
A random key is used to encrypt the email, then that random key is asymmetrically encrypted using the recipient's public RSA key. You do not use your own key to encrypt mails to someone else. Indeed, you can send encrypted emails without even having a key of your own.


So I actually re-read and followed links (I mean, what's wrong with lazy assumptions anymore?)

tptacek's "why email is insecure" post is here: https://news.ycombinator.com/item?id=16088386

And yes, that's what he says in the original Latacora post.

I read the article "invariably CC the quoted plaintext of your encrypted message to someone else (we don't know a PGP email user who hasn't seen this happen)"

So I made the (incorrect) leap to PGP using the long term key to encrypt files. My bad.

But this does not fix the original point it seems - email is not going to be "secure" any time soon. But you can send encrypted files over email to people.


> So I made the (incorrect) leap to PGP using the long term key to encrypt files. My bad.

It does. Which is why PGP has no forward secrecy and if I steal your key I can decrypt all your past and future mails.
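An added example, not part of the thread: a toy model of the scheme discussed above, where each message gets a fresh random session key that is wrapped under the recipient's long-term RSA public key, so one private key unwraps every stored message. The primes, the unpadded RSA and the SHA-256 keystream are constructed stand-ins chosen so the block runs with the standard library only; they are not what PGP uses and are not secure.

```python
import hashlib
import secrets

# Toy long-term RSA key pair (constructed: two Mersenne primes, far too small for real use).
P, Q = 2**89 - 1, 2**127 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # recipient's long-term private exponent


def _keystream_xor(key, data):
    """Toy stream cipher (SHA-256 over key + offset) standing in for a real symmetric cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt_to(recipient_n, recipient_e, plaintext):
    """Sender side: only the recipient's public key is needed, no key of the sender's own."""
    session_key = secrets.token_bytes(16)  # fresh random key per message
    wrapped = pow(int.from_bytes(session_key, "big"), recipient_e, recipient_n)
    return wrapped, _keystream_xor(session_key, plaintext)


def decrypt(private_d, n, message):
    """Whoever holds the long-term private key can unwrap any message's session key."""
    wrapped, body = message
    session_key = pow(wrapped, private_d, n).to_bytes(16, "big")
    return _keystream_xor(session_key, body)


def archive_demo():
    """Messages stored at different times are all recovered with the one long-term key."""
    archive = [encrypt_to(N, E, m) for m in (b"mail from 2015", b"mail from 2020")]
    return [decrypt(D, N, msg) for msg in archive]


if __name__ == "__main__":
    print(archive_demo())
```

The session keys differ per message, but because each one travels wrapped under the same long-term key, rotating session keys alone gives no forward secrecy.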



