GNU social JP
GNU social JP is a Japanese GNU social server.
Conversation

Notices

  1. Soatok Dreamseeker (soatok@furry.engineer)'s status on Monday, 05-Jan-2026 07:03:01 JST

    Everything You Need to Know About Email Encryption in 2026

    If you think about emails as if they're anything but the digital equivalent of a postcard--that is to say, they provide zero confidentiality--then someone lied to you and I'm sorry you had to find out from a furry blog that sometimes talks about applied cryptography. At the end of 2025, at the 39th Chaos Communications Congress in Hamburg, Germany, a team of security researchers posted some devastating…

    http://soatok.blog/2026/01/04/everything-you-need-to-know-about-email-encryption-in-2026/

    In conversation about 5 months ago from furry.engineer permalink
    • Soatok Dreamseeker (soatok@furry.engineer)'s status on Monday, 05-Jan-2026 07:14:03 JST
      in reply to
      • :awesome:🐦‍🔥nemo™🐦‍⬛ 🇺🇦🍉

      @nemo Thanks!

      In conversation about 5 months ago permalink
    • :awesome:🐦‍🔥nemo™🐦‍⬛ 🇺🇦🍉 (nemo@mas.to)'s status on Monday, 05-Jan-2026 07:14:04 JST
      in reply to

      @soatok great article thank you :)

      Here is a typo I think: " (tthe year following the Snowden leaks)" "tthe".

      Sincerely

      In conversation about 5 months ago permalink
    • Jernej Simončič (jernej__s@infosec.exchange)'s status on Monday, 05-Jan-2026 07:15:29 JST
      in reply to

      @soatok I'm running a few mail servers, and I had to set up explicit TLS for some destinations (basically, refuse unencrypted connections when delivering to specific domains; apparently that's deemed secure enough in some circles).
      Had a funny anecdote, too – Let's Encrypt switched to ec certificates, which caused postfix to automatically disable some older encryption types, and suddenly one of those servers couldn't deliver to my client any more, because they were still running Exchange 2016 which does not support TLS 1.3…

      In conversation about 5 months ago permalink
    • Soatok Dreamseeker (soatok@furry.engineer)'s status on Monday, 05-Jan-2026 07:15:48 JST
      in reply to
      • Jernej Simončič

      @jernej__s Everyone I know that deals with email professionally has horror stories associated with "trying to improve things somewhat" lol

      In conversation about 5 months ago permalink
    • Simon Michalke (simon_m@infosec.exchange)'s status on Monday, 05-Jan-2026 07:27:55 JST
      in reply to

      @soatok

      That is a good article to bookmark and send to others as a reference.

      Whenever I talk with someone about Email, my standard sentence is always: "It's broken. No, I cannot fix it. No one can"

      In conversation about 5 months ago permalink
    • Adam Caudill (adam_caudill@infosec.exchange)'s status on Monday, 05-Jan-2026 10:01:43 JST
      in reply to

      @soatok I really wish that this story was different, that after years of effort by so many, that we could be celebrating a major improvement - it’s where we should have been by now. Instead, we’re looking at a burning wreck that’s no longer worth the effort to fix.

      Really is sad, it could have been so different.

      In conversation about 5 months ago permalink
    • Soatok Dreamseeker (soatok@furry.engineer)'s status on Monday, 05-Jan-2026 10:02:42 JST
      in reply to
      • Jeremy

      @mischif Thanks

      In conversation about 5 months ago permalink
    • Jeremy (mischif@fedi.mischivous.com)'s status on Monday, 05-Jan-2026 10:02:47 JST
      in reply to
      @soatok Typo: “Why Johnny Can’ Encrypt” is missing a t
      In conversation about 5 months ago permalink
    • Soatok Dreamseeker (soatok@furry.engineer)'s status on Monday, 05-Jan-2026 12:38:01 JST
      in reply to
      • vvelox

      @vvelox

      It is not a question of political will, but available dev time.

      Who allocates dev time?

      In conversation about 5 months ago permalink
    • vvelox (vvelox@goatdaddy.net)'s status on Monday, 05-Jan-2026 12:38:06 JST
      in reply to

      @soatok I think you are missing part of the problem when it comes to email. Lots of moving parts and the need to get everyone on board. SMIMP, like lots of other ideas when it comes to email (even ones not related to privacy in the least), are basically DOA as the person proposing them suggests something and then meanders on off.

      Getting something to work requires lots of support at all levels of the stack.

      It is not a question of political will, but available dev time. Sure, you can write a system and tell the major ones to fuck on off and refuse to talk to them, but the big thing is finding enough dev time to do all the fixes across the entire stack, which is not likely to happen sadly.

      Also telling major providers to fuck off unless they are willing to play ball is not exactly without precedent as well.

      So would not exactly say a political problem, but one of dev time.

      And frankly not one that is fixable as it requires a team that has a damn good understanding of C, C++, Perl, and PHP to even begin making a small dent and inroads.

      And not once has anyone ever said "Hey, let's fix this."... it is usually "Hey assholes I have an idea and you should implement it while I fuck off".

      In conversation about 5 months ago permalink

    • Soatok Dreamseeker (soatok@furry.engineer)'s status on Monday, 05-Jan-2026 13:09:33 JST
      in reply to

      @vvelox Are you implying that @adam_caudill wasn't willing to build on his idea with SMIMP in 2014?

      In conversation about 5 months ago permalink
    • vvelox (vvelox@goatdaddy.net)'s status on Monday, 05-Jan-2026 13:09:34 JST
      in reply to
      • vvelox

      @soatok Like anything open source... corp, gov, or self. It is a question of getting enough parties interested that they can throw the dev time needed at something.

      But you are missing the point of my post. Someone throwing out an idea and fucking off is basically the same as doing nothing. It requires a willingness to build on that idea as well.

      In conversation about 5 months ago permalink
    • Soatok Dreamseeker (soatok@furry.engineer)'s status on Monday, 05-Jan-2026 13:48:09 JST
      in reply to
      • vvelox

      @vvelox You're absolutely right.

      That's why I write open source software in languages that are accessible to a large number of developers (JavaScript, PHP) rather than the ones cryptographers traditionally considered good (C, C++, C#, and recently Rust and Go).

      If you don't meet people where they are, there's a 0% chance anyone will want to build on it.

      Email became, for lack of a better word, gentrified by corporations. If you want adoption by the same players, you have to play their game. If you want them to fuck off, you have to outplay them.

      Both are tall orders. But not impossible.

      In conversation about 5 months ago permalink
    • vvelox (vvelox@goatdaddy.net)'s status on Monday, 05-Jan-2026 13:48:10 JST
      in reply to
      • vvelox

      @soatok Also true but honestly with how you meandered into totally unrelated stuff in your blog post it was not clear if you actually understood that or not.

      If that is what you mean by political, then sure, but it was not the fucky gov/corp stuff you mentioned. Telling that group to fuck off is totally doable and has happened before in this realm.

      You never touched on this in that post and this frankly is the biggest stumbling block, be it changing anything with email or writing a replacement.

      In conversation about 5 months ago permalink
    • Soatok Dreamseeker (soatok@furry.engineer)'s status on Monday, 05-Jan-2026 13:48:11 JST
      in reply to
      • vvelox

      @vvelox Like, if your rebuttal to "this is a political problem" is "no it's only solvable by organizing stakeholders and labor to build and utilize the tools needed to solve the desired problem while benefiting in their own ways" and don't realize you just described politics, I'm not sure how to do better at explaining myself.

      In conversation about 5 months ago permalink
    • Zip (zip@furry.engineer)'s status on Monday, 05-Jan-2026 18:31:20 JST
      in reply to

      @soatok S-tier first paragraph

      In conversation about 5 months ago permalink
    • Soatok Dreamseeker (soatok@furry.engineer)'s status on Tuesday, 06-Jan-2026 09:31:47 JST
      in reply to
      • Jon Yoder

      @jonyoder I am intrigued and wish to learn more

      In conversation about 5 months ago permalink
    • Jon Yoder (jonyoder@mstdn.social)'s status on Tuesday, 06-Jan-2026 09:31:49 JST
      in reply to

      @soatok This post is 100% spot on and probably a little too kind.

      Shameless plug, but I hope you guys don't mind... dealing with this exact set of problems has become my life's goal. I've been working on an open source E2EE replacement for not just email, but email and Exchange.

      Not quite ready for a demo, but hoping for a first alpha release later this year.

      https://mensago.org

      In conversation about 5 months ago permalink
    • ティージェーグレェ (teajaygrey@snac.bsd.cafe)'s status on Tuesday, 06-Jan-2026 10:32:45 JST
      in reply to
      Once upon a time, there was some article with an interview with Robert Morris (former NSA and Bell Labs d00d, author of UNIX crypt among other things, also: the guy who fathered Robert Tappan Morris, of Morris worm infamy) where he said something like: "email can never be secured" alas, I can't remember the quote verbatim and trying to search for anything in 2026 is a fool's errand because A"I" bros broke web crawling with slop.

      Similarly, I remember the feelings of cringe I had in Berlin circa 2014 where they had key signing parties, and seemed oblivious that Phil Zimmermann gave up on PGP (also used to be easier to cite, no longer).

      There were the "Why Johnny Can't Encrypt" (2005, PDF: https://people.eecs.berkeley.edu/~tygar/papers/Why_Johnny_Cant_Encrypt/OReilly.pdf) and "Why Johnny Still Can't Encrypt" (2011, PDF: https://cups.cs.cmu.edu/soups/2006/posters/sheng-poster_abstract.pdf) papers.

      There were the private, HILARIOUS conversations I had with coworkers at iSEC Partners circa 2011 particularly after we got acquired by NCC Group (which used PGP Keyserver, which AMAZINGLY sometimes would only function to decrypt messages after I ... sigh "did things" to reuse old keys, because as their IT Admin: I needed to make things function more than I needed to pretend that their overpaid bullshit was anything more than bullshit).

      Alas, that kind of humor, is reserved for a very limited audience. Such lulz though!

      Anyway, folks still need reminders I guess!

      I wouldn't mention Signal in such reminders, it is its own can of worms and not in good standing.

      That said, I miss the days when the S in SMTP was acknowledged as Simple.

      The oligopoly of spam havens (e.g. Gmail, Hotmail, Yahoo!, etc.), keeps fucking things up and over-complicating it. SPF, DKIM, DMARC, etc. are just making it worse (if you want an eyeful: https://www.jwz.org/blog/2025/12/today-in-google-broke-email-2/#comments)
      In conversation about 5 months ago permalink

GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.