Everyone should use PGP, but it’s kinda terrible
2013-08-29Around the time that Snowden started talking about the United States government’s surveillance activities, I decided it might be a good time to start learning about email encryption. As insecure as email is, encryption is something that everyone should have started doing a long time ago anyway.
Unfortunately, there are reasons that everyone isn’t using it.
It’s hard to set up
I suspect the way most people on Windows will use PGP is by downloading GPG4Win and Enigmail. The fact that this is two separate things to install is a showstopper for a lot of people. Installation of Engimail requires right clicking on a link to save it, then locating the file in Windows Explorer and dragging it into an open Thunderbird window. I can do that and you can do that, but it’s arcane wizardry for a significant portion of the population.
Also, the GPG installer appears to randomly crash under certain circumstances on Windows 8.
That’s just installation. Then you have to get people to generate a key using a password that’s different from the one they use to login to their email server. I suspect most users would have a difficult time using the GPG interface; it’s very reminiscent of desktop Linux applications a decade ago.
Key syncing
I dual boot Windows and Fedora. I have an iPhone and a Nexus 7. I can transfer the key between Windows, Fedora, and Android. I don’t know it’s as easy as it could be. iOS is even more problematic. Giving your private key to a 3rd party is a terrible idea, but what choice do you have? I can’t read encrypted email on my phone. Who puts up with that?
Ideally, if my iPhone was on the same network as my desktop, and I had the mail application open on both of them, they would see each other and the desktop client would offer to copy the key over.
Interacting with people who don’t use PGP is awkward.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.20 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQEbBAEBAgAGBQJR0mBFAAoJEAKUiUvsYbBppZ8H9Rr8qd4U0iE7rg4W9EiGp2+s
Of3FSiK29rcXAXRPPet/3tkyo3vAiEFyfRiCQslwqyjFpmZdEBwaSNJ/3xjg2FtB
MNChMJYNhTudvbNF3ZfvU279WTukLOG3qDycOWxefVI7M2U21LGIQJhRlz7Cr2Ve
r8Rd2SPuhXh7y256KLRToFPu7YtZDYwS2ayhLd/fnScFpvVwxlfuPdHz51TsipZA
+uLg9v9Psnb7Y49nNGr0+4r0GT17+uxXr6Y5TFj6EmgxiBkdwjiD3svjra+Zg6w3
VBHsCsYYmOzbvPN+4XppUYPQodZ1Tx9bFRxAWxvDRl0Z0n6FcU0sEgW+C54e/A==
=GlYC
-----END PGP SIGNATURE-----
The PGP signature block is, in theory, A Good Thing. Email headers aren’t necessarily very reliable. Clients have gotten a lot better at detecting phishing, but having a definitive way to prove the person who sent the email actually sent it is only a good thing.
The problem is that anyone who doesn’t use PGP will see the huge block of random characters at the bottom of all your emails. Either it’s on every email you send, or you have to make a conscious decision to add/remove it every time you send a message. That’s a poor user experience.
Ideally, your address book should set a “PGP” flag on contacts as your email client learns who uses PGP. People who have it get the signature, everyone else just gets plaintext.
Some things aren’t encrypted
PGP, like most everything else built on top of email, is a little bit of a hack. The subject line isn’t encrypted. The OpenPGP spec maybe should have defined some front matter fields within the encrypted block.
User cognition is a limited resource; we shouldn’t burden it with unnecessarily details just because our solution is a hack.
No formatting
Enigmail turns off HTML formatting when you install it. I suspect that this is because an attacker could assume that common HTML tags appear in the message, making it easier to decrypt. If this is the case, a workaround might be to provide limited formatting via Markdown. It wouldn’t have to be transparent to users, and Markdown’s syntax is more compact.
Everything is terrible
If PGP is to gain serious traction, it will need to be built into email clients. Not as an afterthought, but as an easy-to-use feature integrated in almost every aspect of the client. If the user has to think about it after initial setup, it’s not there yet.
Because right now, it’s just not a good user experience at all. Everyone should use encryption, but it’s very difficult to recommend PGP in its current state.