Paul M Furley

Thoughts about decoupling PGP and email clients

Thanks to the Bitmask session at the Internet Freedom Festival 2016 for starting me off thinking about this.

I want to see widespread adoption of end-to-end email encryption. Email is brilliant, it’s not going away, and it’s fast becoming the least-secure part of our Internet lives.

Why can’t I opt in to PGP-encrypted bank statements by email? Why can’t I exchange encrypted emails with my mum?

This post is some ideas about getting non-geek users using PGP. To keep things simple let’s imagine an Apple user who currently uses Apple’s mail clients on the desktop and phone.

I believe if we want to gain mass adoption of end-to-end email encryption, we need to do two things:

  1. Hide encryption from the user.
  2. Stop trying to build PGP into mail clients.

Hide it from the user

The first point has become obvious thanks to services like iMessage and WhatsApp which just went ahead and built end-to-end crypto and barely told anyone about it. They hid the crypto bits rather than making the user understand them. They had the advantage of using a centralized public-key infrastructure, so we have to trust them not to screw us over.

On the second point, ordinary users are not interested in learning about public/private key pairs or verifying key fingerprints. Let’s not make them.

One of the objections I hear about hiding crypto goes along the lines of “then it’s easy to man-in-the-middle those users, so there’s no point doing it”.

Yep, if we automate and hide the hard stuff, those users will have a less secure PGP experience than us geeks, but it’s a lot more secure than what they’re currently doing!.

Let’s stop aiming for perfect. Today everything is broken. Tomorrow, let’s aim for slightly less broken.

Stop trying to build PGP into mail clients

Apple make beautiful mail clients that people like to use. Their mail clients don’t support PGP. Should I really be telling my friends and family to switch to Thunderbird and install this weird plugin called Enigmail?

And what’s the story for mobile? Go and download another unfamiliar application, then get the app that syncs your keys, uhhh…

There are always going to be beautiful mail clients that don’t care to support PGP. The skills required to make a beautiful mail clients are quite different from those required to implement PGP.

Mailpile is a valiant effort to do both - hooray to those folks - but I’ve come to believe that’s the wrong approach.

I think we need to de-couple the mail client and the PGP capability.

Personal PGP Proxies

How about this: every company, family or close organisation gets their own “PGP proxy”. This is a small, publicly routable computer which performs several functions:

For example, I can set up a PGP proxy for my family and reconfigure the SMTP and IMAP settings in my family’s mobiles and desktops to point at the proxy.

When my Dad sends my Mum and email, it goes like this:

Mum’s inbox now receives an encrypted email. This would look bad if she logged into webmail, but that’s OK because her mail client & PGP proxy do a similar dance for receiving the email:

Now Mum sees the exact same email that Dad originally sent. Neither knows that Google didn’t get to read their email on this occasion.

Problems

There are some problems with this scheme:

And probably a load more.