What's the matter with PGP?

At one point in this essay, Matt suggests that every successful end-to-end encryption scheme has employed transparent (or &quot;translucent&quot;) key management. What he&#x27;s referring to is the idea behind, say, OTR: two people can use it without the key handshake required by PGP.<p>Matt is wrong about this. He&#x27;s being victimized by a pernicious fallacy.<p>It certainly appears that the most &quot;successful&quot; cryptosystems have transparent keying. But that&#x27;s belied by the fact that, with a very few exceptions (that probably prove the rule), cryptosystems aren&#x27;t directly attacked by most adversaries... except the global adversary.<p>In the absence of routine attacks targeting cryptography, it&#x27;s easy to believe that systems that don&#x27;t annoy their users with identity management are superior to those that do. They do indeed have an advantage in deployability! But they have no security advantage. We&#x27;ll probably find out someday soon, as more disclosures hit the press, that they were a serious liability.<p>There is a lot wrong with PGP! It is reasonable to want it to die. But PGP is the only trustworthy mainstream cryptosystem we have; I mean, literally, I think it might be the only one.

Learning to drive a car is hard. You have to watch the road, coordinate hands and feet, anticipate other drivers&#x27; moves and so on. No one bats an eye about this, because &quot;it&#x27;s a skill you have to learn&quot;. If you don&#x27;t play by the rules of the road, you&#x27;ll end up killing someone, or getting killed.<p>But for some reason (maybe because it&#x27;s generally less life-threatening), people seem to expect deeply complex subjects, like e-mail encryption and identity management, to be easy. &quot;Yeah, if you can just give me a fancy, easy-to-use GUI with forward secrecy, that&#x27;d be great!&quot; Sure, it&#x27;d be great. But it&#x27;s not going to happen. And that&#x27;s not because PGP is broken -- of course, it does have its weak points. It&#x27;s because people are too lazy to bother to learn.<p>What&#x27;s the old addage? You can have quick, cheap and reliable. Pick two? Same here. You can have secure, easy to use, and reliable. Pick two.

I don&#x27;t agree. I use GPGtools on OSX with the openpgp smartcard and it works flawlessly and is truly convenient. Furthermore I can use 4096 bit RSA keys.<p>One thing I have learned watching the crypto forums over the years is that there are well calculated misinformation campaigns trying to dissuade people from using secure methods. I see it again and again and the people on this forum need to think carefully before swallowing this as sincere.<p>I would never never never trust a solution from Google or any large American corporation. They have just been caught lying about prism (Google) and taking bribes (RSA). These companies are now and always will be totally untrustworthy.

Why isn&#x27;t RFC 1751<p><a href="http://www.ietf.org/rfc/rfc1751.txt" rel="nofollow">http:&#x2F;&#x2F;www.ietf.org&#x2F;rfc&#x2F;rfc1751.txt</a><p>used to provide the fingerprints that are readable? Verifying would be much more convenient than now.<p>&quot;For example, the 128-bit key of:<p><pre><code> CCAC 2AED 5910 56BE 4F90 FD44 1C53 4766 </code></pre> would become<p><pre><code> RASH BUSH MILK LOOK BAD BRIM AVID GAFF BAIT ROT POD LOVE </code></pre> Likewise, a user should be able to type in<p><pre><code> TROD MUTE TAIL WARM CHAR KONG HAAG CITY BORE O TEAL AWL </code></pre> as a key, and the machine should make the translation to:<p><pre><code> EFF8 1F9B FBC6 5350 920C DD74 16DE 8009&quot;</code></pre>

In my opinion, mail crypto needs to become mainstream usable. E.g. even trivial contents should be encrypted by default and this should be usable by default. Currently, S&#x2F;MIME does a better job than PGP.<p>While the CA-model seems to be broken in most X.509 use cases, like TLS&#x2F;SSL, where a duplicate certifcate can be used to do a man-in-the-middle-attack, this does not really affect S&#x2F;MIME, especially after both parties started a &quot;conversion&quot;. People that need to communicate &quot;really&quot; secure, should therefore be able to ignore all &quot;CA-Trust&quot; and white-list certificates on a per user basis (e.g. like PGP).<p>Ordinary communication still can by default fall-back to the existing CA-model to keep it usable (but not secure).<p>Some steps:<p>1. We need more love by the MUA-vendors, who mostly support S&#x2F;MIME but it&#x27;s still a PITA to use. Google e.g. still does not support S&#x2F;MIME on android, see <a href="https://code.google.com/p/android/issues/detail?id=34374" rel="nofollow">https:&#x2F;&#x2F;code.google.com&#x2F;p&#x2F;android&#x2F;issues&#x2F;detail?id=34374</a><p>2. We need CAs that are usable. StartSSL is nice and free, but it&#x27;s not easy to use. Lower the entry barrier for getting and renewing&#x2F;recreation of certificates<p>3. (most important) Make it easy to manage local CA-trust. On each new system, the user should be able to select a &quot;trust no CA&#x2F;whitelist only&quot; approach and then be responsible for trusting other parties. No vendor (Microsoft, Apple, Google, Mozilla) should silently distribute and trust new CAs without users consent.

&gt; If the NSA is your adversary just forget about PGP.<p>Why? Last I heard, breaking PGP was equivalent to being able to factor large integers into a product of prime numbers. So, NSA is able to do that, and no one else can, no one in the public heard about it, no university research mathematician published about it, NSA has mathematicians who figured out how to do that but their major profs back in grad school don&#x27;t know how, no one got a Fields Medal for it, etc.? I don&#x27;t believe that.<p>What&#x27;s going on here?<p>He means I need a Faraday cage? Okay, tell the NSA I have one; put it in place this afternoon.<p>He means the NSA has trained cockroaches that can wiggle into my hard drives while I sleep and steal all my data? If so, then fine. I&#x27;ll spray bug killer.<p>Otherwise, why should I believe that the NSA could crack my PGP encrypted e-mail?

Yes, usability is the problem. But none of these proposed solutions manage to actually solve the usability problem without throwing out the security.<p>We really <i>do</i> need to let users manage trust, because trust is a rich concept. And humans are actually really good at trust, because we&#x27;ve been thriving and competing with each other in complex social situations for a long time.<p>The trick is finding ways to recruit people&#x27;s evolved trust behaviors into an electronic context. That is, can we build meaningful webs of trust through repeated social interactions, just like in real life?<p>So it&#x27;s not the mail client vendors who are best positioned to solve the problem, it&#x27;s the social networks.<p>(Whether they <i>want</i> to solve the problem is a separate question.)

I&#x27;m using TextSecure on my Android phone as a Messaging replacement and it is great. However it appears to me that the service is not decentralised in any way. Is that assumption correct?<p>I like the email model such that anyone can install and run an email server. I&#x27;d actively push friends, family and colleagues to use a decentralised email replacement that was as easy to use and secure as TextSecure.

The user needs to control the encryption, not Google or Yahoo. Surely Google is not proposing a system that prevents them from reading your email and serving you ads? Until we have something that actually prevents Google and Yahoo from getting the plaintext, none of the other problems matter that much.<p>The NSA isn&#x27;t my concern, Google etc. are. I don&#x27;t want to bother going to the lengths necessary to secure myself from the NSA since that just isn&#x27;t practical. But it would be nice if google and its employees didn&#x27;t have access to the plaintext of my email. If I send an email to anyone using gmail and they decrypt it in a way that lets google see my text when they reply, all of my own security steps are worthless.

Just a random thought - maybe there is a way to nail hard the point that &quot;you cannot have security if you&#x27;re lazy&quot;? The society expects people to do driving licenses before getting behind the wheel. Why not expect people to put some amount of effort to be able to get mortgage or interact with court, etc.? Sure, many people will screw this up, but maybe this will be enough to secure majority.<p>&lt;&#x2F;dream&gt;<p>(confession: I myself am too lazy to use PGP)

PGP is about identity and privacy. We are not going to get that from Email. Email isn&#x27;t worth fixing. Its time to move on.<p>In the last few years we have seen IM and SMS merge into an almost seamless experience. Surely we could engineer a UI that also copes with larger bodies of text at the same time?<p>We need clients or servers that are multi-protocol. That way we can experiment with new ways of communicating.

Good article. However if your adversary is a three or four letter agency then by all accounts it seems that PGP&#x2F;GPG still does work. Snowden and Greenwald used it, apparently successfully after some tuition.<p>The article also doesn&#x27;t mention Bitmessage, which addresses a lot of the concerns. Bitmessage isn&#x27;t forward secret though.

Here is a good criticism of PGP from 1999 that explains why it isn&#x27;t usable by ordinary folks - <a href="http://www.cs.berkeley.edu/~tygar/papers/Why_Johnny_Cant_Encrypt/OReilly.pdf" rel="nofollow">http:&#x2F;&#x2F;www.cs.berkeley.edu&#x2F;~tygar&#x2F;papers&#x2F;Why_Johnny_Cant_Enc...</a>

Here&#x27;s a handy guide which addresses a couple of these problems:<p><a href="https://help.riseup.net/en/security/message-security/openpgp/best-practices" rel="nofollow">https:&#x2F;&#x2F;help.riseup.net&#x2F;en&#x2F;security&#x2F;message-security&#x2F;openpgp...</a>

Not mainstream ≠ suck.<p>Also, about “terrible mail client implementations”, — the problem is, to not be terrible for many is to be built-in to GMail (and work transparently there). The consequences of that are obvious I hope. So no, thanks.

This could perhaps be made easier to use if you had a UI like this: You phone pops up a message saying: &quot;Hey, I notice you seem to be in the same room with Bob! We can increase security of Bob&#x27;s messages to you my exchanging a fingerprint. Do this now? (Yes&#x2F;No&#x2F;Woah, Bob isn&#x27;t here!)<p>If you click yes, you then exchange fingerprints using eg QR codes, and the authenticity of messages from Bob are <i>retrospecively checked</i><p>Problem is, it&#x27;s not obvious this can be done without compromising privacy of location.

&gt; Adding forward secrecy to asynchronous offline email is a much bigger challenge, but fundamentally it&#x27;s at least possible to some degree.<p>Is it really fundamentally possible? The author asserts this without really backing it with anything. I can understand how OTR-like systems can work between a static pair of clients, but it is not entirely clear if it is possible at all to extend such scheme to work in scenarios where message delivery is async and I might be using a set of clients&#x2F;devices for messaging.

PGP needs to onboard themselves with Elliptic Curve Crypto... significantly smaller makes them more distributable which solves a few of the problems mentioned.

These are largely problems with email, not PGP - which btw is not just by email, in fact I almost never use it with email.<p>SMTP is not meant to be secure. You insist in communicating through an insecure channel-protocol and making it secure as an afterthought, and it&#x27;s always going to be inconvenient or otherwise suck. I say PGP is pretty good at what it does, and it&#x27;s nice in that it doesn&#x27;t promise what it doesn&#x27;t do.

&gt; Now let&#x27;s ignore the fact that you&#x27;ve just leaked your key request to an untrusted server via HTTP. This is a public Key, so secrecy it&#x27;s not needed here, also he is providing the Fingerprint on another location, so if there was a MITM attack, it should happen on both twitter (HTTPS) and pgp.mit.edu

Can forward secrecy even work for emails, where you don&#x27;t have a bidirectional communication channel? (Maybe the answer is &quot;You have to build that bidirectional communication channel&quot;, but that means such a system can&#x27;t simply use mail, it has to use mail plus X).

keybase.io and the mailvelope browser plugin both do fine work in making PGP simple to use.<p>It isn&#x27;t about being NSA-proof, its about having the volume of &quot;Enveloped&quot;&#x2F;PGP encrypted emails be so high that it isn&#x27;t possible to directly target everyone.

No perfect forward secrecy. If someone gets your PGP key, they get all of your messages (past &#x2F; present &#x2F; future) and you might not even know your key was compromised.

<a href="http://www.theregister.co.uk/2014/08/14/pgp_viability/" rel="nofollow">http:&#x2F;&#x2F;www.theregister.co.uk&#x2F;2014&#x2F;08&#x2F;14&#x2F;pgp_viability&#x2F;</a>

I think <a href="https://lavaboom.com/en/" rel="nofollow">https:&#x2F;&#x2F;lavaboom.com&#x2F;en&#x2F;</a> addresses most of the issues mentioned. Just because pushing for privacy (an abstract idea, difficult to measure the worth of - especially on the Internet) is hard doesn&#x27;t mean we shouldn&#x27;t do it. Encryption is one of the fews things we can rely on and we should be using it. PGP isn&#x27;t a lost cause, we just need to make it easy use - this includes automating (to some degree) the key exchange. &#x2F;I&#x27;m one of the founders of Lavaboom, happy to answer any questions&#x2F;

I just hope that however google and yahoo implement PGP into their mail offerings, they do it in a way that cannot be intercepted by governments&#x2F;bad guys.

&gt; <i>even modern elliptic curve implementations still produce surprisingly large keys.</i><p>&gt; <i>Modern EC public keys are tiny.</i><p>Well, which is it?

I&#x27;m kind of sad the author didn&#x27;t touch on key signing at all. The trust levels are basically meaningless. What does it mean to trust someone more than someone else? If doing a request to get someone&#x27;s key exposes your social network, imagine what publicly signing someone&#x27;s key does. Just some food for thought :)

&gt; Except maybe not: if you happen to do this with GnuPG 2.0.18 -- one version off from the very latest GnuPG -- the client won&#x27;t actually bother to check the fingerprint of the received key.<p>Even in it&#x27;s long form, it&#x27;s relatively easy to generate different keys that have the same fingerprint.

Yeah really, it&#x27;s actually Pretty Good if you think about it.

Problem:<p>PGP is complicated (VERY complicated, to the average user), resulting in next to zero adoption.<p>Suggestion:<p>Simplify the goals in a way that can be upgraded at at some later date.<p>I think we need a browser plugin (All browsers. Other non-browser tools too, ideally, but the browser is important) that lets you securely <i>SIGN</i> posts locally in a style more or less like GPG&#x27;s --clearsign option. Ideally, this should <i>literally be</i> --clearsign for compatibility, with the plugin hiding the &quot;---- BEGIN PGP SIGNED MESSAGE ----&quot; headers&#x2F;footers, though these details are less important.<p>The key should be automagically generated, and stored locally in a secure way. (Bonus points for leting you use the keyrings in ~&#x2F;.gnupg&#x2F; as an advanced, optional feature). The UI goal is to simply let people post things and click a <i>sign this</i> button next to a &lt;textarea&gt; or similar. Ideally, later on, this could become sign-by-default.<p>On the other side, the browser plugin should notice signed blocks of text and authenticate them. Pubkeys are saved locally (key pinning). What this provides is 1) verification that posts are actually by the same author, and 2) it proves that someone is the same author <i>cross-domain</i> (or as different accounts&#x2F;usernames).<p>No attempt is made to tie the key to some external identity (though this would be somewhat easy for to prove). The idea is to remove the authentication problem (keyservers&#x2F;pki) entirely. This can be man-in-the-middled, but the MitM would have to be working 100% of the time or the change in key will be noticed.<p>No attempt is made regarding encryption (hiding the message). This should also greatly simplify the interface.<p>The goal here is to get people using proper (LOCAL STORE <i>ONLY</i>) public&#x2F;private keys. The UI should be little more than a [sign this] button that handles everything, and a &lt;sig ok!&gt; icon on the reading side. It should be possible to get the average user to understand and use such a tool.<p><i>Later</i>, when the idea of signing your posts has become more widespread and <i>many people have a valid public&#x2F;private key pair already in use</i>, other features can be added back in. As those &quot;2nd generation&quot; tools have a large pool of keys to draw from, it should be easier to start some variant of Web Of Trust. Even if that never happens, getting signing widespread <i>is</i> useful on its own.<p>I realize this doesn&#x27;t protect against a large number of well-known attacks, and only offers mild protection against MitM. This is intentional, as the goal is getting people to actually <i>use</i> some minimal subset of PGP&#x2F;GPG-like tools, possibly as an educational exercise. The rest of the stuff can be addressed later.

This article fails my smell test. The adolescent vocabulary doesn&#x27;t correlate with the otherwise polished writing style and the technical merits fall far short of the proposed remediations. It is therefore likely to have been funded or otherwise inspired by the NSA in an attempt to smear PGP, still the most effective cryptography available to the average person.