
I completely agree with you except for one thing. Tor isn't necessarily for privacy. It has more to do with anonymity by taking steps so people can't see who you are. By using Tormail there is still a chance that you can leak information about yourself and your contacts. Same goes for logging in to sites that carry your personal information.

If someone wants privacy then I would suggest using gpg/openpgp encryption for email/documents/etc., make sure https everywhere plugin is installed on your browser, noscript, adblock, etc. I suppose you get the same type of protection using the Tor Browser, also.

The problem is encryption. For the average user it's a bit of a pain to understand and use. Then again, I'm sure if people want it enough they will learn.




Encryption is hard enough for developers and IT people to understand.

You have, for example, websites that say "your data is protected by 256 bit encryption!". What does that even mean? Is it just encrypted in transit? Is it only stored in an encrypted form on the other end? What is the key and who has to know it?

There is also a pretty big disadvantage to using good crypto, mainly if you lose/forget the key (or password used to derive it) you are completely fucked.


It's not that you have to understand the details of the math of encryption or write your own library, you need to understand the processes required to use it. It's easier to figure out how to use GPG/PGP than use Mercurial or git.

And almost all users, and most IT folks and developers are too lazy to follow processes. Plus management and shareholders don't want to invest the time and money for training or implementation.


I guess what we're seeing is basically, when it comes straight down to it: We are all pretty damn lazy.


It's a fair point, but I think from a user's point of view they should really need to get bogged down with the technical details.

It can feel a bit "advanced" for the average user to set up, but if that is the case and they NEED privacy then they could use something like http://www.hushmail.com/ which will encrypt the emails (but only with other users with encryption keys). It's web based so there's the whole use from anywhere thing... Of course, just use Thunderbird and get the whole thing for free :)


Don't use PGP! It's cumbersome and difficult to use with other people easily. It doesn't give you forward secrecy or deniability. Use OTR and have it always on, any client that has implemented OTR will turn it on automatically. Use passworded archives to encrypt file sets, it's something most computers and users understand.


Do chat clients fall back to non-OTR when the other client doesn't support it? As I recall there are some chat clients that have an "OTR" feature that really just turns off logging. I imagine it being quite the hassle getting the other person working with it.


Adium does this, optionally. It is configurable. It is occasionally a PITA, but usually "just works".



