
PGP: Why isn’t it more widely used?

Preamble: Today was my last day at FSC Internet but I started writing the piece below some time ago. It still needs some work, so it’ll probably get a few more edits as time goes along, but I wanted to post it up here to mark the day I left the field of Internet security. 🙂

Ever since I started working for an Internet security company, I’ve been using PGP (GnuPG) a lot more both in my daily work, and at home. Even though PGP has been around for ages, it hasn’t been widely adopted. Other secure e-mail technologies like S/MIME have not enjoyed wide acceptance either. I started to ask myself why, and I’ve come up with a number of explanations as to why secure e-mail hasn’t taken off:

  • Insufficient size of critical user base. This is the classic technology adoption problem that faced inventions from the cell phone (who are you going to call if nobody else has one) to the VCR (what are you going to play in your VHS VCR if all the movies are still in BetaMax). With PGP, the problem is compounded by the fact that the trust value of your key is affected by the trust value of the keys of the peers that have signed your key; if nobody signs your key, the trust value of it is very low.
  • No interoperability between competing secure e-mail technologies. In part, we can blame the invention of proprietary and closed technologies like that "Secure E-mail Certificate" widget in Microsoft Outlook. PGP has been around for years; why didn’t they just use that? On the other hand, PGP itself has been through many mutually incompatible revisions: PGP 2.x, Network Associates PGP 5.0, PGP 6.0, and finally, GnuPG as an open-source alternative to PGP proper. Such needless forking does nothing to build the image of secure e-mail technology as reliable and robust.
  • Poor GUI frontends to PGP. Before writing this piece I decided to do some investigation as to which frontends out there are still being actively maintained. There certainly aren’t a lot. On this Debian GNU/Linux box I picked out two that appeared worthwhile: gpgp and kgpg. gpgp, as I soon discovered, was out of date. kgpg core dumped when I tried to retrieve keys from a remote keyserver. Neither of them implements the features that I would want in a front end, namely, easy modification of all parameters of a given key on the keyring, including trust levels, adding and removing signatures, and so on.
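
The first bullet's point about signatures and trust can be made concrete. The following is an added example, not part of the original post: a simplified Python model of GnuPG's classic trust calculation using GnuPG's default thresholds. The function name, the keyring and the key names are constructed for illustration.

```python
# Added example: simplified model of GnuPG's classic web-of-trust calculation.
COMPLETES_NEEDED = 1  # GnuPG default (--completes-needed)
MARGINALS_NEEDED = 3  # GnuPG default (--marginals-needed)
MAX_CERT_DEPTH = 5    # GnuPG default (--max-cert-depth)


def compute_validity(own_key, ownertrust, signatures):
    """Return {key: "full" | "marginal" | "unknown"}.

    ownertrust: key -> "full" or "marginal", how far *you* trust that owner
                to certify other people's keys (absent = not trusted).
    signatures: key -> set of keys that have signed it.
    """
    validity = {key: "unknown" for key in signatures}
    validity[own_key] = "full"
    introducers = {own_key: "full"}  # keys whose signatures currently count
    for _ in range(MAX_CERT_DEPTH):
        newly_full = []
        for key, signers in signatures.items():
            if validity[key] == "full":
                continue
            full = sum(introducers.get(s) == "full" for s in signers)
            marginal = sum(introducers.get(s) == "marginal" for s in signers)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                validity[key] = "full"
                newly_full.append(key)
            elif full or marginal:
                validity[key] = "marginal"
        if not newly_full:
            break
        # A key can vouch for others only once it is itself fully valid
        # and you have assigned its owner some ownertrust.
        for key in newly_full:
            if key in ownertrust:
                introducers[key] = ownertrust[key]
    return validity


# Constructed keyring: names and signatures are illustrative only.
OWNERTRUST = {"alice": "full", "bob": "marginal", "carol": "marginal", "dave": "marginal"}
SIGNATURES = {
    "alice": {"me"}, "carol": {"me"}, "dave": {"me"},
    "bob": {"alice"},
    "erin": {"bob", "carol", "dave"},  # three marginal introducers
    "frank": {"bob"},                  # one marginal introducer
    "newcomer": set(),                 # nobody has signed this key
}

if __name__ == "__main__":
    for key, level in compute_validity("me", OWNERTRUST, SIGNATURES).items():
        print(f"{key:10} {level}")
```

In this model the unsigned key stays at "unknown" no matter how many keys its owner has signed, which is the adoption problem the bullet describes.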

Fundamentally, though, these aren’t insurmountable problems. Technical and adoption issues, while irritating, are comparatively easy to fix. (Okay, convincing Microsoft to use PGP in Outlook might be more difficult, but even the PGP GUI is a problem waiting to be solved.) It’s my belief that the lack of interest in secure e-mail technologies as a whole is motivated by people’s desire to not only be anonymous on the Internet, but to never be held accountable for anything they say.

Perhaps I’ve been hanging around too many marketing weasels, but there are plenty of folks who don’t want to be held accountable at a later date for some bald statement they made today. I’m sure that the Enron and WorldCom executives wished they hadn’t sent certain e-mails that are now sitting in evidence vaults. Those e-mails would probably carry even more weight (against said executives) if they were digitally signed with the originator’s PGP key.

The lesson to be learned here is one that relates to human nature. Once you have attached a digital signature to something, you can’t take it back. Ever. Particularly if the message is in the public domain, it can come back to haunt you. This is not generally what people want to hear; it makes them feel less secure, not more. This is the critical flaw in secure e-mail technology.