15 reasons not to start using PGP (2024)

• 1. Downgrade Attack: The risk of using it wrong.
• 2. The OpenPGP Format: You might aswell run around the city naked.
• 3. Transaction Data: Mallory knows who you are talking to.
• 4. No Forward Secrecy: It makes sense to collect it all.
• 5. Cryptogeddon: Time to upgrade cryptography itself?
• 6. Federation: Get off the inter-server super-highway.
• 7. Discovery: A Web of Trust you can't trust.
• 8. PGP conflates non-repudiation and authentication.
• 9. Statistical Analysis: Guessing on the size of messages.
• 10. Workflow: Group messaging with PGP is impractical.
• 11. Complexity: Storing a draft in clear text on the server
• 12. Overhead: DNS and X.509 require so much work.
• 13. Targeted attacks against PGP key ids are possible
• 14. TL;DR: I don't care. I've got nothing to hide.
• 15. The Bootstrap Fallacy: But my friends already have e-mail!

With e-mail the risk always remains that somebody will send you sensitiveinformation in cleartext - simply because they can, because itis easier, because they don't have your public key yet and don'tbother to find out about it, or just by mistake.Maybe even because they know they can make you angrythat way – and excuse themselves pretending incompetence.Some people even manage to reply unencrypted to an encryptedmessage, although PGP software should keep them from doing so.

The way you can simply not use encryption is also the numberone problem withOTR,the off-the-record cryptography method for instant messaging.

This opens up for a great possibility for attack: It's enough to flip abit in the communication between sender and recipient and they willexperience decryption or verification errors. How high are the chancesthey will start to exchange the data in the clear rather than tryingto hunt down the man in the middle?

The mere existence of an e-mail address in the process is a problem.Next generation cryptographic communication tools simply do not providemeans to exchange messages without encryption, so if something goeswrong at least there is no doubt it could be you doing it wrong --and giving up on privacy becomes at least a very conscious choice.

Update: And it's not like it's a problem only for the less carefulor less tech-savvy. A notable cryptographer recently sent outconfidential mail unencrypted. People told him, but he didn'tbelieve it. He wrote himself encrypted mail and indeed, thereit was, the mail in the clear. Turned out that one specificversion of enigmail was in some strange way incompatible witha specific version of Thunderbird, sufficiently to pretend acompletely normal user experience, yet the mails would go outunencrypted, leaving just a remark somewhere in the messages log.There was no way even for the most experienced user to protecthimself from a software attack of this kind. This can happen toyou, too. Anytime you upgrade your operating system. But onlywith encryption-on-top systems like PGP.

Thanks to its easily detectableOpenPGP Message Formatit is an easy exercise for any manufacturer ofDeep Packet Inspectionhardware to offer a detection capability for PGP-encrypted messagesanywhere in the flow of Internet communications, not only within SMTP.So by using PGP you are making yourself visible.Stf has been suggesting to use a non-detectable wrapping format.

Update: Gregory mentions that by using the –hidden-recipientflag you can tell PGP to, at least, hide who you are talking to.Hardly anyone does that: "PGP easily undoes the privacy that ananonymity network like Tor can provide" (byincluding the recipient's public key in the message).

Update 2015: Several new crypto systems for e-mail such as opmsghave surfaced since writing of this document. They address justthis and a few other problems with PGP but still suffer from all other problems given by SMTP.

Should Mallory notpossess the private keysto your mail provider's TLS connection yet, he can simplyintercept the communication by means of aman-in-the-middle attack, using a valid fakecertificate that he can make for himself on the fly.It's a bull run, you know?

Side note: Did you ever see a mail returned to you because of aninvalid TLS certificate? And you can bet the net isfull of invalid certificates.In most cases the mail will be delivered anyway, so Mallorydoesn't even have to fake a valid certificate.He can use an invalid one, too.

Even if you employ PGP, Mallory can trace who you are talking to,when and how long. He can guess at what you are talkingabout, especially since some of you will put something meaningfulin the unencrypted Subject header. PGP offers a means to encrypt the Subject line by now, but have you seen anyone use it?

Should Mallory have been distracted, he can still recover yourmails by visiting your provider's server. Something to dowith a PRISM, I heard.On top of that, TLS itself is being recklesslydeployed without forward secrecy most of the time.

Update: This so-called metadata about who is talking to whomis of constitutional importance. It is a founding requirement ofdemocracy to be able to share critical thinking and organize asa political group outside the view of government and not giveanyone the power to influence, manipulate or keep a new democraticmovement from growing and developing its potential. See theupdate below for more on this kind of reasoning.

As Eddie has told us, Mallory is keeping a complete collection of allPGP mails being sent over the Internet, just in case the necessary privatekeys may one day fall into his hands. This makes sense because PGP lacksforward secrecy. Thecharacteristic by which encryption keys are frequently refreshed, thusthe private key matching the message is soon destroyed. Technically PGPis capable of refreshing subkeys, but it is so tedious, it is not beingpracticed – let alone being practiced the way it should be: at least daily.

Update 2015: At least two new crypto schemes over SMTP have been inventedthat implement forward secrecy but aren't PGP-compatible.One is called opmsg. The other one I forgot. They don't address most otherproblems mentioned here.

Mallory may also be awaiting the day when RSA cryptography will be crackedand all encrypted messages will be retroactively readable. Anyone whor*corded as much PGP traffic as possible will one day gain strategicadvantages out of that. According to Mr Alex Stamos that day may becloser than PGP advocates think asRSA cryptography may soon be cracked.

This might be true, or it may be counter-intelligence toscare people away from RSA into the arms of elleptic curve cryptography (ECC).A motivation to do so would have been to get people to use thecurves recommended by the NIST, as they were created using magicnumbers chosen without explanation by the NSA.No surprise they are suspectedto be corrupted.

With both of these developments in mind, the alertcryptography activist scene seems now to converge on Curve25519, a variant of ECCwhose parameters where elaborated mathematically."They are the smallest numbers that satisfyall mathematical criteria that were set forth"explains Christian Grothoff of GNUnet.

ECC also happens to be a faster and more compact encryptiontechnique, which you should take as an incentive to increasethe size of your encryption keys.

Unfortunately, thanks toRFC 6637GnuPG now supportsECC with both Curve25519 and the suspicious NIST curves, but you canonly activate those in ultra expert mode.

Nadia Heninger tells us some more on the topic, and concludes that there is no proof that mathematical discoveries cannot cause a cryptographic meltdown anytime: "Just because nothing has happened for two decades doesn't mean that something cannot happen." It is up to you to worry if it's more likely that RSA or ECC could be cracked in future. Should a mathematical breakthrough drop from the sky, probably both would be affected.

As a side note, OpenPGP requires the use of SHA1 for its fingerprinting. That means the waymost people are authenticated in PGP may someday fall apart.

NSA officials have been reported saying that NSA does not keeptrack of all the peer-to-peer traffic as it is just large amountsof mostly irrelevant copyright infringement. It is thus a verygood idea to develop a communications tool that embeds its ECC-encrypted information into plenty of P2P cover traffic.

Although this information is only given by hearsay, it is a reasonableconsideration to make. By travelling the well-established andsurveilled paths of e-mail, PGP is unnecessarily superexposed.Would be much better, if the same PGP was being handed fromcomputer to computer directly. Maybe even embedded into a picture,movie or piece of music using steganography.

Also, there are several issues about Federation itself…if all the people run their own servers instead of developingdistributed serverless solutions, this is a guarantee that the cloud industry will always be several steps ahead.

Mike Perry has made a nice collection of reasons why thePGP Web of Trust is suboptimal.It is in many ways specific to the PGP approach and notapplicable to other social graphs like secushare's.Let's summarize: The PGP WoT

1. is publicly available for data mining,
2. has many single points of failure (social hubs with compromised keys) and
3. doesn't scale well to global use.

So these are actually three more reasons not to use PGP,but since you can use PGP without WoT we'll count them as one.

Update: Just found out that when you look up a key your amazingPGP client will by default do a cleartext HTTP request to thekey server, so anyone can see who your conversation partnersare.

"I send Bob an encrypted message that we should meet to discuss thesuppression of free speech in our country. Bob obviously wants to besure that the message is coming from me, but maybe Bob is a spy …and with PGP the only way the message can easily be authenticated asbeing from me is if I cryptographically sign the message, creatingpersistent evidence of my words not just to Bob but to Everyone!"(Thanks, Gregory, for providing this one ;-)).

OTR has introduceddeniable authenticationto address this problem and many next generation tools have adopted that concept.OTR cryptographically allows two people to be sure who they aretalking to, yet they cannot prove it to anybody else.

Have you tried making a mailing list with people sharing privatemessages? It's a cumbersome configuration procedure and inefficientsince each copy is re-encrypted. You can alternatively all sharethe same key, but that's a different cumbersome configurationprocedure.

Next generation communication tools automate the creation anddistribution of group session keys so you don't need to worry.You just open up a working group and invite the people to work with.It's so simple, people worry it may not be happening.

Update: These days mail tools are too complicated. Here comeenigmail that is in charge of encrypting mails before they leaveThunderbird. But wait, didn't Thunderbird just store a draft?Yes, and since I happen to have IMAP configured it stored thedraft to my server. Did it bother that I had checked the flagthat I intend to encrypt the mail? No, the draft is on theserver in the clear. I look around and find out thatClaws has been having the same bug.I'm not surprised, after all it's the most natural way of doingthings. One person implements IMAP, another implements PGPsupport, and they never bump into each other and realise thatthe default behaviour of a mail agent that supports both isto do what it should in no way ever do: send the unencryptedmail to the server. This makes the entire effort to use PGP useless.I looked around for warnings, but even thebest manualsfor doing PGP correctlyare aware of a lot of problems, but not this one.I am only on day three of really using PGP, and Ialready discovered a security flaw that no-one has talkedabout much ever before. Is this normal?I have Thunderbird 17.0.8 and you?

P.S. I recommend you to turn off saving mail drafts to the server.

This may seem unrelated, but PGP builds upon e-mail, and e-mailunnecessarily enforces a dependency on DNS andX.509 on us (the TLS and HTTPScertification standard that makes us need certificates, signedby an authority, and then can be fooled and broken anyway).Both cost money to participate in and have to be meticulouslyadministered. Anyone who tried to do it, knows: Mail (and alsoJabber) server administration is annoying and expensive.

Next generation alternatives are either based on DHTtechnology, social graph discovery,byzantine consensus (aka blockchain)or opportunistic broadcast.All of them are powered by the mere fact that you are usingthe software. Frequently there will be sponsored serversproviding for faster service, as it has become the standard forTor, but the administration of such servers is trivial: Justunpack the software and run it (exit nodes are a special casewhich are only relevant if you care to access thelegacy broken Internet).

Why are you accepting being enslaved by e-mail?

PGP has a bad habit of using truncated fingerprints askey ids, organizing keys in its database by short key id anddealing keys with the same short key id as probably being the same,although it isn't so hard to make a new key pair thatresolves to the same key id as an existing one.This seems to be a problem even withlong key ids.Now people say you should use the full fingerprint, but I remember a timewhen it was said that the purpose of fingerprints is just for simplifyingthe comparison of keys among human beings.Computers should always ensure the identity of a public key bycomparing nothing less than the complete public key.By using short ids for maintaining keys the PGP software implementationsare doing it wrong.

One possible consequence of this is that users could betricked into accepting a false replacement key from a key server orin some other way confuse their key management to the point of corruptinga communication path that used to be safe and allowing a man in the middleinto the game. People who have just their short key id printed on their businesscard could suffer targeted man in the middle attacks: The MITM just needsto intercept the keyserver look-up, which as we know is unencrypted by default,and produce the false recipient data. The MITM must then also interceptin- and outgoing SMTP traffic in order to re-encrypt the mail conversation onthe fly to the actual key the recipient expects and vice versa. This can infact be automated to undermine the PGP infrastructure on a large scale, butit would not go unnoticed whereas a targeted attack most likely would.

You can make the attack slightly more difficult by using encrypted keyserver look-ups (= learn to configure gpg to use sane defaults), butsince the key servers do not use PGP to authenticate themselves you canstill suffer a MITM attack on the TLS certification level (see X.509 above).And of course there is also the possibility of the key server itself beingused in a targeted operation against you.In practice the only currently secure way to communicate a key on a businesscard is to print its entire fingerprint along with the look-up id – andnot forget to actually check it (happened to me, so I bet it happens to you).

Update: Apparently this problem has been addressed in GnuPG 2.1. Users that refuse to publish their keys to a keyserver in a desperate attempt to protect their metadata may however still be subject to confusion by an imposter that posts a key with the same long id.

So you think PGP is enough for you since you aren't sayinganything reeaally confidential? Nobody actually careshow much you like to lie to yourself statingyou have nothing to hide. If that was the case, why don'tyou do it on the street, as John Lennon used to ask?

It's not about you, it's about your civic duty not tobe a member of a predictable populace. If somebody isable to know all your preferences, habits and politicalviews, you are causing damage to democratic society.That's why it is not enough that you are covering naughtyparts of yourself with a bit of PGP, if all the rest of itis still in the nude. Start feeling guilty. Now.

It's also about your entire social environment. Your friends,your family deserves better than to end up in XKEYSCORE. Youhave no right to waive away their privacy. Each time youlog in into Facebook or Whatsapp you are committing a felonyagainst them.

Update: Read about the fallacy of transparency.

But everyone I know already has e-mail, so it is mucheasier to teach them to use PGP. Why would I want to teachthem a new software!?

That's a fallacy. Truth is, all people that want to startimproving their privacy have to install new software. Be iton top of super-surveilled e-mail or safely independent from it.In any case you will have to make asafe exchange of the public keys,and e-mail won't be very helpful at that. In fact you makeit easy for Mallory to connect your identity to your public keyfor all future times.

So installing a brand new software that only provides for safeencrypted communications is actually a less complicated change ofhabits than trying to fix the e-mail system, then learning how to use PGP without messing it up.

If you really think your e-mail consumption set-up isso amazing and you absolutely don't want to start all overwith a completely different kind of software, look out fortools that let you use mail clients on top - not the otherway around. Bitmessage has an IMAP emulation for example.

There is no one magic bullet you can learn about.

Thank you, PGP.

Thank you Mr Zimmermann for bringing encryption technologyto the simple people, back in 1991. It has been an invaluabletool for twenty years, we will never forget. But it isoverdue to move on.

What's the threat model here?

Is this about PGP or rather about e-mail?

It's more about SMTP, but I don't think it makes much difference forthe end user whether SMTP federation or actual PGP is failingthem.

What about S/MIME?

"S/MIME unfortunately suffers from many of the same issues as OpenPGP, and then some more."I don't find S/MIME worth mentioning anymore.It is based on X.509 which has so failed us.

We need a new open standard first!

Why don't we fix all of these problems with PGP and e-mail?