William Woodruff, founder of Yossarian.net, joins the discussion to dismantle the myths surrounding encrypted email, especially PGP. He reveals a significant bug in an OpenPGP library, arguing that email was never designed for encryption. The conversation dives into operational security, criticizing outmoded methods like PGP and S/MIME. They explore the risks of metadata leaks and the limitations of federated systems, advocating for modern secure messaging alternatives like Signal over traditional email. Woodruff emphasizes the need for better understanding of digital threat models.
01:11:07
forum Ask episode
web_stories AI Snips
view_agenda Chapters
auto_awesome Transcript
info_circle Episode notes
insights INSIGHT
PGP Packet Format Is Fragile
OpenPGP's packet grammar is deeply complex and historically brittle, causing many parsing and security headaches.
The OpenPGP.js bug let attackers append packets and expose unsigned data, showing format fragility.
question_answer ANECDOTE
Keyserver Parsing Bugs Caused DoS
William recalled past keyserver DOS and quadratic parsing attacks that crippled the keyserver network.
Those historical parser attacks underline how PGP's format facilitated real operational failures.
volunteer_activism ADVICE
Don't Recommend Encrypted Email
Avoid recommending encrypted email as a go-to for sensitive communication because it routinely fails in practice.
Use modern secure messengers (Signal/WhatsApp/Matrix) instead of PGP email for real security needs.
Get the Snipd Podcast app to discover more snips from this episode
There was a bug in an OpenPGP library which finally gave us an excuse to tear encrypted email via PGP to shreds. Our special guest William Woodruff joined us to help explain the vuln and indulge our gnashing of teeth on why email was never meant to be encrypted and how other modern tools do the job much, much better.
Watch on YouTube: https://www.youtube.com/watch?v=IoL3LfIozJo
Security Cryptography Whatever