So, #Tutanota says in its blog that #PGP for email (that #ProtonMail uses) is not very secure, and Tutanota doesn't use it! 😳

I'm confused! 😐

tutanota.com/blog/posts/differ

Tutanota doesn’t use PGP and needs to rationalize their choice by portraying PGP as inferior. Let’s take their “Why Tutanota does not rely on PGP” (https://tutanota.com/blog/posts/innovative-encryption/) and disect it:

"PGP does not encrypt the subject line (already achieved in Tutanota)" -> already achieved in PGP too thanks to https://www.ietf.org/archive/id/draft-autocrypt-lamps-protected-headers-02.html

"PGP algorithms can’t be easily updated" what? PGP got ed25519 and ed448 recently and there is entire space of “vendor specific” algorithms that some providers use internally.

"PGP has no option for Perfect Forward Secrecy." and Tutanota doesn’t too so why bring this to the table? “We also plan to add Perfect Forward Secrecy to Tutanota.” very nice but wait… ProtonMail is already working on it: https://mailarchive.ietf.org/arch/msg/openpgp/ifm3dqQdyh8kOTZF7yONAsDZb3Q/ oh, and Thunderbird people too: https://mailarchive.ietf.org/arch/msg/openpgp/i2qnaxF0RNhcVnobv0C_HE211wk/

Tutanota is just vendor lock-in and when something like this happens: https://www.cyberscoop.com/court-rules-encrypted-email-tutanota-monitor-messages/ you don’t have a choice of switching implementations 🤷

Follow

@wiktor @strawberryfieldsforever

PGP shouldnt be used for anything.
Its old and insecure. There are much better tools to use.

latacora.singles/2019/07/16/th

As for email, dont expect it to have encryption. Even if you have something like protonmail it doesnt matter. Because it requires everybody to have the same fragile complicated setup.

Latacora’s attitude towards PGP is well-known and a vast amount of their arguments is valid although I'd disagree with their conclusion: “Use Signal. Or Wire, or WhatsApp (...)”.

Signal is known to be centralized and even though they are open-source you can’t have your own clients: https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217231557

Wire stores unencrypted metadata of users and has apparently moved from Swiss to US: https://www.vice.com/en/article/gvzw5x/secure-messaging-app-wire-stores-everyone-youve-ever-contacted-in-plain-text

Whatsapp… I guess I don’t need to commment on this one :)

Why not recommend fully open systems such as XMPP that are decentralized and not fully controlled by one party?

As for ProtonMail it doesn’t “require everybody to have the same fragile complicated setup” since it uses open protocol everyone can participate the way they want not the way the corporate overlords say you have to.

But consider me biased since I’m actually trying to improve the PGP status quo by writing in memory-safe languages (Rust) a better PGP implementation: https://sequoia-pgp.org/

@wiktor @strawberryfieldsforever

Havent heard of the rust implementation of pgp. Good luck in your efforts. :)

As for the messenger part i agree. I use tox/briar myself while checking out some other stuff.

Regarding the email part. Personally i am looking forward and advocating for i2p/pybitmessage/retroshare style. If it needed at all.

That way you dont need to do all the complicated setup you have with pgp.

Sign in to participate in the conversation
social.coop

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!