Search Mailing List Archives

Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] 10 reasons not to start using PGP

Gregory Maxwell greg at
Fri Oct 11 10:52:44 PDT 2013

On Fri, Oct 11, 2013 at 10:24 AM, Tempest <tempest at> wrote:
> Gregory Maxwell:
>> My other big technical complaint about PGP is (3) in the post, that
>> every encrypted message discloses what key you're communicating with.
>> PGP easily _undoes_ the privacy that an anonymity network like tor can
>> provide.  It's possible to use --hidden-recipient but almost no one
>> does.
> i am often a bit confused as to why people take issue with the fact that
> gpg/pgp isn't anonymous. i don't recall the technology ever being
> proposed as such. rather, effort was made to have mechanisms to verify
> the identity of a sender. however, if one creates an identity and
> keypair that as only been used over tor, what's the problem? creating
> and maintaining anonymity is an entirely different subject that gpg/pgp
> was not created to address.

Security is a complicated subject. The exact properties you need to be
secure depend on your threat model.

You add encryption via PGP because you know you need encryption in
order to be secure against your threat model.  But without it being
very obvious PGP has written a long term identity fingerprint encoded
in the opaque base64 data which distinguishes your messages by

This long term identity key can _increase_ your vulnerability to
traffic analysis over using nothing at all. It does so invisibly to
many users. It may be a very bad thing for your threat model.

I think communications security tools ought to avoid increasing
vulnerability to any common threats to the greatest extent that they
can, and when they must compromise they should make it obvious.

Both for non-repudiation and resistance to traffic analysis PGP
dramatically reduces user security and does so in a way which is not
obvious to any except the most advanced users. Both of these could be
fixed with basically no user impact: Make hidden-recipient the default
and allow optional clear-text recipient list on ascii armored output;
add an "authentication" mode which is used by default instead of
signing for encrypted messages that uses ring signatures (and don't
allow unauthenticated encryption, geesh).

> effort was made to have mechanisms to verify the identity of a sender

PGP actually has no mechanism for that. Thats authentication. Instead
PGP substitutes non-repudiation for that purpose, which is a superset
of authentication which reduces security in many situations.  PGP
provides basically no way for me to convince you that I'm the author
of a message without also making it possible for you to prove it to
the whole world. Sometimes you want this— for contracts and such— but
usually you just want authentication.

> "if one creates an identity and keypair that as only been used over tor"

Say you are a famous anonymous developer that creates software for
dissidents to help them connect to tor.  You have a nice anonymous key
that is well known to belong to you.

Do you think any of your users should want to send you email to
anonymous one time use tech support mailboxes using that key, provably
showing they were communicating to you to anyone who can monitor their
email?  Do you think your users will even realize that sending you
messages will expose them?

More information about the liberationtech mailing list