Let PGP Die: Why We Need a New Standard for Email Encryption
Since publishing the secure email guide, I’ve had some interesting exchanges with Tutanota staff about encrypted email and their unique solution to the challenges involved. In order to further clarify Tutanota’s rationale for going PGP-free, Matthias Pfau, cofounder of Tutanota, wrote this article exclusively for Net Todays readers.
3 Reasons Why PGP Must Die
1. PGP was invented almost 30 years ago by Phil Zimmermann. However, even Phil Zimmermann, the inventor of PGP, doesn’t use it. The reason: it is too complicated to install PGP plugins for all your email applications: desktop clients, web clients, mobile clients. While you might still be able to use PGP on desktops and in web clients, the mobile world remains inaccessible to most people. This was also what stopped Phil Zimmermann. Today he mainly uses email on his phone – where PGP encryption is really hard to get.
2. Cryptography experts like Bruce Schneier understand that even the most secure system can only be used securely if the user is capable of using it without making any mistakes. Unfortunately, this is not the case with PGP. In many email clients it is very easy for the user to send confidential emails with encryption turned off, to send unimportant emails with encryption turned on, or to accidentally send an encrypted email with the wrong key. Security expert Bruce Schneier concludes:
I have long believed PGP to be more trouble than it is worth. It’s hard to use correctly, and easy to get wrong. More generally, e-mail is inherently difficult to secure because of all the different things we ask of it and use it for.
Filippo Valsorda gives a very good explanation for PGP’s usability weakness:
I haven’t done a formal study, but I’m almost positive that everyone that used PGP to contact me has, or would have done (if asked), one of the following:
- pulled the best-looking key from a keyserver, most likely not even over TLS
- used a different key if replied with “this is my new key”
- re-sent the e-mail unencrypted if provided an excuse like “I’m traveling.”
PGP used to be great
PGP was a great invention, and it is still great for people who are capable of using it correctly. And while the technology of PGP has evolved, user-friendliness has not. The biggest problem with PGP to this day is its complexity. “It’s a real pain,” says cryptography expert Matthew Green. “There’s key management – you have to use it in your existing email client, and then you have to download keys, and then there’s this whole third issue of making sure they’re the right keys.”
PGP is not fit for the future
On top of that, however, PGP has some inherent security weaknesses, which cannot easily be fixed:
1. PGP does not support forward secrecy (PFS). Without forward secrecy, a breach potentially opens up all your past communication (unless you change your keys regularly). It’s rumored that the NSA stockpiles encrypted messages in the hope of gaining access to the keys at a later date. This risk is exactly why Valsorda is giving up on PGP: “A long-term key is as secure as the minimum common denominator of your security practices over its lifetime. It’s the weak link.” Adding forward secrecy to asynchronous offline email is a huge challenge that is unlikely to happen because it would require breaking changes to the PGP protocol and to clients.
2. PGP does not encrypt the subject. There is no possibility to add the option to encrypt or hide the metadata (sent from, sent to, date) with the PGP protocol.
3. PGP is not always compatible with PGP. There are so many implementations of PGP that interoperability is not always a given. In addition, if you update your PGP key, e.g. from RSA 2048 to RSA 4096, you need to decrypt your entire data with your old private key and re-encrypt it with your new private key.
4. PGP can only be used for email communication. The encryption method cannot be transferred to other systems like encrypted notes, chat, calendar.
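To make point 2 concrete, the following added example (not part of the original article or of any PGP implementation) parses a constructed PGP/MIME message and reports which fields stay readable to mail servers and network observers. It assumes the RFC 3156 layout; the addresses, subject and armored block are placeholders, and `audit` and `is_pgp_mime` are illustrative names.

```python
from email import message_from_string

# Constructed sample (not from the article): a PGP/MIME message laid out per
# RFC 3156. Addresses, subject and the armored block are placeholders.
SAMPLE = """\
From: alice@example.org
To: bob@example.net
Date: Tue, 05 Mar 2019 10:15:00 +0000
Subject: Contract draft for Friday
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
 boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(placeholder, not real ciphertext)
-----END PGP MESSAGE-----
--b1--
"""

# Headers a mail server or network observer can read and log.
METADATA = ("From", "To", "Cc", "Date", "Subject", "Message-ID",
            "In-Reply-To", "References")

def is_pgp_mime(msg):
    """True if the top-level MIME type marks an RFC 3156 encrypted message."""
    protocol = (msg.get_param("protocol") or "").lower()
    return (msg.get_content_type() == "multipart/encrypted"
            and protocol == "application/pgp-encrypted")

def audit(raw):
    """Report which fields stay readable and what the ciphertext covers."""
    msg = message_from_string(raw)
    exposed = {h: msg[h] for h in METADATA if msg[h] is not None}
    protected = []
    parts = msg.get_payload() if msg.is_multipart() else []
    if is_pgp_mime(msg):
        # Part 1 is the "Version: 1" control part, part 2 holds the ciphertext.
        if (len(parts) == 2
                and parts[1].get_content_type() == "application/octet-stream"):
            protected.append("body and attachments")
    return {"encrypted": is_pgp_mime(msg), "exposed": exposed, "protected": protected}
```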
EFail and what comes next
In 2018 researchers from Münster University of Applied Sciences published the EFail vulnerabilities in the end-to-end encryption technologies OpenPGP and S/MIME that leak the plaintext of encrypted emails. The exploit uses a piece of HTML code to trick certain email clients, including Apple Mail, Outlook 2007 and Thunderbird, into revealing encrypted messages. While the issue is not with the PGP protocol itself, but with the way it has been implemented, this still shows the inherent complexity of doing security right.
While email – and PGP for that matter – are praised for being universally interoperable, EFail shows that this also poses a severe security threat. While one person in a conversation may be using a non-affected implementation of PGP, the other person might not. Even though vulnerabilities are found and patched – usually rather quickly – there is no knowing whether your counterpart is using the updated, patched software or an old, outdated version. All of this does not help in convincing people to start using end-to-end encryption for emails.
What we need in the future is an easy-to-use version of end-to-end encryption, a solution that does not put the user at risk due to its complexity, but something that takes care of the security for the user – no matter where, when or with whom one is communicating. The new approach must be as easy as what is already implemented in lots of messaging apps like Signal and even WhatsApp.
Future requirements for email encryption
To keep email encryption easy and secure for everybody, the model of the future cannot depend on PGP for several reasons:
- Key management must be automated.
- It must be possible to automatically update encryption algorithms (e.g. to make the encryption resistant against quantum computers) without the need of involving the user.
- Backward compatibility must be stopped. Instead, all systems must update within a very short time-frame.
- Forward secrecy must be added to the protocol.
- Metadata must be encrypted or at least hidden.
- Tutanota already encrypts subject lines. We plan to also hide the metadata in the future.
- Key management and key authentication are automated in Tutanota, which makes it very easy to use.
- Tutanota encrypts and decrypts the users’ private key with the help of the users’ password. This enables the user to access their encrypted mailbox and to send encrypted emails on any device. Whether people use their encrypted mailbox with the web client, with the open source apps or with the secure desktop clients, Tutanota makes sure that all data is always stored encrypted.
- Encryption algorithms can be updated in Tutanota. We plan to update the algorithms used to quantum secure ones in the near future.
- We plan to add forward secrecy to Tutanota.
- The encryption algorithms used in Tutanota can be applied to all kinds of data. The Tutanota mailbox already encrypts all data stored there, including the entire address book. We plan to add an encrypted calendar, encrypted notes, encrypted drive – all secured with the same algorithms.