Re: [tor-talk] PGP fiddly-diddly - action required

2018-05-26 Thread Jacki M
No, PGP is not broken, not even with the Efail vulnerabilities

https://protonmail.com/blog/pgp-vulnerability-efail/ 


> On May 16, 2018, at 4:51 AM, Sydney wrote:
> 
> 
>> On 16 May 2018, at 9:42 pm, Lara wrote:
>> 
>> On Wed, 16 May 2018, at 11:31, Sydney wrote:
>>> 
>>> encrypted email.”
>>> 
>>> This could easily be interpreted — especially by someone that doesn’t
>>> natively speak English — that PGP is not safe.
>> 
>> Hence the corollary: if you are not a native speaker wait for a
>> translation.
>> 
>>> This is how I initially read the article.
>> 
>> Stop reading PGP email means "everyone would be able to read ALL my
>> email". A problem it is, but language is not.
> 
> It’s effectively a security alert; it warrants caution. I’m a native speaker 
> and read it the same way. 
> 
> You need to pull your head in.
> -- 
> tor-talk mailing list - tor-talk@lists.torproject.org
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk



Re: [tor-talk] PGP fiddly-diddly - action required

2018-05-16 Thread Sydney

> On 16 May 2018, at 9:42 pm, Lara wrote:
> 
> On Wed, 16 May 2018, at 11:31, Sydney wrote:
>> 
>> encrypted email.”
>> 
>> This could easily be interpreted — especially by someone that doesn’t
>> natively speak English — that PGP is not safe.
> 
> Hence the corollary: if you are not a native speaker wait for a
> translation.
> 
>> This is how I initially read the article.
> 
> Stop reading PGP email means "everyone would be able to read ALL my
> email". A problem it is, but language is not.

It’s effectively a security alert; it warrants caution. I’m a native speaker 
and read it the same way. 

You need to pull your head in.


Re: [tor-talk] PGP fiddly-diddly - action required

2018-05-16 Thread Lara
On Wed, 16 May 2018, at 11:31, Sydney wrote:
> >> So now everyone would be able to read all of my emails.
> > I doubt even EFF would have written such a thing.
> The EFF website still has the following, which you actively chose
> to ignore:
>
> “...and temporarily stop sending and especially reading PGP-
> encrypted email.”
>
> This could easily be interpreted — especially by someone that doesn’t
> natively speak English — that PGP is not safe.

Hence the corollary: if you are not a native speaker wait for a
translation.

> This is how I initially read the article.

Stop reading PGP email means "everyone would be able to read ALL my
email". A problem it is, but language is not.


Re: [tor-talk] PGP fiddly-diddly - action required

2018-05-16 Thread Sydney

> On 16 May 2018, at 6:34 pm, Lara wrote:
> 
>> So now everyone would be able to read all of my emails.
> 
> I doubt even EFF would have written such a thing.
>> 

The EFF website still has the following, which you actively chose to ignore:

“...and temporarily stop sending and especially reading PGP-encrypted email.”

This could easily be interpreted — especially by someone that doesn’t natively 
speak English — that PGP is not safe.

This is how I initially read the article.

I agree with ProtonMail when they said: “We agree that the @EFF warning is 
overblown and disproportionate... we think that stories claiming "PGP is 
vulnerable" are inaccurate.” 
(https://www.reddit.com/r/ProtonMail/comments/8jabm6/pgp_is_broken/)

Sydney.



Re: [tor-talk] PGP fiddly-diddly - action required

2018-05-16 Thread Lara
On Wed, 16 May 2018, at 00:37, panoramix.druida wrote:
> > https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now

The problem with quoting links is that the source can ALWAYS change the
text to fit the latest developments. So you should link as a reference
to the context, but do QUOTE the parts that disturb you.

> So if I have PGP to protect my email, their solution is to stop using
> PGP because someone could read my encrypted mails.

The current page says:

+ Our advice, which mirrors that of the researchers, is to immediately
+ disable and/or uninstall tools that automatically decrypt PGP-
+ encrypted email.

Notice the words automatically and decrypt, besides the immediately that
unsettled you.

> So now everyone would be able to read all of my emails.

I doubt even EFF would have written such a thing.

> Wouldn't it be better to ask people to disable HTML on email and to
> upgrade their email clients to stay protected?

Only TorBirdy and other email related projects do say that.

And there is no upgrade so asking users to upgrade would have been only
a hysterical reaction.

> I know PGP is not perfect, but it is the best we have for email.

The best you know. And there is no "we". Different needs,
different tools.

> I know email is not perfect but it is more or less decentralized.

More, less, the same. Emotion and zero information.

> Why should we stop using email in favor of something such as Signal
> (recommendation from EFF article) that is centralized and we should
> trust the guys running the server are good guys?

In its current form, it says nothing about "stop using" anything but
software that automatically decrypts PGP. Anyway it is called trying to
give a solution. And as far as I know Signal has a much better security
history than the email client addons.

> I understand that Signal has great security features like forward
> secrecy that PGP doesn't. I know it is open source, but you are forbidden
> to install it from free repositories such as Fdroid.

Nobody forbids anyone from installing anything from Fdroid. That IS
EXACTLY the point of Fdroid.

> Also you can not use Signal if you don't have a phone number. How
> great is that for anonymity. In the country where I am living you can
> not activate a mobile phone number without your national id.

In many countries you can't do that. So the responsibility should be
ENTIRELY with you. People from other countries give you FDroid,
Android, Internet, websites, and so on. It is up to you to either
change that reality or vote with your feet if you are too weak,
incompetent, and so on.

Cheers


Re: [tor-talk] PGP fiddly-diddly - action required

2018-05-15 Thread Sangy
I feel you, Druida.

Sadly, the EFF is now full of ws and Silicon Valley technocrats
that can't see beyond California. I find it chuckle-worthy that every
single one of the authors pleading for moving past pgp only list their
pgp keys in the staff pages[1][2][3]*. On the signal side, it only takes
less access than the EFail attack and an IMSI catcher for the govt to
whack you, physically.

Stay safe.
-S

* And all encoded differently, oh my! Imagine, they still think that gpg
  defaults to SHA1 for signing. 

[1] https://www.eff.org/about/staff/william-budington
[2] https://www.eff.org/about/staff/david-grant
[3] https://www.eff.org/about/staff/soraya-okuda

On Tue, May 15, 2018 at 08:37:19PM -0400, panoramix.druida wrote:
> ‐‐‐ Original Message ‐‐‐
> 
> On May 15, 2018 3:01 AM, I wrote:
> 
> > https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now
> 
> I respect the EFF for all of its work, but I don't understand this one. So if 
> I have PGP to protect my email, their solution is to stop using PGP because 
> someone could read my encrypted mails. So now everyone would be able to read 
> all of my emails. Wouldn't it be better to ask people to disable HTML on email 
> and to upgrade their email clients to stay protected?
> 
> I know PGP is not perfect, but it is the best we have for email. I know email 
> is not perfect but it is more or less decentralized. Why should we stop using 
> email in favor of something such as Signal (recommendation from EFF article) 
> that is centralized and we should trust the guys running the server are good 
> guys? I understand that Signal has great security features like forward 
> secrecy that PGP doesn't. I know it is open source, but you are forbidden to 
> install it from free repositories such as Fdroid.
> 
> Also you can not use Signal if you don't have a phone number. How great is 
> that for anonymity. In the country where I am living you can not activate a 
> mobile phone number without your national id. 
> 
> I am writing this email from Protonmail which I only connect from Tor. I don't 
> really trust Protonmail, but I can be anonymous to them thanks to Tor. 
> 
> Is Signal the replacement to email? I do like the way the Signal protocol 
> negotiates offline the keys and that each message is encrypted with a 
> different key. That idea of encryption for asynchronous communication can 
> actually be a good replacement for email, but in a distributed network.


Re: [tor-talk] PGP fiddly-diddly - action required

2018-05-15 Thread panoramix.druida
‐‐‐ Original Message ‐‐‐

On May 15, 2018 3:01 AM, I wrote:

> https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now

I respect the EFF for all of its work, but I don't understand this one. So if I 
have PGP to protect my email, their solution is to stop using PGP because 
someone could read my encrypted mails. So now everyone would be able to read 
all of my emails. Wouldn't it be better to ask people to disable HTML on email 
and to upgrade their email clients to stay protected?

I know PGP is not perfect, but it is the best we have for email. I know email 
is not perfect but it is more or less decentralized. Why should we stop using 
email in favor of something such as Signal (recommendation from EFF article) 
that is centralized and we should trust the guys running the server are good 
guys? I understand that Signal has great security features like forward 
secrecy that PGP doesn't. I know it is open source, but you are forbidden to 
install it from free repositories such as Fdroid.

Also you can not use Signal if you don't have a phone number. How great is that 
for anonymity. In the country where I am living you can not activate a mobile 
phone number without your national id. 

I am writing this email from Protonmail which I only connect from Tor. I don't 
really trust Protonmail, but I can be anonymous to them thanks to Tor. 

Is Signal the replacement to email? I do like the way the Signal protocol 
negotiates offline the keys and that each message is encrypted with a different 
key. That idea of encryption for asynchronous communication can actually be a 
good replacement for email, but in a distributed network.