> About two years ago, Thunderbird decided to integrate Enigmail into Thunderbird and simultaneously replace GnuPG with RNP. That Thunderbird has selected RNP is not only an endorsement of RNP, but it means that RNP became perhaps the most used OpenPGP implementation for mail encryption.
Firefox is sorta doing this too, baking in the functionality of addons so we don't have to install addons and keep them updated (which is also a security risk since addon authors are usually tempted to change the ownership of the codebase and introduce bad actors). You can run Firefox now with their HTTPS-Only mode, as well as block tracking attempts with 'strict mode'. You can even spoof the useragent with the `resistFingerprinting` flag which is awesome.
I'm pleased to read that Octopus has "gpg integration", but regardless of which OpenPGP implementation Thunderbird uses, I hope that there can be more convergence with the Autocrypt standard.
The differences seem to be mostly philosophical right now[0], so maybe someone will come up with a UX for opportunistic encryption that the Thunderbird team is comfortable with, and/or future versions of Autocrypt will support modes of operation that overlap with Thunderbird's approach.
I really wish that the article did not use the old EFAIL thing. Is that really the worst aspect of the GnuPG API? From that one might get the impression that the API must be pretty awesome if everyone keeps bringing up something that is, after all, a legitimate difference of opinion.
The article is clear about deferring fully to GnuPG on this difference of opinion:
“gpg signaled an error; the applications didn’t adhere to the API contract. I have to agree with the GnuPG developers, …”
yet making the additional point that if your API leaves room for a difference of opinion to result in a serious security vulnerability, your API might have room for improvement:
“… and add: gpg’s interface was (and remains) a disaster waiting to happen, because it doesn’t guide the user to do the right thing.”
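The API contract referred to in the quote above, sketched as an added example that is not part of the thread or of any project discussed in it: a caller buffers gpg's output and releases it only if gpg finished without signalling an error. The function names and the sample status text are constructed for illustration; the status keywords are those GnuPG writes with `--status-fd`.

```python
import subprocess

# Keywords from GnuPG's machine-readable status output ("[GNUPG:] KEYWORD ...").
REQUIRED = "DECRYPTION_OKAY"
FATAL = {"DECRYPTION_FAILED", "BADMDC"}


def status_keywords(status_text):
    """Return the keywords of all '[GNUPG:] KEYWORD args' lines, in order."""
    found = []
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "[GNUPG:]":
            found.append(parts[1])
    return found


def may_release(returncode, status_text):
    """True only if gpg exited 0, confirmed decryption and reported no failure."""
    keywords = status_keywords(status_text)
    return returncode == 0 and REQUIRED in keywords and not FATAL.intersection(keywords)


def decrypt(ciphertext):
    """Hypothetical wrapper: buffer all output, never hand out unverified plaintext."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "2", "--decrypt"],
        input=ciphertext, capture_output=True)
    # Status lines share stderr with log text; status_keywords() filters them.
    if not may_release(proc.returncode, proc.stderr.decode("utf-8", "replace")):
        raise ValueError("gpg signalled an error; buffered output discarded")
    return proc.stdout


# Constructed status output for an intact and a modified message.
GOOD = ("[GNUPG:] BEGIN_DECRYPTION\n[GNUPG:] PLAINTEXT 62 0 \n"
        "[GNUPG:] DECRYPTION_OKAY\n[GNUPG:] GOODMDC\n[GNUPG:] END_DECRYPTION\n")
TAMPERED = ("[GNUPG:] BEGIN_DECRYPTION\n[GNUPG:] PLAINTEXT 62 0 \n"
            "[GNUPG:] BADMDC\n[GNUPG:] DECRYPTION_FAILED\n[GNUPG:] END_DECRYPTION\n")

if __name__ == "__main__":
    print(may_release(0, GOOD), may_release(2, TAMPERED))
```

In the constructed TAMPERED sample the `PLAINTEXT` line precedes the failure lines, which is why a caller that renders output as it arrives cannot rely on the final status.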