Pretty Good Privacy (PGP), the popular email privacy and authentication software is fundamentally broken and it’s time for it to “die,” says Matthew Green, a respected cryptographer and research professor at Johns Hopkins University.
Green, who has been involved in the recent TrueCrypt audit, published a blog post after Yahoo announced its intention to follow on Google’s footsteps and implement end-to-end email encryption.
“As transparent and user-friendly as the new email extensions are, they’re fundamentally just re-implementations of OpenPGP — and non-legacy-compatible ones, too. The problem with this is that, for all the good PGP has done in the past, it’s a model of email encryption that’s fundamentally broken,” the researcher wrote in a blog post. “It’s time for PGP to die.”
First of all, he believes PGP keys, even ones produced by modern elliptic curve implementations, are too large and difficult to handle.
“Since PGP keys aren’t designed for humans, you need to move them electronically. But of course humans still need to verify the authenticity of received keys, as accepting an attacker-provided public key can be catastrophic,” Green said. “PGP addresses this with a hodgepodge of key servers and public key fingerprints. These components respectively provide (untrustworthy) data transfer and a short token that human beings can manually verify. While in theory this is sound, in practice it adds complexity, which is always the enemy of security.”
According to the cryptographer, another issue is with manual PGP key management and the lack of transparency. However, he believes this issue isn’t unfixable, one positive example being the experimental system Keybase.io, which ties keys to the identity of users. Green says modern encryption tools are like islands that are not connected to the mainland, and connecting them represents one of the biggest challenges.
The lack of forward secrecy, old cryptography and “bad” defaults have also been named as problematic by the expert. But the worst part of the PGP ecosystem, according to Green, are mail client implementations.
“Many PGP-enabled mail clients make it ridiculously easy to send confidential messages with encryption turned off, to send unimportant messages with encryption turned on, to accidentally send to the wrong person’s key (or the wrong subkey within a given person’s key),” Green said. “They demand you encrypt your key with a passphrase, but routinely bug you to enter that passphrase in order to sign outgoing mail — exposing your decryption keys in memory even when you’re not reading secure email.”
Some agree with Green’s views, but others, like Thomas H. Ptacek, a security researcher with Matasano Security, noted that while there is a lot wrong with PGP, it’s currently the only trustworthy mainstream cryptosystem.
“The flaw is that many systems are old and not up-to-date and thus use poorly implemented or outdated versions of the standards,” Morten Landrock, managing director at Denmark-based security solutions provider Cryptomathic Ltd., told SecurityWeek.
Landrock says that while users should be concerned about such issues, this isn’t exactly front-page news.
Yan Zhu, a former EFF technologist who recently joined Yahoo, published a blog post to describe how she believes centralized PGP key management could be “sane.”
“IMO, if we’re trying to improve email security for as many people as possible, the best solution minimizes the extent to which the authenticity of a conversation depends on user actions,” said Zhu, who is the first member of a new privacy engineering team that will focus on usable end-to-end encryption for Yahoo mail. “Key management should be invisible to the average user, but it should still be auditable by paranoid folks. (Not just Paranoid! folks, haha).”
