[Cryptography] Avoiding PGP

Jah Love jahlove at riseup.net
Mon Mar 19 18:50:00 EDT 2018


Some links and short notes that are relevant to this discussion:

A free software Gmail-type replacement with PGP encryption built in is
approaching its 1.0 release after nearly 6 years of work:
https://www.mailpile.is/

They also just hired some devs to finish up the Mac and Windows
packaging: https://twitter.com/MailpileTeam/status/973594524730699776

Among a lot of other amazing things, Mailpile has implemented encrypted
subject headers via Memory Hole:
https://twitter.com/HerraBRE/status/831636607543427072
https://github.com/mailpile/Mailpile/issues/156#issuecomment-279998595
https://github.com/autocrypt/memoryhole

Mailpile has some good blog posts about PGP:
https://www.mailpile.is/blog/2014-10-07_Some_Thoughts_on_GnuPG.html
https://www.mailpile.is/blog/2015-02-26_Revisiting_the_GnuPG_discussion.html
https://www.mailpile.is/blog/2016-12-13_Too_Cool_for_PGP.html

That last blog post is a response to anti-GPG posts like this one:
https://moxie.org/blog/gpg-and-me/

Signal on Android is *not* 100% free software because it does not build
without these nonfree libraries:
https://github.com/signalapp/Signal-Android/blob/master/build.gradle#L67-L69

The play-services maven repo also would need to be removed from Signal,
but no one has figured out how to do that and still get it to build:
https://gitlab.com/fdroid/fdroiddata/merge_requests/1229#note_4151671

It'd be great if Signal or some independent contributors could address
this issue and provide a way to have an APK that is 100% free software,
but I'm not holding my breath. Please contribute to this if you can!

LibreSignal has the exact same problems and so it isn't Libre and should
stop using Libre in the name because that is super confusing:
https://github.com/xmikos/fdroiddata/issues/43
https://fdroid.eutopia.cz/

Signal for GNU+Linux has a number of issues with it as well, some of
which are outlined here: https://labs.riseup.net/code/issues/15200

My hot take:
You can't have privacy without security.
You can't have security without freedom.

XMPP+OMEMO is way better than XMPP+OTR: https://conversations.im/omemo/

You can find clients with OMEMO support here: https://omemo.top/

You have to make sure you're using an XMPP server with the proper XEPs
installed. Use this chart if you need help finding one:
https://conversations.im/compliance/

NeoPG is a modern drop-in replacement for GnuPG 2: https://neopg.io/

A presentation on NeoPG can be viewed at around minute 47 here:
https://media.ccc.de/v/34c3-9258-lightning_talks_day_4#t=2855

Why is GPG "damn near unusable"? An overview of usable security
research:
https://media.ccc.de/v/31c3_-_6021_-_en_-_saal_g_-_201412281130_-_why_is_gpg_damn_near_unusable_-_arne_padmos#t=2085

Briar is a new kid on the block which looks promising:
https://briarproject.org
https://media.ccc.de/v/34c3-8937-briar

Ricochet doesn't seem to be updated often enough, but is worth
mentioning as a possible email replacement:
https://github.com/ricochet-im/ricochet
https://ricochet.im/
