"Encrypted email is LARP security"

Latacora: Stop Using Encrypted Email

Most email encryption on the Internet is performative, done as a status signal or show of solidarity. Ordinary people don't exchange email messages that any powerful adversary would bother to read, and for those people, encrypted email is LARP security. It doesn't matter whether or not these emails are safe, which is why they're encrypted so shoddily. [...]

Every long term secret will eventually leak. [...] Different tools do better and worse jobs of forward secrecy, but nothing does worse than encrypted Internet email, which not only demands of users that they keep a single long-term key, but begs them to publish those keys in public ledgers. Every new device a user of these systems buys and every backup they take is another opportunity for total compromise. Users are encouraged to rotate their PGP keys in the same way that LARPers are encouraged to sharpen their play swords: not only does nobody do it, but the whole system would probably fall apart if everyone did.

Previously, previously, previously, previously, previously, previously, previously, previously, previously.

Tags: , , ,

17 Responses:

  1. Hanan Cohen says:

    Fastmail, my longtime email provider, explain in their blog why they don't offer PGP encryption. Sensible.


  2. tygertgr says:

    I keep a crew of guys out back with warmed up hayabusas to dispatch my handwritten messages sealed in security tape.

  3. Vincent says:

    I have to agree to some degree. Many times friends and I have tried to implement email encryption only to use it to say "hi, did you get this?" to each other and then quickly abandon it after one of us lost a key or changed email clients haha.

  4. Julian Macassey says:

    I use gpg frequently, just to keep the spooks busy.

  5. bob says:

    I've worked with some vendors that provide enterprise level secure email services. For passwords, orders, secure communications required by law, internal distributions that management didn't want others to see...

    PGP encryption in mail clients, while fun the first time as an excercise, doesn't really provide the ease of use, or control that you can just buy (if you have the money and the need)

    • Julian Macassey says:

      If you use Thunderbird for e-mail, enigmail on an Apple is pretty painless.

      Everyone needs security and encryption.

      "If you have done nothing wrong comrade, you have nothing to fear.

      • Michael says:

        You’re confusing someone being prevented from encrypting their email and if it actually makes sense to encrypt the email.

        I am with you that encryption shouldn’t be illegal and available, I am not with you that we all need to encrypt our email.

  6. K3ninho says:

    Jamie, about Signal, one more time..?

    In contrast to your own previously and previouslier, TFA offers:

    "The most popular modern secure messaging tool is Signal, which won the Levchin Prize at Real World Cryptography for its cryptographic privacy design. Signal currently requires phone numbers for all its users. It does this not because Signal wants to collect contact information for its users, but rather because Signal is allergic to it: using phone numbers means Signal can piggyback on the contact lists users already have, rather than storing those lists on its servers. A core design goal of the most important secure messenger is to avoid keeping a record of who’s talking to whom.

    "Not every modern secure messenger is as conscientious as Signal. But they’re all better than Internet email, which doesn’t just collect metadata, but actively broadcasts it."

    I don't know what to think any more. I guess my sense of what's least worst or tolerably terrible is just not calibrated for this timeline.


    • jwz says:

      Though the author is correct about encrypted email, their love of Signal is baffling.

      Signal may well have very good crypto libraries inside it. Probably it does? But we can't know for sure, because it's not truly open source.

      But cryptography doesn't mean shit when the UI design is so atrocious: not only does it broadcast your use of it like a giant-ass KICK ME sign, not only does it probably leak your phone number to people who didn't already have it, but it is, as someone else put it, "the app which, if any activist's unlocked phone is swiped, immediately reveals all collaborators' numbers and thus real world locations and IDs."

      • The author loves Signal --- which is in but is not asking you to love it. Use any modern secure messenger.

        Signal is open source, for what it's worth. But why litigate? The truly important project is to get nerds to stop recommending encrypted email to people with real problems.

        • tobias says:

          spotted the fed

          • NT says:

            A well-known security professional posts a sensible comment under his real name, and you immediately accuse him of trolling. Go back to Twitter.

        • George Dorn says:

          I might be feeding the troll^Wfed, but:

          There is an open source package called Signal that you can go read the source for. You cannot* verify that the app you get from Google is built, unmodified, from the source in the app repo.

          There is an open source repository for the server, you can read that, too. You cannot verify that the code running on the Signal server is the code in the server repo.

          Even if you are 100% sure of both things, Signal leaks metadata; specifically, who is friends with whom can be extracted from the server API without knowing any keys.

          The author of Signal is quite vocal about not letting a third-party, open-source, transparent automated build system (F-Droid) build and distribute the app. The author of Signal is quite vocal about not letting anybody else run the server (and has threatened legal action against those trying to do so).

          * You could decompile it; every single user would need to do so after every update, however, since Google itself can substitute other APKs to specific users.

          • You can't do that with anything you don't build yourself. If your argument is "don't use any clients and servers you didn't build yourself", say that. But if your argument is "Signal isn't open source", what source are you looking for?

            Regardless: use any modern secure messenger, IDGAF. Just don't encrypt email. Email is broken, and LARPsec won't fix it.

  7. rozzin says:

    I wish I could contradict the "PGP e-mail is LARP crypto" assertion.
    Instead I have to agree that I've been frustrated that "LARP crypto" nature for years and years now--and I guess I'm kind of glad that someone finally put a name to it. Though I'm also kind of baffled by much of the description--including how the author completely missed the opportunity to actually show the LARP mindset.

    Someone mentioned Enigmail--that's a great example. What I always wanted from encrypted e-mail was "end-to-end" encryption: it gets encrypted upon transmission from the source MUA, and it gets decryoted upon receipt by the destination MUA.

    But what Enigmail gave me was "up-my-end" encryption, with the continual insistence that `if it was important enough to secure in motion, you must secure it at rest as well!'. Because I'm not allowed to worry about some sysadmin out there somewhere on the net reading my messages unless I also am afraid that someone's going to break into my house, and because it's apparently inconceivable that there might be some other (let alone better) way of securing the data at rest after receipt than to just leave it exactly as sent (and maintain that key forever).

    No. There are lots of things that I actually do want the recipient to be able to receive asynchronously, figure out where to take the secret part and what to do with it without having to decrypt it first, move across security-zones without decrypting, and then decrypt and store long-term. Examples..., I don't know--medical records, business plans or other trade secrets, maybe keys for some server or VPN or something...? (these are all things that also don't fit the `30-minute self-destructing AOL IM' model being espoused in that article).

    And of course the big reason that we can't auto-ratchet our PGP subkeys is because it's so much more "fun", from the LARP perspective, to make everyone guard their holy grail of a decryption key for all time (instead of just letting "secure local storage after receipt" actually be handled by local policy, which would free you from the burden of eternal grail-guarding unless you actually want to manage your local data that way for some reason).

    To be fair to Enigmail, though, they did finally kind-of implement decryption for local storage a few years ago.

    And to be fair to the article author, there does seem to be a disconnect between what he wants vs. what encrypted e-mail has to offer.

  • Previously