← Back to context

Comment by throwaway77384

3 years ago

This is baseless speculation, but I'm assuming Jabber is being targeted as it's famously used on darknet markets for drug trades (or other illicit activity). Goes to show that you should never just trust "it's encrypted, bro". You need to PGP your messages at the very least. Is PGP crackable by quantum computers? Will there be hardening against those kinds of attacks in the future? Since, if the messages have been hoovered up in encrypted form, it's just a matter of time until they get decrypted. And this appears to be done for just about all web traffic they can get their hands on... see https://en.wikipedia.org/wiki/Utah_Data_Center

Jabber/XMPP has had e2e encryption for at least like 10-15 years. I used to use it with even my normie friends back when Facebook/Google Talk supported XMPP and you could use pidgin, kopete, etc.

Obviously securely exchanging keys with an anonymous drug dealer over the Internet is error-prone though...

A second layer of encryption would help, but I don't recommend PGP in particular.

If you haven't heard, it has lots of problems and a lot of people recommend avoiding it (for example https://news.ycombinator.com/item?id=20455780)

  • "The PGP Problem" is generally misleading and is straight out wrong in some places. I ended up writing an article to save time:

    * https://articles.59.ca/doku.php?id=pgpfan:tpp

    PGP certainly has its problems, but isn't really special compared to other similar things. The big advantage that PGP has is that it is a stable and well known standard. There is a tendency to imply that it is insecure in some way, but no real evidence seems to exist to that effect.

    • > isn't really special compared to other similar things.

      If you define "similar thing" as "kitchen-sink thing that tries to do everything like PGP does", then this is true, as no full alternatives exist, nor should they.

      But for all practical applications? Pretty much every "other similar thing" that I have tried is _vastly_ more simple and more reliable and easier to debug and infinitely easier to script. For example, "seccure", "minisign", "age", even "ssh-keygen -Y". Especially cool are "seccure" which uses passphrases as private keys (no more private key files ever!) and "ssh-keygen -Y" which uses ssh keys which everyone already has anyway.

      If you are writing a new software and thinking about integrating PGP, do yourself a favor and look for alternatives. If this is something developer-oriented, I recommend using something based on SSH keys, like git does.