๐ Every unencrypted email is readable by 10+ entities and stored forever.
Uncategorized
46
Posts
12
Posters
83
Views
-
@nicfab @Blort we know there is an IETF doc about wkd. Delta is probably one of the most standards based messengers out there https://github.com/chatmail/core/blob/main/standards.md
But that doesn't mean any IETF standard is unconditionally a good idea for resilient decentralized messaging. -
@thedarktangent @yawnbox This article is not about email security but about WKD. I have already written about email security and will likely revisit the topic in the near future.
@nicfab @yawnbox I have lived through essentially the same issues with PGP keys in DNS, hashes of SMime keys in DNS, MTA-STS, DANE for SMTP, automatic SMIME using SMILE, etc.
I hope WKD does better! But I fear that without a solution to local email search it will be a victim of its own success, or you will have to put so much information in the subject line to remind you what is in the encrypted body that some privacy is lost.
-
-
@nicfab @yawnbox I have lived through essentially the same issues with PGP keys in DNS, hashes of SMime keys in DNS, MTA-STS, DANE for SMTP, automatic SMIME using SMILE, etc.
I hope WKD does better! But I fear that without a solution to local email search it will be a victim of its own success, or you will have to put so much information in the subject line to remind you what is in the encrypted body that some privacy is lost.
@thedarktangent @yawnbox I share your concern โ past attempts (PGP in DNS, DANE, SMILE, etc.) struggled with adoption. WKD isnโt a complete solution, but itโs worth setting up: it removes a key barrier and makes encrypted mail more usable, even if challenges like local search and subject-line leaks remain.
-
-
๐ Every unencrypted email is readable by 10+ entities and stored forever.
Web Key Directory (WKD) changes this: automatic encryption using your domain name. No manual keys. No central servers. Just cryptographic certainty.
WKD makes encrypted email as simple as HTTPS made web browsing secure.
https://www.nicfab.eu/en/posts/wkd2/
#WebKeyDirectory #WKD #EmailEncryption #Privacy #InfoSec #Cryptography #OpenPGP
@nicfab
Reading the article, I can't see how this works out in a hybrid situation - where not all your email recipients are using WKD. Am I missing something?
You mention the strength of email being its own prison - we need something that would encrypt where possible, and fall back to plaintext where not (with warning). HTTPS was not implemented across the board overnight. -
@nicfab
Reading the article, I can't see how this works out in a hybrid situation - where not all your email recipients are using WKD. Am I missing something?
You mention the strength of email being its own prison - we need something that would encrypt where possible, and fall back to plaintext where not (with warning). HTTPS was not implemented across the board overnight.@grant_h 1/2 You're right โ WKD alone doesn't handle the hybrid scenario. It's just key discovery, not the complete solution.
For opportunistic encryption, you need WKD plus smart clients: Thunderbird, DeltaChat, and others already do this โ they check for keys via WKD/Autocrypt, encrypt when possible, and fall back to plaintext with warnings. -
@nicfab
Reading the article, I can't see how this works out in a hybrid situation - where not all your email recipients are using WKD. Am I missing something?
You mention the strength of email being its own prison - we need something that would encrypt where possible, and fall back to plaintext where not (with warning). HTTPS was not implemented across the board overnight.@grant_h 2/2 - Think of it like HTTPS adoption:
- WKD = certificate infrastructure (like Let's Encrypt)
- Autocrypt/client logic = protocol negotiation
- Warnings = mixed content alertsSo yes, the ecosystem supports "encrypt when possible" โ WKD makes finding keys automatic. The clients handle the graceful degradation you're looking for.
-
@grant_h 2/2 - Think of it like HTTPS adoption:
- WKD = certificate infrastructure (like Let's Encrypt)
- Autocrypt/client logic = protocol negotiation
- Warnings = mixed content alertsSo yes, the ecosystem supports "encrypt when possible" โ WKD makes finding keys automatic. The clients handle the graceful degradation you're looking for.
@nicfab My use case is a school. Teachers and students. Particularly the counselling staff. It has to be easy and seamless, and resetable by our admins.
Unfortunately, the big companies have no incentive to make our email private, and every incentive to make it easy to join. The precise opposite of so many FOSS projects. We will persevere! -
@nicfab My use case is a school. Teachers and students. Particularly the counselling staff. It has to be easy and seamless, and resetable by our admins.
Unfortunately, the big companies have no incentive to make our email private, and every incentive to make it easy to join. The precise opposite of so many FOSS projects. We will persevere!@grant_h Go ahead!
-
๐ Every unencrypted email is readable by 10+ entities and stored forever.
Web Key Directory (WKD) changes this: automatic encryption using your domain name. No manual keys. No central servers. Just cryptographic certainty.
WKD makes encrypted email as simple as HTTPS made web browsing secure.
https://www.nicfab.eu/en/posts/wkd2/
#WebKeyDirectory #WKD #EmailEncryption #Privacy #InfoSec #Cryptography #OpenPGP
@nicfab @Fr333k Just an observation: that's a long blog post, with a lot of words and with a lot of computer commands and that somewhat contradicts the sentence "WKD makes encrypted email as simple as HTTPS made web browsing secure."
Nothing is simple with OpenPGP and email and that's broadly documented in academia and annecdotes. WKD does not change that.
If you absolutely positively must use email for sending sensitive info, use S/MIME.
-
@nicfab @Fr333k Just an observation: that's a long blog post, with a lot of words and with a lot of computer commands and that somewhat contradicts the sentence "WKD makes encrypted email as simple as HTTPS made web browsing secure."
Nothing is simple with OpenPGP and email and that's broadly documented in academia and annecdotes. WKD does not change that.
If you absolutely positively must use email for sending sensitive info, use S/MIME.
@seecurity @Fr333k Youโre right that nothing in email crypto is ever โsimpleโ โ WKD doesnโt change the complexity of OpenPGP itself. However, it does solve a particular problem that has long blocked adoption: key discovery.
That doesnโt contradict the analogy with HTTPS โ itโs about lowering friction, not erasing complexity.
And yes, S/MIME can be smoother in some contexts, but WKD gives domains a way to make OpenPGP more usable in practice. -
@seecurity @Fr333k Youโre right that nothing in email crypto is ever โsimpleโ โ WKD doesnโt change the complexity of OpenPGP itself. However, it does solve a particular problem that has long blocked adoption: key discovery.
That doesnโt contradict the analogy with HTTPS โ itโs about lowering friction, not erasing complexity.
And yes, S/MIME can be smoother in some contexts, but WKD gives domains a way to make OpenPGP more usable in practice.@nicfab @Fr333k Email crypto is extremely complex and because of this, has plenty of attack surface. We published close to 10 papers in the last seven years attacking email and email encryption with OpenPGP and S/MIME.
I am at the point where I find recommending email encryption to be actively harmful. Metadata leaks all over the place, crypto from the '90s, plaintext fallbacks everywhere, user hate it, in particular the gnupg devs are very toxic, mail client developers lack time and (too often) expertise to implement it properly.
Just use Signal. If you got budget, build an app on top of Signal. Heck, just use WhatsApp. Just don't even try to send sensitive information with email encryption.
-
@nicfab @Fr333k Email crypto is extremely complex and because of this, has plenty of attack surface. We published close to 10 papers in the last seven years attacking email and email encryption with OpenPGP and S/MIME.
I am at the point where I find recommending email encryption to be actively harmful. Metadata leaks all over the place, crypto from the '90s, plaintext fallbacks everywhere, user hate it, in particular the gnupg devs are very toxic, mail client developers lack time and (too often) expertise to implement it properly.
Just use Signal. If you got budget, build an app on top of Signal. Heck, just use WhatsApp. Just don't even try to send sensitive information with email encryption.
Itโs true: email crypto has flaws and decades of technical debt. But saying โjust use Signal or WhatsAppโ trades one problem for another โ centralized silos controlled by single entities, which is even worse for long-term resilience, governance, and privacy.
WKD wonโt magically fix email, but it removes real barriers and raises the baseline. Abandoning open, federated protocols entirely in favor of walled gardens is not a sustainable path.
-
๐ Every unencrypted email is readable by 10+ entities and stored forever.
Web Key Directory (WKD) changes this: automatic encryption using your domain name. No manual keys. No central servers. Just cryptographic certainty.
WKD makes encrypted email as simple as HTTPS made web browsing secure.
https://www.nicfab.eu/en/posts/wkd2/
#WebKeyDirectory #WKD #EmailEncryption #Privacy #InfoSec #Cryptography #OpenPGP
@nicfab I already have a webserver for my website using my own domain name, do I need a second one or is it possible to combine this somehow?
Really interesting, first I hear of it. Thanks for sharing it!
-
@nicfab I already have a webserver for my website using my own domain name, do I need a second one or is it possible to combine this somehow?
Really interesting, first I hear of it. Thanks for sharing it!
@chiefbongo WKD is for a single domain name only. They cannot be combined, but you can have multiple WKD configurations for numerous domain names on the server.
-
@thedarktangent @yawnbox I share your concern โ past attempts (PGP in DNS, DANE, SMILE, etc.) struggled with adoption. WKD isnโt a complete solution, but itโs worth setting up: it removes a key barrier and makes encrypted mail more usable, even if challenges like local search and subject-line leaks remain.
-
@thedarktangent @yawnbox I don't know.
Gli ultimi otto messaggi ricevuti dalla Federazione
-
-
@Gianlu
Il tetto di una palestra. ๐คท
-
Cos'รจ quel tendone enorme?
-
Par๐ฎ๐นle nยฐ1455 3/6
โฌ๐ฉ๐จ๐จโฌ
๐จ๐ฉโฌโฌ๐ฉ
๐ฉ๐ฉ๐ฉ๐ฉ๐ฉUn po' cool, un po' intuito...
-
-
#pastpuzzle en-207
๐ฉ๐จ๐ฅ๐จ (+96)
๐ฉ๐ฅ๐ฉ๐ฉ (+200)
๐ฉ๐ฉ๐ฉ๐ฉ (0)
โช๏ธโช๏ธโช๏ธโช๏ธ3/4 ๐ฅ
https://www.pastpuzzle.deA caso, veramente...
-
@oblomov La nuova serie su una storia antica
@Yaku @GustavinoBevilacqua
-
@nuintari Because while you can understand that they're stupid, stupid people will never understand that you aren't. So it's a waste of time and, worse, it will only reinforce their (stupid) beliefs.
