Talking about the privacy of a system that requires you to sign up with a phone number, which in my country (and in most other European countries as far as I know, and without even getting into non-democratic regimes) is required to be associated with your ID (it's illegal to buy a SIM without registration), is nonsense.
And you know another thing? Email works great for me, and it's decentralized. I have my own email server, with my own domain, so I don't depend on anyone to provide me a service. I have full control of my data, which is on my server. I can even send encrypted emails with GnuPG without any problem, and it's as secure as Signal, if not better. I can use whatever client I want: a fancy application, a web interface, or, as I do, a small CLI program, since I don't use graphical user interfaces.
Sure, having a chat protocol that is decentralized like email would be great! I hope that Matrix evolves into something usable in the coming years; we need that. I need a chat application with a client I can use in my terminal, and Signal doesn't offer that (Telegram does, for example, since its API is more open, and it's what I use second to email).
> I can even send encrypted emails with GnuPG without any problem, and it's as secure as Signal, if not better.
Alas, this requires a fairly contorted definition of "secure" to be true. The cryptography in GnuPG has plenty of problems even if you insist on manually doing everything from your own CLI tools, which maybe don't suffer the problems from EFail.
Mostly it's just kinda old; AEAD hadn't been conceived when Phil wrote PGP, you know. That's a big foundational idea for modern crypto, and instead PGP had to kind of fudge a separate MAC into the design and hope that's good enough.
When you send your GnuPG encrypted mail, how do you decide which cryptographic primitives to use? With Signal the whole _point_ of Moxie's decision is that Signal gets to insist on all clients having whatever the best option is, so that's always used. But in GnuPG you've got to guess, what might the other participant's client be able to handle? If you guess wrong then your email is unreadable, or, worse, bad guys might be able to read it more easily.
> in most other European countries as far as I know
In England at least SIMs are available in the pound shop. You buy a SIM with cash (a single bright coin) and it comes with a phone number. British people do not carry any ID as a habit, and I make a point of never having ID unless I've been specifically asked to bring it for a good reason (e.g. to leave the country or when I got a job that required security clearance).
> ...if you insist on manually doing everything from your own CLI tools which maybe don't suffer the problems from EFail.
The only surprising thing that EFail revealed is that there are email clients out there that will silently allow HTML emails to communicate with the outside world. Encryption isn't the only thing that leaks from such clients.
> ...PGP had to kind of fudge a separate MAC into the design and hope that's good enough.
Well isn't it? What attack is possible here? What attack was ever possible?
> When you send your GnuPG encrypted mail, how do you decide which cryptographic primitives to use?
You use the best ones supported by the receiver as listed in their public key. No one actually has to decide this and no guessing is required. This is something that the OpenPGP standard gets right for a crypto standard. Such things by necessity have to evolve over time. Sure this was hard to figure out, but it's done now. This particular wheel does not have to be reinvented or avoided.
> Well isn't it? What attack is possible here? What attack was ever possible?
No. Unsurprisingly the result is exactly what you'd expect. Idiots build software that throws away the error result and returns the unauthenticated text. This has always happened, which is why AEAD modes exist now. EFail documents what it names "CFB gadgets" to abuse this in typical HTML-based OpenPGP clients but you could attempt the same fun attacking a human subject directly, in some ways it might be easier because humans tend to just sort of "read past" nonsense in the search for meaning.
Phil Zimmermann didn't have a better option. You do.
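The error-handling point made above, as an added example that is not code from anyone in this thread, from GnuPG, or from Signal. It uses only Go's standard library: a CFB ciphertext with a separate HMAC tag stands in for the pre-AEAD "cipher plus bolted-on integrity check" shape (it is deliberately not OpenPGP's real MDC packet format), and AES-GCM stands in for an AEAD. One ciphertext bit of each message is flipped in transit; the report shows that the tag-based API hands the decrypted bytes back alongside the error, so a caller that drops the error displays unauthenticated text, whereas the AEAD API returns no plaintext at all. The key, message and all function names are constructed for this example. Go 1.24 deprecates the CFB constructors used here, which rather underlines the thread's point.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed 32-byte demo key (AES-256), not from any real system.
var demoKey = []byte("0123456789abcdef0123456789abcdef")
const gcmNonceSize = 12 // standard nonce size for cipher.NewGCM

func mustAES(key []byte) cipher.Block {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // demo only: a wrong key length is a programming error
	}
	return block
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // demo only: no entropy source is fatal
	}
	return b
}

// tagOf is the bolted-on integrity check: HMAC-SHA256 over iv||ciphertext.
func tagOf(key, body []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(body)
	return mac.Sum(nil)
}

// sealCFBWithTag: AES-CFB ciphertext with the tag appended (a stand-in for the pre-AEAD shape, not OpenPGP's MDC format).
func sealCFBWithTag(key, plaintext []byte) []byte {
	body := append(randomBytes(aes.BlockSize), make([]byte, len(plaintext))...)
	cipher.NewCFBEncrypter(mustAES(key), body[:aes.BlockSize]).XORKeyStream(body[aes.BlockSize:], plaintext)
	return append(body, tagOf(key, body)...)
}

// openCFBWithTag decrypts first and returns the plaintext together with the verification
// result, so whether unauthenticated text is ever shown depends entirely on the caller honouring err.
func openCFBWithTag(key, blob []byte) ([]byte, error) {
	if len(blob) < aes.BlockSize+sha256.Size {
		return nil, errors.New("message too short")
	}
	n := len(blob) - sha256.Size
	pt := make([]byte, n-aes.BlockSize)
	cipher.NewCFBDecrypter(mustAES(key), blob[:aes.BlockSize]).XORKeyStream(pt, blob[aes.BlockSize:n])
	if !hmac.Equal(tagOf(key, blob[:n]), blob[n:]) {
		return pt, errors.New("integrity tag mismatch") // plaintext still escapes to the caller
	}
	return pt, nil
}

// AES-GCM is an AEAD: Open returns nil plaintext whenever authentication fails, whatever the caller does.
func newGCM(key []byte) cipher.AEAD {
	aead, err := cipher.NewGCM(mustAES(key))
	if err != nil {
		panic(err)
	}
	return aead
}

func sealGCM(key, plaintext []byte) []byte {
	nonce := randomBytes(gcmNonceSize)
	return newGCM(key).Seal(nonce, nonce, plaintext, nil)
}

func openGCM(key, blob []byte) ([]byte, error) {
	if len(blob) < gcmNonceSize {
		return nil, errors.New("message too short")
	}
	return newGCM(key).Open(nil, blob[:gcmNonceSize], blob[gcmNonceSize:], nil)
}

// leakReport: after one ciphertext bit is flipped, does plaintext reach the caller?
type leakReport struct{ CarelessCFB, CarefulCFB, GCM bool }

func demo() leakReport {
	msg := []byte("constructed demo message") // constructed sample input
	badCFB, badGCM := sealCFBWithTag(demoKey, msg), sealGCM(demoKey, msg)
	badCFB[aes.BlockSize+3] ^= 1 // one bit flipped inside each ciphertext body
	badGCM[gcmNonceSize+3] ^= 1
	var r leakReport
	pt, err := openCFBWithTag(demoKey, badCFB)
	r.CarelessCFB = len(pt) > 0              // ignores err: unauthenticated text shown
	r.CarefulCFB = err == nil && len(pt) > 0 // checks err first: nothing shown
	pt, _ = openGCM(demoKey, badGCM)
	r.GCM = len(pt) > 0
	return r
}

func main() {
	fmt.Printf("plaintext reached the caller after tampering: %+v\n", demo())
}
```

Running it prints `{CarelessCFB:true CarefulCFB:false GCM:false}`: with a separate tag the library can only advise, and the "throws away the error result" client of the post above is exactly the careless caller; with an AEAD there is no plaintext to throw away the error for.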
> You use the best ones supported by the receiver as listed in their public key
So, you never use anything in the least bit new unless you're communicating with somebody who just minted new keys. For older users, you're stuck with whatever was current in the software version they ran five, ten, twenty years ago.
> For older users, you're stuck with whatever was current in the software version they ran five, ten, twenty years ago.
GPG2 doesn't support V3 keys anymore, so old keys just won't work. That point is fairly moot in that pretty much all the ancient encryption is still unbroken.
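How "the best ones supported by the receiver as listed in their public key" plays out once several recipients are involved, including the stale-key case argued over above, as an added example that is not code from anyone in this thread or from GnuPG. It models only the symmetric-cipher rule of RFC 4880 section 13.2: the sender may use only an algorithm that every recipient lists, and TripleDES, the MUST-implement cipher, is tacitly at the end of every list; the real rules also cover hash and compression preferences, and the choice within the allowed set is left to the implementation (here, the sender's own ranking). The algorithm IDs are the standard ones; the preference lists, function and variable names are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Symmetric-cipher algorithm IDs from RFC 4880, section 9.2.
const (
	TripleDES = 2
	CAST5     = 3
	AES128    = 7
	AES192    = 8
	AES256    = 9
)

var algName = map[int]string{TripleDES: "3DES", CAST5: "CAST5", AES128: "AES-128", AES192: "AES-192", AES256: "AES-256"}

// chooseSymmetric picks the cipher for a message to several recipients: only
// algorithms in every recipient's list (plus the implicit TripleDES fallback)
// are allowed, and among those the sender's highest-ranked one wins.
func chooseSymmetric(senderRank []int, recipientPrefs [][]int) (int, error) {
	allowed := map[int]bool{}
	for _, a := range senderRank {
		allowed[a] = true
	}
	for _, prefs := range recipientPrefs {
		listed := map[int]bool{TripleDES: true} // MUST-implement, tacitly at the end
		for _, a := range prefs {
			listed[a] = true
		}
		for a := range allowed {
			if !listed[a] {
				delete(allowed, a)
			}
		}
	}
	for _, a := range senderRank {
		if allowed[a] {
			return a, nil
		}
	}
	return 0, errors.New("no cipher acceptable to the sender and every recipient")
}

// Constructed preference lists; not taken from any real keys.
var (
	senderRank = []int{AES256, AES192, AES128, CAST5, TripleDES}
	modernKey  = []int{AES256, AES192, AES128, CAST5, TripleDES}
	oldKey     = []int{CAST5, TripleDES} // minted long ago and never refreshed
	bareKey    = []int{}                 // carries no preferences at all
)

func main() {
	for _, group := range [][][]int{{modernKey}, {modernKey, oldKey}, {modernKey, bareKey}} {
		a, err := chooseSymmetric(senderRank, group)
		if err != nil {
			panic(err)
		}
		fmt.Println(algName[a])
	}
}
```

The three runs print `AES-256`, `CAST5` and `3DES`: one recipient whose key predates AES pulls the whole group down to the strongest cipher that key lists, and a key with no preferences at all gets only the fallback. The sender never guesses, which is the point made above, but it also never gets to use anything a recipient's key does not already advertise. The 2024 revision, RFC 9580, moves the mandatory cipher to AES-128, so the implicit fallback there is no longer TripleDES.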
> And you know another thing? Email works great to me, and it's decentralized. I have my email server, with my domain, so I don't depend on anyone to provide me a service. I have full control of my data that is on my server. I can even send encrypted emails with GnuPG without any problem
OK, and how many non-technical people do you email who have GPG keys? If they don't have GPG, how do you have end-to-end encrypted communications with them?
This is where Signal won and GPG lost: with the Signal protocol integration into WhatsApp, one billion people instantly got secure comms without even having to know what a key is.
> it's as secure as Signal, if not better.
Signal uses a new key for every single message you send, so it could be argued that actually Signal is better than GPG.
When comparing to Signal, or indeed to any modern chat client, you need to call out when you are mentioning non-Riot clients that don't support encryption.
In the original article you did this well: when you claimed "no fragmentation," the next sentence explained that the claim didn't apply to encryption.
In general, Matrix feature-boasting about things it can do without encryption is confusing people. Most new users are coming to Matrix expecting encryption, and they get it. But then Matrix advocacy presentations proceed from the ridiculous assumption that open-source chat without encryption would be interesting as something to move onto, while hiding this assumption. Please stop doing this, to preserve your credibility.