Reconsider OpenKeychain

Why not just add a warning about the issues?

Even if we leave it with a warning, we would have to alter our current requirements: current software has to be maintained; if not, it has to be removed.

We could alter them to make exceptions in case there is no alternative, but we would have to change the requirements officially for that first.


Is this some criterion for a tool to be listed on Privacy Guides, even if the product is sub-par quality?

I mean, it's not totally wrong for people to use it if no alternatives are present.

But I feel, what is the point in recommending a product when it's the only solution?

It won't matter if we recommend it or not; if someone needs to use PGP on Android with K-9/Thunderbird, they only have one option to choose.

(Or else just shift to the Proton Mail app or use Tuta.)

That would make the most sense. Removing the only software that allows sending proper PGP-encrypted emails just doesn't sound right.

Neither allows you to send proper E2EE emails unless both recipients use their email service.


Untrue for Proton, as it supports PGP/MIME, which is interoperable with any other email service that supports PGP.

This would require someone to use Proton though, which not everyone likes.
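The PGP/MIME interoperability mentioned above rests on RFC 3156, which fixes a message layout that any compliant client (K-9, Thunderbird, Proton's gateway, or anything else) can recognise without knowing who sent it. The following is an added example, not code from this thread, from Proton, from OpenKeychain or from any project discussed here: using only Python's standard email library it wraps armored ciphertext in the RFC 3156 multipart/encrypted envelope and classifies an incoming message as PGP/MIME, PGP/MIME-signed, inline PGP, or plaintext. The armored block is a constructed placeholder (not real OpenPGP output) and the addresses are made up.

```python
"""RFC 3156 PGP/MIME: build the multipart/encrypted envelope and classify incoming mail."""
from email import encoders, policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.parser import BytesParser

PGP_BEGIN = b"-----BEGIN PGP MESSAGE-----"

# Constructed placeholder, NOT real OpenPGP output. A real client would get the
# armored ciphertext from an OpenPGP implementation encrypting to the recipient's key.
SAMPLE_ARMOR = (
    "-----BEGIN PGP MESSAGE-----\n"
    "\n"
    "hQEMA3BsYWNlaG9sZGVyAQf/Y29uc3RydWN0ZWQtcGxhY2Vob2xkZXItY2lwaGVydGV4dA==\n"
    "=AbCd\n"
    "-----END PGP MESSAGE-----\n"
)


def build_pgp_mime(sender: str, recipient: str, subject: str, armored: str) -> bytes:
    """Wrap armored ciphertext in the RFC 3156 section 4 layout.

    multipart/encrypted; protocol="application/pgp-encrypted" with exactly two parts:
    a control part whose body is "Version: 1", then the ciphertext as
    application/octet-stream. Note that the headers (Subject included) stay in
    the clear, which is a property of the format, not of any particular provider.
    """
    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    outer["From"] = sender
    outer["To"] = recipient
    outer["Subject"] = subject
    control = MIMEApplication(b"Version: 1\n", "pgp-encrypted",
                              _encoder=encoders.encode_7or8bit)
    body = MIMEApplication(armored.encode("ascii"), "octet-stream",
                           _encoder=encoders.encode_7or8bit)
    body.add_header("Content-Disposition", "inline", filename="encrypted.asc")
    outer.attach(control)
    outer.attach(body)
    return outer.as_bytes()


def build_inline_pgp(sender: str, recipient: str, subject: str, armored: str) -> bytes:
    """The older 'inline PGP' style: armored text pasted straight into a text/plain body."""
    msg = MIMEText(armored, "plain")
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    return msg.as_bytes()


def classify(raw: bytes) -> str:
    """Return 'pgp/mime', 'pgp/mime-signed', 'inline-pgp', 'plaintext' or 'malformed'.

    A receiving client uses exactly these checks to decide whether to hand the
    message to its OpenPGP backend; anything claiming multipart/encrypted but not
    matching the two-part layout is rejected rather than guessed at.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    ctype = msg.get_content_type()
    proto = msg.get_param("protocol")
    if ctype == "multipart/encrypted" and proto == "application/pgp-encrypted":
        parts = list(msg.iter_parts())
        if (len(parts) == 2
                and parts[0].get_content_type() == "application/pgp-encrypted"
                and b"version: 1" in parts[0].get_payload(decode=True).lower()
                and parts[1].get_content_type() == "application/octet-stream"
                and parts[1].get_payload(decode=True).lstrip().startswith(PGP_BEGIN)):
            return "pgp/mime"
        return "malformed"
    if ctype == "multipart/signed" and proto == "application/pgp-signature":
        parts = list(msg.iter_parts())
        if len(parts) == 2 and parts[1].get_content_type() == "application/pgp-signature":
            return "pgp/mime-signed"
        return "malformed"
    if ctype == "text/plain":
        body = msg.get_payload(decode=True) or b""
        if body.lstrip().startswith(PGP_BEGIN):
            return "inline-pgp"
    return "plaintext"


if __name__ == "__main__":
    raw = build_pgp_mime("alice@example.org", "bob@example.net", "hello", SAMPLE_ARMOR)
    print(raw.decode("ascii"))
    print("classified as:", classify(raw))
```

The two-part check matters in practice: some clients emit the control part with extra whitespace or a different order, and a strict receiver should treat that as malformed rather than silently falling back to displaying the octet-stream as an attachment.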

Do we know if Thunderbird knows about these issues? This is what they officially recommend using on the Thunderbird for Android homepage.

It only works with their webmail which relies on the server dynamically serving JavaScript code to the browser to handle cryptographic operations. A malicious server could target a specific user and send them malicious JavaScript code to steal their encryption key, and it would be extremely hard for the user to ever notice such a thing. Even if the user does notice the attempt to steal their key, it would be incredibly hard to prove that it is the provider trying to do so, because the server can choose to serve different web clients to different users.

You also have to upload your encryption keys to Proton’s servers, while with OpenKeychain you can choose to use it completely offline.


I’ve read that Thunderbird and Forward Email are working to implement PGP support in their clients.


Yes, they most likely know about these issues, and users have submitted requests to integrate PGP in the app itself. See "inbuilt PGP system" on Mozilla Connect.

But since they haven't got an alternative built right now, I guess they are still recommending it to users.

While researching alternatives for using PGP on Android, I came across a project which supports PGP in the client and is open source.

Though it is primarily targeted at Gmail and Outlook users, any email provider can be used, really. I tried it and basic functionality works, including PGP. I haven't tested it extensively, and the UI is okay-ish.

Of course this would have to be made in its own tool recommendation request, but I'm mentioning it here for anyone to check out.


It’s not open source, so this would require a change in the criteria