arstechnica (@arstechnica@mastodon.social), to random

Microsoft is scanning the inside of password-protected zip files for malware

If you think a password prevents scanning in the cloud, think again.

https://arstechnica.com/information-technology/2023/05/microsoft-is-scanning-the-inside-of-password-protected-zip-files-for-malware/?utm_brand=arstechnica&utm_social-type=owned&utm_source=mastodon&utm_medium=social

kikobar (@kikobar@acc4e.com), edited

@arstechnica yes, password-protected zip files are just an illusion of privacy.

In fact, these researchers were not using them for privacy, but as a way of sending malware samples to each other without being stopped by the malware scanners.

What I don't understand is why so many banks and financial institutions are so fond of them. They keep sending sensitive information via email on password-protected zip files where the password is your ID or your birthday... 🙄

Proper end-to-end encryption has been around for decades. 🤷‍♂️

#privacy #security #pgp #openpgp
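The point kikobar makes about password-protected zips, shown concretely in an added example (this is not code from the post or from the Ars Technica article): the legacy PKWARE "ZipCrypto" scheme, still the default for .zip in several tools, encrypts only each entry's data. The central directory (file names, sizes, CRC-32 of the plaintext) stays readable with no password, and the 12-byte encryption header gives anyone a cheap password pre-check. Python's standard zipfile module already implements the ZipCrypto reader, so the block codes only the writer side; the sample bytes, the entry name and the birthday-style password are constructed for the demonstration.

```python
"""Added example: what a 'password-protected' zip actually hides.

ZipCrypto (PKWARE APPNOTE, section 6.1) is a password-keyed stream cipher
applied to entry data only. Metadata is always in the clear. The stdlib
zipfile module reads ZipCrypto, so only the encryptor is implemented here."""
import io
import os
import struct
import zipfile
import zlib

# Constructed sample data; the password follows the "date of birth" pattern.
SAMPLE = b"constructed harmless bytes standing in for a shared malware sample\n"
PASSWORD = b"19850412"
ENTRY_NAME = "sample.bin"

# CRC-32 table (poly 0xEDB88320), reused by the ZipCrypto key schedule.
_CRC_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


def _crc32_byte(crc: int, b: int) -> int:
    return (crc >> 8) ^ _CRC_TABLE[(crc ^ b) & 0xFF]


class ZipCryptoEncryptor:
    """Traditional PKWARE encryption, writer side (mirror of zipfile's reader)."""

    def __init__(self, password: bytes) -> None:
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for p in password:
            self._update(p)

    def _update(self, c: int) -> None:
        self.k0 = _crc32_byte(self.k0, c)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc32_byte(self.k2, self.k1 >> 24)

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            k = self.k2 | 2
            out.append(c ^ (((k * (k ^ 1)) >> 8) & 0xFF))
            self._update(c)  # key schedule advances on the plaintext byte
        return bytes(out)


def build_encrypted_zip(name: str, plaintext: bytes, password: bytes) -> bytes:
    """One stored (uncompressed) entry with the 'encrypted' flag (bit 0) set."""
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    # 12-byte encryption header: 11 random bytes, then the CRC's top byte,
    # which readers use as a one-in-256 password pre-check. Encrypted as well.
    header = os.urandom(11) + bytes([crc >> 24])
    body = ZipCryptoEncryptor(password).encrypt(header + plaintext)
    fname = name.encode("ascii")
    flags, method, dostime, dosdate = 0x0001, 0, 0, (43 << 9) | (5 << 5) | 16
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, method,
                        dostime, dosdate, crc, len(body), len(plaintext),
                        len(fname), 0) + fname
    central = struct.pack("<4sBBBBHHHHIIIHHHHHII", b"PK\x01\x02", 20, 0, 20, 0,
                          flags, method, dostime, dosdate, crc, len(body),
                          len(plaintext), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1, len(central),
                       len(local) + len(body), 0)
    return local + body + central + eocd


def inspect_without_password(archive: bytes) -> list:
    """Everything returned here is read with no password at all."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [{"name": i.filename, "size": i.file_size, "crc32": i.CRC,
                 "encrypted": bool(i.flag_bits & 0x1)} for i in zf.infolist()]


def try_password(archive: bytes, name: str, password: bytes):
    """Return the plaintext, or None if the password is rejected."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        try:
            return zf.read(name, pwd=password)
        except (RuntimeError, zipfile.BadZipFile):
            return None


def find_password(archive: bytes, name: str, candidates):
    """The scanner's (or attacker's) view: try the passwords that travel with
    the file, such as the mail body, file name, customer ID or date of birth."""
    for pwd in candidates:
        if try_password(archive, name, pwd) is not None:
            return pwd
    return None


if __name__ == "__main__":
    z = build_encrypted_zip(ENTRY_NAME, SAMPLE, PASSWORD)
    print("visible without password:", inspect_without_password(z))
    print("known-sample CRC matches:",
          inspect_without_password(z)[0]["crc32"] == zlib.crc32(SAMPLE))
    print("recovered password:",
          find_password(z, ENTRY_NAME, [b"1234", b"password", PASSWORD]))
```

Running it shows the entry name, size and plaintext CRC-32 with no password at all, so a scanner holding the CRC-32 (or the full plaintext) of a known sample can match it from the metadata before touching the password; when the password rides along in the same mail, the contents are one try_password() call away. WinZip-style AES encryption replaces the weak cipher but still leaves file names and sizes in the clear, which is why a proper end-to-end encrypted container beats a "protected" zip for anything sensitive.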

yossarian, to programming
kushal (@kushal@toots.dgplug.org)

@glyph @gpshead @yossarian I beg to differ on that point. @saptaks & I are building https://tumpa.rocks/

Here is an example where we can have better UX focused tools in the #OpenPGP land.

strypey (@strypey@mastodon.nzoss.nz), to random

"SSH key-based authentication is tried-and-true, but it lacks a true public key infrastructure for key certification, revocation, and expiration. is a framework that uses the OpenPGP web of trust for these PKI functions."

@riseup

https://riseuplabs.org/en/projects

Sounds like a cool project, is the monkey still alive? The homepage linked on that page is dead, and the only code I could find doesn't look like it's been touched in a while.

https://0xacab.org/monkeysphere

hko (@hko@fosstodon.org), to random

Just took a first stab at running the #Canokey (https://github.com/canokeys/canokey-core/) secure key implementation, containerized - and talked to the #OpenPGP applet.

Next to the usual suspects, its OpenPGP applet also supports the Chinese national cryptography standard SM2 algorithm (see https://en.wikipedia.org/wiki/SM9_(cryptography_standard)), and I'm increasingly intrigued where and how OpenPGP is used in Chinese contexts. #China

blake, to random

In case it helps someone else: To change the #OpenPGP smartcard PIN on my #YubiKey, gpg --change-pin does NOT work for some reason. Using gpg --card-edit and putting admin and then passwd into the prompt lets me do it though.

#gpg #gnupg

hko (@hko@fosstodon.org), to random

Fedora 38 now has packages for sequoia-octopus-librnp 1.5.0 (the alternative #OpenPGP backend for #thunderbird; yay for @decathorpe).

This version fixes compatibility with Thunderbird 102.7+.

It also comes with new and improved automatic "acceptance" handling of #OpenPGP keys, based on the Sequoia Web of Trust library.
This improves user experience when delegating trust decisions to CAs (including CAs that are operated with https://openpgp-ca.org/).

kikobar (@kikobar@acc4e.com), to random

@jwildeboer I have been using S/MIME with #Thunderbird since at least 2015.

Many of the reasons described in the #letsEncrypt forum are true, which does not mean S/MIME is impossible to fix or use.

There is native support for S/MIME in many email clients both desktop and mobile/tablet, including most of the 'stock' clients installed by default in most of the devices, so this is not an issue.

I think the big problems are basically 2:

1.- Having a throwaway key and certificate every 30 days (as we do with Letsencrypt SSL/TLS) is very inconvenient because we would need to keep a long collection of them in order to access old messages.

2.- People access their email from multiple devices, so syncing the private key securely across all of them becomes a challenge.

For the tech savvy, both problems are manageable:

1.- You can get a free S/MIME certificate from #Actalis valid for 1 year here:

https://www.actalis.com/s-mime-certificates.aspx


Please read a very important reply to this post by @duxsco pointing out the insecurity of the Actalis certificate and providing a secure but not free alternative.

2.- You can manually add this certificate to all your devices and keep an encrypted/secure repository with all your old keys and certificates in case you need to access your archived email.

I've been doing exactly that for years and it is just fine for signing my email.

IMHO for 'fixing' the whole signing and encryption of emails, #OpenPGP is conceptually closer to being a more consistent solution, and I use it with everyone who understands it, but I have to admit that the ecosystem is far less ready than for S/MIME (you will need to use specialised apps or installed plugins, etc.), Thunderbird being a shining exception.

PGP has several very powerful advantages:

1.- You don't need a CA for the sole purpose of generating your keys.

2.- You can use the same keys for many years.

3.- People who really trust each other can sign each other's keys creating a web-of-trust.

4.- There is a free network of keyservers where you can upload your public keys and make them available to everyone.

5.- Most people these days have their own website, blog or social media account where they can publish their public keys for cases when they distrust the public servers. They can manually exchange them too.

In the long run I believe we should promote the adoption of OpenPGP instead of S/MIME; with more people using it, native support should follow.

I am not an expert though, so I'd love to hear from others too. 😊

#pgp #gpg #privacidadebemboa

Goffi (@Goffi@mastodon.social), to random

#OX (XEP-0373, XEP-0374: #OpenPGP for #XMPP, without the security problems of the historical XEP-0027) implementation has been merged into #Libervia, thanks to Syndace again, and to #NLnet for their funding.

OX doesn't have PFS (https://en.wikipedia.org/wiki/Forward_secrecy) but that means that new devices can access archives, which may be desirable. Also, it can encrypt arbitrary elements.

It is also a building block for upcoming features such as #pubsub #e2e #encryption.

Stay tuned.
