Again, I’m repeating myself a year later, this author, Soatok, is really frustrating and disappointing.
They’re obviously knowledgeable about privacy and cryptography, and I respect that.
However, the product they always recommend for privacy, Signal, is plain bad. It is tied to phone numbers, it only works with Android/iOS (to use the desktop app, you need to have a phone with Signal), and it depends on proprietary code. I mean the last part is just great for privacy oriented product... (/sarcasm) I know people will suggest forks/alternat…
Again, I’m repeating myself a year later, this author, Soatok, is really frustrating and disappointing.
They’re obviously knowledgeable about privacy and cryptography, and I respect that.
However, the product they always recommend for privacy, Signal, is plain bad. It is tied to phone numbers, it only works with Android/iOS (to use the desktop app, you need to have a phone with Signal), and it depends on proprietary code. I mean the last part is just great for privacy oriented product... (/sarcasm) I know people will suggest forks/alternative clients like molly.im, but other issues still hold. And don’t get me started on the cryptocurrency pump-and-dump I already mentionned last time.
I like emails. I read them whenever I want, they don’t pop in the notification bar of my phone. I can access them with multiple clients depending on my mood, from aerc to thunderbird including K9, and I want privacy in my emails. I do believe that GPG is good enough. Yeah, it’s not the cryptographic marvel that the Noise Protocol is, but I don’t care about forward secrecy, I don’t care about plausible deniability. I just want to be able to send access codes, signed download links and legal documents over emails without my email provider or my recipient’s email provider being able to read them, and with decent overall privacy. GPG does a pretty good job at all of this.
This whole anti-PGP discourse reminds me the cliché anti-MD5 crowd. Let’s say I download a file from my own server, and I want to check there was no transfer errors or disk writing errors, MD5 is fine for that use case, I could have even used crc32. (I know that, nowadays, blake2 is faster and better, but md5 is still fine) Unfortunately, some people see MD5 and their lizard brain go "oh my god!! it’s a broken message authentication primitive!!! You’re doing it wrong!! You should be using scrypt!!" Yeah, but I’m not using it for authentication, I’m just using it for plain checksumming, and it’s a good use case.
It’s all about use cases. GPG is fine.
Also, it’s not like the people developing GPG are idiots. Sometimes, I feel that the anti-PGP crowd are implying that without saying it out loud. I know that Soatok didn’t, but the people that follow them on mastodon is not far from saying it.