Is there any reason left to use PGP?

jonathanstray · 2017-05-03 17:53:56 UTC

Signal now has the ability to send arbitrary files. That was kind of the last use for encrypted email, at least the last use I saw.

Would anyone here still recommend / teach / support PGP? If so, in what circumstances?

Jonathan

KAC · 2017-05-03 19:49:29 UTC

Isn't Enigmail built on GPG? I think ProtonMail is also based on GPGjs. Signal is fantastic for smartphone use, but (according to an article on May 1 by Micah Lee in "The Intercept"), " Keep in mind that, by setting up Signal on your computer, you’re opening up new avenues for attackers to read your private Signal conversations. Think of it like this: When you just use Signal on your phone, if someone wants to read your private conversations, they have to hack your phone. But if you use it on both your phone and your computer, they have to hack either your phone or your computer, whichever is easier — and, because of the differences in how desktop and mobile operating systems are designed, chances are it’s easier to hack into your computer". I guess that's one reason I'd use Signal on my phone and (if it's really important), something else on my computer.

jonathanstray · 2017-05-06 20:05:04 UTC

You're right that installing the desktop Signal app on your computer opens a new avenue of attack. In particular, it means someone who can get into your computer can get into messages that would normally only be on your phone. And generally, phones (especially Apple phones) are harder to hack than desktop computers.

But then, installing anything that syncs with your phone opens up a potential attack -- have you considered whether you should perhaps not sync your phone address book to your computer?

Meanwhile, purely on the desktop side, using Enigmail isn't going to be any more secure than Signal, and in fact I would guess less secure because PGP is an older protocol that has some real problems and because Enigmail is just a larger and more complex piece of software.

So yes, installing Signal desktop does open up a potential route to get at phone messages via your computer. That may be a problem. But if you're going to use a desktop messaging app at all -- especially one that syncs between your desktop and phone as most do -- it's as least good as anything else.

roo · 2017-10-17 12:46:37 UTC

Possibly bucking the trend, I will say yes, it has it’s use cases, but these are narrowing as things like Signal, Wire and other highly usable apps are getting more normalised.

I think it’s a good skill for any researcher or investigative journalist who will be dealing with highly sensitive information, and it has it’s non-email uses. I also like that going through the process of understanding PGP does help people come to grips with what end-to-end is and what fingerprints and authentication are. You don’t need to command line it, but learning how one gpg front end works is still a good skill.

jonathanstray · 2017-12-27 20:12:50 UTC

This seems a pretty good guide to when and how to use PGP.

tl;dr Signal etc. is probably better, but if you’re going to use PGP just put your key on a YubiKey and don’t worry about subkeys and other such nonsense. Oh, and delete your emails as soon as you are done with them.

Jonathan