[tor-talk] PGP fiddly-diddly - action required

Lara lara.tor at emails.veryspeedy.net
Wed May 16 08:34:17 UTC 2018


On Wed, 16 May 2018, at 00:37, panoramix.druida wrote:
> > https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now

The problem with quoting links is that the source can ALWAYS change the
text to fit the latest developments. So you should link as a reference
to the context, but do QUOTE the parts that disturb you.

> So if I have PGP to protect my email, their solution is to stop using
> PGP because someone could read my encrypted mails.

The current page says:

+ Our advice, which mirrors that of the researchers, is to immediately
+ disable and/or uninstall tools that automatically decrypt PGP-
+ encrypted email.

Notice the words automatically and decrypt, besides the immediately that
unsettled you.

> So now everyone would be able to read all of my emails.

I doubt even EFF would have written such a thing.

> Wouldn't it be better to ask people to disable HTML on email and to
> upgrade their email clients to stay protected?

Only TorBirdy and other email related projects do say that.

And there is no upgrade so asking users to upgrade would have been only
a hysterical reaction.

> I know PGP is not perfect, but it is the best we have for email.

The best you know. And there is no "we". Different needs,
different tools.

> I know email is not perfect but it is more or less decentralized.

More, less, the same. Emotion and zero information.

> Why should we stop using email in favor of something such as Signal
> (recommendation from EFF article) that is centralized and we should
> trust the guys running the server are good guys?

In its current form, it says nothing about "stop using" anything but
software that automatically decrypts PGP. Anyway it is called trying to
give a solution. And as far as I know Signal has a much better security
history than the email client addons.

> I understand that Signal has great security features like forward
> secrecy that PGP doesn't. I know it is open source, but you are forbidden
> to install it from free repositories such as Fdroid.

Nobody forbids anyone from installing anything from Fdroid. That IS
EXACTLY the point of Fdroid.

> Also you can not use Signal if you don't have a phone number. How
> great is that for anonymity. In the country where I am living you can
> not activate a mobile phone number without your national ID.

In many countries you can't do that. So the responsibility should be
ENTIRELY with you. People from other countries give you FDroid,
Android, Internet, websites, and so on. It is up to you to either
change that reality or vote with your feet if you are too weak,
incompetent, and so on.

Cheers

