[Cryptography] Avoiding PGP
Walter van Holst
walter.van.holst at xs4all.nl
Mon Mar 19 03:56:16 EDT 2018
On 2018-03-16 19:11, Alexander Klimov via cryptography wrote:
> We were talking about email. If you want IM, simply teach the grandma
> to start Pidgin and initiate OTR for her. Again a two-minute task
> which is absolutely negligible compared to the rest of the teaching.
OTR + XMPP is from a usability perspective a raging dumpster fire. XMPP
has piss-poor support for people changing devices during a
conversation, OTR even less so.
And even under "perfect" circumstances I have experienced repeatedly
that OTR refused to initiate or stubbornly stuck to an older session.
Generating useless errors "you received a message for a different
session" in the process.
Whoever designed and/or implemented that bloody mess deserves the same
circle of hell as the Microsoft developers who designed their numbered
paragraphs bits in Word.
And don't get me started about the state of play with GPG. A long time
ago in a Galaxy far away (well, ok, in 1993) I wrote a quasi-GUI for PGP
to make it bearable (it was called PGP-Front). Fast forward to 2018 and
most of the tooling around GPG has only gotten marginally better.
Enigmail manages to give you the impression that you have sent encrypted
mail when it is actually cleartext. Key management is still an
incredible pain in the behind.
Also, in the real world people want to look at their mail from multiple
devices. Which is not a terribly good fit with GPG right now. To put it
very, very mildly. I have to ask people to resend their encrypted mails
in cleartext on an almost weekly basis if it is urgent.
Encryption that causes people to resort to plaintext just isn't teaching
good security habits. Both GPG and OTR fall in that category.
Regards,
Walter