1. 71
  1.  

  2. 28

    As much as I believe every single last person involved in cryptography yelling “use Signal”, it doesn’t fit everyone’s use case of a chat application.

    Signal has a hard requirement that you give them a mobile phone number to tie to an account and register from a smartphone. This number is also exposed to other contacts. As for the alternatives in the article, namely: Wire has monthly fees that may prove difficult to pay anonymously. WhatsApp is owned by Facebook; even if you consider this okay enough somehow, that still requires you to go through your smartphone, on which it requires a phone number for registration; not that you could install it on an OS that isn’t macOS or Windows anyway.

    People may suggest to “just get a burner SIM”. But that is not a reasonable option if your goal is to hide your real life identity: For example, in Greece and Spain, you must provide ID and formerly anonymous SIM cards were blocked see COM(2010) 253, p. 69. That’s a non-starter in these scenarios. Of course, you may still argue that people that need to go to such extents to hide are almost certainly criminals, terrorists or dissenters (none of which may be worth protecting depending on your morals), and you’d probably be right. Nonetheless, the increasing disappearance of an untied, non-real-life identity scenario is a worrying prospect to me.

      1. 5

        Read to the end of the article, where Signal clarifies that they don’t consider it a problem because the goal was never for Signal Desktop to provide at-rest encryption. (I will say however that I too have always wondered why they bothered using SQLCipher to begin with.) If you need that, use full-disk encryption. That will protect you much better.

        “But they should be aiming for at-rest encryption.” Let’s play this out:

        1. The only way Signal Desktop can accomplish this without some additional support from the platform*, AFAICT, is to require a decryption password that the user types in at startup. Already this breaks a lot of useful things: it breaks the ability for the app to autostart when the user logs in, and that means that if the user forgets to type in the password (and they will) notifications for new messages won’t work, silently. So already we’ve seriously broken the UX.
        2. The decryption password can’t even be secured properly. A malicious app on your system can just sniff the keystrokes. Or, it can just record the screen. AFAIK Windows and macOS don’t restrict these operations by default (maybe keylogging, but I’ve never gotten a prompt or anything for screen recording IIRC). Wayland on Linux is supposed to fix this but adoption is “in progress” at best on that front so that doesn’t do us any good.
        3. Let’s say that isn’t a problem. Maybe something changed since I used Windows or macOS and they’re better now. The password still isn’t secure. Your disk isn’t encrypted so the attacker can tamper with the Signal binary if they have physical access. Now Signal is malicious. Game over.
        4. But let’s say that the attacker doesn’t have physical access, and you’re sure all the apps on your system are trustworthy. Are you sure they don’t have a security vulnerability and won’t get compromised to sniff your Signal password?

        The list goes on. This can’t be mitigated at the app level because the platform is fundamentally not designed for this. Mobile devices isolate apps by default; you don’t routinely run processes that aren’t sandboxed. But on desktop, the opposite is true. There are valiant efforts to sandbox apps, like the Mac App Store requiring that all apps distributed through it enable sandboxing, and Flatpak on Linux. But those are still opt-in. Are you sure that everything on your system is sandboxed enough? To actually guarantee this, you need something like Qubes.

        Signal Desktop absolutely has problems… but I don’t think this is one.

        [*]: keyrings have this same problem. Usually they’re unlocked automatically on login, so any unsandboxed app running in the user’s session can just ask the keyring to give it the Signal password. At least AFAICT… I vaguely recall macOS having some sort of access control.

        1. 2

          The core premise of the article is completely mistaken. The database key was never intended to be a secret. At-rest encryption is not something that Signal Desktop is currently trying to provide or has ever claimed to provide. Full-disk encryption can be enabled at the OS level on most desktop platforms.

        2. 8

          I definitely agree that, when possible, people should avoid communication tools that require phone numbers and use something like XMPP with OMEMO instead.

          If you do need/want to use Signal or similar, there are phone number options that let you maintain anonymity. For example, https://jmp.chat/ gives you a Canadian or US number without requiring any identifying information (you can even signup over Tor). If you want to keep the number past 30 days, you can pay in Bitcoin Cash or Bitcoin, or use https://shapeshift.io/ to pay with other more anonymous cryptocurrencies.

          1. 8

            Yep. I use Signal extensively in my labor activism. This is an example of an activity which is entirely legal in the United States, but where I am putting people in danger simply by talking to them. I agree 100% with all your criticisms, and it’s quite unfortunate that there are many situations in which there isn’t a realistic alternative.

            1. 2

              Is there at least groundwork for such an alternative to Signal that doesn’t require a phone number? I’m in the same situation.

              1. 1

                The protocol is open, although it’s my understanding somebody would need to do a lot of implementation. I’d also suggest that future work should be based around expecting users to explicitly manage their keys, rather than trying to abstract that away.

                1. 2

                  I’d also suggest that future work should be based around expecting users to explicitly manage their keys

                  Why? To me this is the main selling point of Signal. And from my observations teaching PGP (long ago), key management is one of its biggest downfalls.

                  1. 1

                    Sure. It’s because the automatic management both introduces insecurities, and makes it so that good key-verification practices are more friction than sloppy practices.

                    The most significant insecurity is that anyone with control over your phone number can gain control of your account. A stolen SIM or a number-porting attack could both be used that way. They won’t see message history, but they’ll be able to impersonate you. The only defense against this is that there’s a small notice in each chat about the safety number being reset.

                    The point about safety numbers dovetails with my larger point about good practices being hard. When you’re scaling up a large organization, educating everybody about what the safety number means and how to verify it is a constant undertaking. Meanwhile, people are constantly replacing their devices, accidentally reinstalling the app, intentionally reinstalling the app, etc for a variety of reasons. It’s constant tedium, and if you just punt on doing the work, there’s a chance of an impersonation attack being successful.

                    What I would like is to put key management front and center, so that everybody gets the message that this is something they should be paying attention to and learning more about. I’m envisioning, for example, a first-start wizard that walks users through creating an offline key and using it to sign a per-device subkey, with alternatives also presented if they want to add a key some other way. Yes, it’s a lot of work which would slow down adoption immensely. Thus, I don’t realistically expect any for-profit entity to be the first to offer a product that works this way. Still, in my ideal world, it’s what I’d like to see.

                    1. 1

                      Hm. So if I can rephrase this position, basically you’re saying that good practices (i.e. verifying safety numbers) isn’t on a level playing field with unsafe practices, because it’s much easier to do the latter. And basically you want to level the playing field by making both take equal amounts of effort? Did I get that (somewhat) right?

                      1. 1

                        I think that’s right, yes. I know it’s in some ways a quixotic idea.

            2. 6

              I use Signal constantly, but this is a sound comment and still only covers maybe half the serious concerns I have with Signal.

              1. 2

                We are pseudonymous in Peergos (no phone number or even email required to sign up). At the moment we are focussed on storage and sharing, but we plan to implement a group chat/messaging solution using Messaging Layer Security once it stabilises.

              2. 23

                Assuming that the criticisms of PGPGPG here are valid, I am left unsatisfied by the proposed alternatives, which in every case are products (or at least, implementations) rather than being interoperable standards. According to this thing I can’t any longer have a single digital identity and must instead maintain identities/presences on Signal and on Wire and on Whatsapp and on FB Messenger (and presumably, on every other platform based on Signal protocol) and I also need to entrust my backups to tarsnap instead of using my own infra. I mean, not that PGP was (usefully) an interoperable standard either, but at least it didn’t make the fragmentation worse.

                This doesn’t seem to be the open internet we were promised. Also, where’s my flying car?

                1. 17

                  I do agree. The other solutions seem to make key-management an even bigger hassle and it is the one thing that PGP did solve: Identity verification for small independent groups of people, operating in an environment where having seen each other face 2 face is the only valid method of authentication.

                  I’ve exchanged PGP keys with some of my long-term friends I’ve known for more than a decade, some of those have moved abroad, some to downright hostile countries, and that means we only get to meet once of twice a year, but we are still in contact through messengers like Signal.

                  I’ve noticed that Signal has broken down multiple times over that time-period due to various reasons. Examples include, phones breaking, phone numbers changing due to different operators and operators from different countries.

                  As of yet, the PGP-keys and the small “web of trust” we’ve built with about 10 people, still holds up, while other solutions have broken down multiple times. Ironically PGP is the tool we get out to validate each other’s identity (like a Signal security number) when everything else fails. It’s not our day-to-day communications tool, but it is perfect for setting up some other secure channel in a scenario like this.

                  Also, where’s my flying car?

                  Are you willing to settle for a Zapata Flyboard Air?

                  1. 14

                    Don’t fret. Identity management is solved by yet another product! Keybase :-p

                    1. 11

                      Happy to see someone also noticing this problem. Alternatives posted here while technically good are “just” implementations not standards and in some cases it’s impossible to rewrite them under a different license. What if funding disappears and Signal will struggle? What if Colin gets hit by the bus and tarsnaps stops working?

                      The entire post reminds me of the “rewrite in Rust” meme (full disclosure: I like Rust :) ).

                      1. 6

                        I’m not a crypto expert, but I’m old enough to know by experience that “One-Size Fits All” is a deceitful pipe dream in practically every field I’ve encountered it. Why should crypto be different?

                        Also, it feels like your argument about maintaining identities on Signal + Wire + WhatsApp and FB Messenger is a straw man. If you don’t need to maintain all those accounts now, why would you suddenly need all of them to replace PGP? (Or is the group you communicate over PGP with really so technologically fragmented that you would need an account on each of those systems to keep in touch with everyone? How do you currently communicate with people who don’t use PGP?)

                        1. 8

                          Again: I’m happy with the claim that different problems (backups vs messaging vs file transfer vs …) require different solutions, but I’m less happy with the idea that the solution to each of these problems is to buy into a platform

                          1. 5

                            I’m less happy with the idea that the solution to each of these problems is to buy into a platform

                            I don’t think that’s true. The places where you’re told to buy into a platform are messaging and backups.

                            Messaging you have to buy into a platform anyway because of network effects (even if you’re buying into a federated platform, you have to choose your federated protocol).

                            For backups, most people want a backup service, where you are always buying into some platform. If you’re making file (not disk image) backups, and you’re storing them yourself, you fall into the narrow but well-identified gap mentioned at the end of the article.

                        2. 3

                          Isn’t what you’re saying just a restatement of the article’s take that PGP tries to solve too many unrelated problems?

                          1. 7

                            Not what I’m trying to say (it may have been how it came out, in which case I wasn’t clear). I’m happy with the claim that different problems (backups vs messaging vs file transfer vs …) require different solutions, but I’m less happy with the idea that the solution to each of these problems is to buy into a platform (or in the messaging case, buy into a bunch of platforms that don’t interoperate), and there isn’t an actual open standard that I can choose my own implementation of.

                            1. 5

                              For messaging, the open standard is the OMEMO extension to XMPP. You have the problem of getting people to use XMPP, but with Conversations on Android it’s not that bad; you could probably talk a lawyer through it without smelling burning toast (as the article says about Signal). Not all XMPP chat applications support it, but by now there’s at least one good one for every platform that does, I believe.

                              1. 7

                                For messaging, the open standard is the OMEMO extension to XMPP.

                                Sadly this “open standard” is tightly coupled with libsignal and even re-implementing libsignal wouldn’t let people use permissive licenses. That’s my problem with Signal, it’s open-source but with “strings attached”.

                                (full disclosure: I use OMEMO daily and the experience has been great including multi-user chats).

                                1. 4

                                  I hope we are able to get OMEMO into a shape where it depends on the open specifcations from https://signal.org/docs/ instead of telling implementors to “do whatever libsignal does”. This would require a non-backwards compatible OMEMO protocol update though.

                          2. 3

                            Back when I was a kid, I hated the idea of eg. having a separate PGP key for work, because I am the same person regardless.

                            People tried to talk me out of it, to explain that identities aren’t really people and applicable uses aren’t necessarily the same as identities.

                            Eventually I changed my position and life is easier now. Time to move on, with gratitude to the people who worked hard in the 90s and after.

                            1. 11

                              I want to have separate identities for work and each of my hobbies — but I want to have a work identity, not a work-email identity, a work-Go-signing identity, a work-Python-signing identity, a work-git-signing identity, a work-Slack identity, a work-password-encryption identity, a work-backup-encryption identity &c.

                              1. 2

                                You can use subkeys for this and have the main key signed by others, right?

                                1. 2

                                  That’s kinda my point, but feels like most people just use a “burner” key for work. The employment is expected to last a shorter time than your life, and no one cares in practice about subkeys.

                                  I suppose non-subkeys are generally weasier to distance yourself from in more cases than this.

                                  The autistic-ish part of my brain just wanted to model myself in a neat little package, but it really doesn’t matter.

                                  Now I just tell mutt to ignore everything pgp when I send mail because I’m not sure I remember the passphrase or have keys for anyone I email etc. It’s strange I never uninstalled the damned thing, instead got the muscle memory for ignoring :D

                              2. 2

                                Well, yes. The Signal developers said that they didn’t make an open protocol because they didn’t want to have to deal with backwards compatibility. This blog post says that backwards compatibility is at odds with security. That sounds like what you want and what the OP wants are in conflict.

                                1. 1

                                  My personal biggest painpoint is that it requires me to use different key schema for each of the solutions. I cannot have “one key to rule them all” but I need to generate new one for each of them. Why the hell I need the same key in N different encodings? Why I cannot share them between applications?

                                2. 12

                                  Pretty much every critic of PGP somewhere ends in “use Signal”. This one even goes as far as to demand not sending e-mail at all anymore. I want to emphasise that there are persons who are not compatible with instant messaging. Me, for example. I don’t want an instant messager for any serious discussion. I want an asynchronous medium. You can make your IMs as secure as you want, I won’t use them as they don’t fit my communication model. Not to mention legal requirements, where IM is just not possible.

                                  And, please! Get rid of your prejudice. Quote from the article:

                                  If you’d like empirical data of your own to back this up, here’s an experiment you can run: find an immigration lawyer and talk them through the process of getting Signal working on their phone. You probably don’t suddenly smell burning toast. Now try doing that with PGP.

                                  I am your PGP lawyer. Not actually there yet, but I’m a law student immediately before the final exam, and I am a happy PGP user. I’ve worked for a while at a data protection authority, and I’ve seen a number of lawyers using PGP. IT people are proud of being inclusive and not excluding anybody, but prejudice against jurists is always a good one, is it?

                                  1. 6

                                    Why is PGP not useful for file encryption? I would like to know because I am using zx2c4 pass, which relies on PGP for password file encryption using a public key and decryption using the corresponding private key.

                                    My thinking is the following: An attacker would need the private key and the key passphrase to get access to my passwords. I would argue that an attacker who has that level of access to my machine can not be stopped with encryption. Thus, PGP is as good as any other encryption method.

                                    Any thoughts on this?

                                    1. 6

                                      Someone stick a Windows installer on a Go or Rust implementation of Magic Wormhole right away; it’s too great for everyone not to have.

                                      I was actually working on this earlier. The naming gives a convenient way to explain it to people. (The software would be called “Wizard” - when you give the wizard the file, (s)he opens a magic wormhole and gives you the spell that another wizard can cast to open the same wormhole. You can’t close “Wizard” because otherwise the wormhole will close and the file can’t be sent.) That could lead to some cute animations and explainers :)

                                      I got stuck at choosing between wormhole or croc. They seem super similar but I haven’t spent the time determining which is better.

                                      1. 5

                                        I can’t believe we still don’t have signify built right into Git…

                                        1. 4

                                          Comparing PGP to something like Signal is an apples to oranges comparrisson. If you’re using Signal then you’re basically trusting Moxie’s server. No trust of any particular server is required for PGP and nor do you need to give out your phone number. It’s not that PGP isn’t without numerous problems (hence its lack of adoption) but it’s designed for a different sort of use.

                                          1. 2

                                            How does one use PGP without trusting the keyservers?

                                            (And don’t they permit anyone to upload a key for anyone else’s address, BTW?)

                                            1. 3

                                              You exchange keys personally, or over the phone, or via keybase.io.

                                              1. 1

                                                So do people actually do this? Do you know any PGP users who don’t use the keyservers? (And what’s keybase.io? Why doesn’t it involve trust?)

                                                1. 2

                                                  I have used PGP without keyservers In the past, though I don’t have an active PGP use case right now. In most of my usage, all the potential recipients were local and members of the same organization, so we just exchanged keys in person.

                                                  PGP was mostly used for signatures (“I attest that I produced and/or verified this file”) and not for encryption.

                                                  1. 1

                                                    I don’t know any PGP users.

                                                    The keyservers have had major issues since a decade, owing to the fact that it’s an open append-only database, and the latest version of GPG won’t read signatures on keys from keyservers.

                                                    Here’s my keybase.io entry: https://keybase.io/gerikson - you can see I have cryptographically signed multiple social media accounts, so you can be fairly sure I am who I say I am. If you want to exchange keys, you can either use the public key on that page, or DM me via a social media account and offer yours. Keybase provides identity in this case. You don’t really have to trust the PGP key on that page if you feel nervous.

                                            2. 3

                                              I wonder if PGP is salvageable.

                                              SSL and CA PKI used to be pretty bad. Eventually the spec was cleaned up, CT logs and CAA were added, CA/B forum has shown teeth, some CAs were booted, Let’s Encrypt happened, and clients were forced to upgrade. It’s still not perfect, but it’s not ’90s crypto any more.

                                              1. 3

                                                I don’t really agree that the problems have been solved for SSL and CA PKI. The only thing that has happened for the CA infrastructure, is that everything has been centralized now, while PGP stays decentralized.

                                                TLS requires X.509 certificates, which still use ASN.1, which is very much 80s technology. The handling of certificates or the actual encrypted stream is typically done by a library (god forbid you write your own) and those have to be backwards compatible because so many applications use them. OpenSSL is a popular library, and it’s really difficult to work with. Alternatives (such as GnuTLS) seem not to get so much traction. OpenSSL really feels like 90s technology to me.

                                                CT logs and CAA are simply layers on existing infra, adding small amounts of security, at the cost of adding complexity to an already complex system. If I check CT logs, I’m telling Google about the websites I visit (leaking metadata). If I trust CAA, I’m trusting various governments and companies in less-than-ideal political climates to abide by CAA.

                                                CA/B forum and the Mozilla CA Certificate Store are a centralized Web of Trust. Mozilla simply gives you a list of CAs that you should trust. If you were to implement something like this for PGP, simply provide a list of key IDs that your users should set to “Ultimate” trust.

                                                Let’s Encrypt is just one CA, which now functions as the central gate-keeper to publishing your website to the internet. What would happen if lobste.rs suddenly couldn’t get a new certificate from Let’s Encrypt?

                                                1. 3

                                                  What would happen if lobste.rs suddenly couldn’t get a new certificate from Let’s Encrypt?

                                                  They always can use different CA, there is bunch of them, maybe not so convenient, but there are other solutions possible. The problem with PGP is that it is really hard to upgrade to newer versions and deprecate old, pretty much in contrast to TLS which is being updated and removes parts that didn’t worked out.

                                                  TLS requires X.509 certificates, which still use ASN.1, which is very much 80s technology.

                                                  Pretty good technology. Yes it have gain bloat over years, but it is still pretty good idea and it’s concept is repeated by other technologies like ProtoBuffers or C’n’P. TBH I think that there should be initiative to provide ASN.2 which would remove the bloat while keeping good parts of the ASN.1.

                                                  1. 1

                                                    They always can use different CA, there is bunch of them, maybe not so convenient, but there are other solutions possible

                                                    I find most CAs I’ve worked with convenient enough, however only few of them are as free as in beer. Paid certificates typically don’t come cheap. If Let’s Encrypt suddenly were to reject you service, you’d be forced to choose between dropping HTTPS in favor of good ol’ HTTP, or taking out your wallet.

                                                    I think that there should be initiative to provide ASN.2 which would remove the bloat while keeping good parts of the ASN.1.

                                                    I think that the same thing can be said about PGP. Both are good enough for their job, but both of them are from the 80s-90s and have become bulky over the years, with different methods of accomplishing the same thing. In both cases, it would be an improvement to make a new version that basically does the same things as the old version, but does away with obscure and largely unused features.

                                                  2. 2

                                                    That’s an expansion of what I meant by “not perfect”. ASN is horrible, but doesn’t really impact day-to-day usage.

                                                    But TLS went from a buggy soup of MD5, RC4 and padding oracles to modern ciphers with forward secrecy. It went from tech almost no sites used (do you remember Gmail was over HTTP?) to 80% world-wide deployment.

                                                    So in the same vain, if PGP could switch people from GnuPG to Sequoia, drop the cruftiest hacks and force people to re-generate their keys and re-encrypt their data with this millennium’s crypto, then maybe PGP wouldn’t be so terrible?

                                                    1. 1

                                                      Sequoia

                                                      Do you have a link for that? All I found was the car and the music program

                                                      1. 1

                                                        https://sequoia-pgp.org

                                                        An implementation of PGP in Rust, which also drops some of the oldest cruft.

                                                2. 4

                                                  So, majority of this is UX problem or not end user problem as far as I can see it. There is nothing there that states that PGP is insecure. Furthermore, I would rather use something that exists since Mc Hammer then something that came upon with Justin Bieber.

                                                  PGP email argument is ludicrous - you can record anything that you can read or listen and send to others unencrypted , there is no need to have forward button.

                                                  Not to mention that Signal has seriously fucked up UX, regardless its perfect security and is basically unusable. All engineers that I communicated with stopped using it at some point because of bugs, slow or non-received messages, massive boot time (on desktop you can easily wait tens of minutes to startup up) etc. And we all wanted to like it…

                                                  Big meh from me.

                                                  1. 5

                                                    This is why people are saying PGP is a cultural problem.

                                                    Over the last few years quite a few people in infosec/cryptography wrote detailed explanations why PGP shouldn’t be relied upon and at the end of the day there are always replies like this that state it’s a “UX” problem or nothing to see.

                                                    Ultimately it’s some cultural attachment to PGP or the ethos or its ecosystem. It’s completely orthogonal to what a reasonable security-minded person would start from: a threat model and seeing how different needs are met by given groups of users. Instead of that we’re getting emotional attachment on par with cryptocurrency fans.

                                                    1. 6

                                                      You are overreaching. I couldn’t care less about PGP. The main problem is that there are no good alternatives. Comments like this actually show lack of certain group of people to accept that and try harder to replace PGP, not marking other group as emo nostalgie one.

                                                    2. 3

                                                      I have only a few more people I know who agreed to use Signal than I know that would use GPG. The voice calls still screw up enough that I have to just call them. The texts seem to work fine. That’s all we do with it.

                                                      1. 2

                                                        I used Signal with bunch of people. Almost none of them uses it anymore.

                                                        1. 2

                                                          What do they use now?

                                                          1. 3

                                                            No single stuff - some utilize protonmail, some keybase, others viber and whatsup.

                                                          2. 1

                                                            Your experience may have been part of the hype cycle that came from it getting media attention. I just see someone pop on there occasionally through its contacts system. Maybe once a year. I don’t know how much they use it or for how long. Definitely not growing a lot in my area.

                                                        2. 2

                                                          I use Signal with a couple of people (who’d never use PGP). So far it has been as reliable as WhatsApp, which was what we used previously. Neither are perfect in terms of notification delivery. I haven’t seem any issues with boot time on Windows or Android.

                                                          1. 2

                                                            Just couple out of my head. Feel free to dive in

                                                            As of notifications, me and my team had regular delays on Signal messages - messages not received until Signal is opened (with everything working as it should months before), messages never arriving and messages arriving with some dummy miranda encryption warning instead of text (spam), thousands of messages arriving in a tempo 1/s and so on.

                                                            Its just horrible, it might even be a fubar based on github discussions.

                                                            I even had a quarrel with my wife several times when I didn’t receive very important messages from her. I am in the privacy-all-the-time camp and tried hard to convince her that using Signal is right, but later that backfired a lot.

                                                            1. 2

                                                              You didn’t give information about your phone. Would that be a Samsung, by any chance?

                                                              1. 1

                                                                Samsung and Huawei

                                                              2. 1

                                                                The desktop app is, in my opinion, extremely buggy and slow. If you use signal, I recommend you stick to using the mobile app.

                                                                1. 1

                                                                  It was working fine when it was Chrome extension.

                                                                  Mobile app exclusive use is not practical - most devs are on the laptop constantly and are way slower to respond using the phone.

                                                            2. 1

                                                              The Signal desktop app (electron based) is hot trash for sure. I would only recommend the mobile apps to anyone interested in Signal — certainly a “mobile first” ecosystem.

                                                              1. 1

                                                                That will solve only some problems. The app as a whole is simply not ready for serious usage.

                                                            3. 4

                                                              The author gives no alternative to the web of trust or their arguments against it do not hold up during scrutiny.

                                                              Long term identities could be built on rotating keys. Yes, this is one of the many areas where PGP lacks (with its identity key rotation not being user friendly). This is also where Signal lacks (binding long term identity to the phone number only instead of allowing chaining of keys).

                                                              None of this identity goop works. Not the key signing web of trust […]

                                                              Yet they give no details in which way it doesn’t work. For finding the key of someone you haven’t met, the web of trust idea improves security over trust on first use. Man in the middle attacks work for trust on first use, but don’t on web of trust.

                                                              Experts don’t trust keys they haven’t exchanged personally. Everyone else relies on centralized authorities to distribute keys.

                                                              They just mentioned web of trust in the same paragraph… What do they think of people who do use the web of trust?

                                                              Yes the usability and privacy of web of trust can be improved. See e.g. https://claimchain.github.io/ . Getting introduced to other people is something many people do in real life and did before the Internet existed.

                                                              1. 12

                                                                At this time, it’s up to the proponents of web-of-trust to prove that it’s a workable concept, and not a theoretical construct that doesn’t work in today’s world.

                                                                The recent brouhaha over keyservers shows that the infrastructure at least is sorely lacking.

                                                                1. 3

                                                                  At this time, it’s up to the proponents of web-of-trust to prove that it’s a workable concept, and not a theoretical construct that doesn’t work in today’s world.

                                                                  I personally believe it is a better option than centralized services (remember StartSSL ?) if you use TLS client certificates – see weird CAcert – or OpenSSH keys – see Monkeysphere.

                                                                  1. 3

                                                                    At this time, it’s up to the proponents of web-of-trust to prove that it’s a workable concept, and not a theoretical construct that doesn’t work in today’s world.

                                                                    Some open-source projects use Web of Trust, for example Arch Linux or kernel.org. IIRC Debian also requires their developers to have “strongly connected” keys.

                                                                2. 2

                                                                  “Use Signal.”

                                                                  I have met more than one woman who wasn’t a fan of this advice.

                                                                  “The GnuPG community, which mishandled the Efail disclosure”

                                                                  That’s a funny way of spelling “The EFF,”.