There was a bug in an OpenPGP library which finally gave us an excuse to tear encrypted email via PGP to shreds. Our special guest William Woodruff joined us to help explain the vuln and indulge our gnashing of teeth on why email was never meant to be encrypted and how other modern tools do the job much, much better.
Watch on YouTube: https://www.youtube.com/watch?v=IoL3LfIozJo
Links:
- William Woodruff: https://yossarian.net/
- https://www.latacora.com/blog/2020/02/19/stop-using-encrypted/
- https://www.rfc-editor.org/rfc/rfc4880
- https://codeanlabs.com/blog/research/cve-2025-47934-spoofing-openpgp-js-signatures/
- https://www.mailpile.is/blog/2014-10-07_Some_Thoughts_on_GnuPG.html
- https://www.rfc-editor.org/rfc/rfc9580.html
- https://www.tumblr.com/accidentallyquadratic
- https://www.w3.org/TR/xmldsig-core/
- https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP
- https://www.rfc-editor.org/rfc/rfc9580.html#name-signature-packet-type-id-2
- https://www.rfc-editor.org/rfc/rfc9580.html#name-key-derivation-function
- https://en.wikipedia.org/wiki/S/MIME
- https://delta.chat/en/
- https://signal.org/blog/the-ecosystem-is-moving/
- https://phakeobj.netlify.app/posts/gigacage/
- https://x.com/dakami
-----BEGIN PGP MESSAGE-----
U2FsdGVkX1/OF+EynrukxZnSAXwgksTGSIkQ6s4X9Ns7JgQ2ZymeQAp8uD09MtkJ
ce5HOKcjhUkZOMbJl3I5iOcPgSxCGG8KccNXcY6msdAD3pdlmR5cWJpn6+qGwqvo
KCsj+DYwFW6tltLBXP/cdnh9z8ktRXqfwQW+uhB5Zcaw28pzmNz/rA0cb0cLGiaX
uxp9A0iWhwf2gFpUSiIJyXGLJAc8eeI1LXfISXi7IkowDMp4x+iDbOlrR0d6zCkp
IKpNGReokcWhUrlGVONiVUrApZS2fvxQoHgaIvwLl5FM1WdrbQIV41DB+rgtZJhE
NSgMkhQ0y1bBAOM25ykRjC/UUS/q0ddXz1ThGi6vRIp4/8vkqOsEXHv5M1oT9FQT
UGK3zyffq0FqGBFj6kwVZ0X0JQFmtydZKhSYEPE9s4mcfvxKNQsySK7wlxMerKrf
f9ZxOR7rHjE3IfqtoizX8EH+MYy2lRCoCKeLbZd0G1LcVhBhRpoXfqL2IboAWqT+
U8R2eyts7qiNuWQUtmCzKNmaJMS+1M+pVN5ZXAdSqK2OJVJZgO8Ie7q4HVZeAd3G
HzP7owf+VerCguOYN41cxGle1QpeFi0xcYHNna1bgbodFZ8eGDOq5yCuvmQa04Xy
J4vRv7xcp/v16CniL1rN6KhnzdW2gLky8depnYyhm8NvdMFETA6K6eIYm1roD+C2
wwOOKRxUpTI54ov+HYDDU+HUmpFykSesHQJ75o9m0w7V2kR/+E46olFMhHo8JWnL
NsGd5QlD/fyedMXHAjimXuFk/YFnwa1lh4XwSwYm+c8ZnIfrS6oEEdUSwXMCwwVT
7/tMw+ab0YRsx19hBLS41oxMz+DCah+/KDMEHv0I+VxaCH8ZfaKD4tRhduSvcWkn
Nat3Xp8/MAmO5xN1U8s1dFvrlnt+yqDz7Wn0kVDiax2dTJVgftetqOkoSVvGdMex
9K0ILUUMEpHYBISIaAc7NjoG4BieSeK7wuzBXdhHutVZVKp2ty+mAd8xPlrmemsX
lzBhV/kcmF4rcG4eqoWcKpZQY8ZUDufwhIcNqIZEA+wQoKbmBQCR/NradwUrCAIs
AQFMVhSYmr7ffA6Ty0twSWeVMDQmxdW+6gKA3EiTAJkFXPpdkhBUzuZHC7Eeph7D
F0Ks8Vu/wzOhNsd2s2wYYF6Dl3xctcOj7eMw8VS1HtExszulM57TnqTDaLGPcX6o
m8NORwMEtQrCbJd/fdmoNPN/cXzLPHQj3qVZ0F50iNec6zSnmBLIRX4SAYOqzN/2
icvr98Caa1oX3pUlm9W2Hcz30SXJDxOf+mqH6zL4QTAMs3/K9OkaO9nmyPelwoCw
VI1q/PsMpqQhGikdM5hrzg6IcEOg5zpLB6N+wqkcGyXFzI2gSQTWYOv4thrIxPY5
G9yNi4dhU+2+KJCa6aoPyAlyc41Yd3ARTeahHEjtdj6PcueRPQdVm+qWCRp09bp3
oic7ljzMVrPRgdbRrzFyEAIhN9Fi4QZ08/yCLEt/BPG+N8j0cZixoj54SKi07uSO
WRDrzGvgSegGCCIFKjAsq9ay0sBm61XLcZqdtj57NpNzd/y/yFYvjEQLyyn8VnFA
RwOaM3zjrufNC+kYVkHCYzfvu+JopScZjMiuBXI9v8OTOXlj+Ai97bnftwmpQ263
5vyearRHCNATFNa96Sxd1cLjV+ECUlD4hAZQPyel8groXsyjKaMxoOkaZjG/5MDQ
8KPtes32kjTmneyLSzrUaAD0F4l/iltBXzDNiT6BHD7HJmERbdkoab7+DC1hxxC1
VuOHOX+G/U5NUNjxAercuFOY6kgAH5HM+woGjLUsoc5LESqyPdddeg==
-----END PGP MESSAGE-----
This rough transcript has not been edited and may have errors.
Thomas: Almost all PGP encrypted emails are— they’re encrypted because, you know, people feel cool encrypting it. They’re like play-acting. It’s like a, you know, nerf swords version of whatever it is they’re doing.
Hello, and welcome to Security Cryptography and Whatever. I’m your host, Tom, with:
Deirdre: I’m Deirdre.
David: I’m David. Oh, we did at the wrong time. I’m always second. I’m always second.
Deirdre: I know, but. Oh, well.
Thomas: And with us today is William Woodruff.
I spent, I’m a little wrecked. I spent the day moving boxes and bookshelves and furniture from my mom’s office to clear out some space for her, which is a thing I would rather do than ever read a PGP email message, which is what we are here to talk about with William Woodruff today. The secure email ecosystem. And I kind of think we should kick this off with the reason we’re talking about that this week, which is. I think there was a bug. There was a bug this week in OpenPGP?
William: Yeah. Oh, it was an openpgp.js.
Thomas: Does anyone know how it worked?
David: No.
William: It was a packet confusion of some sort.
Thomas: I was not being serious. Do you three really not know how this bug works?
David: I really do not know how this bug works, and I’m excited for you to explain it to me.
Thomas: You had one job. This is the thing we talked about that you were going to talk about. Oh, my God.
Deirdre: I read the other things.
David: You told me to go read the packet format, and I looked at it and I was like, oh, cool. The new packet formats from 1998.
Thomas: I think we should talk. I think we should talk for a little while, for a very short while, about how PGP messages are formatted. Can I ask if any of the three of you know how a PGP message is formatted?
David: It’s binary data that’s been ASCII armored and for some reason has a CRC checksum at the end.
Thomas: Oh, if only that were the case.
Deirdre: Oh.
David: Go on.
Thomas: This is the point where somebody comes in and explains why it’s not the case. All right, so there’s a blog post from. What is it? The name of the. It’s a good find. Codean Labs, they deserve credit for this, right? So they have a vulnerability that allows you to spoof arbitrary OpenPGP messages as valid. And that post opens up with the claim that PGP has a relatively simple packet format, and then points to the RFC where they explain the grammar of the PGP packet format.
Deirdre: RFC 4880.
Thomas: This is RFC 9580. Okay, so an OpenPGP message is a packet or sequence of packets that adheres to, blah, blah, blah, the following grammar, which is: an OpenPGP message consists of an encrypted message or a signed message or a compressed message or a literal message, where a compressed message is a compressed data packet and a literal message is a literal data packet. It goes on and on with this in like a pseudo-BNF thing. And any of these things can wrap any of these other things. So it’s like an arbitrarily nested, you know, set of packets, like, you know, type-length-value packets.
David: And the packets have types. So this is like every network protocol that has a type field in the packet format.
Thomas: So why, why are we so like this? Like, this packet format has apparently been a nightmare for PGP implementers for like a really long time. There was like, in the, up until like, I guess the late 2000s, somebody’s going to call me on this. But it’s somewhere around that time frame there was a network of PGP key servers that everyone used. There was like a global Internet key server network where you could register your keys. This is by itself a bad idea and we’ll get into why that is later. But it existed, it stopped.
Deirdre: It’s a bad idea because the way the keys are used, we have bulletin boards for certain kinds of keys. That is not the worst thing in the world.
Thomas: Yeah, you’re definitely right. And we’ll get into PGP as like a PGP is like a strata for like signing things, for like signing packages and things like that. Versus for secure messaging. Right?
Yes, but like, so the thing that, to my understanding, takes the key server down is a series of DoS attacks on the key server stuff based on packet parsing problems. Like there are ways to make the parsing of those packets go quadratic so you can send like, you know, fork bombs of PGP packets. William is nodding. So I think William knows something, so I can stop talking.
William: Yeah, well, the main thing that I remember was I think the big PGP key server explosion was in, I want to say 2018 or 2019 was.
David: Because that’s far too late.
William: Yeah, shockingly, I would say. And it was, you know, it was trivial to make both GPG and other PGP backends, there’s so many, but the ones as well, go quadratic on key parsing.
Thomas: Which keys and, like, keys and PGP messages are themselves packets.
William: Yes. Yeah, I guess I’m using key interchangeably with what PGP calls a certificate, which is a set of packets, right?
Thomas: So I was going to say it’s easy to explain and complicated in practice, but it’s not even easy to explain, right, because there’s a grammar in 10.3 of that RFC, but then there’s 12 different exceptions to the grammar and all sorts of weird shit happens, and there’s just no reason for any of this stuff to exist in the format. But it does. It’s like a 1990s format that we still live with today, or some people do, right? There was an openpgp.js vulnerability in the handling of that format. And that vulnerability was: you take a valid signed PGP message from anywhere and you tack onto the end of it an additional compressed data packet, and that is the vulnerability. So the signature on that message for what preceded it is valid. Whatever the hell you tacked into the compressed data packet at the end is not valid. It’s just a random thing you slapped onto the end of the message. And openpgp.js returns the data from the unsigned thing that you slapped onto the end of the packet.
That’s the whole bug. The whole bug. Which is like, it’s interesting, right, because this is also like an XML DSIG SAML vulnerability type situation. It’s kind of the same idea, or it’s a similar vibe as what’s called XML signature wrapping, where in that format there’s this idea that you have a single XML document and a subset of the tree of that document is the signature. And kind of the way that HTML has IDs for different elements in the document, the signature in that subset of the document has an ID that points back to the part of the document that’s signed. Just saying this out loud, you can hear how fucking crazy this is. But that’s how XML DSIG works. But like, you sort of give XML, basically, you don’t give it a pass.
It’s literally the worst format. Like, literally the worst format that there is, right? But like, OpenPGP isn’t XML. Like, it’s not. It doesn’t. It’s not supposed to have that kind of flexibility. It doesn’t even. It doesn’t benefit from that kind of flexibility. It’s not like an extensible grammar or whatever.
It’s not like it’s not XML, but they managed to recreate the vulnerability anyways. Like, a funny thing, when you see, like, people in that ecosystem responding to this bug, it’s just like, well, this is an implementation failure, right? Like, and it is an implementation failure, right? Only openpgp.js has this bug, right? But like, there’s the obvious objection to that, right? Which is it shouldn’t be possible to have this kind of whatever. So that’s that.
David: Like, have you ever read PGP code? Like, my, my theory here, I. I did this once when I was trying to figure out, like, you can talk to, like, YubiKeys through some PGP protocol that’s separate from PIV. And sometimes, like, yeah, that lets you do operations that aren’t exposed in PIV, like Curve25519. And so I was trying to understand, like, how OpenPGP did this at one point and I, you know, I went to grad school, meaning I’ve dealt with some, like, bullshit code that wasn’t written by me more than perhaps in other situations. And PGP was scary. Like, I could not figure it out, like, for the life of me, like, what the code even did. Like, not even, like, where it talked.
Thomas: Just.
David: It was very like 1990s C code. And I have a feeling that the packet structure is like, downstream of some imperative C code that someone wrote.
Deirdre: Okay. Because I was going to say, like.
David: Got back solved into some sort of packets format using whatever, like, style of writing C code was acceptable, popular, whatever, in 1990.
Deirdre: Because I was gonna say, like, pre-K&R. The format seems like it’s, like, miserable and would lead to a miserable parser with all these exceptions and, like, circular. And, like, it’s the fact that you have nested, nested, nested types. It’s a key, but it’s also a packet. But it might also be a certificate. I would think it would be the other way around, but I could totally see it being like, no, no, no. We have code that resulted in a format, not a format that resulted in this gnarly parser code. I don’t know.
William: That’s. My understanding of the history of PGP is that the tail wagged the dog in terms of the standard. The standard came well, well after the set of initial needs were established.
Deirdre: And so awesome.
William: That’s just sort of delicious.
Thomas: I don’t think that’s necessarily a bad thing, right? Like, I think more standards should start. But, like, you want to start with something good.
Deirdre: Yes.
David: And they’re usually like the 90s.
William: Yeah. I think the history, the process itself is just pliable. It’s more. The timing is unfortunate.
Thomas: Sorry.
David: If I recall correctly, like, the early versions of, like, the DOC file for Microsoft Office was just, like, you just memcopied or memory-mapped the struct that they used to represent a document in the program to disk and then, like, unmapped it. And this had obvious problems for years and eventually someone solved it by introducing XML and DOCX. But, like, same, same story, I think, type of thing where, like, the format, it’s perfectly fine to do things without standards, but, like, if you’re operating under the constraints of the 90s, it’s likely that your format is, like, a little insane. It is not necessarily what it would look like if you built something without a standard that used a format today.
Thomas: Yeah, yeah. I’m not sure we’ve ever done a proper PGP takedown before. And there’s a lot wrong with PGP like this. Like, the signature format is crazy. The way they handle authentication is crazy. Like, there’s all this crazy stuff in it. Like, if there’s anything, like, top-line important to talk about there. I think, like, generally, if you’re kind of paying attention to us, I think pretty much everyone here mostly has written off PGP.
Every time this comes up on a message board, I’m always like, please find me one cryptographer, just one, anywhere, any, any cryptography engineer that works anywhere that will stick up for PGP. And I’m not sure that exists, right? So, like, going through the litany of all the things that PGP does not get right is, like, I don’t know how super productive that is, but I think there’s a more important thing, which is, like, PGP has two use cases, right? It is a package signing system for packages that people don’t check signatures on. And it is a secure messaging system for messages that no one will ever care to read.
Deirdre: Or it’s a way to encrypt data. But usually that data is a message, not like a file format, although it is also used to encrypt files.
Thomas: Yeah, I mean, that’s a fair point, right? So it’s actually, it’s three things, right? It’s the two things I said. And then it’s also, like, encrypting files. And for, like, a very long time, a thing that really pissed me off was that none of the, like, macOS for instance, doesn’t have, like, a tool to just password-protect and encrypt a file. You have to download something to do that, which means that people, you know, download, like, whatever the zip program is and then that’s, like, its own complete nightmare, right? And, like, for that problem, like, you should use age or “ag” or whatever, however you pronounce Filippo’s thing, in preference to PGP. But, like, the big problems with PGP aren’t going to screw you if you’re just encrypting a file, right? Like, I mean, I guess it has a really bad password KDF. So don’t password, like, usually use a random password or something like that, right?
But that aside, right now, yeah, I can’t remember what it was. I just remember that it’s bad. But, like, so there’s the three things, right? But, like, I think the, like, the important thing to talk about is PGP email, right? It’s, it’s, and it’s, it’s more broadly any attempt to get email to be secure. And, like, this is a thing that has been setting. This is, like, the fifth thing in this conversation we’re having where I’ve pointed out that something sets me off, right? But this one really sets me off, right? Which is, like, there’s. So for obvious reasons, we are in a time period where we’re reading lots of security guides for activists. It’s a big problem. Lots of activists, you know, doing important work and don’t want to be surveilled, right?
So you’ve got all these security guides and there’s like, there’s two really big tells for me when I’m reading these things that like whoever wrote this was not super plugged in to, you know, serious kind of digital security stuff, right?
Number one is when they uncritically recommend that people use Firefox. I’m fine if you have a, well, a well reasoned Firefox argument, but if it just says use Firefox, it’s open source, you don’t want to, you know, be up in Google or whatever, right? Like that’s a red flag for me because that’s not, that’s not that simple. Right?
But the other thing is any attempt to get people to use PGP for email and you see this all the time, like this is like a really big recommendation that people try to give people. Like they’re trying to get people to do encrypted email. And encrypted email is bad, can’t be made to work.
Deirdre: Thomas, why is encrypted email bad and can’t be made to work?
Thomas: You, you can just disagree with me.
Deirdre: No, no, I’m, I really, I like, tell me. I, I agree with you almost entirely. Please tell me. Because I literally scratch my brain and explain this to a normie the other day and they were like, well, what? Well, why is that then? So on.
Thomas: Well, I mean, I think I, I think David. So I was talking to Deirdre. I saw Deirdre’s face and then a blog post that I wrote, like, five years ago was in my face because she pushed the button. I think David should, should kick this off. Otherwise it’s just going to be me talking this whole time.
David: Yeah, well, I, I think we should go through this blog post by which I mean I will read out loud and pretend I am that streamer who shall not be named. This blog post called Stop Encrypted Email. Stop using encrypted email. I’ve already screwed up reading it.
Thomas: You’re reading about as well as a.
David: YouTuber would read it, which Thomas wrote in 2020 that I thought this was older than this.
Deirdre: 2020 before the world.
Thomas: It has a timeless quality about does.
David: But it began saying that email is unsafe and cannot be safe. The tools we have today to encrypt email are badly flawed. Even if those flaws were fixed, email would remain unsafe. Its problems cannot plausibly be mitigated. Avoid using encrypted email. Which I think was just Thomas’s point.
Thomas: I think I write in a way that is difficult for people to read on streaming things.
Deirdre: Oh, we’re doing it.
David: We’re doing it. And as Thomas noted, technologists hate this argument because few of them specialize in cryptography or privacy, but all of them are interested in it. And everyone wants to use encrypted email tools. I don’t know if by everyone you really mean everyone, but I think you mean people who write guides for journalists online.
William: I think it’s also nerd currency. I mean, I definitely, when I was a teenager, I was like, man, this is the coolest thing ever. I want to encrypt emails to my friends. Which didn’t go well, but was like nerd prayer at the time.
Deirdre: I think technologists see, like, I can make this work in the golden case. And you may be able to do that, but a lot of security and privacy is like, is not the golden case. It’s the average case or often the worst case. And a lot of that comes down to kind of usability and like defaults of the whole system, which is not a technologist sort of thing. It’s like a usability and design sort of thing. And that’s not necessarily where our. That has evolved over time with the tools that we have available today. And that was not part of how encrypted email came about.
Deirdre: Really.
David: Yeah. So we have, like, the LARP case that Thomas mentions here of just, of what, you know, William was describing of, oh, let’s send encrypted emails to each other because it’s cool. And I set up the software. But then we have the case that Thomas refers to going on in which security does matter because messages can be material to civil cases or discovery, subpoenaed by law enforcement action, all that fun stuff. Journalists, confidential sources.
Thomas: Yeah.
David: And in this case you have like actual harms coming where if the message leaks.
Thomas: I think it’s fundamentally true that almost all PGP encrypted emails are LARP, right?
They’re encrypted because people feel cool encrypting it. They’re like play acting. It’s like a Nerf swords version of whatever it is they’re doing, right?
The subtext here is, like, when you talk about how shitty encrypted email is, people are always like, well, what else are you going to use? What’s your suggestion? And if you say Signal, they’ll scoff or whatever, right?
David: Signal was created by the US Government, Thomas.
Thomas: I, I don’t, I don’t think that’s true. But continuing, right. Like, so like you, it always kind of boils down to like, you know, like the choices are sending plain text email or sending encrypted email. And so you sound crazy when you tell people not to send encrypted email because it might go wrong. The thing I think people need to get their heads around is that those are not the only two choices, right?
The more important choice, like the important third choice is don’t send the email to begin with, right?
Like if you’re coordinating a protest like thing or a direct action or something like that. Like there are very good reasons not to trust any secure messaging system with those messages, right? Like that’s opsec. And like almost all of the discussions about secure email don’t have that premise. They all have the premise that the message has to get sent, right? And that can’t be true.
Deirdre: I do think there are some systems deployed out there that are, like, in our little email system where we control all the ends, we require PGP, we require, you know, there’s other, there’s other things that are kind of like PGP, and that, like, you have a message encryption key that’s encrypted under some other key, but it’s all still, like, bolted onto email and you can still send a plaintext email and it’s really hard to enforce that in practice.
David: That stuff is all mostly S/MIME, which is, like, yeah, S/MIME is different. Separate technology to discuss, but, like, kind of same concept, but, like, there are ways to deploy S/MIME mildly effectively within the context of a single enterprise and get, like, exactly something maybe out of it. Out of, like.
Thomas: I think most of these arguments will apply to S/MIME as well.
William: I would agree with that. I mean, S/MIME is the. The basic flaws are present in both cases. The only difference is that S/MIME has the. The benefit of actually having a community, because of a standards body, it’s, I guess, somewhat serious.
David: And you can configure, like, most, I think, web, like, organization, like, enterprise webmail now to be like, use S/MIME and you have to use S/MIME for emails within my organization. And, like, here’s the key server. Now, like, does that actually do anything if, like, the keys are all escrowed somewhere else? I don’t know. But if you’re really concerned about the emails existing in plaintext on the mail provider’s server, you can understand why people might like this.
Thomas: So you are thankfully giving up on the premise of just reading this straight through, which I appreciate. Right. So like what I’m going to do is just introduce the first argument and then let you discuss and tell me if I’m wrong.
Deirdre: Okay.
Thomas: All right.
So my first argument: no matter whether you’re using S/MIME or PGP or the secure email system of the future, you have this problem, which is that ultimately, if you’re using a system that defaults to plaintext, wants to send plaintext, eventually you’re going to send plaintext. Which is to say, like, everybody who’s ever used PGP or S/MIME in anger. And at a security consultancy I ran in the mid-2000s, we used S/MIME for everything, right? Like, inevitably somebody will respond to your message with an unencrypted reply which will include your message that you sent originally encrypted. Everybody who has ever used secure email has seen this happen. This is the thing. If you are, if you’re a journalist or if you’re, like, you know, you know, organizing or anything like that, that can’t happen. You’re talking about, like, life and death there, right? And so the first reason that secure email is completely broken, right, is that that can happen. Tell me if I’m wrong or tell me, or commiserate with me.
Deirdre: I think of your. This whole blog post from 2020, this is the strongest argument. And this is also the argument that some people had about the old-school variant of, I think it was Signal when it was TextSecure, TextSecure, which was, like, it was encrypted chat over SMS. It was using the best ratcheting cryptography on top of the SMS messaging protocol, that was the in-the-clear, visible-to-your-mobile-provider messaging protocol to start, and that it was definitely, like, be careful, you can send an end-to-end encrypted chat message on TextSecure, or you may, you know, if you are sending it to the wrong person, you may be sending it in the clear. And this is, this is also kind of what happens in my iMessage to this day, which is, like, you use one client to send a chat message but you may or may not know that going to the non-iPhone receiver phone number it will be in the clear. And if it goes to the iPhone receiver or iMessage receiver it will be end-to-end encrypted. It’s an unfortunate failure mode, where, like, Signal’s way, like, for years and years and years, has been all Signal clients are end-to-end encrypted. There is no accidental sending of a Signal chat message or, or WhatsApp chat message.
After they migrated their entire client base to end-to-end encryption, they originally were SMS, they were in a nice space because they were SMS and then they migrated the whole thing to end-to-end encryption. Whereas Signal in the very early days was kind of this, possibly both, case. But that is impossible with Signal. Now everything is end-to-end encrypted by default. That is impossible in WhatsApp; everything is end-to-end encrypted by default. Even though it has a little bit less metadata privacy than Signal. That is not the case in encrypted email. You might have S/MIME, you might have this PGP, you might have everything nicely done correctly.
The protocol is still a default-plaintext protocol. You are layering this extra crap on top of a default-plaintext protocol and it’s up to you to never fuck up. Like, what is it? You have to be perfect all the time. The adversary only has to get it right once, something like that. Or you have to fuck up once and the adversary just has to catch you. That’s the case for trying to make end-to-end encrypted email work. And we’ve learned those lessons of why this is bad in other places for secure communication. And it just doesn’t seem like we’re ever able to make it work with email.
Signal, WhatsApp, all these other, iMessage aside, they aren’t on top of the default-plaintext protocol anymore. They completely moved away from it. Email is still plaintext by default. So I think this is the strongest part of your arguments here.
William: Yeah, I think kind of a funny thing that keeps happening is every once in a while someone who defends PGP will bite the bullet on this and they’ll say, well, what we’ll do is we’ll control the client and we’ll force the client not to send plaintext responses. And that gets to the argument that I’ve seen, honestly, before, which is that, well, if you’re going to do this entire thing where you build the whole ecosystem around PGP such that you can’t use PGP wrong, why not simply do the easier thing and not use PGP, given that you’re going to break compatibility anyways? Yeah, that’s like the Delta Chat thing. I haven’t really looked too closely at what they do, but their whole thing is they claim to be the ones who’ve finally done it. They finally cracked the code on encrypted secure email, but they do that by totally breaking the compatibility assumptions in email.
Thomas: But I mean, the one thing, and, like, you do that, the one thing that you are retaining from email is the possibility of being compatible with somebody who won’t encrypt their messages. That’s all you’ve saved.
Deirdre: Well, also, like, the sending-of-messages solution, like, I think people are, they want to use the thing that already works, which is, like, the modality of sending emails, but they want to do it securely. And so they, it, like, it’s so, I can see it being so easy to just be like, well, we just don’t send emails. It looks like email, smells like email, but it’s not email. But then people are like, well, why can’t I email this person who uses this client, who, that is supposed, like, it’s not secure, it’s not set up to take my encrypted email. And then you kind of, you’re back at square one, man.
David: I would love it if I couldn’t accept email from people. So.
Thomas: There is that subtext.
William: I think there’s a lot of, like, I think about this a lot with, like, with, like, protocols in general. There’s a lot of, like, nerd pattern matching. People love the username@domain scheme for things. And I think email in that sense is very comforting. And so the idea that you can do encryption on top of that is especially comforting.
Thomas: Speaking of, speaking of the thing that users love about this, which is the username@thing. Right.
My second argument, which I think might be stronger than the first argument. So I’m waiting for you guys to tell me I’m wrong about this. The second argument is, for a serious adversary, you know, if it’s a, you know, a state-level adversary or whatever, the metadata surrounding the message is often, maybe even usually, just as valuable as the message itself. Right.
What they want to do is roll up the network of who’s talking to who. They’re probably starting from a point where they’ve got like some particular person or contact that they know they’re targeting and they’re just trying to work out what the network is like, who they should like expand surveillance to and all that. Right.
So metadata, super, super important. And email doesn’t just, like, leak the metadata. Email proudly publishes the metadata. It’s a store-and-forward system where every time you send a message, no matter what you’re doing to encrypt the content. The funniest thing about this whole thing, by the way, is that PGP email doesn’t encrypt the subject header, which is, like, the subject header isn’t even metadata, it’s just message. Right.
It’s part of the, it’s the summary of the message. Right.
Deirdre: I hate this.
Thomas: But that aside, like, the two in the frame of that message and that graph that you build of who’s talking to who, like, this is the entire reason why Signal asks for your phone number, so they can draft off of your local contact list and not maintain a server-side contact list. Because if they had that server-side contact list, somebody would eventually target them for it, legally or otherwise, and get it and then have the entire graph of everybody who’s talking on the service. By the way, if you use, like, a secure messaging system where, like, you go from device to device and you just automatically have the complete contact list everywhere, you should ask yourself how that’s working, right? Because if the way that works is that they have a server-side contact list, they’re keeping the whole graph of who’s talking to everybody. Like, server-side, just there, right?
Deirdre: Yeah, yeah. The imessage and Apple like migration tooling and now the signal migration tooling from device to device has like become very advanced to avoid this scenario in particular, they literally take everything on your device. You do a little bit of a diffie Hellman handshake to make sure that you do a daisy chain of off and you’re authorized to move things from an old device to a new device and they go from device to device. There’s nothing going up in the cloud really other than I am registering a new device like at timestamp. Like that’s kind of it. That’s going from device to device. If you’re not doing that kind of like kind of little dance protocol between devices and things just show up on your new device. It’s because it’s up in the cloud and maybe there’s some sort of password and maybe some of it’s encrypted or whatever.
But going from device to device and not going up through somebody else’s computer is less risky and less exposed. The other part about the contact list being public and available and subpoena-able or hackable or whatever, Signal’s done a lot of work to keep as much metadata about who’s talking to who, who’s in what groups, what the groups are about, the profile pictures and aliases and nicknames of people in groups and between people completely encrypted and private and not accessible or visible to Signal the service. But that has involved a lot of advanced cryptography that no one else does. WhatsApp doesn’t do it. A lot of these advanced, you know, end to end encrypted messengers that aren’t super popular yet. They’re not quite there yet either. Signal has done a lot of work and that was definitely not available when they were kind of up and coming. And that’s like why the bootstrapping of your local contact list of phone numbers in your phone, which is just on your phone and does not get uploaded and none of that occurred.
And it’s sort of like the historical legacy that’s kind of inherited into Signal doing that. Syncing privately is a ton of work and Signal may be the only encrypted messaging service that could do it. And they’re still not doing it because it’s very difficult.
Thomas: Like it’s going to sound, I think a lot here. Like we’re just boosting Signal and like really just use anything but email. And I don’t have this much of a gripe. Right. It’s just email is the problem. Right.
Use Matrix. That’s fine. I have things to say about Matrix, but I think Matrix is generally a well intentioned and heading in the right direction project. Right. Like there’s lots of different things you can use, just Mattermost. You should, I guess, Mattermost.
William: The email argument or the rather the metadata argument with email is that email is uniquely profligate with how much metadata it encourages everybody to use. Like all the email clients have emoji reactions now and those are in metadata and those are also part of the message semantically in metadata. And so now people, I think probably don’t realize the five people will both use PGP and the emoji reacts in Gmail or something. You know, clear text emojis.
Deirdre: I hate that and I love emojis.
Thomas: Do we know this is. This is. You’re breaking news here. This is. So how does this work? Is it like MIME headers that get attached to the add?
William: I can’t remember what the Gmail one is, but the Microsoft one is like XMS React or something like that. And then it’s. I would have to. I would have to look up the exact details.
Thomas: But it’s like you can just off the top of your head this. You don’t actually have to have it, right? But it’s like. Is it like a single line base64 header? Like an actual header?
William: I’m pretty sure it’s an actual header.
Thomas: I can imagine like a MIME section, right? Like it’s the. You do the whole like the messages like this set of MIME packets or whatever. I believe you when you say it’s a header. I just think that’s crazy.
William: It may also vary by email provider. Is the thing that is concerning me is that I think what I’m saying is correct possibly for Outlook, it may not be correct for Gmail. You know, may do the MIME thing. But let me. I am trying to actually find this documented somewhere.
Deirdre: I hate this so much because emojis are content. They are the body of communication. I mean you can have an entirely important, very sensitive conversation just in emoji reacts. Because I’ve done it. I’ve done it on the argument that metadata is important as content. It really depends. Some it’s important to protect it. It’s also difficult to protect it.
The emoji reacts not being counted as content is just wrong. But like the metadata about who’s talking to who at what time and how long the conversation is and things like that. The subject line, that is content that should just be encrypted and the fact that it’s not is ridiculous. But the other stuff, it’s hard to protect it because a lot of it is like control flow, like how do we route information? Even WhatsApp doesn’t encrypt this stuff. They know who is talking to who at what times and things like that. Signal has done a lot of work to not be able to detect a lot of this. But it got better at it over time. And the stuff that’s subpoena-able from Signal is literally like the time that someone registered an account like the very first time and the last time they contacted the Signal service, like that’s, they’ve very proudly put up their, you know, responses to, you know, subpoenas and court orders about like give me information about XYZ users.
Thomas: Right.
Deirdre: But even if you get it, it, I think there’s like this, this has been kind of the evolution of what you can get from devices. If you just be like, just try to give me access to devices. If you can get access to devices. There’s a lot including previously secure, securely communicated, end to end encrypted content on devices or on clouds, especially like iClouds that are not fully encrypted backup or other cloud backups that you might be able to get access to. And that’s really rich. And if you can get, get access to that, that’s really good stuff. If you can’t get access to that, the metadata is useful. And especially if you’re trying to spider out from a target, if you’re trying to find people in like a communications network and you’re trying to find links, I do think it’s important, I don’t quite agree that it is as important as content in the year of our Lord 2025 because there’s just so much content available out there from random places, whether it’s the cloud or you know, just give me access to your device via some sort of like corridor door or if you want to be really targeted at a specific person, you can try and target their devices specifically and send them an attack depending on the security of the device and get everything, effectively everything right.
Thomas: Those are all totally valid points. I think the thing I’m trying to call out about the unsalvageability of email is just if you think about how email works, um, when you, there’s so many places where you can do a dragnet and just collect all of the metadata going through like a message flow for a bunch of people, right? Yeah, like every, every MX hop, whatever. Like they’re just.
Deirdre: Yeah.
Thomas: The processing of these emails leaves a log trail of who is talking to who and not just on the central, the one central place that you could potentially protect or whatever, but just like everywhere that the message goes, just like leaving this trail. Yeah. It’s also like to me another important thing here is just that governments are already really good at accessing this metadata. They understand SMTP metadata. Right.
For a long time there was a thing that got passed around about for each of the different messaging services. What could the FBI access? Which things could they actually use? And it’s like with Signal it was like that you use Signal and then nothing else. Right.
But like the amount of stuff they can mine out of SMTP metadata, I think is a lot more than they can, like they’re ready to get from anything else.
Deirdre: Yeah.
David: And in like every client just like rebroadcasts all the metadata from their perspective at every step. And that’s like how the protocol works. Right. You include all the parent responses, you say exactly who you’re responding to and why, and like the chain of how you got there. And then the provider signs every message to make it clear that the metadata is real. Because everything was via DKIM.
Deirdre: Yeah. It’s anti-spam. Yeah.
David: Because everything that we had to build for spam is all about like authenticating the method, allowing servers to authenticate the metadata to each other.
Thomas: Can we do like a one minute thing about how you should never take any kind of security advice from anybody who says that DKIM messages should be authentic and like that it’s a bad idea to burn DKIM signatures? This is very definitely a thing. Right.
There are definitely. This is how the Hunter Biden messages got authenticated. They were published with valid DKIM signatures. And it’s like you respond to that and say, well, we should burn the DKIM keys so that you can’t really authenticate them.
David: That’s how we fought the deep state. We would never be able to fight the deep state without DKIM keys.
Thomas: And it’s like people will say things like, well, no, we need to keep these DKIM keys secret so we can authenticate messages. Because that’s how we’ll do journalism, by like authenticating people’s leaked messages. That’s like you’re the adversary. You are being the adversary right now.
David: I mean, leaking them on the scale of like, you know, rotating them every one month to six months or whatever, and then like publishing the old ones. I think, yeah, I don’t think we should stop authenticating messages at time of send. Like, I for one, in a way that I’m. My inbox is only like 50% send spam and not 95% spam.
Deirdre: Yeah. And like 50% spam is like stuff that I signed up for once upon a time. And not like boner pills are us or whatever.
David: Speaking of, new sponsor.
Deirdre: If you do want to sponsor us and you, you are not Boner Pills R Us. We’re trying to hold an event in Las Vegas during Black Hat, DEF CON. Contact us@securitycryptographywhatever.com.
David: Just, just contact me. Figure it out.
Deirdre: David’s the one that handles this.
David: If you send me a PGP email, I will not respond. After I defended my PhD, I sent a number of people thank you emails and then one person responded to mine with a PGP email. And to this day I still have not read it.
Deirdre: Yeah, this is the way that it stays secure is when you do send the encrypted email, no one will ever be able to decrypt it. And so that part stays secure. All this metadata discussion is reminding me that one of the pros of email, of SMTP, is that it is federated. That is why, part of the reason, it’s leaving this metadata trail all over the Internet. This is a thing that some people like about the protocol.
David: I don’t know that I would call it a pro that it’s federated. I would simply state that it is federated.
Thomas: I have a bigger thing here which is just, okay, so it’s federated and people might or might not like federation. This is like a long time thing with Signal. Like Moxie wrote a whole thing about why they weren’t federated, which really set people off, right? And like, I feel like he was utterly vindicated on that after what happened with Matrix and their attempt to convert from non-encrypted to encrypted. But there’s a deeper issue here, right? People complain about federation. Maybe that’s a colorable argument. People complain about things being open source, maybe that’s a colorable argument. People complain about running too much stuff through Google. Maybe that’s a colorable argument.
But none of those arguments are about security, right? If, if, if the premise is we’re creating a transport for messages that are life or death sensitive, then none of that can matter. It can’t matter whether or not. So if you are, if you are talking to, like if you are talking to an activist community, especially if you’re talking to an activist community in some other country, but increasingly in ours as well, right? If you’re talking to people who are like organizing to protect immigrants from ICE for instance, or something like that, right? And you tell them to use PGP email because the alternatives are not open source or federated enough for you, that’s malpractice. It’s literally malpractice. Not in a funny way, not a dunking way, like you are committing professional malpractice, right? You’re like, you’re putting people at risk to serve your weird goal of getting a federated or open source or non Google transport. And that’s fucking crazy. Like I don’t understand why people, why people’s jaws don’t drop when they see people saying this stuff out loud.
William: I think this is now getting into the crank side of the world, but I think people sometimes just don’t believe that things are actually end to end encrypted. And because they don’t believe that, they then believe contrapositive things like it should be federated. Like well they’re not going to end to end encrypted. Then I might as well do the federated thing. And this is obviously wrong to me, but I think this is why we get into these weird online arguments as a community over and over again about this stuff.
David: Yeah, like yeah, the set. The set of people that think that Signal has a back door there because it’s centralized or because Moxie wrote a blog post they didn’t like or because they think the CEO is like too. Whatever.
Deirdre: Yeah.
Thomas: My next argument, this one is I think more small ball than the first two. I think the third, the, the last one, there’s four of them total. The last one gets us back to kind of grand theory stuff. This one’s really specific, right? Which is everybody who uses email has an archive of their email messages, which is a thing that secure messengers deliberately go out of their way to not have. So I can go and search through pretty much every email that anybody’s ever sent me going back like a staggeringly far back time in history in my Gmail account. Right.
So all of those things will eventually somehow leak. Like every day that you hold that archive you’re incurring some kind of risk that it’s going to leak. It’s just inevitable that at some point it has to. Right.
So there’s no plausible mechanism for doing any kind of disappearing messages in email. And I think that’s not the most super interesting, fun technical topic to talk about because it’s really simple. Right.
But I think it might be pretty important in terms of actually impacting people’s safety. Just the fact that you can’t set a maximum amount of time for a conversation to live.
David: Yeah, I think that’s actually like the most important feature for quote unquote like secure messengers for like non activists as well. Like, like even iMessage like you can, if you go into settings you can set your iMessage to delete after like 30 days, but it’s like a per device setting.
Deirdre: Oh that’s.
David: You can end up with like iMessages that are on one device from like I just saw some that were over like a year old. On this, on. On this laptop, even though I have it set to delete after 30 days on my phone. And that’s not because, like, it’s a life or death scenario or because I’m an activist, but just because I’m like, I don’t want these messages, like, yeah, like, I just don’t want old stuff to like, come up and bite me regardless of what it is, because it’s old. And like, oh, remember when, you know, David cheered for the wrong football team? Right? Like, even like that, like, it’s just like, no, you don’t want, you don’t want that to come to. Just like somehow get screenshotted or whatever. Right.
Thomas: I like the idea that some point in your past you cheered for Ohio.
David: No, I cheered for Michigan State for like a small period of time when I was in high school and my brother was a student there before he had the good sense to become an engineer here at Michigan.
Deirdre: Yeah, like, I’m in Gmail right now and like, Gmail’s not, I don’t know, a fold. It’s a web client. It has other, you know, desktop clients. But like, there’s no option for me to just like, automatically delete things at any age. Like, I can throw stuff in the trash that requires me to take an action and it will auto delete stuff in the trash. But like, yeah, I’ve got thousands and thousands and thousands of emails from many years in my. In all, like, and then I’ve got.
Thomas: Multiple email accounts and like a comeback you can imagine is somebody saying, okay, well, they’ll just add the feature or you’ll use an email client that has that feature. But that’s actually not the feature. Right.
The feature is the protocol accommodation where you can communicate to your counterparty that they should also delete these messages. Which is something that’s like, you could write a Signal client that didn’t honor that message, but no one’s going to use it. Right.
It’s the fact that the protocol kind of. It’s an accepted feature of the protocol, which it will never be in email.
David: That’s not true. Pete Hegseth will use that client, but other than that, no one will use it.
Deirdre: PC small group. Yeah, this is sort of like one plus in the, in the kind of the Moxie no-federate argument that he made and we’re linking to that post in the show notes, where on the off chance.
David: You’re listening to this and you don’t know who Moxie is, he is the creator of Signal.
Deirdre: Yeah, he, he’s the, the primary, the primary creator of TextSecure and oh gosh, I forget the name of the, the calling app that he.
William: That then got merged into the Open Whisper Systems.
David: Open Whisper, the original RedPhone was the app, texting app and the company was called Whisper.
Deirdre: Open Whisper, yeah, it was Whisper Systems. And then there they were involved with Twitter long.
David: They got acquired by Twitter somehow.
Deirdre: Yeah. And then he made the new Open Whisper Systems and everything got turned into the Signal app and the Signal service and everything is like GNU licensed and open, but you know, it’s a copyleft license. So you talk to. Yeah, well, you can look at it. Yeah, so you could run it if you wanted to. Everything’s there, but you can’t anyway. But because everything is controlled and not federated, they control all the clients, they implement them themselves, are able to update and move the protocol forward because they control all the clients and they’re able to move faster and they were able to make automatic deletion and deleting messages for all the parties, all the clients in a chat, for example, a thing. And that’s so much harder to do when it’s like an open protocol such as something like SMTP.
Like you can do it, but do you have the guarantees in practice that that is going to be implemented honestly and correctly when it’s an open protocol? Like okay, yeah, you may have a must in this delete this message packet header or something like that. Delete after, you know, T + 30 days according to your local clock or delete in 24 hours. And like, as I think we all know that like you can put all the musts and must nots in your protocol spec as you want. And like people may do their damnedest and sometimes issues happen and sometimes you fail and sometimes there are bugs and sometimes there are bugs in client software when you control all the clients. But generally it is less likely that you will have implementation skew and bugs between independent interoperable implementations of something like a delete me flag on a message. When you control all the clients and there’s only like three of them in the case of Signal, there’s the iOS, there’s the desktop and there’s the Android clients. That seems like less of a thing that you can do on a protocol like SMTP. Although I’m very curious how MLS-like protocols will do this, but it just may be more of the same of like try real hard.
David: Interoperate. Aside from the one obvious example. Well, they really want to implement disappearing messages by implementing disappearing messages and they happen to use MLS with other web experts.
Deirdre: Europe is really incentivizing people to actually make it happen.
William: Yeah, I mean I keep. This is not even a cryptography thing. You can’t cryptographically prove deletion. This is purely a protocol application design.
Thomas: Right, right. Which makes it interesting how intractable this is for email. Right.
It’s not like, it’s not even like there’s a theory issue for it. It’s just like you’ll never get something deployed where you can reliably tell somebody else to delete an email. So.
Deirdre: Yeah.
Thomas: Last argument, last argument, last argument. You guys ready? I think we’re ready. The last argument. Long term secrets. So eventually any secret you hold will also leak. This is the forward secrecy thing, which is like forward secrecy. If you’re talking to people like I’m imagining, I do a lot of local politics and every once in a while I’ll get asked about secure messaging stuff from people who are not computer people. And I’m trying to imagine explaining forward secrecy to somebody who is not like.
Because it’s not like it’s the, the, it’s the worst term. Right. Because it’s like it’s not about secrecy going forward, it’s about secrecy going backwards. But it’s called forward secrecy. Right.
So it’s just the idea that every solution that we have for secure email is based on static long term secrets. There’s no such thing as an ephemeral, you know, email secret exchange, which means that, you know, everything is kind of tacked down like, whatever. If you’re, you know, having ongoing conversations with people at any point, if that secret leaks, the entire backlog of everything that you’ve ever sent is also going to leak, which is a complete own goal. Right. You don’t have to have that problem in a serious messaging protocol. You could just do, you could fix that with ephemeral key exchanges. So I think that’s also a really big point.
Deirdre: Yeah. And this is fundamentally like both how S/MIME and PGP based encryption schemes work is you have an encryption public private key pair. You push the public key onto one of these key servers, these bulletin boards, and then someone will usually encrypt a message encryption key to your asymmetric public key. It’s a symmetric encryption key for something like AES and they encrypt it to you under your public like RSA rec public key encryption scheme. And then you decrypt the key with your private key that goes with the public key. And then you decrypt the message with that secret, but this is still protected by one key pair that you use over and over and over and over and over again. And so while you have a different key per say, message or whatever it is, it’s still all fundamentally protected by the same key. This is not how it works in Signal or WhatsApp or MLS or possibly Mattermost.
I forget that protocol. This is just not what modern encryption messaging protocols are like. They do a new key establishment for every message and they mix in information from when you set up the session. That kind of, that binds to identities to a little bit. You attest that you are who you say you are and that this is linked to previous messages, but every message is computed differently so that if any of those previous things leaked, the like, if any pieces of these things leak, like you’re safe. Like the previous things are safe, the future things are kind of defunct. And like depending on how the protocol is implemented, it can self heal. If you have an honest protocol and you kick out the, you know, the leak of the adversary or whatever, it can heal and then you can get back to that same security level of independent messages having different key material.
Deirdre: That is just not how it works with PGP email or S/MIME.
Thomas: I’m going to read you something and you’re going to tell me when you know who the author of this thing is. Don’t tell who the author is. I don’t want to. But you’ll tell me. All right, here we go. Forward secrecy is somewhat overrated in end to end encrypted messaging. Most people do not want a truly off the record experience, but instead keep their messages around indefinitely. As long as those old messages exist and are accessible to the user, they’ll be just as accessible to any attacker who gets access to the secret key material.
The Signal protocol somewhat excessively provides forward secrecy for each and every message sent. This is sort of pointless while the messages still exist on the screen.
William: I knew after the first sentence that I. You still don’t want me to say who it is or.
Thomas: No, you can, you can in the abstract.
William: Okay, this, this is, this is one of my favorite people on the Internet is who it is. Someone who I’ve talked with many times, or rather I don’t even talk with his. Maybe not the right way to say.
Thomas: I’ve exchanged missives with. He does a valuable service. Right?
So this is a commenter on Hacker News who is like the designated defender of PGP, right? And like, it’s actually pretty valuable like having like something like this be written because it forces you to kind of refine. Like he has a whole spiel about why authenticated encryption is not always good, which is like it’s. I can’t remember what the argument is. Right. It’s hard to get your head around. Like it’s something about being. It was something about like recovering corrupted messages. Like what most users want is messages where if there’s like a bit flip failure or something like that they can like recover it or something.
And authenticated encryption makes that break down or something. But it’s like having to articulate why of course you need, you know, authenticated encryption everywhere is actually kind of valuable. This is the amount of like back rationalizing you have to do to keep PGP like kind of in the story.
William: Yeah. And he has, he has a couple of. With posts that are not like inherent or. No, they’re not entirely nonsense. Like he has one about like 2048 bit RSA. Like it’s fine. Is I think the point of his argument. And it’s like, you know, is it good? I would say it’s not good to me that I would probably go to a default.
William: Bad, bad no for any RSA. But like is it the worst thing in the world?
Deirdre: No, like there’s, there’s strong arguments within like the, you know, a proper cryptographic community about how much, how big these parameter sets really need to be. Like a lot of them are arguments about symmetric primitives. Like some of the new stuff that’s based on Keccak, if you want to look up Too Much Crypto by JP Aumasson. He makes some nice arguments about the bounds that we need in practice against known adversaries and the best known attacks so that we can arguably get just as much security with smaller parameter sets, blah, blah, blah. I don’t know if that applies to RSA 2048, but there is good faith, well founded debate about other cryptographic primitives and sizes and things like that. Arguing that you just don’t have good forward security or post-compromise security just because you don’t really need it. That that’s fundamentally just like giving so much power to a possible attacker of just like again, they only have to be right once and you have to be right over and over and over again. And having these forward, forward secrecy and post-compromise security protocols make it so that the adversary basically has to.
It gets reset almost every time you send a message practically. It just makes it a lot, lot, lot, lot harder for someone to just, you know, take all the public information you’re sending in these ciphertext and like get a good crack at like the.
David: Whole, well, you assume every. Via Thomas’s I think principle too was that every PGP message ends up getting sent in plain text anyway. Yeah, you don’t need forward secrecy. There is because it will simply leak.
Thomas: So there’s like, there’s a kernel of like a, you know, a useful conversation in that and that argument that he has, right? Which is like, you know, people don’t, People are going to keep their messages around anyways, so what does forward secrecy matter? And it’s like there’s some truth to like, you know, I have an archive of emails going back to like whenever Gmail started apparently, right? Like, and I just, I don’t care. Like, I’d rather have them around then like opsec them out, right? Like when I’m. I just don’t use email for stuff that that would matter for, right? So like the thing that, the thing to note here is like it’s fine to say that email is fine for some kinds of conversations. Like, it’s fine to say that. Like, I’m not saying don’t ever use email. Like use email. That’s fine. I use email for all sorts of things, right? Just don’t use encrypted email.
Don’t like try to send secure emails to people, right? We get in trouble when we try to make this one system that we all like, serve life and death use cases. And if you can’t, like if you can’t articulate a threat model, like if you don’t, first of all, if you don’t know how to articulate a threat model, but if you can’t just rattle off what the different threat models are for people protecting immigrants from ICE versus people chatting with people they met on Hacker News or whatever, right? Like, then you shouldn’t be giving people advice, right? And this brings me back to just like digital security guides for activists and things like this where there’s clearly no threat model in this stuff, right? Like, it’s not based on an understanding of who their adversaries are. And what’s really frustrating about that is the real advice is not that complicated. It’s not like this is just not that, like we don’t have the sophistication that we need to give people good advice. It’s just you need people to just be able to say, like, just use Signal, right? Forget about all the politics of it. Forget about like whatever you think about Moxie Marlinspike or federation. Just, just use Signal, right? Probably don’t use Firefox, you know, just things like that. Which again is just like this whole thing right now for me is just my red flags for digital security guides. One of them being anybody talking about PGP.
Deirdre: Yeah. And like number one for me, a lot of people, when you’re making recommendations of like how to stay how, how to achieve digital security, trying to achieve a goal, you’re trying to organize, you’re trying to keep your team secure, you’re trying to serve some community. It needs to be easy to use and easy to get right. It can’t be. Make sure you use super special client. Oh, you know, it might not be available on this phone. Oh, like you have to make sure you tick this box. You have to add this extension, you have to do XYZ to make sure that you use it right.
That’s bound to fail. One, it’s bound to fail because it’s hard to get right and so you might actually get a security failure. Two, it’s a lot of work for people to do. If the other of the alternatives are download Signal, we will add you to the chat. That’s so much easier to do, period. And get right. Because you don’t have to do a bunch of extra steps to get it right and achieve better security. Yeah, I feel like a lot of people are just trying to, they have their values and they’re trying to say, oh, you should do XYZ because this aligns with my values as opposed to people trying to achieve something in the real world.
And if it’s too complicated and it takes too much work to achieve good security, they’re not going to do it. Or if they try to do it, they will fail and they’ll open themselves up to a vulnerability and then what’s the point of the technology in the first place? One thing I kind of wanted to point out is like, oh, if you’ve got an archive of all your messages forever and theoretically your messages will just leak because they’re around forever and you know, so what’s the point of forward security? And like one, it’s a belt and suspenders thing. It’s the Swiss cheese approach of security and systems. It’s not any one thing. It’s if you don’t have forward security, you are more vulnerable to one of these things going wrong. An adversary, you know, pwning one of these keys or a key server or whatever it is, one of these keys and then everything falls apart. But if you don’t have a giant message archive, like, you know, the, the blast radius is less bad and like, if you don’t have all this metadata, then, like, the blast radius is less bad. It’s all of these things together are pretty fucking bad.
If any one of these things was less bad, then it would be less bad. If all. Anyone. If any of these things were less bad together, we probably wouldn’t be talking about this at all. But they are all pretty bad together. So the forward security, you know, just. Just don’t try to do encrypted email. Use Signal, use WhatsApp.
Like, some people don’t like WhatsApp for reasons. Using WhatsApp is way better than trying to use encrypted email, in my opinion.
David: It’s also, like, the only way to talk to people in Europe.
William: Yeah, I was blown away by that. Every time I go somewhere that is especially, like, southern Europe or in Africa, it’s like people will just message me randomly on WhatsApp and I will have no idea who they are. But better than anything else possible. It’s awesome.
Deirdre: Yeah. Use Signal, use WhatsApp. If you need to encrypt files, Signal, use Tor. Yeah. If you need to use Tor, install the Tor browser, you’re done. It’s a good. It’s based on Firefox. It’s a pretty good browser.
David: Didn’t we just tell people not to use Firefox?
Thomas: Wait, hold on, hold on. Are you gonna respond to this or am I?
Deirdre: Actually, I think Brave also supports.
Thomas: You’re just trying to make my brain pop.
Deirdre: Sorry, but the Tor browser, not ironically, the Tor browser is like, everything’s set up, everything’s good to go. And I think the other options are less. Less tailored. But sorry, yes, I said that.
Thomas: I’m guessing for reasons that you’re probably familiar with Dan Guido’s argument about why the Tor browser bundle is the literally safest browser to use in the world.
William: I definitely heard him make the argument before. I can’t remember off the top of my head.
Thomas: So it’s a combination of things where it’s like, so first of all, you’re using Tor, right? Which, like, from a traffic analytic perspective, you can see that somebody’s using Tor, right. Using Firefox, which is the least secure of the mainstream browsers. And you’re using a fork of Firefox like a tracking fork of Firefox, and you’re collapsing all of the Firefox vulnerabilities down to a very small set of Tor browser bundle targets. So, like, the exploits that you need for that, you, like a serious adversary, needs a battery of exploits for all the different versions, whatever they’re using, but they don’t need that for Tor browser bundle people.
William: Yeah, I’ve definitely heard him make that argument before and I find it convincing, especially for, I think it was especially true maybe 10, 12 years ago when the state of Firefox container isolation was really, really bad. It’s been a long time since I looked at browser security and so I.
Deirdre: Would say Firefox has come a long way, especially in terms of sandboxing and a lot of memory safety integration into, into the whole stack. I think arguably Safari is less good than Firefox at this point for some of those reasons. But yes, if you’re, if you’re using, if you’re using Tor browser, you are a little bit sticking out in terms of, you know, fingerprinting and all that sort of stuff. In terms of. I don’t think we’re, we’re really selling people. You should use Tor. We’re mostly doing the meme of use signal, use Tor. And if you, if you want to use Tor, like downloading the Tor browser and just using it is like the easiest, straightforwardest way to do that.
But yeah, just never mind.
Thomas: It’s not a super strongly held opinion of mine. It’s just, it’s an argument I’ve had beaten into me by Dan Guido and the Gruk.
William: But if you use Safari, you get to use the best named mitigation ever, which is the Giga Cage.
Deirdre: The what?
Thomas: The what?
William: The Giga cage.
Deirdre: Oh, Giga Cage.
William: Yeah.
Thomas: I want to say Ga Cage.
William: This is my favorite mitigation ever added to a browser, which is people kept using ArrayBuffer for exploits in Safari. And so what they did was they put every, they put the backing store for all of, for ArrayBuffer into an mmapped 4 gigabyte heap region and then made all offsets 32 bit so you just can’t escape that region.
Thomas: This is a Dan Kaminsky idea from like the mid 2000s. Oh yeah, this is like his big memory, like his big memory safety thing was 64 bits.
William: Yeah.
David: This is also how the V8 sandbox works as well. It’s a little part of it. So like the, the V8 sandbox is a little more than that. But to make the, the memory regions work, they have a variety of slightly larger than 4 gigabyte regions that are only addressed in 32 bits. You can’t get off of. Cool in theory, but like then there’s a bit more to it.
William: There’s always a seal.
Thomas: We’re only going to find out over the next 20 years that Dan Kaminsky was literally right about everything. Just in like subtle ways.
David: If someone has one of those Wall Street Journal dot profile pictures.
Thomas: The stipple painting.
David: Yeah, the stipple painting. You. That just makes you correct about everything.
Thomas: I was wrong to doubt the stipple painting.
Deirdre: R.I.P.
Thomas: R.I.P.
Deirdre: Dan Kaminsky.
Thomas: Yes.
Deirdre: All right, so I think that’s it.
Thomas: I think we covered it.
Deirdre: I’m going to go install some random-ass PGP extension in my browser and I’m just going to start sending the wrap up for this recording with an encrypted email. I hope you love.
Thomas: Make sure you use Tor Browser 48.
David: We will ask the armor the episode notes.
William: Yeah, yeah, I want it with past five, the official Canadian block. So.
David: And apologies to the person who sent me that PGP email on the off chance you’re listening because it’s kind of identifiable.
Thomas: Maybe it was a really mean email.
William: Could have been.
David: Who knows?
Deirdre: All right. Yep. If you can stop using encrypted email and stop, stop telling people to use encrypted email. It’s just not, not good in our opinion.
Thomas: Good note, Deirdre. Security Cryptography Whatever is a something of side project of. Wait, it’s, it’s a side project of.
William: You, me and David.
David: Yeah, exactly. And our editor is Nettie Smith, and we sell merch at merch.securitycryptographywhatever.com. And we thank you for listening and we thank William for coming on this episode with us.
Thomas: William, thank you very much.
Deirdre: Thank you. Bye.