Stop using PGP

While PGP (standardised as OpenPGP in IETF RFC 4880) and GnuPG (the most common implementation today) have filled an important historical role in making message encryption software freely available, the design really hasn’t aged well.

In fact, I suggest people stop using PGP entirely in favor of better tools like age for encryption and minisign for signing and signature verification.
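As an added example (not code from the original post, and not from the age or minisign projects), here is a shell walkthrough of the replacement workflow suggested above: encrypt a file to an age recipient, sign the ciphertext with minisign, verify and decrypt, then confirm that a tampered file and a wrong identity are both rejected. It assumes `age`, `age-keygen` and `minisign` are on PATH and that minisign is recent enough to accept `-W` (unencrypted secret key, used only to keep the run non-interactive); the directory, file and key names are arbitrary.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes age, age-keygen and
# minisign are installed; file and key names below are arbitrary choices.
set -eu

# Usage: age_minisign_demo <workdir>
# Creates keys in <workdir>, encrypts a constructed message with age,
# signs the ciphertext with minisign, then verifies and decrypts.
# Returns 0 only if every step, including the negative checks, behaves.
age_minisign_demo() {
    dir=$1
    mkdir -p "$dir"
    printf 'constructed sample message\n' > "$dir/msg.txt"   # constructed input

    # --- encryption with age (X25519 recipient) ---
    age-keygen -o "$dir/alice.key" 2>/dev/null        # writes the identity file
    alice_pub=$(age-keygen -y "$dir/alice.key")       # prints the "age1..." recipient
    age -r "$alice_pub" -o "$dir/msg.age" "$dir/msg.txt"

    # The ciphertext must not contain the plaintext.
    if grep -q 'constructed sample message' "$dir/msg.age"; then
        echo "plaintext leaked into ciphertext" >&2
        return 1
    fi

    # --- signing with minisign (Ed25519) ---
    # -G generate a key pair, -f overwrite an existing one, -W no key password
    minisign -G -W -f -p "$dir/bob.pub" -s "$dir/bob.key" >/dev/null
    # -S sign; the detached signature lands in msg.age.minisig
    minisign -S -W -s "$dir/bob.key" -m "$dir/msg.age" >/dev/null

    # --- verify the signature, then decrypt ---
    minisign -V -p "$dir/bob.pub" -m "$dir/msg.age" >/dev/null
    age -d -i "$dir/alice.key" -o "$dir/msg.out" "$dir/msg.age"
    if ! cmp -s "$dir/msg.txt" "$dir/msg.out"; then
        echo "decrypted output does not match the original" >&2
        return 1
    fi

    # --- negative checks ---
    # A different identity must not be able to decrypt the message.
    age-keygen -o "$dir/mallory.key" 2>/dev/null
    if age -d -i "$dir/mallory.key" -o /dev/null "$dir/msg.age" 2>/dev/null; then
        echo "wrong identity decrypted the message" >&2
        return 1
    fi
    # A tampered ciphertext must fail signature verification.
    printf 'x' >> "$dir/msg.age"
    if minisign -V -p "$dir/bob.pub" -m "$dir/msg.age" >/dev/null 2>&1; then
        echo "tampered file passed verification" >&2
        return 1
    fi
    return 0
}
```

The signature is made over the ciphertext, so a recipient can check who produced the file before decrypting it; it says nothing about the plaintext beyond that. Outside a demo, leave out `-W` so the minisign secret key is password-protected on disk.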

PGP suffers from a long list of problems, many of which are inherent in its design and unlikely to ever be addressed. More knowledgeable people than me have written about this extensively; see the references below for a few examples.

Direct experiences

I happened to be working at StartMail during the time of the 2018 Efail vulnerability. We didn’t receive any advance notice, but found out about the vulnerability when it was publicly disclosed and being picked up by some of the (tech) media.

Feel free to reach out for a chat if you’d like to hear a firsthand account of what it was like to respond to a widely reported security vulnerability in software making up a core part of our product.

I’ve also had some conversations with Phil Zimmermann, the original creator of PGP, during my time there. If it interests you, I’d be happy to share a few anecdotes.

References

Green, Matthew. 2014. “What’s the Matter with PGP?” A Few Thoughts on Cryptographic Engineering (blog). August 13, 2014. https://blog.cryptographyengineering.com/2014/08/13/whats-matter-with-pgp/.

Latacora. 2019. “The PGP Problem.” July 16, 2019. https://latacora.micro.blog/2019/07/16/the-pgp-problem.html.

———. 2020. “Stop Using Encrypted Email.” February 19, 2020. https://latacora.micro.blog/2020/02/19/stop-using-encrypted.html.

Valsorda, Filippo. 2020. “Cryptography Dispatches: Replace PGP With an HTTPS Form.” July 19, 2020. https://buttondown.email/cryptography-dispatches/archive/cryptography-dispatches-replace-pgp-with-an-https/.