[Cryptography] This happened to end-to-end email encryption
Dan Kolis
dankolis at gmail.com
Sat Aug 21 14:11:40 EDT 2021
The sorta famous R Perlman said:
> " Despite PGP and S/MIME having been designed zillions of years
> ago, it seems like end-to-end email encryption/integrity protection
> are not widely used. Which of the following is reasonably close
> to the truth ?"
My not particularly humble opinions are indented under the reenumerated questions. Is 'reenumerated' a real word? -anyway- They are all good reasons it's a lead balloon.
R1: Of course they are widely used. I'm just not aware.
    dbk: Nobody uses it except strange hobbyists and computer science people we love to fuss over their stuff.
R2: The usability issues were not worked out. Hard to get magic strings from servers, share them.
    dbk: Average people figure it's pretty complex, so why bother, but even more profoundly, doing 'stuff like that' just means trusting some other organization or people you don't know. Why do a hard thing to swap trusting one heap of people for a different heap.
R3: It never reached critical mass… there were never enough people.
    dbk: Yes.
R4: Big companies do not want end-to-end encryption of email.
    dbk: Of course. Anything that empowers employees is entirely unwelcome. Add some "Maybe it's a little illegal", and it's over. Companies can't even figure out they should protect their heaps of computers from regular crime. Anything like this looks and smells like a cost, so it's a dead duck at work.
R5: Even individual users need middleboxes to scan for spam and other services.
    dbk: Spamboxes on free email work well enough that they gloss a sheen of 'somebody is doing security for me for nothing' over the issue.
R6: Ordinary users just aren't worried about having their email seen by others.
    dbk: They correctly ascertain that unless there is an unusual reason, nobody cares enough to snag messages. Even more simply, stealing their computer seems like how leaks would happen, so simply deciding to erase them seems like it's doing a lot. It isn't. It's not like paper, but all the terminology makes it seem like that. No copies = more secure.
R7: Other solutions became popular, which involve a central server...
    dbk: Trusting one heap of people you don't trust for another. Adds a cost. Kerberos is way too complicated for company upper management to understand unless it's a solid I.T. company.
R8: People don't really know what different forms of "encrypted email" mean.
    dbk: Careful studies of people applying end-to-end crypto show average people absolutely, totally don't understand the base ideas of PGP at all. Careful experiments show they constantly reveal secrets and compromise their messaging forever, thinking they're doing the stuff correctly.
R9: Something else?
    dbk: Spook shops buy companies and tinker with international laws just a little, but on an ongoing basis. It's no huge secret project, it's a small secret project with infinite funding forever. You see companies change countries, disappear, etc. in this field much more than in other fields. A shopping bag of money with a threat is probably the usual approach.
Regards,
Old Dan
In Toronto with a PGP sales office right downtown
Document end 21 Aug 2021