[Cryptography] This happened to end-to-end email encryption

Dan Kolis dankolis at gmail.com
Sat Aug 21 14:11:40 EDT 2021


The sorta famous R Perlman said:
> " Despite PGP and S/MIME having been designed zillions of years
> ago, it seems like end-to-end email encryption/integrity protection
> are not widely used. Which of the following is reasonably close
> to the truth ?"

My not particularly humble opinions are indented under the reenumerated
questions. Is 'reenumerated' a real word? -anyway- They are all good
reasons it's a lead balloon.


R1: Of course they are widely used. I'm just not aware.
  dbk: Nobody uses it except strange hobbyists and computer science
         people we love to fuss over their stuff.


R2: The usability issues were not worked out. Hard to get magic strings
from servers, share them.
  dbk: Average people figure it's pretty complex, so why bother, but even
         more profoundly, doing 'stuff like that' just means trusting
         some other organization or people you don't know. Why do a hard
         thing to swap trusting one heap of people for a different heap?


R3: It never reached critical mass…there were never enough people.
  dbk: Yes.


R4: Big companies do not want end-to-end encryption of email.
  dbk: Of course. Anything that empowers employees is entirely
         unwelcome. Add some "Maybe it's a little illegal", and it's
         over. Companies can't even figure out that they should protect
         their heaps of computers from regular crime. Anything like
         this looks and smells like a cost, so it's a dead duck at work.


R5: Even individual users need middleboxes to scan for spam and other
services.
  dbk: Spamboxes on free email work well enough that they gloss a sheen of
         'somebody is doing security for me for nothing' over the issue.


R6: Ordinary users just aren't worried about having their email seen by
others.
  dbk: They correctly ascertain that unless there is an unusual reason,
         nobody cares enough to snag messages. Even more simply,
         stealing their computer seems like how leaks would happen,
         so simply deciding to erase them seems like it's doing a lot. It
         isn't. It's not like paper, but all the terminology makes it seem
         like that. No copies = more secure.


R7: Other solutions became popular, which involve a central server...
  dbk: Trusting one heap of people you don't trust for another. Adds a
         cost; Kerberos is way too complicated for company upper
         management to understand unless it's a solid I.T. company.


R8: People don't really know what different forms of "encrypted email" mean.
  dbk: Careful studies of people applying end-to-end crypto show
         average people absolutely, totally don't understand the base
         ideas of PGP at all. Careful experiments show they constantly
         reveal secrets and compromise their messaging forever,
         thinking they're doing the stuff correctly.


R9: Something else?
  dbk: Spook shops buy companies and tinker with international laws
         just a little, but on an ongoing basis. It's no huge secret
         project, it's a small secret project with infinite funding forever.
         You see companies change countries, disappear, etc. in this
         field much more than in other fields. A shopping bag of money
         with a threat is probably the usual approach.

Regards,
Old Dan
In Toronto with a PGP sales office right downtown

Document end 21 Aug 2021