New blog post: Yes, We Want Cryptographic Protection for Email https://sequoia-pgp.org/blog/2021/06/29/202106-yes-we-want-cryptographic-protection-for-email/
The TL;DR is: email is not going away, and it is being used for some important things. So it would be negligent to give up on protecting email, just because we have Signal.
Despite the Johnny studies, which focus on ordinary users, there is a evidence that people who need protection are able to successfully use OpenPGP. For instance, hundreds of people involved in the Panama Papers correctly and consistently used PGP over the course of a year. https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/mcgregor
Our email accounts are our primary online trust anchor. If you forget your password, you can use an account recovery tool to get an email that will let you back in. So can an attacker. Securing email would move the trust anchor to the encryption key.
Phishing results in huge financial loses. If businesses consistently used digital signatures, users would largely be protected without have to think.
Businesses need to communicate with everyone. Email is the common denominator. And even if they did want to use a secure messenger, they probably can't due to compliance requirements like archival. These emails deserve cryptographic protection.
@nwalfield I agree with your thesis & most of what you're saying, but I can't relate to email being the common denominator. Since #MS & #Google have broken email by restricting inbound msgs on the basis of IP, I can no longer email most people and businesses.
@nwalfield i can receive email, but I can't send it.. unless I dance for them and conform to relaying my mail through a 3rd party & needlessly expose metadata, and also give up the ability to see if the receiving servers accepts the msg.
@nwalfield when small companies DNSBL firewall their inbound mail, it's an overreaction to spam. When big corps do it, it's to monopolize under the veil of anti-spam. Either way, two-way email is dead to me.
@resist1984 @nwalfield I disagree. For about a decade my personal e-mail account has been (and continues to be) hosted with the Warsaw Hackerspace, who self-host their e-mail system. Never had any major problems with mail delivery to third-parties, including GMail and MS infrastructure.
A few months ago I also set-up my own self-hosted e-mail system using @yunohost, which makes it easy to have DMARC and SPF. It works well. No delivery problems so far either.
@resist1984 @nwalfield @yunohost and even *with* DNSBL and spam issues, e-mail is STILL more open and self-hostable than WhatsApp and Signal, and the like.
Yes, it's a bit of a chore (although it got easier with Yunohost), and no I would not expect a non-techie to host.
But even a fantastic techie would not be able to "self-host" Signal or WhatsApp to stay in touch with their users. The very thought is absurd, because these are walled-gardens.
@rysiek @yunohost @nwalfield You've simply gotten lucky with your IP address. Or if it's not luck, you paid extra for a static IP / business account. Most residential IPs from the US are blocked, and in Europe most ISPs block egress port 25 packets so you can't even attempt to send your own self-served mail.
@resist1984 Residential / DUL space is a lost cause at this point, and quite frankly has been for nearly two decades. Spam took care of that.
Reputation matters, and gateways (whether commercial email providers or well-managed colo / hosting space) are pretty much a requirement.
@dredmorbius @nwalfield @yunohost @rysiek sometimes i get away with sending email directly to a recipient if their ESP is not a #MACFANG one. This proves that it's viable, & that the tech giants have chosen to be anti-competitive under the false claim of anti-spam.
@rysiek @yunohost @nwalfield @dredmorbius So in knowing that it's not really anti-spam (there are ways to counter spam without oppressing legit users), I choose not not email gmail & outlook users in order to avoid supporting the oppressor.
@dredmorbius @nwalfield @yunohost @rysiek sometimes I send them a fax & add "this came by fax because your email provider is blocking". The fax likey still goes through gmail/outlook on their end, but I think it's less prone to mass snooping as MS & Google would have to OCR it, and even then the metadata is harder to parse.
@resist1984 @dredmorbius @nwalfield @yunohost @rysiek actually gg and ms are far from being reluctant with other email providers. They just follow several public rules which most self hosted tools such #mailinabox #younohost or #mailu makes automated. Your statement about IP address is not really relevant. I understand there exist rules for email. And its fairly easy to selfhost today for few dollar a month.
@parisni @rysiek @dredmorbius @nwalfield @yunohost the rules are written in an RFC, which exists for the purpose of interoperability. When Google & MS refuse to accept RFC-compliant email, they are breaking the rules & breaking email. They've made their own profit-driven rules that they force others to comply with. Playing by #GAFAM rules supports them.
@resist1984 @rysiek @dredmorbius @nwalfield @yunohost spreading information that email is blocked by #gafam is a bad idea because this is wrong. Self hosting emails is simple and almost anyone can do it by simply deploying 100% FOSS solutions which I mentioned earlier in few minutes. The email rules are fair and IP black list is inevitable among dkim, SPF and so on
@parisni @rysiek @dredmorbius @nwalfield @yunohost It's of course accurate to say #GAFAM is blocking email. They block connections discriminating solely on IP address & w/out cause. It's a destructive intentional practice of #GAFAM to do that & that's where the blame goes.
@yunohost @nwalfield @dredmorbius @rysiek @parisni The RFC's rules are fair because the RFC does not impose being able to afford a static IP address. The corporate rules of #Google & #Microsoft are unfair b/c they don't care about access equality, just profits, & they are happy to marginalize anyone not profitable to them.
@yunohost @nwalfield @dredmorbius @rysiek @parisni Poor people can "pay" by giving up privacy in both cases (either by relaying email through a privacy abuser, or by letting the CAPTCHA service collect data on them). But that's unfair b/c they don't have the luxery of buying higher levels of service. It's a break from #netneutrality principles.
@resist1984 @yunohost @nwalfield @dredmorbius @rysiek hosting jami, matrix or anything is not available for poor people too.
@parisni @rysiek @dredmorbius @nwalfield @yunohost how is Jami blocking poor ppl?
@resist1984 @rysiek @dredmorbius @nwalfield @yunohost because without self hosted async server (if exist) Jami is NOT reliable. I mean turn out your phone and conversation is broken. This is not praticable. Even with love to Foss and p2p you never want such chaotic conversation app
@parisni @rysiek @dredmorbius @nwalfield @yunohost It's actually a #netneutrality problem for MS & Google to block on the basis of IP address, because that policy creates access inequality. It's comparable to what #Cloudflare is doing to Indians & Serbians, whereby they force users of cheap ISPs (which use CGNAT) to solve #CAPTCHA. Those users must pay a fee to get the privs of IPv4 or IPv6.