
My understanding is that Matrix is widely considered to have acceptable design tradeoffs for pseudonymous E2EE. It isn't perfect[1], but it's miles better than the theatre of PGP encrypted emails.

> That is still incredibly useful, even if the metadata is (obviously) not encrypted.

To whom? What is the threat model in which a user who is serious about the security of their messages is better served by PGP-over-email?



PGP over email is used in the real world and used successfully.

Research about online black markets (which serves as a nice "case study") will show that the main form of communication between people there has been pasting a PGP encrypted message into a text box and sending it, and sometimes literally using email.

In a situation like this, where anonymity and privacy are critical, Signal is not even remotely an option because it requires a phone number.

Matrix may be possible to use, but it would require that someone run a Matrix server that allows people to make accounts with no information required for sign up, and allows signup and use of the server over Tor, which are all unlikely.

PGP over email or pasted into a web form is simple, it doesn't require signing up with a phone number or any PII, it can be used over Tor, and it can be done with basic utils installed on almost any Linux distro.

I suspect a lot of cryptographers have not done research about what goes on "in the real world" or "in the wild". It would be interesting for them to set up a mock situation where two people attempt to send messages to each other without doing anything that could identify them in any way, completely anonymously, to emulate what using these tools in the real world would be like for a whistleblower or journalist or whatever.


It's worth reading through the criminal complaints against various Silk Road people[1]. You'll notice two things: (1) the government nails these people despite encrypted messages, because their email metadata is more than sufficient, and (2) people whose literal lives depend on using PGP correctly fail to do so (e.g. by sending some messages without encryption, or forwarding previously encrypted messages as unencrypted).

PGP is not a serious answer here.

[1]: https://www.justice.gov/sites/default/files/opa/press-releas...


There's a selection effect here -- the criminal complaints are the people who got caught. And drug dealers aren't exactly known for technical literacy.

I think the usability complaints here are very valid, but chlorion has a good point that PGP still wins for particular use cases. Heck, if you're really paranoid [and metadata is not your primary concern], use PGP over Signal. I don't think any of the alternatives proposed in this thread are chainable in this way like PGP.


There's a problem here: we can't make falsifiable claims about the criminals who aren't caught. I could just as easily say the same thing about Signal!

There's one critical difference, however: governments have identified Signal and its ilk specifically as a threat to their intelligence gathering capabilities. They don't talk this way about PGP; the public signals overwhelmingly indicate that (1) virtually nobody uses PGP for anything worth surveilling, and (2) anybody who does use it for things worth surveilling bungles it (see above). That's the government's dream!

> Heck, if you're really paranoid [and metadata is not your primary concern], use PGP over Signal. I don't think any of the alternatives proposed in this thread are chainable in this way like PGP.

This doesn't make sense. What is the "paranoid" model in which PGP provides (1) better cryptographic guarantees and (2) metadata isn't your primary concern? PGP cannot provide forward secrecy, provides all-around weaker cryptographic primitives, and is significantly harder to use correctly. It isn't a rational choice for a paranoid actor to make.


> This doesn't make sense. What is the "paranoid" model in which PGP provides (1) better cryptographic guarantees and (2) metadata isn't your primary concern? PGP cannot provide forward secrecy, provides all-around weaker cryptographic primitives, and is significantly harder to use correctly. It isn't a rational choice for a paranoid actor to make.

I think you must have misunderstood me. By "PGP over Signal" I meant PGP-encrypting messages and pasting the ASCII-armored ciphertext into the Signal client. The idea being that even if the NSA can break Signal's crypto, they might fail to also break whatever crypto you select with PGP. I should have said "both PGP and Signal", sorry for the poor communication.

I acknowledge PGP's flaws, but I like it as a ubiquitous DIY tool. I'm hoping that niche gets filled with something better. Though to be honest, I think for the "ubiquitous DIY tool" niche, forward secrecy might just be impractical.


No problem, apologies for my response based on a misunderstanding.

> The idea being that even if the NSA can break Signal's crypto, they might fail to also break whatever crypto you select with PGP.

This is an intuitive idea, but I’ll also hazard that it’s probably security theater: at a “building blocks” level, a theoretical NSA that breaks Signal’s crypto has broken the finite subgroup problem that underpins all of PGP’s cryptography as well.

(The reality is that the NSA doesn’t crack this kind of cryptography, at least not when it’s done correctly. They’re much bigger fans of exploits and implants, which they are absolutely not wasting on “ordinary” criminals.)


Hm, interesting. I don't know much about crypto math. I just typed 'gpg --version' on the command line, and it looks like my gpg has support for various public key schemes including elliptic curves. Are they all based on the same variant of the hidden subgroup problem?

Even if the math itself is bulletproof -- as you stated, there could be an implementation flaw in either the Signal code or the GPG code that effectively bypasses the math, right? See e.g. https://en.wikipedia.org/wiki/GNU_Privacy_Guard#Vulnerabilit...

> They’re much bigger fans of exploits and implants, which they are absolutely not wasting on “ordinary” criminals.

The ASCII-armor scheme I described could be helpful here too. Run Signal in a VM (e.g. with Qubes -- endorsed by Snowden). Copy/paste ciphertext in and out of the VM to GPG. Should be fairly idiotproof because ciphertext doesn't look like plaintext. Now even if the NSA sends you a Signal message that owns the VM, they still need some sort of VM escape/CPU sidechannel, or else knowledge of a vulnerability in GPG's encryption.

> The Rule of Two is a data security principle from the NSA's Commercial Solutions for Classified Program (CSfC).[3] It specifies two completely independent layers of cryptography to protect data. For example, data could be protected by both hardware encryption at its lowest level and software encryption at the application layer. It could mean using two FIPS-validated software cryptomodules from different vendors to en/decrypt data.

> The importance of vendor and/or model diversity between the layers of components centers around removing the possibility that the manufacturers or models will share a vulnerability. This way if one component is compromised there is still an entire layer of encryption protecting the information at rest or in transit. The CSfC Program offers solutions to achieve diversity in two ways. "The first is to implement each layer using components produced by different manufacturers. The second is to use components from the same manufacturer, where that manufacturer has provided NSA with sufficient evidence that the implementations of the two components are independent of one another."[4]

https://en.wikipedia.org/wiki/Multiple_encryption

As for implants, that's going to require physical or root access as a prerequisite, no?
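A defensive check for the copy/paste step described in the comment above, added here as an example and not part of any post in the thread: before text leaves the VM, verify that it is a well-formed ASCII-armored PGP MESSAGE (RFC 4880 armor framing, a packet header byte, and a matching CRC-24), so an accidental paste of plaintext is refused rather than sent. The sample packet bytes are constructed and stand in for real ciphertext.

```python
import base64

# CRC-24 parameters from RFC 4880 section 6.1 (OpenPGP ASCII armor checksum).
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB

# Constructed sample bytes standing in for real OpenPGP packets (not real ciphertext).
SAMPLE_PACKETS = bytes([0xC3, 0x10]) + bytes(range(16))

def crc24(data: bytes) -> int:
    """Bit-serial CRC-24 exactly as the RFC 4880 reference code computes it."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def armor(packets: bytes) -> str:
    """Wrap packet bytes in a PGP MESSAGE armor block (RFC 4880 section 6.2)."""
    body = base64.b64encode(packets).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    checksum = base64.b64encode(crc24(packets).to_bytes(3, "big")).decode("ascii")
    return "\n".join(["-----BEGIN PGP MESSAGE-----", ""] + lines
                     + ["=" + checksum, "-----END PGP MESSAGE-----"])

def is_armored_pgp_message(text: str) -> bool:
    """True only for a syntactically valid armored message whose CRC-24 matches."""
    lines = text.strip().splitlines()
    if (len(lines) < 4 or lines[0] != "-----BEGIN PGP MESSAGE-----"
            or lines[-1] != "-----END PGP MESSAGE-----"):
        return False
    try:
        blank = lines.index("", 1)  # armor headers (e.g. "Version:") end at a blank line
    except ValueError:
        return False
    body = lines[blank + 1:-1]
    if not body or not body[-1].startswith("="):
        return False
    try:
        packets = base64.b64decode("".join(body[:-1]), validate=True)
        stated = int.from_bytes(base64.b64decode(body[-1][1:], validate=True), "big")
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    # Every OpenPGP packet header has bit 7 of its first octet set (RFC 4880 section 4.2).
    return bool(packets) and packets[0] & 0x80 != 0 and crc24(packets) == stated
```

Wire `is_armored_pgp_message` in front of whatever moves text out of the VM; anything it rejects never reaches the chat client.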


I agree that it's error prone and far from ideal, and that most people should be using signal or matrix or something, but I'm not sure what other practical answers there are for more intense cases where people don't have access to those things.


That's the thing: Signal and Matrix are still the right answer for those cases!

Consider the ANOM[1] case: the FBI found it easier to FUD criminals into using a backdoored chat app than to break actual chat apps.

[1]: https://slate.com/technology/2021/12/fbi-fake-encrypted-mess...


> To whom? What is the threat model in which a user who is serious about the security of their messages is better served by PGP-over-email?

Sending credentials to a coworker, for example. I don't care who knows that I emailed them. I don't even care if they know what it's about (database credentials), as long as they can't get the actual credentials simply by accessing the mail server. I don't have to set up any new infrastructure (not realistic within most orgs), all that is needed is for both parties to use gpg.


What kind of fakakte organization is encouraging you to email credentials? Even the most haphazard, incompetent companies I've worked with have managed to configure an off-prem 1Password group.


Small businesses. But sure, let's hand over our credentials (and a ton of money) to the Americans instead of using an open source solution that has worked fine for over a decade.





