this post was submitted on 16 Mar 2024
675 points (96.6% liked)

Linux

48200 readers
1065 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 5 points 8 months ago (1 children)

Making email secure and good is very hard and it involves either making it inconvenient or getting rid of interoperability with existing systems. As long as I've been tracking it your choices for client when using Proton were webmail or mobile apps. The news here is that a new option has opened up not that an old option is being taken away

[–] [email protected] -2 points 8 months ago (2 children)

This is just patently false. GPG is not inconvenient & there are a plethora of apps that has made it much more user friendly. The fact that Proton has decided to take away freedom & tell you it is more secure is just bologna. There is no reason to trust Proton at all.

[–] [email protected] 2 points 8 months ago (1 children)

GPG is a huge pain in the ass to manage. Everyone knows this, because it's the case. The web of trust also doesn't scale and has many problems, handling key securely is hard, making GPG work on all devices is something which is completely impossible for people without solid technical skills.

If you think otherwise, you are just in a bubble.

[–] [email protected] -2 points 8 months ago (1 children)

You're a serial killer. Everyone knows this, because it's the case.

Do you see how that works? You can say whatever you want, but unless you can provide some proof then you're just parroting whatever you've heard. If you want to learn how to use GPG then let me know and I'd be happy to show you several open source tools that make it very easy so you can stop parroting BS. Otherwise, you're entitled to your opinion and I'll continue to believe you're a serial killer.

The bubble you're referring to is your own ignorance.

[–] [email protected] 4 points 8 months ago* (last edited 8 months ago)

There are certain things that are known facts, there is no need to prove them every time.

The simple fact that:

  • There is not a standard tool that is common
  • The amount of people who use PGP is ridiculously low, including within tech circles. Just to make one example, even a famous cryptographer such as Filippo Sottile mentions to receive maybe a couple of PGP encrypted emails a year. I work in security and I have never received one, nobody among my colleagues has a public key to use, and I have never seen anybody who was not a tech professional use PGP.

You can also see:

We can’t say this any better than Ted Unangst: "There was a PGP usability study conducted a few years ago where a group of technical people were placed in a room with a computer and asked to set up PGP. Two hours later, they were never seen or heard from again." If you’d like empirical data of your own to back this up, here’s an experiment you can run: find an immigration lawyer and talk them through the process of getting Signal working on their phone. You probably don’t suddenly smell burning toast. Now try doing that with PGP.

A recent talk, I will quote the preamble:

Although OpenPGP is widely considered hard to use, overcomplicated, and the stuff of nerds, our prior experience working on another OpenPGP implementation suggested that the OpenPGP standard is actually pretty good, but the tooling needs improvement.

And you can find as many opinion pieces as you want, by just searching (for example: https://nullprogram.com/blog/2017/03/12/).

However, if you really believe I am wrong, and you disagree that PGP tooling is widely considered bad, complex and almost a meme in the security community, you are welcome to show where I am wrong. Show me a simple PGP setup that non-technical people use.

P.s.

I also found https://arxiv.org/pdf/1510.08555.pdf, an interesting paper which is a followup of another paper 10 years older about usability of PGP tools.

[–] [email protected] 1 points 8 months ago (1 children)

I also prefer gpg but it is not super beginner friendly. I generally recommend people away from proton and tuta unless they really want encrypted email and gpg isn't something they can figure out

[–] [email protected] 0 points 8 months ago (1 children)

GPG isn't beginner friendly if you're only using the CLI. However, even then there are tons of documentations and even Gemini/ChatGPT would prob be good at helping users create/manage their keys. However, I can provide a list of user-friendly GUI apps to create/manage/encrypt/etc. using GPG if you'd like that make it as easy. I mean, you can pay a company that says they'll protect your privacy but history has shown paying for privacy is unreliable.

[–] [email protected] 2 points 8 months ago (1 children)

@timewarp @Quill7513 The only real alternative IMHO is hosting your own mail server and *that* is no alternative at all, because big-tech will blacklist your server immediately… so Proton/Tuta are the lesser of all evils. If you have a true alternative I am listening.

[–] [email protected] 0 points 8 months ago (1 children)

You can use PGP with just about any email service. I personally just use SimpleLogin, where you can add your public key to have all your messages encrypted. But Thunderbird, KMail, Evolution, FairMail, etc all support email encryption too with IMAP.

[–] [email protected] -1 points 8 months ago (1 children)

@timewarp ok, PGP … remember EFAIL… and all kinds of usability issues which inevitably lead to security issues by ‘wrong use’ at some point. And another *centralized* ‘web of trust’ (benign as it may be) is also not something I look forward to. O well, some genius will emerge at some point and deliver us 🥳 may he/she/it/them be FOSS-minded

[–] [email protected] 1 points 8 months ago (1 children)

It's quite possible that privacy is too hard for you and trash talking open source makes you feel better about the money you're paying to someone else to say they'll do a better job for you.

[–] [email protected] 0 points 8 months ago (1 children)

@timewarp don’t know what you’re talking about, I love FOSS…

[–] [email protected] 0 points 8 months ago

Okay, well it's just the vulnerabilities you mentioned were geared towards email client issues that among other things would automatically load HTML data upon decryption. Furthermore, primary vulnerable targets were 10 year old email clients at the time that hadn't received any security updates. The SE data packet issue had been documented even in the spec since at least 2007 about its security issues and recommended rapid mitigation techniques. All in all, the EFAIL documented issues with mail client failures, not with OpenPGP itself.

Second, OpenPGP web-of-trust, or whatever you want to call it (public keyservers) is entirely optional. In fact, Proton relies heavily on this in from what I can tell actually enforces it in a more insecure way, but opting users into their internal keyserver automatically.