Moxie Marlinspike: GPG Has Run Its Course

An anonymous reader writes: Security researcher Moxie Marlinspike has an interesting post about the state of GPG-encrypted communications. After using GPG for much of its lifetime, he says he now dreads getting a GPG-encrypted email in his inbox. "Instead of developing opinionated software with a simple interface, GPG was written to be as powerful and flexible as possible. It's up to the user whether the underlying cipher is SERPENT or IDEA or TwoFish. The GnuPG man page is over sixteen thousand words long; for comparison, the novel Fahrenheit 451 is only 40k words. Worse, it turns out that nobody else found all this stuff to be fascinating. Even though GPG has been around for almost 20 years, there are only ~50,000 keys in the "strong set," and less than 4 million keys have ever been published to the SKS keyserver pool ever. By today's standards, that's a shockingly small user base for a month of activity, much less 20 years." Marlinspike concludes, "I think of GPG as a glorious experiment that has run its course. ... GPG isn't the thing that's going to take us to ubiquitous end to end encryption, and if it were, it'd be kind of a shame to finally get there with 1990's cryptography."

Same error, repeated

I suspect some of the cruft is due to its PGP heritage, but really, all the options aren't the problem. The length of the manpage, neither. Here you have a decently documented piece of software and you complain about the volume? Psah. No, that really isn't the issue. Nor is the ability to have multiple algorithms, as the state of the art keeps on advancing and so you need to replace algorithms now and then.*

The issue is that the interface, the way it packs up crypto for ease of use, is something only a crypto-nerd could love. The basic principles aren't hard to explain to an intelligent lay(wo)man, but understanding how the web of trust works, nevermind make intelligent decisions that make sense, that even crypto-using nerds usually don't manage. And that's just the model; the implementation is clunky to the point that even programs employ intermediate libraries that then barely work for this or that ill-conceived reason.** And then there's the interface as ment for humans. Again, it's nerd-only.

That nerd-only-ness is an obstacle to uptake, and that again is a problem. We desperately need crypto in email, but what bank even publishes GPG and S/MIME keys for securing email? I know of one, and it's a central bank so mere mortals cannot open accounts.

So for a long time GPG has only been supported by a single person, props to him, who evidently doesn't know much about usable user interfaces, not even CLI ones. Yet I'm not blaming just him for it, either. Look at openssl: Again a bit of crypto software that turns out to be pretty damn important, and there's only a few boobs holding down the fort. That is actually poorer documented and even clunkier to use. The code, starting from the APIs, isn't so hot either. No wonder it came crashing down spectacularly. But that too is a problem.

So we have a couple real problems, yet this security expert managed to pin only non-problems. And that itself is again a problem.

* One thing that is a problem is the headers inserted on top of the message that really ought to've been encoded in the signature, since they belong there and moreover there's no real need to put them anywhere else. In fact, the current practice causes transport problems making the format more brittle than it needs to be.
** Work out why gpgme doesn't work so well on 64-bit windows, especially where the individual programs may or may not actually be fully 64bit. It literally doesn't work because some maintainer disabled the workaround that made it work because that somehow "does not make sense" to him.

Re:Same error, repeated

[AmiMoJo]

I know quite a few people who have started using GPG via the Enigmail plug-in for Thunderbird lately. The length of the man page is irrelevant and they never publish their keys so are effectively invisible to the statistics. That doesn't mean that it isn't an extremely useful, valuable piece of software though.

Now more than ever we need GPG, and I bet adoption has gone up a lot in the last year.

I use GnuPG

[AndyCanfield]

My GnuPG public key is on my web site (www.andycanfield.com). It is not on any "KeyServer"; I don't believe in key servers, that's just another layer that the hackers can break and the NSA can subvert.

I use Thunderbird; the interconnection between that and encryption is clumsy [ e.g. if you haven't got a key for somebody, don't encrypt the message, dummy!]. But it works. As long as it's smarter than Keith Alexander and Vladimir Putin, I'm satisfied. The important thing is that PGP is a ***standard***. Any idiot can come up with something better, but he can't make it a standard, so my correspondant on the other end of the wire can't use it.

Oh, and my e-mail address is on Yandex, which is in Moscow.

Moxie's security advice to me:

[Burz]

I simply asked him -- in a private email -- if there was a signature for Convergence someplace because I didn't see any online.

He accused me of being "inflammatory" and stated it was necessary to "take a leap of faith" (i.e. download and run it without verification). This was back in 2012, mind you. He appeared to be oddly anti-PGP back then, too.

Frankly, after that I had no appetite for any more of his, erm, style and forgot about Convergence. Years later, I had to abandon DoNotTrackMe (by a Moxie-run company, Abine) nee 'Blur' for Ghostery instead when the former got an update that kept hogging the CPU. An email to Abine just yielded a response to keep updating Blur, but the problem never went away.

Re:Another bad omen for privacy and security

[Kjella]

Crypto is hard to get right. It's hard for the average person to know what ciphers or tools to use and which are just snake oil. It's hard to implement correctly so that it is secure. New ciphers are written by people who have a lot of experience in breaking the old ones. As the old guard ages out, I don't see the same depth of interest in the next generation. With crypto, there's no quick fix, and the new hotness doesn't come overnight.

Crypto is easy. Ciphers are easy. Here's a key you can use it to sign and verify messages, open and seal envelopes.

Using crypto is hard. People lose keys, forget passwords, don't transmit keys in a secure way, don't store keys in a secure way, revoking keys, checking for revocation, using third party services like webmail and so on. Strong crypto is like losing your house key and being told that sucks, but since it's an impenetrable bunker with an unpickable lock there's nothing you can do but start from scratch.

People want recovery options. If my house burns down to the ground and I escape with no passport, no driver's license, no identification of any kind the government will get me a new one. Work will find a way to get me a new access badge and key fob. That's why all those ways to recover your account exist, they're not necessary per se and you don't have to answer the security questions seriously. But when you have fucked up big and the answer is just gibberish you're pretty screwed. That's why people answer those with actual facts.

Re:People are dumb, and don't care

[ledow]

That's not the problem with GPG.

The problem with it is that I could never be bothered to use it, not because of privacy (it would be incredibly convenient to send, say, a password required in an emergency via a verifiably-encrypted email) - but because it's such a faff. And it interferes with everything (searching, archiving, re-enveloping etc.). And to do so is all bolt-on-and-bodge-job methods. None of the major email clients offered anything like proper encryption by default.

And as soon as you get into using plugins, most people just won't bother. There are plugins for PFS for all your instant messenger programs, etc. - I had one installed for about 5 years, the only other person I know with one installed has a different, incompatible one. Now I don't use IM much any more anyway, so it's dead in the water.

And all email encryption is a ton of messing about with publishing keys in the right places, and having to verify against those places, etc. It's ugly.

The only place I've seen anything like GPG working is in package signing for third-party software. And there you have to download the package, download the key (either from the same website as the package - WOOP WOOP - or independently crowd-source a verified key), and then check it works. I've only ever bothered for Slackware, for which I believe the ISO images are signed with the official Slackware key.

GPG is just a pain in the butt and not automated at all. It's easier to compose and encrypt the message ENTIRELY OFFLINE and then send the encrypted text, and that shows you what kind of automation is missing, and what kind of trust system is actually in place.

Sure, there are plugins, helpers, hacks, extensions and all sorts. But none of them ever progressed to being "in" the software. Not even software designed to do nothing else but send email.

Re:Cock Chuggin'

[phayes]

As an AC, you're a more probable expert on what NSA cock tastes like, so why don't you tell us?

Moxie has been in the trenches breaking drm to free our devices and thus has a good idea of what works & what doesn't.

Much like the "Real programmers" that bemoaned the death of really using the machines when we stopped programming directly in machine code, some will miss PGP, but not anyone who wants encryption to become widespread. PGP is convoluted and a poor base on which to build. We need to move on.

Re:Let me explain.... :-)

I've always thought the post office would be a great place to get your keys signed.

Re:GPG is another TrueCrypt?

[Martin+Blank]

Not remotely. He's encouraging good encryption, but calling for some updates (it hasn't significantly changed since the mid-'90s) and a better wrapper. GPG is still largely by geeks, for geeks. I couldn't get my parents to use GPG because they'd dismiss it as too hard, even if one of them is happy to stick it to the man. The suggested minimum settings vary based on where you look and when they were posted.

Example: An RSA key size of 2048 bits is largely considered secure, but NIST recommends 3072 bits for anything that one would want to keep secure into the 2030s. People still often see their e-mail as their private papers and may be concerned over who can read them well past the 2030s. But does that mean they use 3072, or go with the random crypto weblog guy who says to always go with 4096? And why can't I create 8192- or 16384-bit keys like that software claims to over there?

And what to hash to use? Plenty of sites still say MD5, but they were written years ago. Some have updated to SHA1, but others point out weaknesses there. OK, SHA2, then. But then there's SHA256, which must be better, right? (I know SHA256 is a subset of the SHA2 family, but those unfamiliar with crypto will not.)

Until GPG-style crypto becomes relatively automated, it won't be embraced by more than a handful of people. HTTPS is widely used because people don't have to think much about it. This has some downsides for poorly-configured servers and Superfish/Comodo-style backdoors, but browsers and other software help take up the slack by rejecting poor configurations. PGP/GPG were designed to reach near-perfect levels of encryption, but that bar is clearly too high for significant uptake. We should instead be looking for something that encourages end-to-end encryption that is good enough. We can build on if the underlying structure is properly designed, and as people get more accustomed to crypto in their lives, they'll be able to adjust to improvements.

When the majority of communications are relatively well-secured, it makes it far more difficult for a surveillance state to conduct its operations. Perfect security can still be a long-term goal, but we need more realistic goals to encourage uptake in the meantime.