I hate PGP, too. However, I’ve spent money on five YubiKeys and several months of tinkering to make them somewhat work on Linux and WSL. I use them to sign my commits and Debian packages I build.
If your goal is to convince me to throw *all of this* away and sink another shitload of money into an alternative and re-do months of tinkering to make it actually work, then being deliberately blunt and condescending is not going to help your case.
Now, I believe your article is not totally futile, as it's not. But...
I would definitely drop the condescending tone, and give examples with details as to why, with comparisons. If you did, I did not get there, again, because of the tone.
Condescending people saying "it sucks shit, I'm 10x smarter than the author of PGP" usually say that the UX of PGP is hard, which makes it prone to errors.
I have security keys and I use PGP. Unless someone can teach me why it's not good enough for me (and "it's too hard to use" doesn't convince me, given that I actually use it fine), I won't spend hours learning how to use the new cool tools of those condescending people, just for the sake of it.
What. is. your. threat. model?
If I use e.g. Signal, I can of course build it from sources I trust, or download it from the Play Store and trust that Google won't send me a modified version of it (at least it seems less likely and harder to pull off).
Am I wrong in considering that web-based clients cannot really be considered secure?
This is what's phasing out RSA, for example: it is possible to use RSA in a completely secure way, but it's very easy to get it wrong and it can fail catastrophically when you do. PGP has the same problem: yes, it can be used securely, but that's not sufficient in 2024.
Does that justify saying "it sucks shit", though? Especially considering that it was written in 1991, and not in 2024?
I feel like I don't regularly read blog posts from aerospace engineers that sound like "The Apollo mission sucked shit. Those morons had no idea what they were doing. We younger aerospace engineers who have not had a fraction of the impact Apollo did have been saying it for years: use our new stuff because we are the smart ones".
The author wrote this in 1991 and humbly called it "pretty good privacy". 30 years later, kids say "it sucks shit" and call their stuff "actually good encryption", hinting that they believe they are so much better than the PGP author more than 3 decades ago.
I don't know, can we show some respect, or is it too much to ask?
What we have today is a mess of legacy cruft that is still heavily evangelized by people that don't know better.
Enough with tradition. Enough with reverence for the past. What matters more is what's the better solution. If we continue to insist on this veneer of "respect", it will just make the PGP evangelists think they're in the right.
I understand that. But the tone does feel very condescending to me. And this article is not isolated in that sense.
Let me just give one example from another article of this blog:
> But before I do, a quick reminder that me criticizing XMPP+OMEMO isn’t an endorsement of weird or stupid alternatives, like using PGP.
I don't know, if I were the PGP author, it would not make me feel good.
You don't need a phone number or a phone for https://haven.xx.network and there are others.
If nothing is recommended, fine, but it's simplistic to not recommend or even consider the 3-4 apps that don't have those limitations. If you didn't have time to investigate or couldn't find anything else, say so.
You could've ended your sentence there.
Just because other apps don't have those limitations doesn't mean they also offer comparable cryptographic security.
Haven appears to be a blockchain project, built with Next.js, and doesn't appear to implement any cryptography.
If it isn't end-to-end encrypted, it's not in the same league.