One of the great failures of the Internet era has been giving up on end-to-end encryption. PGP dates back to 1991, 22 years ago. It gave us the technical means to have truly secure email between two people. But it was very difficult to use. And in 22 years no one has ever meaningfully made email encryption really usable.

A big part of the problem is the architecture of Internet services. Most of us host our email on a third party server like Gmail or Lavabit or whatever. That makes true end-to-end encryption very difficult. Instead we have to trust our hosting service with access to our email, and as we find the government can compel them to rat you out (or simply break in).

We do have SSL/HTTPS, the only real end-to-end encryption most of us use daily. But the key distribution is hopelessly centralized, authority rooted in 40+ certificates. At least 4 of those certs have been compromised by blackhat hackers in the past few years. How many more have been subverted by government agencies? I believe the SSL Observatory is the only way we’d know.

The cypherpunks movement foresaw all of this surveillance risk. It outlined principles and technologies to protect individuals from both evil hackers and overreaching governments. It failed to actually implement it.

originally a Metafilter comment
techbad
  2013-08-20 15:59 Z