I get it :: You have PGP

by Volker Weber


The new Gmail has this useful feature where you see file attachments right in the message list. You can click on them to view them right away. And then you have the odd person who is using a PGP plugin that "signs" all his messages. That is what you see under their messages:


Now would be a great time to disable this feature. It looks very spammy. I trust that nobody altered your message. If I have any doubt, I will ask. I also never ever receive any encrypted mails. If you want a secure channel, use iMessage or Signal. You have my number.


I would say, Google needs to fix that. As these are not attachments but digital signatures, Google should display the result of the signature. Then it would not look spammy ;-)

Michael Urspringer, 2018-04-27 06:29

Michael, while you are technically right, it probably doesn't occur often enough for Google to bother.
vowe, does it occur that often in your inbox or is it rather the designer in you that is disturbed?
There was a time / platform, where an agent composed of simple actions would have easily taken care of such issues... :-) Soon Microsoft Flow could be powerful enough to do as well, but of course not in GMail.

Ragnar Schierholz, 2018-04-27 07:14

Technically you are both right. Apple shows there is an attachment, but then hides it from you. In any case, it is about as useful as a disclaimer asking you not to use your printer.

Volker Weber, 2018-04-27 09:58

Whilst I find Gmail's presentation annoying, too, I sign all my outgoing messages using S/MIME. This is useful because the signature contains the key and the other party can start sharing encrypted messages with me right away.

And yes - it is also a gentle nudge to make people start using encrypted email.

Daniel Gera, 2018-04-27 10:32

I think it's Gmail's presentation at fault here. There's no need to show the S/MIME attachments in the user interface.

Outlook 2016 gets this right IMO. A simple indicator as to whether a message is signed/encrypted and easy to respond encrypted. I get lots of these messages, mostly from large enterprises with Email PKI in place.

Andy Mell, 2018-04-27 10:52

Daniel, I did that as well for a couple of years, while I was a Thawte notary. It did not change a thing. Today I am not distributing a public key, because it would only put a burden on me to safeguard my private key on multiple devices. If you need encryption, just use Signal or iMessage.

Volker Weber, 2018-04-27 13:18

From what I can observe, large organizations do not promote Signal or iMessage as secure messaging solutions that should be on every employee's iPhone.

Jay Marme, 2018-04-27 16:04

That is a very broad assertion.

A large organization like Apple (>> 100,000 employees) does, and also does for the hundreds of millions of iPhones they sell. Since iPhones are pretty popular in business I can reach pretty much everybody I need to reach with secure iMessage.

Notable exception: banks. They only allow messaging they can trace. If they cannot record the conversation, it is "not promoted", read forbidden. For the same reason they do not promote PGP as a secure messaging solution that should be on every employee's iPhone.

That is where private devices come in. And if that is not an iPhone, there is still Signal. (Google does not promote secure messaging solutions on Android. They are going with unencrypted RCS now.)

Volker Weber, 2018-04-27 16:36

Compliance explains why some companies in or outside of the financial sector would not want these apps on staff phones. What interests me is why companies do not see the value in getting such apps into everyone's hands so that they can be used when the situation calls for it.

Jay Marme, 2018-04-27 17:22

If Google really wants to push mail encryption they just could start to support it. If the big providers would care and make it easier to use it, then more and more people would start using it. Maybe they just have an interest not to support it ;-)

Michael Urspringer, 2018-04-28 08:11

It's in Google's interest to make PGP email look unattractive and annoying.

Encrypted email (that they don't control the keys for) is directly against their business model.

Craig Wiseman, 2018-04-30 16:35

I know this is difficult to understand, but users don't give a sh!t about email encryption.

Volker Weber, 2018-04-30 18:01

Agree. But I think, one of the main reasons is that it is far too difficult to use for "normal" users ...

Michael Urspringer, 2018-04-30 21:21

Am I missing something here? Initially the mails were signed. And I think this in itself has value. Tons of spam mails reach recipients all over the world with my very own mail address as the faked sender. I think signing gives an additional hint to mail gateways whether a sender really is the legit owner of the address used. In general I think it's problematic to rant about a useful feature just because Google does not (want to!) get it right. (Leaving Facebook and using Gmail at the same time is something we should talk about separately…)

And yes - if you really want secure messaging don't use mail at all.

Benjamin Stein, 2018-05-02 06:58

