this post was submitted on 09 Sep 2024
51 points (96.4% liked)

No Stupid Questions

35882 readers
3697 users here now

No such thing. Ask away!

!nostupidquestions is a community dedicated to being helpful and answering each others' questions on various topics.

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules (interactive)


Rule 1- All posts must be legitimate questions. All post titles must include a question.

All posts must be legitimate questions, and all post titles must include a question. Questions that are joke or trolling questions, memes, song lyrics as title, etc. are not allowed here. See Rule 6 for all exceptions.



Rule 2- Your question subject cannot be illegal or NSFW material.

Your question subject cannot be illegal or NSFW material. You will be warned first, banned second.



Rule 3- Do not seek mental, medical and professional help here.

Do not seek mental, medical and professional help here. Breaking this rule will not get you or your post removed, but it will put you at risk, and possibly in danger.



Rule 4- No self promotion or upvote-farming of any kind.

That's it.



Rule 5- No baiting or sealioning or promoting an agenda.

Questions which, instead of being of an innocuous nature, are specifically intended (based on reports and in the opinion of our crack moderation team) to bait users into ideological wars on charged political topics will be removed and the authors warned - or banned - depending on severity.



Rule 6- Regarding META posts and joke questions.

Provided it is about the community itself, you may post non-question posts using the [META] tag on your post title.

On fridays, you are allowed to post meme and troll questions, on the condition that it's in text format only, and conforms with our other rules. These posts MUST include the [NSQ Friday] tag in their title.

If you post a serious question on friday and are looking only for legitimate answers, then please include the [Serious] tag on your post. Irrelevant replies will then be removed by moderators.



Rule 7- You can't intentionally annoy, mock, or harass other members.

If you intentionally annoy, mock, harass, or discriminate against any individual member, you will be removed.

Likewise, if you are a member, sympathiser or a resemblant of a movement that is known to largely hate, mock, discriminate against, and/or want to take lives of a group of people, and you were provably vocal about your hate, then you will be banned on sight.



Rule 8- All comments should try to stay relevant to their parent content.



Rule 9- Reposts from other platforms are not allowed.

Let everyone have their own content.



Rule 10- Majority of bots aren't allowed to participate here.



Credits

Our breathtaking icon was bestowed upon us by @Cevilia!

The greatest banner of all time: by @TheOneWithTheHair!

founded 1 year ago
MODERATORS
 

More specifically, if I was to attach my public key to every email — even when the recipient doesn’t use PGP.

My assumption is that “life would carry on” and there would be basically no difference but I’m not entirely sure.

the process of using PGP for encrypting content (text messages for example) is something I’m only just started understanding after some reading and practicing

EDIT

Since a couple of people have mentioned it, my email provider provides E2EE between users but it I want to have E2EE with non-users and via my aliases (SimpleLogin) with custom domains I’ll need PGP

all 15 comments
sorted by: hot top controversial new old
[–] mkwt 73 points 2 months ago* (last edited 2 months ago) (1 children)

---BEGIN PGP SIGNED MESSAGE---

Side effects include all of your contacts calling you freakin nerd.

---END PGP SIGNED MESSAGE---

[–] [email protected] -2 points 2 months ago

Hopefully OP gets some weggies after it too tbh

[–] [email protected] 41 points 2 months ago* (last edited 2 months ago)

People will assume you work on Cybersecurity.

Edit: Also, people will use this method to verify an email is from you.

[–] felbane 19 points 2 months ago (1 children)

Signing every message should have zero effect for people who don't use PGP; they'll just have a cryptic block of text at the bottom of the message you sent.

It's overkill to ship your pubkey with every email. Most people just publish to a trusted keyserver and call it a day since pretty much every client worth its salt can look up your pubkey directly.

[–] [email protected] 5 points 2 months ago (1 children)

Please tell me clients handle everything automatically/on the fly...I recently read a comment making a "joke" about the hassle of needing to manually decrypt/encrypt and the tradeoffs of security...and I can't tell if it was real

[–] [email protected] 5 points 2 months ago

the big, popular clients do

[–] PassingThrough 5 points 2 months ago* (last edited 2 months ago)

One thing I can think of is an overzealous corporate security solution blocking or holding back your email purely for having an attachment, or because it misunderstands/presumes the cipher-looking text file to be an attempt to bypass filtering.

Other than that might be curious questions from curious receivers of the key/file they may not understand, and will not be expecting. (“What’s this for? Is this part of the contract documents? Oh well, I’ll forward it to the client anyway”)

Other than that it’s a public key, go for it. Hard (for me anyway) to decide to post them to public keychains when the bot-nets read them for spam, so this might be the next best thing?

[–] solrize 5 points 2 months ago* (last edited 2 months ago) (1 children)

Your public key block is a cumbersome thing and it's enough to just append its fingerprint, if you consider email to be trusted against forgery but not against eavesdropping. The other person can then use the hash to authenticate your key that they get some other way (or they could just ask you to email it).

Back in the day, lots of nerds would have their PGP key fingerprint (32 hex digits) printed across the bottom of their business cards. So if someone got a card in person, they could use the fingerprint to authenticate a key that they later received by email.

Your post doesn't ask about signing your emails without a good reason, but some commenter seems to think you are asking about that. That can be good, bad, or both, since it means that anyone who gets a copy of the message, including attackers, can now authenticate that the message came from you. Anything that gives attackers capabilities that they didn't already have, must be examined critically. Dan Bernstein came up with an clever authenticator scheme designed to prevent this exact attack, but PGP doesn't implement it and I actually don't know of any software that does.

Finally, at least some of the old-time PGP community now thinks that PGP solved, to some extent, the wrong problem. It not only made no attempt to conceal metadata, but it actually advertised it, in the form of key servers and key signatures connected with keys. Even if the attackers couldn't read the encrypted messages, they could still tell who was talking to who, which is almost as bad. Remailer and broadcatch systems tried to solve this, with mixed success. A quote by cryptographer Silvio Micali has stuck with me for a long time: "a good disguise does not reveal the person's height". I.e. don't just try to conceal the message contents from attackers while letting them collect other information. Rather, don't give them ANY information.

It's possible to get rather "Spy vs Spy" about this type of stuff but it can help you think about security. As always, "Security Engineering" by Ross Anderson is a fantastic book if you're interested in the general topic of how to be paranoid. Or to quote the proverb, it's not paranoia if they really are out to get you ;). The book is here, 1st and 2nd editions downloadable as pdfs: https://www.cl.cam.ac.uk/~rja14/book.html

[–] [email protected] 2 points 2 months ago

Thank you for the very detailed response! I’ll give that book a read, it sounds interesting.

[–] [email protected] 5 points 2 months ago

I don't know if it's still the case, but in my experience (years ago) PGP messed with the proper rendering of HTTP email bodies.

From a security standpoint also, the signature confirming that the email is from your is a double edged sword: Yes, your contacts get to verify that it's you, but you're also losing plausible deniability (privacy).

[–] twistypencil 3 points 2 months ago (1 children)
[–] bhamlin 3 points 2 months ago

Aside from the giant target on your back from governments that have a harder time reading your emails.

[–] [email protected] 3 points 2 months ago

Get an S/MIME certificate and send from an S/MIME compatible email client.