[Users] secure email providers

Slavko linux at slavino.sk
Sat Apr 2 09:44:22 UTC 2022


On 2 April 2022 7:58:51 UTC, user Paul <paul at claws-mail.org>
wrote:
>On Sat, 02 Apr 2022 05:41:22 +0000
>Bob Williams <usenet at karmasailing.uk> wrote: 
>
>> I think they use PGP/GPG under the bonnet (or hood).
>
>But without your own keys, that's not so secure

Sure, you are right.

People often think that encryption itself is enough, but any
encryption is only as secure as the key used. And managing a key in
a secure way is not as simple as most people want.

The key is secure only when it is accessible by one authorized person
only; if there is more than one authorized person, problems can
happen. In many OSs only hardware key storage can ensure this
(Windows & Macs are known to upload your files to central storage,
and it doesn't matter how they name it -- telemetry, backup, ...).
But Linux, *BSD, ..., can be compromised too, of course ;-)

The HW key teaches us how to use a key on different devices -- you
simply cannot use it on multiple devices at once ;-) If you really want
this, you need multiple HW keys (which can contain the same key data,
but...)

I didn't use a HW key; I rely on password protection, and on secondary
devices I use separate keys (eventually subkeys for decrypting system
messages/alerts)... Yes, some messages I cannot see on all devices, but
I consider it the security price, as nothing comes without a price.

Key management is IMO the main reason why OpenPGP or S/MIME are not
widely used. No, not because it is hard, but because nobody can use a
key with webmail in a secure way. Yes, I am aware of some JavaScript
implementation, but I will not call it secure by any means. Thus the
problem is not key management itself, but webmail, which is used by
most people nowadays (and clients which do not support encryption at
all).

If someone delegates their key to a third party in any way, it can be
convenient, but this already opens a path for that key to be used by
any (many) unauthorised entities, which I consider even worse than not
encrypting at all, as it provides a false feeling of security.

Managing and using OpenPGP is not hard, nor inconvenient; it simply
requires doing some extra step(s), and it can be (relatively) hard for
people not focused on security to understand why they are needed. But I
was able to teach multiple (totally non-IT) people to use OpenPGP, once
they understood what privacy in the network is.

regards


-- 
Slavko
https://www.slavino.sk
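The "separate keys/subkeys on secondary devices" approach from the post above, as an added example that is not part of the mailing-list thread or of Claws Mail: the primary OpenPGP key stays on the main machine, and a secondary device receives only an encryption subkey, so compromise of that device does not hand over the certification key. It assumes GnuPG 2.1 or newer on the PATH; the identity and passphrase are constructed placeholders, and everything is done in throwaway keyrings under a temporary directory.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): keep the OpenPGP primary
# key on one machine and hand a secondary device only an encryption subkey.
# Assumes GnuPG 2.1+; the user ID and passphrase below are constructed.
set -eu

# Creates a certification-only primary key plus a separate encryption subkey
# in a throwaway keyring, exports only the subkey's secret material, imports
# that into a second empty keyring (the "secondary device") and verifies that
# the primary secret key arrived only as a stub. Prints the export path;
# the return status is 0 when the check passes.
make_device_subkey() {
    work=$(mktemp -d)
    export GNUPGHOME="$work/main"            # main machine's keyring
    mkdir -p "$GNUPGHOME"; chmod 700 "$GNUPGHOME"
    uid='Example User <user@example.invalid>'   # constructed identity
    pw='example-passphrase'                     # constructed passphrase

    # 1. Certification-only primary key (never leaves the main machine).
    gpg --batch --pinentry-mode loopback --passphrase "$pw" \
        --quick-generate-key "$uid" ed25519 cert 1y >/dev/null 2>&1
    fpr=$(gpg --batch --with-colons --list-keys \
          | awk -F: '/^fpr/{print $10; exit}')

    # 2. Encryption subkey that will be handed to the secondary device.
    gpg --batch --pinentry-mode loopback --passphrase "$pw" \
        --quick-add-key "$fpr" cv25519 encr 1y >/dev/null 2>&1

    # 3. Export secret subkeys only; the primary's secret part becomes a stub.
    out="$work/device.subkeys.gpg"
    gpg --batch --pinentry-mode loopback --passphrase "$pw" \
        --export-secret-subkeys "$fpr" > "$out"

    # 4. Import on a second, empty keyring standing in for the other device.
    export GNUPGHOME="$work/device"
    mkdir -p "$GNUPGHOME"; chmod 700 "$GNUPGHOME"
    gpg --batch --pinentry-mode loopback --passphrase "$pw" \
        --import "$out" >/dev/null 2>&1

    # In --with-colons output, field 15 of a 'sec' record is '#' when the
    # secret primary key is only a stub; 'ssb' records are the subkeys.
    primary=$(gpg --batch --with-colons --list-secret-keys \
              | awk -F: '/^sec/{print $15; exit}')
    nsub=$(gpg --batch --with-colons --list-secret-keys \
           | grep -c '^ssb' || true)

    # Stop the agents started for both throwaway homes.
    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    export GNUPGHOME="$work/main"
    gpgconf --kill gpg-agent >/dev/null 2>&1 || true

    echo "$out"
    [ "$primary" = "#" ] && [ "$nsub" = "1" ]
}
```

Run `make_device_subkey` and copy the printed file to the secondary device; `gpg --list-secret-keys` there shows `sec#` for the primary, meaning that device can decrypt mail but cannot certify other keys or add subkeys, which is exactly the limitation the post accepts as the price.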