FRESH

Hacker News

Home

Poor Johnny still won't encrypt

87 points by zdw

by laserbeam

8 subcomments

Someone needs to design a super dumb and robust system where I can safely store all my keys on all devices I use an account. The fact that whatsapp, signal and other platforms tend to have a primary device for keys is bonkers to me. A primary device that can randomly die, get stolen or fall in a lake.
I have lost chat histories more times than I can remember, and I have to be extra diligent about this these days.
I don’t even want to think about pgp when I have to manually take care of this problem. Not because of my own skills, but because I could never make it reliable for my family and friends on their side.

by pcthrowaway

4 subcomments

> Proton is a notable exception.
Proton doesn't provide public APIs for retrieving the public GPG keys associated with their users' accounts, nor do they provide a way to send encrypted mail to their users' accounts without using their official apps.
Ergo, Proton is not really working to further the state of cryptography for email, they're only working to compel users to use their proprietary software (and ultimately their paid services).
If services which do automated sending of emails to their subscribers/users have no way to encrypt those emails for its users who are on proton mail, I don't understand how Proton can claim to care about encryption.

by StellarScience

0 subcomment

The US federal government issues its employees smart cards (Common Access Cards) that contain digital certs. Government employees can use these to send and receive S/MIME encrypted emails. That's a couple million users!
Our small company has been encrypting all emails by default with S/MIME for 15-20 years. A company can generate its own certs for free from a company root cert, use a provider like Sectigo for $20/year, or get US Government ECA certs for about $100/year.
You can read encrypted emails on company-managed mobile devices that have Knox chips to secure access to the certificate. We're careful to back up all our old keys so we can always read old emails.
Some drawbacks are:
- Email "search" features only see the subjects, not the contents, of encrypted emails.
- You can't read encrypted emails via web email.
- Few others have S/MIME certs. Most major government contractors seem confused when we ask about encrypting emails with them...
Johnny may not encrypt, but every business really can.

by yardstick

2 subcomments

I’ve got hundreds of emails from the early 2010s between a couple of coworkers and myself that I can no longer read because they were S/MIME encrypted and I’ve got no idea what happened to my keys or even if my current client supports it anymore.
I wish the client stored it decrypted once received.

by bradley13

3 subcomments

It's weird. Almost all web traffic is now https - even though very little of it is sensitive. Email, on the other hand, is quite often sensitive, and yet...no one cares.
Why?

by tptacek

1 subcomments

Yeah, at some point people are going to work out that the problem isn't Johnny, it's email. Email is distinctively hostile to secure messaging. No matter what software Johnny uses, "secure" email will always be inferior to alternative options.
https://www.latacora.com/blog/2020/02/19/stop-using-encrypte...

by xeonmc

2 subcomments

If you want encrypted communication over email, there's DeltaChat.

by xyzsparetimexyz

2 subcomments

It's email. 90% of the emails I get are marketing spam or GitHub notifications. Nobody I know uses email to chat with friends

by hulitu

0 subcomment

> Poor Johnny still won't encrypt
As long as Google, Apple or Microsoft controls your device, all bets are off. You can "encrypt"mails in Outlook but, Microsoft also has your key.

by _dain_

0 subcomment

>Auditors obsess over encryption at rest—from laptop FDE to databases’ security theaterish at-rest encryption—and over encryption in transit, usually meaning TLS.
Very hard to parse sentence. The monospace font means the em-dash isnt emmy enough, so I couldn't tell it apart from the hyphen on first, second, and third attempt. I wish people would put spaces around it, and to hell with what the style guide says.

by steve1977

0 subcomment

"To encrypt email in 1998 you’d run GnuPG from a terminal"
In 1998, you'd probably run PGP.
While GnuPG saw it's first 0.x releases from the end of 1997, 1.0 was only released in 1999 and commercial PGP was still very popular IIRC.

by tomlockwood

0 subcomment

I thought this title was a reference to this David Bowie/NIN song: https://www.youtube.com/watch?v=LT3cERVRoQo

by erelong

1 subcomments

Issue 1: Establishing lots of reasons why people should encrypt
Issue 2: Making it easy to encrypt
Issue 3: Popularizing encryption or getting more people to do it

by zkmon

1 subcomments

Maybe Johnny doesn't have a need to encrypt. The post card in India was just a card with message written on both sides, fully visible in plain text. It's very common that a postman would read out the letter to recipients sometimes, when they deliver it. Privacy is not an universal need.
Poor are those people who are forced to hide their message in encrypted formats,

by sorbusherra

0 subcomment

I consider e-mails to be digital versions of postcards. Both are obsolete but have some usage scenarios. There is no need to use private communication in obsolete postcard type messaging, so there is no need for encryption. For private communications there are other better(easier) means which people use.

0 subcomment

by jmclnx

1 subcomments

>In 2025, it’s pretty much the same. In some respects, it’s worse:
Well not quite, if you use mutt, it is easy to encrypt emails with gpg. The setup could be a bit hard for new people, but if they have good reading comprehension it is easy.
Thunderbird has its own gpg-like based internal encryption. I really do not like it, I wish they built it on gnupg like the old plugin did.
All you need to do is get your key to the people you want to send encrypted email to and you need to get theirs. There are key servers or you can mail the public key to them.
To me, if on Cell Phones, all bets are off. I would never use email on Cell Phones.