Finally, Debian has ditched OpenPGP for repository signing in favor of Ed25519 with SHA512. This is a step ahead for privacy and security. You can see the article here.

As @anon123@lemmy.ml pointed out, the following issues about PGP are not specifically related to Debian article I linked.

  • No authenticated encryption.
  • Receiving a signed message means nothing about who sent it to you
  • Usability issues with GnuPG
  • Discoverability of public keys issue.
  • Bad integration with emails.
  • No forward secrecy.

There’s usuful documentation about it:

  • @Lunacy@lemmy.mlOP
    13 years ago

    Forward secrecy is a panacea for emails. Emails do not work like instant messenger protocols.

    I understand your point. However, that’s why email are not recommended as secure way to send/receive messages. Email, even when encrypted leaks metadata and lacks security features like forward secrecy. Email was not created with security in mind.

    ProtonMail is not an ideal example of encrypted email. If you could explain it with an email that allows custom PGP encryption, it would be a valid example.

    As far as I know, ProtonMail is considered the gold standard. Even then, encrypt subject in email it’s not possible even with custom PGP encryption. However, maybe I’m wrong here. Glad to be corrected.

    Signal is most likely a government op, considering it has its servers exclusively in USA, which are governed by US CLOUD Act, and Elon Musk nd Snowden promoted Signal. Similar actions happened with Wire Messenger, which was in Switzerland before, but later moved to USA. Wire was also promoted by Snowden and others in the same fashion

    I’m sorry but this statement doesn’t prove anything. Just because it’s plausible and common sense ( I don’t think this is the case to be honest) it doesn’t mean its also the truth. Signal has a good end to end encryption protocol with minimization of metadata. There are no evidence of backdoors.

    • @TheAnonymouseJoker@lemmy.mlM
      13 years ago

      email was not created with security in mind

      This is true, and I do say it often. But emails have a culture around them, see mailing list culture. XMPP is email 2.0 to me, and to people who understand these protocols.

      ProtonMail is not a gold standard of anything except marketing. I am a R!seUp Collective member.

      Signal does not necessarily have backdoors, but metadata issues. And metadata going through US servers is an issue if you start talking to strangers. Moxie says it is not an app made for anonymity, and this was said during the blocking of USA software in Iran.

      • @Lunacy@lemmy.mlOP
        13 years ago

        ProtonMail is not a gold standard of anything except marketing. I am a R!seUp Collective member.

        I searched for both ProtonMail and RiseUp features, I not found relevant differences. However, I never used RiseUp, maybe I’ll try.

        Signal does not necessarily have backdoors, but metadata issues. And metadata going through US servers is an issue if you start talking to strangers. Moxie says it is not an app made for anonymity, and this was said during the blocking of USA software in Iran.

        Nonetheless, Signal minimize the metadata. You can see here they received a subpoena from the United States Attorney’s Office in the Central District of California. However, they only provided two type of data:

        • last connection date
        • account created

        The entropy of data collected is very minimal.

        it’s not made for anonymity, but it’s still a private application.

        In my opinion (just my opinion, so you can skip this part) signal it’s safe to use for 99% of users.

          • @Lunacy@lemmy.mlOP
            13 years ago

            Hi. I read the article. Specifically, the section about ProtonMail, RiseUP and disroot. I understand your point. ProtonMail has surely many issues.

            Sincerely, I’m glad I don’t have to use email for communication, there are better alternatives like E2EE. Even using the most secure email provider your communication still leaks metadata. Actually, also E2EE leaks metadata, but the encryption protocol it’s way better than PGP.

            You can see the metadata leaked by element here.

            A question not related to this topic: there are communities dedicated to Opsec here?

            Anyway, good discussion. :)

            • @anon123@lemmy.ml
              23 years ago

              E2EE is not a protocol. It just means “end to end encryption”. Signal, OpenPGP, Wire, OMEMO, etc all fit the description.

            • @TheAnonymouseJoker@lemmy.mlM
              13 years ago

              I do not think so, and even on reddit, r/opsec is very vague. For this reason, I have a guide for it https://lemmy.ml/post/34223 and have been trying to bring a change in the privacy community and in the culture to make it a pro libre and pro privacy culture via r/privatelife and c/privatelife.

              I have helped a lot of people successfully, and continue to try and help communities and individuals in a hope for a changed future.