First and foremost I have to pay respect to PGP: it was an important weapon in the first cryptowar. It has helped many whistleblowers and dissidents. It is software with quite an interesting history, if all the cryptograms could tell... PGP is also deeply misunderstood: it is a highly successful political tool. It was essential in getting crypto out to the people. In my view PGP is not dead, it's just old and misunderstood and needs to be retired with honor.
However, the world has changed from the happy internet times of the '90s: from a passive adversary to many active ones, with cheap commercially available malware sold as turn-key solutions, intrusive apps, NSLs, gag orders, etc.
Today it is cheap for a random spy agency to archive all encrypted messages for later decryption, if that ever becomes necessary. A few years ago the Wikileaks spy files contained Finfly ISP, a proxy that infected binaries during download at the ISP. Since then the Hacking Team leak has given us an in-depth look at who is buying this kind of mass spy gear. While Data Retention was repealed in the EU by the court in Strasbourg, many countries still practice it, in addition to taps by domestic intelligence agencies which can easily filter out PGP messages. Deploying some malware on persons of interest to recover their secret keys and passwords is a cheap operation that can be executed even after minimal training.
What the discussion about PGP's obsolescence lacks is something that is very much required in cryptographic discourse: the adversary model, a set of actions the adversary can perform. Those cryptographic adversary models, however, might be a bit too much mathematics for many end-users, so for them I came up with the quite populist 4c model. There are only four generic adversary classes:
- Citizens
- Criminals
- Corporations
- Country-level actors
Is PGP a reasonable tool to protect against other citizens? Probably yes, unless your kid or your wife's PI installs a remote access trojan (i.e. becomes an active adversary). Is it good against criminals? Probably, but only because it's not economical for criminals to extract value from your cryptograms. Does it protect against corporations? Probably, as long as they stay within the law and don't siphon off everything they find anyway (i.e. smartphone apps). Does it protect against country-level actors? Most probably not.
Consider your average investigative journalist or whistleblower, with Windows or a Mac that they haven't updated because then their kid's favorite game doesn't run anymore, or because they simply don't want Windows 10. An adversary who archives encrypted messages is able to read your mails using a simple active malware attack: copying your secret key and logging the password for it. After this is captured, the malware can and should remove itself.
In "first" world countries like France, where there's now a "state of emergency", or the UK with its Snoopers' Charter, or the Dutch who just passed another dystopian dragnet surveillance bill, this directly affects climate activists as much as labor unions or journalists. The case is probably even worse in Turkey or any of the Eastern Bloc states. This makes forward secrecy a mandatory requirement, as it implies that the malware has to be constantly active, which increases the chances of detection and mitigation and also requires much better trained personnel to operate.
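The difference the two paragraphs above describe, as an added example that is not part of the original post: with one long-term key (the PGP model) a single capture of that key opens the whole archive, whereas with a per-message key ratchet a one-time capture of the device state only reaches messages sent from that point on. The hash ratchet and the toy keystream cipher are constructed for illustration, not a recommended construction.

```python
import hashlib
import hmac
import os

def _xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy keystream cipher: XOR with HMAC-SHA256(key, counter). Illustration only."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def static_key_archive(messages, long_term_key):
    """PGP-style: every message to this recipient is protected by one long-term key."""
    return [_xor_stream(long_term_key, m) for m in messages]

def _step(state):
    """Derive the per-message key and advance the chain with a one-way hash."""
    msg_key = hmac.new(state, b"msg", hashlib.sha256).digest()
    return msg_key, hmac.new(state, b"chain", hashlib.sha256).digest()

def ratchet_archive(messages, state):
    """Symmetric hash ratchet: fresh key per message, old chain state discarded.
    Returns the ciphertexts and the chain state left on the device afterwards."""
    cts = []
    for m in messages:
        msg_key, state = _step(state)
        cts.append(_xor_stream(msg_key, m))
    return cts, state

def decrypt_with_captured_state(cts, state, captured_at):
    """What an archiving adversary recovers after malware copies the chain state once,
    just before message number `captured_at` was sent, and then deletes itself.
    Earlier states cannot be derived from a later one, so past traffic stays None."""
    recovered = [None] * captured_at
    for ct in cts[captured_at:]:
        msg_key, state = _step(state)
        recovered.append(_xor_stream(msg_key, ct))
    return recovered

def demo():
    msgs = [b"month 1 report", b"month 2 report", b"month 3 report", b"month 4 report"]
    lt_key = os.urandom(32)                       # constructed long-term key
    static_leak = [_xor_stream(lt_key, c) for c in static_key_archive(msgs, lt_key)]
    root = os.urandom(32)                         # constructed initial chain state
    cts_old, state_after_2 = ratchet_archive(msgs[:2], root)
    cts_new, _ = ratchet_archive(msgs[2:], state_after_2)
    ratchet_leak = decrypt_with_captured_state(cts_old + cts_new, state_after_2, 2)
    return msgs, static_leak, ratchet_leak
```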
Here's a good example of using PGP: a doctor and his patients could use PGP to secure their communication. It seems most pharmaceutical companies are still shying away from getting patient data by hacking into doctors' offices (although I expect that to be quite easy, and I ignore here software developed by pharma for doctors' offices). The law seems like a reasonable and natural defense-in-depth in this case. However, the metadata that you sent a mail to a doctor might still be interesting to your insurance company, regardless of the contents of the mail.
Another good example is signatures; they have not aged as badly as encryption. It's mostly ok to use PGP to sign software packages, git commits, SSL certs and even contracts, but even in those cases it is worth taking extra care with your keys if you sign something that can be used as an attack vector, like software source code or a TLS certificate.
Let's say the adversary is only passive; it can still learn a lot about you, and there are actors who "kill based on metadata". The often heard defense that TLS encrypts SMTP anyway ignores a reality where self-signed certificates are very common and mail servers are configured tolerantly, to let other legitimate users with badly configured (e.g. earthlink), self-signed or mitmed boxes still send and receive mails.
Archiving - data at rest, not in motion
The argument that forward secrecy (FS) gets in the way of reading old emails neglects the possibility of storing the messages in a different way. And even without FS, reading old emails can fail; some examples of how PGP fails in the same way without FS:
- You will lose your ability to read your mails when you lose your key.
- When doing manual FS with quickly rotating keys, you still cannot read your old emails.
- HW tokens can break, and then again you will have no access to the mails.
I firmly believe that archived mails should be re-encrypted with something more appropriate than the cipher the sender chose, and riseup seems to agree. A solution would be something like tahoe-lafs, or some double scheme with the backup key being split into shares, plus a way to decrypt a message without compromising the confidentiality of the other messages. Additionally, all archived mails should be privately indexable/searchable/retrievable. This might be an interesting research project if anyone is looking for something to chew on (add it to Tom Ritter's wishlist if you want).
App ≠ Protocol
Another issue is that secure messaging is nowadays equated with PGP-encrypted email or using Signal on a smartphone. The most important point is that Signal (the app) is not the same as the Signal Protocol. Just as I don't recommend using PGP in many cases, I also do not recommend using a centralized service that keeps your keys on a smartphone. However, I warmly recommend using the Signal Protocol whenever messaging is to be done. Signal can be a direct replacement for PGP; someone just has to code up the whole thing (time to flesh out signal-cli).
Indeed there are other tools in development that are quite promising. opmsg is the most advanced and mature of the ones I looked at, and I would recommend opmsg any day over basic gpg. Conceptually, another interesting approach is codecrypt, which uses post-quantum algorithms for signing and encryption; pond introduces a whole bunch of new concepts for messaging; coniks addresses many aspects of the key management issues that pgp neglects; safeslinger is also an exciting protocol, if you ignore that it runs on a smartphone.
The essential paper, if you are into securing messaging, which sums up most of the issues mentioned in this post and introduces examples of how to fix these and many more, is "SoK: Secure Messaging" by N. Unger, S. Dechand, J. Bonneau, S. Fahl, H. Perl, I. Goldberg and M. Smith. This paper gives a granular analysis of various aspects of messaging and shows which tools or protocols go beyond what PGP provides as a baseline. Listing all of those aspects is a bit too much, but to whet your appetite, here are the four main aspects and their categories:
- key-exchange: security, usability, adoption
- conversation: security, deniability, usability
- transport: privacy, usability, adoption
- group conversations
The tables in this post are taken from the paper.
PGP for encryption as in RFC 4880 should be retired. There are some sunk-cost biases to be coped with, but we should all rejoice that the last 3-4 years have seen so much innovation in this field, that RFC 4880 is being rewritten with many of the above in mind, and that hopefully there'll be more and better tools. After all, it's an arms race, not trench warfare.
About the Author
stef has done lots of research on PGP in the past: see his GitHub repos and blog posts in the archives. stef has for many years advocated and used PGP himself; he trained journalists, NGOs and activists, on his own and in cooperation with organizations like Tactical Technology Collective. You could say he has extensive field and theoretical knowledge. But he has also been cautioning against PGP for a few years now, and he likes to believe he was one of the inspirations behind the secushare/pgp post. He even went to the GnuPG developers conference and gave a talk about OpenPGP as such needing upgrades in many aspects.