Controversial article about email

1

I stumbled across this relatively recent article (2020) accusing secure email messaging of being just “role-playing.”
Obviously I set out to read it because it intrigued me and I would like to discuss it with your opinion as well.

I make a list of the passages that seem salient to me by adding my own thoughts:

  1. there is an accusation that pgp is not secure and it refers for example to the possibility of decrypting messages and there is a link to a list of problems.
    I can’t comment on that, the only thing I can say is that I guess the many audits of deltachat should have a degree of reliability
  2. reports that the metadata is unencrypted (sender, recipient, and timestamp) and recorded. Then he makes the sponsorship to signal (which makes me think the article is biased).
    however it is true that that these metadata travels unencrypted and so I think delta’s answer in this case is to use trusted servers, also because the metadata is in plain text only for recipient, receiver and mail server.
  3. He talks about the bad practice of email archiving
    this statement makes little sense to me. Client side precisely depends on the client and the medium has absolutely nothing to do with it, server side I think email is inherently more secure than any signal/whatsapp/telegram… since you can choose the server.
  4. then he talks about messages disappearing and end to end encryption
    deltachat again has no such problems, and indeed by being able to choose the server you can even make sure your messages are deleted there as well
  5. then he talks about limited-life keys and publishing keys on public registries
    and that’s another thing I think you can do in deltachat (I think one way at least is to change your address), anyway that wouldn’t be a bad idea
  6. at the end he ends by saying that a system built on email would still not be as secure as on signal.
    and I don’t think any centralized system is secure unless you have access to the server, this makes me think he is biased
2

I have a whole list of PGP rants (and, well, an academic article), as old as 2014 (actually not bad, the blog post from Matthew Green, it mostly talks about key distribution practices) and as new as late 2024 still saying PGP uses 64-bit CAST5 for symmetric encryption.

What’s the matter with PGP?, 2014-08-13

GPG And Me, 2015-02-24

Cops hate encryption but the NSA loves it when you use PGP, 2016-01-17

I’m giving up on PGP, 2016-12-06

Op-ed: I’m throwing in the towel on PGP, and I work in security, 2016-12-10

Response:
Op-ed: Why I’m not giving up on PGP, 2016-12-20

The PGP Problem, 2019-07-16

(probably the most wrong article about OpenPGP ever)
“PGP begs users to keep a practically-forever root key tied to their identity.”
then tells to use Signal which uses long-term identity keys too.
Most points are addressed in:
The PGP Problem: A Critique
https://articles.59.ca/doku.php?id=pgpfan:tpp

Stop Using Encrypted Email, 2020-02-19

Overview of PGP replacements, 2020-06-10

SoK: Why Johnny Can’t Fix PGP Standardization, 2020-08-16
https://dl.acm.org/doi/abs/10.1145/3407023.3407083

(RFC 9580: OpenPGP was published since then).

A useful, critical taxonomy of decentralization, beyond blockchains, 2022-05-12
https://pluralistic.net/2022/05/12/crypto-means-cryptography/#p2p-rides-again
(“PGP basically sucks”)

PGP is dead. What’s next?, 2022-12-10

(Skiff Mail died shortly after writing this article)

What To Use Instead of PGP, 2024-11-15

(says PGP is using CAST5, probably copy-pasted from “The PGP Problem”).

Bonus: PGP problems
https://saltpack.org/pgp-message-format-problems

3 Likes
3

Oh, what a nice list of rants you have.
I’ll try to have a look at it but actually I don’t think I’m going to understand much more about it, which was actually kind of the point of my question, to hear people more experienced than me disproving those claims :smiley:

Anyway, one thing that’s a bit peculiar I have to mention, at first I had tested deltachat a little bit with a firewall (opensnitch, I don’t remember if I had used wireshark as well) and I was very pleased with the fact that basically deltachat didn’t contact any addresses outside of the specified servers and that the connections were limited to what was necessary.
However one exception to this had come up, I think it was that a thunderbird server was being contacted (unfortunately I didn’t note it, I should retest).
I didn’t give it any weight because I guess it was something that was needed to get the configuration parameters of the mail server entered, however I am taking the opportunity to ask here, do you know anything about this?

However I might re-test it to be more precise, because this way I understand that the question is insignificant.

4

I mostly keep it so I can easily check if this is something I have not seen before. Many of them are a mix of actually true things about PGP and some rumors without references or some proof-of-concept which are outdated or were not true in the first place, so if you cannot verify them it’s usually not worth reading.

It is https://autoconfig.thunderbird.net/ as described in draft-bucksch-autoconfig-04 - Mail Autoconfig
This URL is going to be replaced with https://v1.ispdb.net/ according to draft-ietf-mailmaint-autoconfig-00 - Mail Autoconfig
It is contacted as a fallback if your server does not provide autoconfig XML and only during configuration, never later when you use Delta Chat.
Maybe we should take a snapshot of it and build it into the application.

1 Like
5

might make sense, especially because it is not very active anyway, so if we pull it in around every 3 months we should not be that far behind: Contributors to thunderbird/autoconfig · GitHub
(also it is not that much data, especially zipped, or when we only take the data that dc would actually use, but the latter could also very well be premature optimisation)

1 Like
6

I’m also fine with never updating it, it encourages email providers to not implement autoconfig.

2 Likes