An old lock.

Security Shouldn’t Be This Hard

I really like the idea of being very secure. I like crypto. I like PGP keys. I like to sign and encrypt e-mails.

I’ve had my PGP key published on this site for a long time now. I can count on one hand with fingers to spare how many people I’ve actually communicated with using it—either both of us signing e-mails or, gasp, actually encrypting with it.

On the desktop, Thunderbird + the Enigmail extension does a fine job. There used to be a Firefox extension that made using PGP with webmail relatively easy. Still, even today, Google has a Chrome extension, but is still extremely alpha.1 After trying it out, well, there still isn’t a smooth way to use PGP with Gmail outside of Thunderbird that I’ve seen.

I’ve heard of ProtonMail, but both the seemingly inability to use my own domain and their recent DDoS attack make me hesitant.2

There are notable issues with encrypting everything—search becomes incredibly harder. Searching through encrypted messages via Gmail is literally impossible, unless the subjects are that descriptive or your send to yourself indexing terms threaded to the message.

Keybase has been called the “GitHub of PGP”, but I haven’t seen large scale adoption yet—and still limited to manually encrypting/decrypting messages.

What is needed to move the needle?

Standards: There needs to be (or have implemented) some standard of PGP built into browsers with a standard web API for interacting with sites to encrypt/decrypt.

Education: What would help convince others to try it out and find it valuable? This I have no idea besides appealing to the part of us who wishes we were James Bond. I want to be a secret agent, but need other people to play spy with me.

What else? Why do we trust so much of our existence on such an open platform so difficult paths to making it stronger?


  1. To use it, you need to install ant via homebrew and the JDK. Then git clone their repo, then run a script to install dependencies, then a script to build it. Then, you need to enable Dev Mode for Chrome’s extensions, take a guess that build/extension is the right folder and presto! Even then, it’s pretty damn rough. 
  2. Custom domain support is coming “mid/late 2015” as a premium feature. 

Comments

Leave a Reply