An illusion of perfect privacy is far more dangerous than no privacy at all.
Agreed. I'm also reminded of the cliche, "don't let the perfect be the enemy of the good." Errrr... don't let perfect privacy be the enemy of Pretty Good Privacy (I feel like you set me up for that one!).
In the WP PGP Encrypted Emails plugin, and the Facebook OpenPGP implementation, there are multiple places to apprise the user of the imperfectness of the privacy. Both require adding a public key to one's profile. In the case of FB, once the key is entered, a PGP encrypted email confirmation message is sent to verify the key is accurate (on FB's end and the user's end) before messages are encrypted. A prompt to the user about limitations could be provided in the UI and/or that confirmation email.
I share concerns about JS browser encryption. ProtonMail has the benefit of native open-source iOS and Android apps which circumvent this issue for those uncomfortable with browser encryption. Since Discourse is pure webapp, it's a different challenge.
The older conversation above implicitly shifts across multiple perspectives. It would seem important to make these explicit.
- Big Brother: NSA, CIA, FBI, Snowden revelations, Vault7 (and all below)
- Hosting company, server, admins, attacks on Discourse
- Big Data: User email providers (Gmail, Yahoo!, Microsoft, etc.). Transactional email providers (Mandrill, etc.). Attacks on email in transmission or at rest.
- Full End-to-End: intra-Discourse (PMs, etc.) and extra-Discourse (notifications).
- Intra-Discourse only
- Extra-Discourse (notifications) only
It may simply be that OpenPGP.js is fundamentally unable to perfectly solve Threat Models 1 and 2. It's also my understanding that PGP is cumbersome and not designed for Messaging Models 1 and 2 (though it could probably be imposed to some effect).
Extending Discourse app to support PGP would seem to perfectly answer Threat Model 3 and Messaging Model 3. This is how Facebook's OpenPGP system and the WP plugin function. Facebook's implementation does not rely at all on JS (the WP plugin may, I don't recall).
I suspect there are good reasons Facebook uses Signal Protocol for encrypted messaging and PGP for notifications.
In my preferred realistic scenario, Discourse would implement Messaging Model 1 and protect to Threat Model 2. But I think this scenario requires implementing PGP and something like Signal Protocol. In terms of my priorities for my Discourse install, I'd be super happy with a PGP solution for Threat Model 3 and Messaging Model 3.
What I have instituted thus far is a Group and Category which automatically adds anyone signing up with a ProtonMail domain, or our custom domain (which uses ProtonMail). From there, we can discuss the ins and outs of these questions with a self-selected group of encryption-aware users. That could be one other way for admins to avoid instilling a false sense of perfect privacy.
Of course, I don't have much to say on the practicality of implementing any of this, and we don't have a budget to underwrite a plugin, so...