[Cryptography] What ever happened to end-to-end email encryption?
Michael Kjörling
michael at kjorling.se
Sat Aug 21 08:33:12 EDT 2021
On 19 Aug 2021 18:44 -0700, from radiajpc at gmail.com (R Perlman):
> - Something else?

Another three that I can think of right off the bat:

- Lots of people use webmail, and webmail interacts poorly with
  end-to-end cryptography unless the endpoints are defined to be the
  webmail server, in which case it really doesn't actually add all
  that much over opportunistic STARTTLS, let alone SMTP-STS. (There is
  _some_ benefit, yes, such as an additional layer of data at rest
  protection, but nowhere near as much potential benefit as when the
  endpoints are the actual devices physically handled by the sender
  and recipient respectively.)

- Lots of people use multiple devices and want to be able to access
  their e-mails equally on all of them. This compounds the usability
  problems by requiring (secure) sharing of secret keys between
  devices. (This is somewhat related to webmail usage.)

- People in general are _notoriously bad_ at backups. Lose that secret
  key for any reason, and you lose access to all the e-mail encrypted
  under it. While a good number of people probably don't care all that
  much about old e-mail, a sufficient number of people care
  sufficiently about access to old e-mails that this becomes
  problematic for an appreciable number of people. Just consider the
  rate at which people in general seem to lose their Bitcoin wallet
  keys, where there's actual _money_ (sometimes serious amounts of it)
  involved.

Also, _really_ don't underestimate the importance of your point that
"ordinary users just aren't worried about having their email seen by
others". The vast majority of people just want to solve the task at
hand; they don't care about AES, RSA, ECC, GCM, SHA, CBC, AEAD, TLS,
... but just want to share that funny cat video so their Aunt Carol
can see it, and really don't care whether or not Eve also gets to see
it as well.

--
Michael Kjörling • https://michael.kjorling.se • michael at kjorling.se
“Remember when, on the Internet, nobody cared that you were a dog?”