A trenchant summary of frequent criticisms towards PGP

The aim of this article is very clear right from the start: to convince the readers not to use PGP. To do so, the authors enumerate a long list of criticisms that are not new. Reading this offers a argumentative recap of established criticisms of PGP. In this article, PGP refers both to the IETF standard and its implementations (although the authors only mention GnuPG). I just quote some points the authors address, without making a stand (not my role):

  • "Designed in the 1990s": "No competent crypto engineer would design a system that looked like PGP today, nor tolerate most of its defects in any other design."
  • "Absurd complexity"
  • "Swiss Army Knife Design": basically, you can do many things, but none of these things work well.
  • "Mired In Backwards Compatibility": PGP still support obsolete functions and algorithms.
  • "Obnoxious UX": the usability is very poor.
  • "Long-Term Secrets"
  • "Broken Authentication" (since the 2000s)
  • "Incoherent Identity": "PGP is an application. It's a set of integrations with other applications. It's a file format. It's also a social network, and a subculture." They also criticize the web of trust and key distribution mechanisms.
  • "Leaks Metadata"
  • "No Forward Secrecy"
  • "Clumsy Keys" (because of the many possibilities)
  • "Negotiation": "If we've learned 3 important things about cryptography design in the last 20 years, at least 2 of them are that negotiation and compatibility are evil."
  • "Janky Code": harsch criticisms towards GnuPG, the "de facto implementation of PGP". Many CVEs, bugs and so on.

Some of these points are really not new. Long-term secrets and forward secrecy were for instance addressed in 2004 in a publication that present OTR as a counterpoint of PGP. In addition, Matthew Green and Moxie Marlinspike also mentionned similar criticisms about forward secrecy, and most importantly complexity in respectively 2013 and 2015. Common controversies about one of theses issues (especially about difficulties to correctly use GnuPG and to choose the right algorithms among different communities like the GnuPG-users mailing list).


Analytic (Question)





Creative Commons Licence