Trusting others
How can we trust each other? I really mean that. Also, how much can we trust each other? Both in the physical world, and in the internet, the fundamental issues are similar.
TOFU (trust on first use)
In the physical world, we assume identities of others are valid (for restricted purposes). As long as two individuals don't claim to be the same one, we don't usually question that.
When a new individual comes to us claiming to be someone we know, but is clearly a different individual, we would doubt it. Of course, we would ask more proof about it, and contrast that with the individual we know.
Web of trust
In some cases, we have other people we know in common, and we can consult them too, to verify identities.
Rarely do we go to the authorities to verify identities, as there's little that they can provide. They can provide a name, but they can't tell you if the new individual Bob is really Alice's friend or not, which is what we usually want to know.
Consistency
Neither TOFU nor a web of trust are infallible. If we trust anyone who identifies themselves with an identity that we don't know, we may easily end up trusting a spy. We also don't trust a friend of a friend of a friend as much as we would trust a friend.
We use a combination of both. Moreover, we need consistency. Others should behave in a consistent manner across a long period of time when interacting with us, and also when we observe them interact with others.
Usually, one needs a long period of time to observe such consistency.
Special situations
Some situations significantly change the level of trust that we assign to an individual without requiring long periods of consistency. An example can be if someone saved us risking themselves.
Context
We may trust someone very much for keeping some secret, but may not trust them for holding our money. Or we may trust them for holding our money, but not for keeping some secret. It all depends on the context in which we've known them.
Bootstrapping trust
When you don't know anyone, getting to trust or be trusted by someone is difficult. Imagine you escape your country, and suddenly arrive at a new country where you know no-one. The only way you can get to bootstrap trust is to interact with others.
Sooner or later, being consistent will get you bootstrapped. Luck is also key, since it will generate special situations which will make you trust certain people faster than others.
The internet
There's no magic in the internet. All the principles from above also hold in the internet.
PGP
The identity of an individual in the internet is defined by their private key. As long as one keeps strong security measures to keep their private key as, well, private, their identity can be authentified.
That doesn't assign them trust. The only thing that such an identity provides is a guarantee that all actions (signatures) belong to the same identity, whoever it belongs to.
You can match a physical identity with an internet identity if someone persents you physically with their PGP key fingerprint. But usually, there's no need to match physical individuals with their internet identities, and it's just fine to know someone by their PGP key only.
HTTPS
HTTPS is like asking someone to show their ID card to you. Would you suddenly trust someone just because they showed a valid ID card? What does it give if someone is legally called John Smith, or John Doe? I wouldn't trust someone who identifies as John Smith to hold my money, or to keep my secrets.
And if you already trust someone, do you need to see their ID to know their legal name? I don't know the full legal name of most of my friends.
Also, if the government or a resourceful malicious actor forges a valid ID card that identifies someone as your friend, would you trust it to be your friend? Of course not. Similarly, you shouldn't trust a server to belong to your internet friend just because the server provides a valid certificate from a CA.
Another vulnerability is that a thief could steal the ID card of your friend, or their TLS certificate, or your friend could forget them in a public place.
Every now and then, there appear new applications that claim to provide privacy and authenticity to your communications.
In the worst case, and this is the most likely case, they are just lying in your face. They will implement some backdoor to steal your communications, and sell their contents, or provide them to a government.
In the best case, they're just reimplementing the wheel, and chances are that they'll make a mistake that will provide an accidental backdoor.
Good old email already provides private and authentic communications. You only need to encrypt and/or sign your email with your PGP key. You only need to find a client (MUA) that allows you to do that. The simpler and older the client, the less chances that it'll have a backdoor.
SSH
To authenticate yourself to access servers, you use an SSH key. If those servers are yours, there's no problem. If the servers are from others, you should either use your PGP key as an authentication key (but this is non-trivial), or sign your SSH key with your PGP key.
Passwords
A password is a shared secret between you and other party, to authenticate yourself (very much like an SSH key). You don't need a third party to know your passwords. (A third party could impersonate you, or lock you out.) Instead, you keep them yourself encrypted.