NEW BLOG POST!

In this article soberly entitled "The world's most interesting contact form", we'll learn about OpenPGP, what it is and how it works, then use OpenPGPjs, a JavaScript implementation of it, to send an end-to-end encrypted email, with the help of a little Rust Axum backend.

The second part of the article talks about Proton Mail, their promises, what they entail, and how we can verify them. At the very end, there's also a quick word about the Chat Control, the EU's latest mass surveillance project.

Check it out! https://zoug.fr/world-most-interesting-contact-form/

#openpgp #pgp #openpgpjs #rust #axum #chatcontrol #proton #protonmail #e2ee #encryption #privacy

The world's most interesting contact form - zoug.fr

Send an **end-to-end encrypted email** through a contact form, using `OpenPGPjs` to encrypt the message. We'll also code a `Rust` backend, developed using the `Axum` web framework, that will handle the email sending via SMTP.

zoug.fr

Okay, so correct me if I'm wrong about the current state of #OpenPGP.

First, there's the former #RFC4880bis, currently being pushed as "#LibrePGP", used by #GnuPG (and #rnp?), with a "v5" key format; and it seems that every other project looks at it with pity.

Second, there's #RFC9580 with a "v6" key format, used by #OpenPGPjs, #SequoiaPGP (and other tools), but rejected by GnuPG. And it looks like it's being pushed on the assumption that GnuPG will bend under pressure.

So we have two mutually incompatible standards, with the ancient #RFC4880 as the "common denominator"; some tools push one standard and ignore the other, while others decide to support both to help their users. And #Gentoo will ultimately be stuck with whatever GnuPG supports, because we need cryptography that works on all supported platforms, not just where Rust does.

https://bugs.gentoo.org/963069

963069 – OpenPGP v5 (LibrePGP) and OpenPGP v6 (RFC 9580) formats are incompatible, GLEP63 should mention and handle this

Okay, so please correct me if I'm wrong about the state of #OpenPGP right now.

So first there's the former #RFC4880bis which is now pursued as "#LibrePGP", used by #GnuPG (and #rnp?), with a "v5" key format, that everyone else seems to look "politely" at.

Then there's #RFC9580 with a "v6" key format, used by #OpenPGPjs, #SequoiaPGP (and more) but explicitly rejected by GnuPG. However, it seems to be pushed forward under the assumption that GnuPG will yield to pressure.

So we effectively have two incompatible standards, with a "common denominator" of ancient #RFC4880, some tools pursuing one of them with disregard for the other, and a few supporting both for the sake of the users. And #Gentoo is effectively stuck with whatever GnuPG supports, because we need working crypto on all supported platforms, not just the "Rust subset".

https://bugs.gentoo.org/963069

963069 – OpenPGP v5 (LibrePGP) and OpenPGP v6 (RFC 9580) formats are incompatible, GLEP63 should mention and handle this

CVE-2025-47934 - Spoofing OpenPGP.js signature verification — Codean Labs

CVE-2025-47934 allows attackers to spoof arbitrary signatures and encrypted emails that appear as valid in OpenPGP.js. The only requirement is access to a single valid signed message from the target author ("Alice"). Since this undermines the core principle of PGP and impacts integrating applications directly, we strongly recommend updating OpenPGP.js to version v5.11.3, v6.1.1, or newer.

Codean Labs

The German Sovereign Tech Fund supports the development, improvement and maintenance of open digital infrastructure.
The following projects will receive funding starting October 2022:
#OpenMLS, #curl, #OpenBGPd, #Bundler/ #RubyGems, #WireGuard, #OpenPGPjs/ #GopenPGP, #OpenSSH

Strengthening Digital Infrastructure and Open Source Ecosystems
in the Public Interest
https://sovereigntechfund.de/en.html

#SovereignTechFund #FreeSoftware

Sovereign Tech Fund

Strengthening Digital Infrastructures and Open Source Ecosystems in the Public Interest

https://mailvelope.com and http://openpgpjs.org/ are where the future of email encryption lies.

Compatible providers (amongst many others):
protonmail.ch
mailbox.org
posteo.de
and, of course,
https://riseup.net/en/security/resources/radical-servers

Also, if you upload your PGP key to https://keys.mailvelope.com/ui.html and verify it, Mailvelope will fetch it automatically without further user interaction ¯\_(ツ)_/¯

#pgp #gpg #openpgpjs #mailvelope