January 7, 2026

Inbox Wars: Postcards vs padlocks

Article URL →HN comments →

Everything You Need to Know About Email Encryption in 2026

“Email is a postcard” chaos: Users roast PGP, praise quick hacks, and defend ProtonMail

TLDR: Researchers exposed fresh cracks in popular email encryption tools, and the internet split: some say email can’t be saved, others push workarounds or defend services like ProtonMail. Bottom line: use email like a postcard, not a diary—and expect endless fights over what to trust.

Email encryption just walked into a blender. After researchers at the Chaos Communication Congress dropped new flaws in PGP tools like GnuPG (gpg.fail), the comment sections went full reality TV. The top mood? Exhausted. One user sighed that “email is probably unfixable,” calling it a digital postcard we’re stuck with thanks to politics and network effects, while others joked you’d have better luck securing a carrier pigeon.

But the pragmatists fought back. A lawyer-whisperer bragged they’ve taught attorneys PGP in Thunderbird—“so simple a child could do it”—and use email only to say “get on my private server.” Translation: use email as a doorbell, not a vault. Another commenter pitched a hacky workaround: skip the body, put the real convo in encrypted attachments to dodge the dreaded “Reply All” leak. Cue memes about “subject lines as spoilers” and a typo (“php” vs. PGP) that the crowd gleefully roasted.

Then came the brand drama. A reader claimed the article threw shade at ProtonMail, sparking a defense that Proton stores keys encrypted with your passphrase and supports easy key discovery (WKD). Skeptics shot back: cool story, but who do you trust? The only consensus: Signal good, email bad, and the internet never misses a chance to argue about both.

Key Points

  • Late-2025 disclosures revealed severe vulnerabilities in GnuPG and other PGP software, published at gpg.fail.
  • Email’s core protocols (SMTP/STARTTLS) provide weak transport security and lack end-to-end encryption between inboxes.
  • PGP and S/MIME face long-standing security and usability issues, exemplified by EFAIL and related research.
  • Encrypted email workflows are prone to user errors like unencrypted “Reply All,” which can leak entire quoted message chains.
  • Signal is highlighted as a safer alternative because it lacks a plaintext mode, reducing accidental disclosure risks.

Hottest takes

“email is probably unfixable” — iamnothere
“so simple a child could do it” — Bender
“There's a sneaky jab at ProtonMail” — wasmperson

Save News

Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.