I am not trying to win a popularity contest. If you care about secure messaging, and want to be sure about who you are talking to -- then you have to use something like PGP.
I don't think the number of people using something invalidates a technology's technical merits. All we now have is a bunch of people thinking they are secure, to one day have a very rude awakening, not if but when their communications are compromised for the sake of popularity and ease of use.
Most of the arguments against PGP are about clunky clients and such; this again is not an argument refuting the technology. Meanwhile the new systems solve the UI problems by dropping the most important part of encryption -- the ability to validate.
The only people who agree with you about the need for PGP in serious secure messaging are members of the PGP cheering section. They're an old and venerable social organization dating back to the pre-HMAC CFB-mode cryptography in PGP itself. I have nothing bad to say about their justified and ancient society other than that they are wrong about everything involving cryptography and that they recommend tools that get people hurt.
People who care very deeply about these problems and who have studied them more carefully than almost any message board commenter have evaluated PGP and Signal. Among secure messaging and cryptography engineers, PGP is alternately either amusing or an unfunny hindrance to progress. Signal, on the other hand, won the Levchin Prize at Real World Crypto.
PGP is a protocol, there is nothing wrong with it. If you want to complain about good PGP based apps that is an entirely different argument (and I think that is what you are arguing).
Signal is not a protocol, it is an application. It uses Open Whisper (or some mutation of it) as its underlying protocol. That being said, you are still relying on trust provided by the Signal servers that they properly authenticated your phone number. A phone number is a super weak way to verify identity. Luckily Signal does provide a way to verify that you are actually talking to who you think you are, via the safety code process (in person or out of band). So the end result is: trust us first, then verify later. While most PGP applications require zero trust until verification by means of key exchange.
After all that, there is nothing stopping anybody from making an application that works just as Signal does but based on PGP, and being just as secure as Signal using PGP. The problem is people who understand this know that using PGP chained with a weak, service-provided phone-number-based validation invalidates the entire point -- so they don't. I personally think that is a mistake, as PGP is way better in the long run because it can be used for more than text chats and video calls.
There are clear things wrong with the PGP protocol. PGP predates authenticated encryption (let alone modern AEAD ciphers) and the hacks PGP came up with to authenticate ciphertext resulted both in stripping attacks and, indirectly, in the Efail attack from last year. It was also Signal's linear packet based key format that resulted in the GnuPG/SKS attacks.
Signal is a protocol; in fact, it was "Signal Protocol" that won the Levchin prize. Signal also doesn't verify identities with phone numbers.
These are just basic, fundamental factual problems with your claims. We're not even getting close to serious comparisons between the two systems; we haven't even talked about forward secrecy, compromise repair, modern primitives, complexity, and UX.
> Signal also doesn't verify identities with phone numbers.
In practice, the only allowed implementation does.
It finds your contacts based on phone number, it allows them to use any keypair, and it allows that key to change at any time. It shows a light grey item in the chat when the key changes, just "your safety numbers have changed" and then you continue chatting like nothing happened.
Even if you were paranoid about checking for the light-grey changed safety number message, there's practically no way to avoid it. There's no built-in way to back up your keypair and then load it onto another phone, so you can't avoid needing to have your friends accept new keys whenever you get a new phone, or factory-reset your phone.
Maybe you want to fork the open-source client and fix some of these glaring security deficiencies ... nope, they don't want your fork connecting to their central servers. Federation is for silly nerds, no thanks.
Further - recent GPG's crypto implementations are not currently compromised, it's disingenuous to conflate the issues with mail client plugins and keyservers and the old constructions used 15 years ago with recent RSA keypairs.
GPG signatures are used to verify authenticity of debian, ubuntu, and arch linux packages, and these systems do not use keyservers. I've used gpg for a scripted system just for coworkers at my office. (We exchange keys and validate fingerprints in person in the office.) It works. It is not vulnerable to any currently known attacks.
You can't do any of that with Signal! Maybe signal's algorithms are the bees knees and will last for decades but it's just not a useful tool. It allows peer keys to change at any time, and encourages or even requires it!
If anything, I'd expect you to be promoting Keybase, it is "modern" and also does a lot to solve the key distribution and continuity problem ("for real users" you might say), that Signal does not do.
It's very frustrating to see you appeal so much to authority and say "my cryptographer friends and I all just laugh at silly geeks who don't trust Apple and Facebook and OpenWhisperSystems" and really not offer anything that could replace GPG as a tool for us "silly geeks" to use for practical purposes. We could chat with each other and feel good that Moxie's modern crypto is being used and not care when keys change, but that doesn't accomplish anything technically useful for us.
> Both of those statements are false.
Pop on over to Wikipedia and you will see how wrong you actually are.
>> "Signal uses standard cellular mobile numbers as identifiers"
>> "The applications include mechanisms by which users can independently verify the identity of their messaging correspondents and the integrity of the data channel."
That is what I described: it's trust us first, and maybe verify later if you think of it.
>> "Open Whisper Systems introduced the second version of their TextSecure Protocol (now Signal Protocol)"
Looks like it is Open Whisper, just v2 and renamed... Well, maybe TextSecure.
> hacks PGP came up with to authenticate ciphertext resulted both in stripping attacks and, indirectly, in the Efail attack from last year.
A quick look at Efail shows clients were at fault and the fix was patching clients. I can assure you my email client had no such issue. So again, you are blaming something on PGP that really just involved PGP. If Signal's code has a bug in it, it too can leak encrypted messages after the client decrypts them.
> key format that resulted in the GnuPG/SKS attacks
Again you are back on keyservers, a method of offline verification to a 3rd party.
> Signal also doesn't verify identities with phone numbers.
Yes it does, unless you do the second step of verification, which is not done by default. Have you used Signal before? When I installed it on my phone, magically people I knew showed up based off -- what is that? A phone number.
And again Wikipedia - "Signal uses standard cellular mobile numbers as identifiers,"
> These are just basic, fundamental factual problems with your claims.
You keep conflating things with PGP that are not PGP, thus I have to refute insane statements that don't have to do with PGP, but with things like email clients, or now how Signal actually works. You thus far have just said I am wrong, but have not described how any of this works. Yet I am here pointing to and describing in great detail how you are wrong. Simply saying I am wrong, and not demonstrating it, does not make you right.
> We're not even getting close to serious comparisons between the two systems;
You are right, because you are talking about end to end encryption and I am talking about the importance of verifying who you are talking to. Signal fundamentally solves a different problem than the one PGP is attempting to solve -- and it does so giving up some very strong benefits that PGP brought to the table. Signal is amazing if you don't want onlookers to see your message, not so good if you want to authenticate the sender (unless you go through the extra steps, in which case it is the same cumbersome process as PGP keys).
In any case, I don't have any more time to spend on this. If you choose to reply I will read it, but I am done because I don't think we are going to come to an agreement.
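The disagreement above (the "trust us first, then verify later" description in the earlier reply, and the "safety numbers have changed, keep chatting" behaviour described after it) comes down to two policies a client can apply when a peer's key is first seen and when it later changes. The following is an added example written for this page, not code from any commenter, Signal or GnuPG. It assumes a constructed peer store with two policies, `tofu` and `verify_first`, and a simplified fingerprint (SHA-256 of the raw public key rendered as digit groups), which is neither OpenPGP's fingerprint format nor Signal's safety-number derivation; the key bytes are constructed stand-ins, not real keys.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


def fingerprint(pubkey: bytes, groups: int = 6, digits: int = 5) -> str:
    """Illustrative fingerprint: SHA-256 of the raw key as decimal groups that
    two people can read to each other.  An assumption for this example, not
    OpenPGP's v4 fingerprint and not Signal's safety-number algorithm."""
    digest = hashlib.sha256(pubkey).digest()
    parts = []
    for i in range(groups):
        chunk = int.from_bytes(digest[4 * i:4 * i + 4], "big")
        parts.append(f"{chunk % 10 ** digits:0{digits}d}")
    return " ".join(parts)


@dataclass
class PeerRecord:
    pubkey: bytes
    verified: bool = False  # fingerprint confirmed over a trusted channel


class PeerStore:
    """Tracks the key last seen for each peer and whether it was verified.

    policy="tofu": the first key seen is accepted and a changed key replaces
    it with a warning, but sending is never blocked (the default behaviour
    the thread attributes to Signal's client).
    policy="verify_first": nothing is sent to a key whose fingerprint has not
    been confirmed out of band, and a key change revokes that status (the
    "zero trust until verification" model the thread attributes to PGP use).
    """

    def __init__(self, policy: str) -> None:
        assert policy in ("tofu", "verify_first")
        self.policy = policy
        self.peers: Dict[str, PeerRecord] = {}
        self.warnings: List[str] = []

    def observe_key(self, peer: str, pubkey: bytes) -> str:
        """Record the key advertised for a peer; returns the event kind."""
        rec = self.peers.get(peer)
        if rec is None:
            self.peers[peer] = PeerRecord(pubkey)
            return "first_seen"
        if rec.pubkey == pubkey:
            return "unchanged"
        # Key rotated: new phone, reinstall, or an interposed server.  The
        # software cannot tell which, so any earlier verification is void.
        self.peers[peer] = PeerRecord(pubkey, verified=False)
        self.warnings.append(f"{peer}: safety number changed to {fingerprint(pubkey)}")
        return "changed"

    def confirm_out_of_band(self, peer: str, spoken: str) -> bool:
        """Compare digits read in person / by voice with the computed value."""
        rec = self.peers.get(peer)
        if rec is None:
            return False
        ok = spoken.replace(" ", "") == fingerprint(rec.pubkey).replace(" ", "")
        if ok:
            rec.verified = True
        return ok

    def may_send(self, peer: str) -> bool:
        rec = self.peers.get(peer)
        if rec is None:
            return False
        return True if self.policy == "tofu" else rec.verified


def run_scenario(policy: str) -> Tuple[List[bool], List[str]]:
    """Same event sequence under each policy, using constructed key bytes."""
    key_a = b"alice-long-term-key-v1"     # constructed stand-in, not a real key
    key_b = b"alice-key-after-reinstall"  # could equally be an attacker's key
    store = PeerStore(policy)
    sends = []
    store.observe_key("alice", key_a)
    sends.append(store.may_send("alice"))              # before any verification
    store.confirm_out_of_band("alice", fingerprint(key_a))
    sends.append(store.may_send("alice"))              # after the in-person check
    store.observe_key("alice", key_b)                  # key changes underneath us
    sends.append(store.may_send("alice"))              # does the client keep going?
    return sends, store.warnings


if __name__ == "__main__":
    for policy in ("tofu", "verify_first"):
        sends, warnings = run_scenario(policy)
        print(policy, sends, warnings)
```

Running it prints `[True, True, True]` for `tofu` and `[False, True, False]` for `verify_first`, with one "safety number changed" warning in each case; the only difference between the two policies is whether that warning is advisory or blocks the next send until the new fingerprint has been confirmed again.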
If you need ultimate privacy and true end to end encryption, PGP is your tool. You can use it over channels you don't trust, e.g. you can easily send PGP messages over Signal or another messenger you can't verify. The only people who would discourage use of PGP would be gov reps, as you can choke a messenger company into giving you a tap on messages, but if someone uses PGP over it, tough luck.
If someone solved the UI/UX problems with gnupg, and came up with a more elegant method of exchanging/validating keys (or even just an alternate keyserver infrastructure with better properties), wouldn't that solve the problem?
Edit: how about a response instead of a downvote, anonymous detractor?
As a note, I think there are probably better crypto technologies these days, but none of them do what PGP aimed to do; rather we have a bunch of smaller tools that do small parts of what PGP did. I am not going to send you a signed file over Signal, and I think it is silly to have to use an alternative means of sending the file that will either remove the ability for authenticity, or require me to do the authentication dance again with you.
PGP suffers from bad tooling, and further suffers from the relentless onslaught of people who want fancy Electron or phone apps that can only do a small % of what PGP would allow.
Final note, I think something better than PGP could exist, but nobody has made it yet. In either case, validating keys will always be a hard problem and any attempt to automate it will result in a false sense of security. While end to end encryption will keep onlookers from viewing your communications -- you just might find out one day you are talking directly to the people you were trying to hide your communication from.
First, the guidelines ask you not to talk about downvotes. You can find out more about that by reading the guidelines.
Secondly, Signal sends files just fine, and does so more securely than GPG. If you don't want to use Signal to do that, you can also use Magic Wormhole, which also works better and is more secure than PGP.
So for me, I will stick with GPG and the like.