Since publishing the secure email guide, I’ve had some interesting exchanges with Tutanota staff about encrypted email and their unique solution to the challenges involved. In order to further clarify Tutanota’s rationale for going PGP-free, Matthias Pfau, cofounder of Tutanota, wrote this article exclusively for Restore Privacy readers.
PGP – the most widely used email encryption software – is still only a niche product: Only a fraction of the billions of emails sent every day are secured with PGP encryption. While security experts around the world have done their best to add PGP support to all kinds of email applications for decades, it is time to realize that PGP is simply too complex for mainstream adoption.
3 Reasons Why PGP Must Die
1. PGP was invented almost 30 years ago by Phil Zimmermann. However, even Phil Zimmermann, the inventor of PGP, doesn’t use it. The reason: It is too complicated to install PGP plugins for all your email applications: desktop clients, web clients, mobile clients. While you might still be able to use PGP on desktops and in web clients, the mobile world remains inaccessible to most people. This was also what stopped Phil Zimmermann. Today he mainly uses email on his phone – where PGP encryption is really hard to get.
2. Cryptography experts like Bruce Schneier understand that the most secure system can only be used securely if the user is capable of using it without making any mistakes. Unfortunately, this is not the case with PGP. In many email clients it is very easy for the user to send confidential emails with encryption turned off, so send unimportant emails with encryption turned on, or to accidentally send an encrypted email with the wrong key. Security expert Bruce Schneier concludes:
I have long believed PGP to be more trouble than it is worth. It’s hard to use correctly, and easy to get wrong. More generally, e-mail is inherently difficult to secure because of all the different things we ask of it and use it for.
Filippo Valsorda gives a very good explanation for PGP’s usability weakness:
I haven’t done a formal study, but I’m almost positive that everyone that used PGP to contact me has, or would have done (if asked), one of the following:
- pulled the best-looking key from a keyserver, most likely not even over TLS
- used a different key if replied with “this is my new key”
- re-sent the e-mail unencrypted if provided an excuse like I’m traveling.”
3. OpenPGP projects (Gmail, Yahoo) were doomed and are now dead
A couple of years ago, Gmail tried to hop on the privacy-friendly bandwaggon – and Yahoo later joined in – by developing a Chrome plugin that was supposed to automatically encrypt emails between Gmail – and Yahoo – users with PGP. Soon after, Google stopped this end-to-end encryption project for Gmail.
PGP used to be great
PGP was a great invention, and it is still great for people who are capable of using it correctly. And while the technology of PGP has evolved, user-friendliness has not.
The biggest problem with PGP to this day is its complexity. “It’s a real pain,” says cryptography expert Matthew Green. “There’s key management – you have to use it in your existing email client, and then you have to download keys, and then there’s this whole third issue of making sure they’re the right keys.”
PGP is not fit for the future
On top of that, however, PGP has some inherent security weaknesses, which can not easily be fixed:
1. PGP does not support forward secrecy (PFS).
Without forward secrecy, a breach potentially opens up all your past communication (unless you change your keys regularly). It’s rumored that the NSA stockpiles encrypted messages in the hope of gaining access to the keys at a later date.
This risk is exactly why Valsorda is giving up on PGP: “A long-term key is as secure as the minimum common denominator of your security practices over its lifetime. It’s the weak link.”
Adding forward secrecy to asynchronous offline email is a huge challenge that is unlikely to happen because it would require breaking changes to the PGP protocol and to clients.
2. PGP does not encrypt the subject.
There is no possibility to add the option to encrypt or hide the metadata (sent from, sent to, date) with the PGP protocol.
3. PGP is not always compatible with PGP.
There are so many implementations of PGP that interoperability is not always a given. In addition, if you update your PGP key e.g. from RSA 2048 to RSA 4096, you need to decrypt your entire data with your old private key and re-encrypt it with your new private key.
4. PGP can only be used for email communication.
The encryption method can not be transferred to other systems like encrypted notes, chat, calendar.
EFfail and what comes next
In 2018 researchers from Munster University of Applied Sciences published the EFail vulnerabilities in the end-to-end encryption technologies OpenPGP and S/MIME that leak the plaintext of encrypted emails. The exploit uses a piece of HTML code to trick certain email clients, including Apple Mail, Outlook 2007 and Thunderbird, into revealing encrypted messages.
While the issue is not with the PGP protocol itself, but with the way it has been implemented, this still shows the inherent complexity of doing security right. While email – and PGP for that matter – are praised for being universally interoperable, EFail shows that this also poses a severe security threat. While one person in a conversation may be using a non-affected implementation of PGP, the other person might not.
Even though, vulnerabilities are found and patched – usually rather quickly – there is no knowing that your counterpart is using the updated, patched software or an old, outdated version.
All of this does not help in convincing people to start using end-to-end encryption for emails. What we need in the future is an easy-to-use version of end-to-end encryption, a solution that does not put the user at risk due to its complexity, but something that takes care of the security for the user – no matter where, when or with whom one is communicating.
The new approach must be as easy as it is already implemented in lots of messaging apps like Signal and even WhatsApp.
Future requirements for email encryption
To keep email encryption easy and secure for everybody, the model of the future can not depend on PGP for several reasons:
- Key management must me automated.
- It must be possible to automatically update encryption algorithms (e.g. to make the encryption resistant against quantum computers) without the need of involving the user.
- Backward compatibility must be stopped. Instead, all systems must update within a very short time-frame.
- Forward secrecy must be added to the protocol.
- Metadata must be encrypted or at least hidden.
This is what we at Tutanota have been working on these last couple of years: An easy-to-use email client that has baked encryption into the software and that lets users easily encrypt any email end-to-end.
When we started building Tutanota, we deliberately opted against using PGP. We chose a subset of the PGP’s algorithms – AES 128 and RSA 2048 – but with our own open sourced implementation. This allows us to encrypt subject lines, upgrade the algorithms, and add Forward secrecy. This gives us the great advantage that we can fix – and have in parts already – fixed the described weaknesses in PGP.
- Tutanota already encrypts subject lines. We plan to also hide the metadata in the future.
- Key management and key authentication is automated in Tutanota, which makes it very easy to use.
- Tutanota encrypts and decrypts the users’ private key with the help of the users’ password. This enables the user to access their encrypted mailbox and to send encrypted emails on any device. Whether people use their encrypted mailbox with the web client, with the open source apps or with the secure desktop clients, Tutanota makes sure that all data is always stored encrypted.
- Encryption algorithms can be updated in Tutanota. We plan to update the algorithms used to quantum secure ones in the near future.
- We plan to add Forward secrecy to Tutanota.
- The encryption algorithms used in Tutanota can be applied to all kinds of data. The Tutanota mailbox already encrypts all data stored there, including the entire address book. We plan to add an encrypted calendar, encrypted notes, encrypted drive – all secured with the same algorithms.
Easy email encryption is already available. Now we must spread the word so that everybody understands that it is no longer necessary to allow Google, Yahoo and others to harvest our data. We can simply use encrypted emails so that nobody can spy on our private data.
We’d be happy to hear your feedback on Tutanota and what you would like to see included in an encrypted email client.
The first P stands for Pretty, not Perfect 🙂
There’s a lot here that scares me. Keeping Keys encrypted on a server, as well as ‘secure’ desktop apps. In the past, Hushmail was required by court order to put a backdoor into their desktop encryption applet. Rolling your own encryption is likewise dangerous and should be vetted.
While I always welcome a new standard, If people truly have a need for strong security, they should take the time learn how to use PGP correctly.
-JS
I use PGP to sign things, mostly git-commits, source tarballs and packages. While there were some incidents (I wasn’t able to find them, sorry), signing with PGP still seems pretty robust. For signing I want my key to live a long time. Of course automated systems for building and distributing software-packages could probably update the signing key often or use some complicated protocol like messengers are using, I can’t see the benefit of that, but that is just me not knowing enough about these protocols. I use a hardware crypto device, it has many modules and it seems that OpenPGP is the easiest to use and the widest spread: git supports it, so do github and gitlab and many other git platforms. I can also authenticate with SSH using the OpenPGP module on the device. The name of PGP is definitely wrong, privacy is pretty (very) bad and in combination with email it is catastrophic. The use-casa I described is almost the opposite of privacy.
If I want good encryption and privacy I use signal.
Would you mind sharing what hardware cryptographic device you use? I’m interested in doing this too, thanks.