from here to eternity and back again or until the end of the world as we know it.

I have little to hide but given the catastrophically bad ad targeting of Facebook (yes, I am still a happily married father, a Java developer, a Norwegian. I don't need ANY more ads for dating websites until I specifically change my profile to let you know, THANK YOU. I would be happy to learn about useful developer tools or underrated fast food restaurants though. I also appreciated the uber ad with bundled coupon in google maps a few weeks ago and tested uber for the first time.)

Given the same catastrophically bad targeting and given that it is the same owner who, as far as I know, hasn't yet apologised for his remarks about how trusting him was stupid, it wouldn't surprise me if it is more a WHEN than an IF that Facebook is going to sell everyone's data to insurance companies, support scam call centers etc.


I agree with not using WhatsApp due to its ties to FB and metadata issues, but Telegram is arguably even worse. They've been (rightfully) panned for implementing their own crypto and doing it poorly. You should be using Signal on a phone if you're trying to use a secure messenger.


> You should be using Signal on a phone if you're trying to use a secure messenger.

I am not trying to use a secure messenger. I am trying to use a good one without ratting on my friends to the worst (as in size x badness) company I am aware of. Oh, and I don't want to be part of their network effect either.


All reasonable views, but I don't think that's a Telegram given their track record. At this point I'd put more trust in a transport-encrypted-without-end-to-end messenger than Telegram, and there are plenty of good options in that space (e.g. Discord, or hell, AIM). And if you want genuine security there are good decentralised options: XMPP (Conversations et al), Riot/Matrix, possibly Wire.


I'm not advocating for WhatsApp or PGP encrypted email, I'm pointing out that people who make the line in the sand at "decentralized vs centralized" are boiling the problem too far down.


Decentralization is good to help protect the user against abuses from the central service provider.

It also encourages competition, since the user can switch to a different service, and not be penalized by network effects preventing them from communicating with other people.

I use MX records in my domain so that I can switch to any mail provider I want, and people will still be able to contact me with the same address.

How is this possible in a centralized system? If I switch from WhatsApp to Signal, I lose all my contacts. If I want to keep communicating with them, then I have to convince them to switch to a different app, or just never stop using whatsapp. The network effects dynamic here makes it very difficult to switch from one centralized encrypted chat provider to another. If you try to leave, you lose all your contacts.

The other thing I dislike is that they all seem to require a valid phone number. This puts you at the mercy of the phone company. If you change your phone number, then you have to get all your contacts to change their contact info for you. This is a huge step back, compared to email with own domain and MX records!

The other thing I dislike about these centralized encrypted chat providers is the lack of client choice. 1 company can only support so many platforms, fair enough. But that will likely mean I'll never see the company develop a Linux desktop client, or a terminal based client for their network. And because of centralization, no-one else will be allowed to develop one either. In contrast, there are many different tools I can use for sending and receiving email on the Linux desktop, cli based backup tools, etc.

And as far as the spam problem goes, I'm not sure how Signal/WhatsApp are better in this regard? If you have to give your Signal address out for people to communicate with you, or to do business with a company, then I don't see why companies can't just spam you. Signal can centrally filter all messages you receive to make sure they don't have spam in them and block spammers' messages from going through (but this is no different than what many mail providers also do). You can block individual contacts, but that doesn't help if there are a very large number of different accounts sending spam. You can whitelist your contacts, but then no one you don't know that wants to talk to you can contact you.

It also doesn't stop known contacts from sending spam to you either because

- They are forwarding spam messages to you, like chain letters.

- They got a virus or some malware which sends spam to all their contacts

- It's a "legit" company you need to receive communication with, but sends spam mixed with vital communication: marketing lists you get auto-opted into (imagine if all the "give us your email to read the article" pop overs got replaced with "add us on signal to read the article"), amazon sale ads, facebook constantly trying to entice you to go back on the site, etc.

If signal replaced email, I don't see how it could remain spam free.


We give up decentralization for diversity and redundancy. We don't limit ourselves to one platform for communication. Decentralization worries me as much if not more than centralized systems of communication. Suddenly there are n number of actors I need to worry about vs one.


There are also people that use OpenOffice on Desktop Linux, and believe in their bones that everyone else should too.


They're wrong, obviously. LibreOffice is much better.


I sometimes preferred it even on Windows and even when I have a valid office subscription.

Some people really manage to mess up styles and Open or LibreOffice used to make it much easier to clean up those docs. (I'd switch back to get page numbers right though :-/)


I've also preferred it on Windows, having a valid Office subscription, because I've needed to open obscure/obsolete file formats that Word/Excel don't support.



