Refuting PGP FUD and misinformation

A lot of so-called “security experts” on the internet have written articles spreading fear, uncertainty, and doubt over the Pretty Good Privacy cryptosystem. Their arguments are often half-truths or simply plain misunderstandings of the PGP standard. Here I will dismantle some of the most common criticism I’ve seen against PGP.

Just because something is old doesn’t make it bad. It makes it mature. In fact, I’d argue you shouldn’t use something just because it’s newer than another option, as the newer option likely hasn’t been as thoroughly tested yet.

Yeah, OK. But maintaining backwards compatibility with the first ever revision of a cryptosystem isn’t something that needs to be done. The argument is often framed as if you must implement perfect compatibility with every single previous revision or nothing. Not even TLS (Transport Layer Security) does that. We turn off or compile out support for older ciphers that have been broken as new ones develop. We don’t need to completely start from scratch every time a vulnerability is found in a cipher. I’d argue the people who go off and make their own tool because of this are suffering from NIH (Not Invented Here) syndrome (https://en.wikipedia.org/wiki/Not_invented_here), when that time and effort would have been much better spent creating and submitting a patch to GNU Privacy Guard so that everybody can benefit from it and easily integrate those fixes. Instead we have more fragmentation and the issue doesn’t get fixed.

First I should define what Forward Secrecy is in crypto. It basically means that you can only decrypt with a transient key that expires after a short amount of time, like days. This is not what you want for PGP. People generally want to view past emails and be able to read their previous file backups. Forward Secrecy does not belong in a tool such as GnuPG. It belongs in the network transport layer, such as TLS, which encrypts the network connection from the server to the client or the server-to-server connections, not the emails themselves. Otherwise you wouldn’t be able to access the emails in your inbox after you’ve read them or once they get older than a few days.
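
The contrast described above, as an added example that is not part of the original post: a message encrypted to a long-term key stays readable from an archive, while a session keyed only by discarded ephemeral keys does not. The toy Diffie-Hellman group, the SHA-256 keystream and every function name here are assumptions made for the demo; this is not how GnuPG or TLS implement it.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, constructed for this demo: far too small for real use.
P = 2**127 - 1  # a Mersenne prime
G = 3

def keypair():
    """Return (private, public) for the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def derive_key(priv, peer_pub):
    """Hash the DH shared secret into a 32-byte symmetric key."""
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()

def xor_stream(key, data):
    """SHA-256 counter-mode keystream XOR (demo only, unauthenticated)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def stored_message(recipient_pub, plaintext):
    """PGP-style: encrypt to the recipient's long-term public key."""
    eph_priv, eph_pub = keypair()  # sender's one-shot key; private half is dropped
    return eph_pub, xor_stream(derive_key(eph_priv, recipient_pub), plaintext)

def forward_secret_session(plaintext):
    """TLS-style: both sides use ephemeral keys that are discarded afterwards."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    ct = xor_stream(derive_key(a_priv, b_pub), plaintext)
    assert xor_stream(derive_key(b_priv, a_pub), ct) == plaintext  # live peer reads it
    return a_pub, b_pub, ct  # only the public transcript survives the session

def demo():
    long_priv, long_pub = keypair()  # recipient's long-term key
    msg = b"constructed sample: quarterly backup manifest"
    eph_pub, archived = stored_message(long_pub, msg)
    a_pub, _b_pub, recorded = forward_secret_session(msg)
    opened = xor_stream(derive_key(long_priv, eph_pub), archived)
    guess = xor_stream(derive_key(long_priv, a_pub), recorded)
    # The long-term key still opens the archive, but not the recorded session.
    return {"archive_readable": opened == msg, "session_readable": guess == msg}
```
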

I think this comes from people perhaps using email wrong, like an instant messenger rather than as electronic letters. Use XMPP for instant messaging. It’s a standard much better suited to that use case. You can even use OTR and OMEMO on XMPP clients, which are designed for back-and-forth instant messaging. Though OMEMO is still experimental, hopefully that could improve in the future as more testing is done.

Yes, something specialized is always going to be better at whatever specific things it’s designed to do than a generic tool, but it’s also more costly to implement and less flexible than a generic solution. PGP doesn’t claim to be the perfect solution to everything. In fact it literally stands for “Pretty Good Privacy”. And that’s what it does: it offers a generic Pretty Good Privacy solution.

This is so vague a criticism that it’s hard to know what exactly they are talking about. I think it’s a complaint about proprietary PGP implementations or PGP on proprietary platforms. In that case, just use GNU Privacy Guard. It could not get simpler than gpg --encrypt yourfile.tar and gpg --decrypt yourfile.tar.gpg.

As for how difficult it is for some people to set up GPG on their machines, that’s not PGP’s fault. Blame monopoly operating system vendors such as Microsoft (Windows) or Apple (OSX) for not including GnuPG or a PGP implementation in the base system or default install of the operating system, as every Linux distribution or BSD system does. The reason those corporations don’t implement PGP is that they have skin in the game on being able to spy on their users, usually being funded by or partnered with the AdTech or Mass Global Surveillance industry in some way. Microsoft Corporation, we know from the Snowden leaks, has been a member of the PRISM mass surveillance program since at least September 11th 2007, and Apple Corporation since at least October 2012.

It’s not in their business interest for their users to have actual security and privacy. You should not be getting your privacy advice from members of PRISM or advertising agencies such as Google and Yahoo Corporation.

So why do people drag PGP under the bus anyways?

Well, oftentimes if you look into the background of the people spreading FUD about PGP and GNU Privacy Guard, they have something they want to sell you. The last time someone came to me and told me FUD about it, I asked why they thought that and who told them that. They told me Moxie Marlinspike. Moxie is a self-proclaimed “security expert” who’s got a product to sell you. It’s called Signal: a proprietary, centralized walled garden instant messenger that sends all your chats up to servers you don’t host or have any control over, but Microsoft does. It’s also not federated, so there’s only one client and one server. It auto-updates, meaning the code can change at any time, and it’s distributed via Google Play Services, meaning it requires you to install Google spyware on your machine and allow Google to track you, even pushing updates to your specific device.

From the GnuPG FAQ page https://gnupg.org/faq/gnupg-faq.html#fraudsters

4.2 How can I spot the charlatans?

First, beware of all absolutes. Almost every question in either the fields of computer security or cryptography can honestly be answered with, “it depends.” Real experts will avoid giving blanket yes-or-no answers except to the simplest and most routine of questions. They will instead hem and haw and explain the several different factors that must be weighed. Hucksters will promise you absolute truth.

Second, the experts really don’t care whether you take their advice. Hucksters often want to be seen as authorities, and if you fail to take their advice they may harangue you about how you’re taking chances with your data, how you’re acting irresponsibly, and so on.

Third, experts genuinely don’t want you to trust them. An expert will instead point to the published literature (usually in a dead-tree edition with the imprimatur of a reputable publishing house) and tell you what the reference books say. They want you to trust the reference books, not them. Hucksters will go on about their extensive personal experience or refer to papers that have only ever been self-published on websites.

Fourth, experts try not to scare people. The world is a scary enough place without it being made moreso. Hucksters will try to scare you, in order to keep you listening to them and dependent on them for information on how to be ‘safe.’

Fifth, experts will quickly admit when they are wrong and give credit to the person bringing the error to their attention. Hucksters tend to take challenges as personal affronts.