The defense of GnuPG

For several years, there has been an uprasing against GPG. Every now and then someone writes up a blog post and condemn OpenPGP and it’s implementations for being too hard to use or too easy to mess up. The GPG side is mostly silent. So, this article is in defence of GPG.

Main points made against GPG can be listed like this:

  1. GPG is too complicated for “normal” users
  2. Because GPG is too complicated, it’s userbase is minuscule
  3. Email is inherently impossible to secure so don’t even bother encrypting it. Just abandon GPG
  4. Nobody bothers to read emails of “normal” people so don’t encrypt
  5. TLS has done much more for email security than GPG
  6. GPG is error prone and security wise it is dangerous for people to use it when actual security is needed
  7. For various reasons, only cryptonerds use it and take pride on GPG so it is lame
  8. GPG’s trust model (web of trust) is broken and only cryptonerds are keeping it alive
  9. GPG is old
  10. There are better [insert anything involving app like crypto tool] why bother with GPG
  11. GPG crypto has [Insert any long term RSA based cryptography’s short comings and trust problems] why not use modern crypto

During these discussion, these point are mostly assumed to be true;

  1. People are stupid and lazy so are the users of encryption tools
  2. Since users are stupid and lazy tools should be designed keeping that in mind
  3. Designing for stupid and lazy requires stripping people from anything than needed(i.e freedom)
  4. If security is not absolute it is worthless
  5. If privacy is not absolute, anonymity is worthless
  6. If your adversary cannot compromise of your security then there is no need for GPG even for privacy

What’s The Problem

We name periods of human history by their defining property. That property is mainly what drives human society and culture at that current age. The iron age was shaped by the superiority of iron as a material for weapons and agricultural tools. Today’s digitally shaped age is called digital feudalism and it governs our lives. Just like regular feudalism the resources of society is controlled by few, generated by many and the feudal lords of ours claim their right to their thrones through their infrastructure.

We as users are fueling the rise of the digital technologies but handful of companies are controlling and profiting from it. Just like peasants of the middle ages, you are seen as basic people who cannot understand the complex life that only a few selected elites can. It is what you are asusmed to be: simple people who wants simple things, like “apps” that will give you what you assumed to need and nothing more. It is the same old condescending view of serfs, now given to you by companies, ignorant and arrogant developers and overall by capitalism.

Today saying “what do I understand about computers” is equivalent to saying “I don’t know how to light a fire” in stone age! Just because someone might be feeding you back in those days did not mean that you could survive on your own. The same applies to current digital age. Just because someone is doing stuff for you does not ensure your digital survival. There was no easy way to light a fire back then and there will be no “press this button” easy way to take back the power in the digital age. Whoever claims people want or need only simple stupid apps and whoever denies the fact that we are living in digital feudalism are building a dystopian future where few elite unprecedentedly controls the future. Self determination is never given by anyone but can only be taken by everyone!

This ideology that “people are stupid” and “people want easy(read:stupid)” things dominates today’s end user software development. Good UX does not equal to simple. The real meaning in these expressions is: “you are too stupid to take responsibility for your self and to understand what’s going on, so we as technological elites will take care of you”. This is what’s the base of almost all GPG related criticism. GPG is too hard for people!

PGP, the preceder of GPG, was conceived in 1991 and this era was shaped by hackers. Not the hackers that main stream media shows in black hoods and authorities around the world paint as people with no moral boundaries. Hackers are the people who playfully expanded what is available to what is possible. This attitude brought general public; personal computers, GNU/Linux operating system that are now powering almost every backbone in the world, 3D printers etc. PGP was shaped by the empowerment of that era, not the “there is an app for that” era of today which is shaped by multi-billion dollar cooperation built upon the cultural and technological accumulation of hackers.

That brings us to the point: GPG is hard for people, but so were the general purpose computers around 20 years ago. Everything requires individual dedication and determination to learn and maintain. What happened with computers is that some people capitalised on the opportunity, poured money into devices and after hundreds of hours long R&D those computers became “easy”. The outcome of that process was loss of the right to fix, more enclosed and restricted user environments and computers that works against us! So those who invested in computers can profit from their investment.

The same problem also exists for encryption. There was no real incentive for capitalists to invest in publicly accessible encryption. Solid encryption would make reaching data possible only for the user who owns it and this would be counter intuitive to the interest of capitalism. But today there is an incentive: people are afraid of what our digital world has become. They are afraid of their government’s abuse of power, they are afraid of companies taking advantage of their lives, they are afraid that their involment in democracy will be lost. People are afraid and there is no better time to sell something. That’s why Apple is now selling privacy as a product and that is why every communication service regardless their privacy invasive tendencies are promoting encryption. What is missing is that people are still an object in this case. Whoever holds the key holds the future and there is no alternative to GPG that gives the user the best self determination!

So, how is GPG doing while the craze to own next killer encryption app continiue? Werner Koch, is the single person maintaining GPG. He was almost about to give up on GPG for economic reasons when the Snowden incident has chanced his decision. The world’s whole server infrastructure security and personal freedom rests on his shoulder and he had to ask for help. It is a huge difference in investment/impact ratio when compared to every other encryption tool. GPG exist by determination and not through capital pressure.

In every “GPG is dead” cry almost always includes some killer new technology that makes more sense than GPG. Let’s talk about them for a while.

Signal

A big hit in secure instant messaging. Signal is build upon proprietary software Textsecure and RedPhone that had been once developed by Moxie Merlinspike and his co-founder Stuart Anderson. Signal Protocol utilizing double ratchet encryption is a game changer for modern connectivity and implemented in several applications. Signal applications and server code is free software but their developers and business model is not. It is yet another walled garden with no federation and claiming GPG is dead.

Matrix Protocol

Matrix protocol is an open standard for general communication needs. Like XMPP -Extensible Messaging and Presence Protocol- it is designed to be implemented widely and serve various modern needs of communication. End-to-end encryption is falling behind and there are still implementation problems but if everything goes well Matrix Protocol could be a modern free future for communication. The only problem is that Matrix Protocol is still an instant communication system and the cryptography behind it is specialized only for that purpose.

[Insert Any App or Protocol]

Almost all have some of these short comings:

Modern messaging softwares do have merits that are desirable such as forward secrecy, recent algorithms with shorter keys(read: not necessarily more secure) and more frictionless key management(which heavily depends on central key servers and personal data). All these merits are, to some degree, desireable for GPG too but those tool’s have different design requirements than GPG. GPG can and will become better at most points. When the case is single person against a multi-billion dollar industry, this should not count as a fair trial.

What GPG is offering in exchange is freedom, not just another “app” that walls it’s users in and here is why:

GPG giving you the TOTAL control of your key and identity

This primary point is so important, the rest seems moot. GPG is the most liberating piece of software EVER. What GPG is capable of and how it is implemented almost always secondary to the fact that you as the user in need of cryptography control the key. You can export it, expand it, change it, renew it, print it on paper, revoke it. The fact that you own and control your key actually makes it possible for you to build your identity around that key. This is almost like being your own certificate authority and issuing your certificates as you please.

This comes with the trust problem of cryptopgraphy. If anyone can generate a key with any metadata, then who is deciding on a particular key belong to an individual. The answer is no one and everyone. Web of trust is an answer to this question for most part. You basically sign keys of people who you know and the people who trust you, trusts your friends.

This implementation is considered broken by a lot of people and there is a natural down side of making your social network public. That being said building trust around a key is not easy and nothing is easy if you want to be in charge. Keybase is building a suplemental key trust model by social media accounts and devices, Openpgp keyservers implement stricter rules for key acceptance but it is not open to federation.

Most people thinks a company or a government should be in charge of the identity of people but that maliciously failed many times and cannot be considered an ultimate solution. Even if a new solution comes and makes it relatively easy to trust a key, Web of trust will still be the most liberal way of trust in the light of a hostile digital world when people become diligent enough.

GPG is so adaptive and comprehensive one can use it almost any way required.

Since GPG is adaptive, with a single key one can manage a lot of applications. You can encrypt files, encrypt emails, encrypt your incoming mails, encrypt your backups, sign your code, SSH into servers, prove your identitiy, prove your statements authenticity, store your passwords, encrypt your Facebook notifications and even encrypt your instant messages.

All these functions have been added in recent years and more are probably on the way. You can even encrypt your message and SMS or mail it if all Internet connectivity has been cut off!

GPG is single source of concern

Being in control of your key also enables you to use and tie wide array of possible uses to your key. You can use it for SSH, sign your code, use it as a trust source for your actions, use it to encrypt anything and store them anywhere without the fear of loosing your access to the data. While utilising this wide range of options you don’t have to deal with multiple softwares and keys. One key backed up safely will handle EVERYTHING! The size of that key or what other marginally safer algorithm does not matter much.

You only have to keep one key file that is basically your identity and need only worry about that. Every dedicated app will generate a purpose built key for their functions and if you are not willing to take care of it either your key will be uploaded to a server in the name of “user friendliness” or you will loose your data if you ever loose your devices. A GPG key on a Yubikey or a smartcard will manage all your identity and encryption needs. It is just convenient.

One of the basic criticisms of GPG is around it’s use of long term keys and lack of forward secrecy. This is actually a feature not a bug. One can be certain that a GPG key will decrypt a data that has been encrypted with it in the future. Most of the given practical examples to support this critisim are around how NSA stores every ciphertext and if ONE DAY a key is compromised then the whole communication will be too. This way of thinking misses one fundamental point. Not everyone is an active target of NSA and just because something is possible it does not mean that it will happen. Suggesting to abandon GPG because a compromised key will lead to decryption of all past ciphertext is like deleting every email the moment it has been read since loosing your password to you email account will compromise every email of yours. Anyone who needs a NSA level of security will probably know how to handle keys or can find more suitable tool for their need. There are 8 billion other people on this planet who need daily protection from less capable adversaries such as corperations, employers, governments etc.

GPG is not platform bound

GPG is not an “app” that you download and use as it allow. Even conceived as an email encryption tool, GPG is not exclusively build for that purpose. You can simply use GPG as you please on any platform that is capable of transmitting text and data. The use of GPG is not bound to email so the privacy and security problems associated with email is not directly GPG’s problem. GPG can and is mitigating a lot of problems email posses, not creating new ones. Not encrypting email does not make email any safer or private to use and there are no alternatives yet.

This fact is also under heavy criticism. The main suggestion is that one can advise someone to install just “x” and it would simply work but with GPG there are a lot of confusing options or GPG’s UI is bad. Openkeychain has changed most of that UI shaming and became the most user friendly GPG client and Kleopatra as an GUI is crossplatform and quite easy to use (it is even accepted as secure by Germany). They are relatively easy to use compared to other options. Comparing a walled garden encryption service with GPG and finding GPG not user friendly is improper because the main goal is totally different.

GPG email is not dead

GPG is still one of the most used cryptographic tool on Earth. GPG is seamlessly securing package management of GNU/Linux distros which secures almost all Internet servers. Protonmail, a secure e-mail startup implemented OpenPGP in their system which boosted GPG usage for e-mail to another level even though their key management is centralized. Thunderbird and Enigmail have plans to merge and create an almost seamless encrypted e-mail client. Even strong set of GPG keys on keyservers are grown

This is why GPG is one of the most liberating piece of software that has ever existed in digital age. You and only you get to choose how you are going to use it and nobody, not the server, not the owner of the “app” and not the government have any say in it.

GPG is not a definitive or an end-of-all encryption tool. It does fill a good portion of security needs and identity problems of people and priotize freedom of the users. People may not seem to care about their freedom much today, yet anytime someone restricts their access to a function of an app or to the app itself, they realise they do not own the tools that they need to survive this digital age. To stop people from using GPG there is no way; no server to ban, no coorperation to pressure, no single medium to outlaw. GPG survived the first Cryptowars and it will be there when the one thousandth “app” bites the dust because behind GPG there is an idea and ideas are bulletproof.

03.04.2020

Further reading

https://signal.org/blog/the-ecosystem-is-moving/
https://matrix.org/blog/2020/01/02/on-privacy-versus-freedom/

https://latacora.micro.blog/2020/02/19/stop-using-encrypted.html
https://blog.cryptographyengineering.com/2014/08/13/whats-matter-with-pgp/
https://blog.filippo.io/giving-up-on-long-term-pgp/
https://blog.gtank.cc/modern-alternatives-to-pgp/
https://www.swalladge.net/archives/2020/02/19/goodbye-pgp/
https://www.ctrlc.hu/~stef/blog/posts/on_pgp.html

https://web.archive.org/web/20190301083529/https://blog.whiteout.io/2015/02/25/pgp-theres-life-in-the-old-dog-yet/
https://protonmail.com/blog/pgp-vulnerability-efail/
https://web.archive.org/web/20131009142806/https://www.rubygems-openpgp-ca.org/blog/theres-trust-and-then-theres-trust-and-then-theres-trust.html


More articles you may like