Encrypted email is for nobody really


Encrypted email (PGP and/or S/MIME). Sounds so secure. But nobody uses it, and it is a security mess! This was illustrated again some weeks ago: A member of the Adobe Security team made a stupid mistake and published the private part of the team’s PGP key on a blog. What it means: With one stupid mistake they gave away the key to decrypt all emails they received in the past! Everything that was ever sent PGP-encrypted to the Adobe Security Team was now compromised. These were security experts!

If even security experts make such mistakes then there is something very wrong. There is a terrible combination of design flaws at work here: There is a lack of usability: Asking people to juggle with cryptographic keys, certificates, copying them, moving them to other devices, sending them to others, is very risky. Using the same key for all emails makes this a game with high stakes.

Sure, some security nerds reading this will say that S/MIME or PGP can work. Indeed in some special settings, with good IT support or with highly-skilled experts, it might work. But in general using S/MIME or PGP for email security is full of risks which are not trivial to address. Sometimes people suggest it is not for everybody. I argue that encrypted email (meaning PGP and S/MIME) is for nobody really: unsuitable for most settings, cumbersome to use, and dangerous in the hands of most users.

Email security

To understand the original attraction to PGP and S/MIME let’s go back to the 90s: Email had just gotten really popular. But its security was a nightmare:

  1. No privacy of emails: Mail servers exchange emails with other mail servers unencrypted over the internet backbone. People had email software installed on their PC, fetching and sending emails unencrypted over the network connection.
  2. No authentication of emails: Every email you got was a complete fake. The sender’s email address could be made up, and likewise the displayed name of the sender. Not even the mail servers between them were authenticating or verifying each other before relaying e-mails.

It was paradise for attackers. Spam and email viruses were abundant. Famous early examples were the ILOVEYOU worm (2000) and the Kournikova virus (2001).

20 years later we have to admit that, inexplicably, email security is still a major issue. Especially in the business world email is still heavily used. And its security flaws are on full display. For a CISO it feels like watching your employees navigate a minefield every day. Most cyber-attacks on an organization, so-called APTs, et cetera, start with a good-looking e-mail. You know something bad is bound to happen, and that there is only so much you can do to limit the damage. The consequences of one bad email can be dire. And there are so many ways for attackers to get a malicious but good-looking email in the inbox of an employee. For a determined attacker spam and phishing filters are not so difficult to bypass.

PGP and S/MIME

In a nutshell the idea of S/MIME and PGP is to encrypt the content of the email, and then send this encrypted blob as a normal email attachment. If you know who has which crypto key, then you know who is sending you emails (via digital signatures), and you know that you are speaking only with them (via encryption). The two major security issues of email that we mentioned above seem solved. PGP uses a grass-roots trust model for linking keys with names, while in S/MIME key distribution is done centrally, hierarchically, by a Certificate Authority.

For a while it seemed a solution. Every self-respecting security professional had their PGP fingerprint on their business card or on their website. Occasionally you still see funny crypto-rituals like PGP key-signing parties. But outside the security community the usage of PGP was always low. The number of keys in the strong set is about 60.000. Whatsapp, by comparison, has 1.300.000.000 active users. Whatsapp implements state-of-the-art end-to-end crypto (the Signal protocol), which is turned on by default and is in many aspects much better than the crypto of PGP.

The main reason for the lack of adoption of PGP is that it is just too difficult to use for normal users, like Johnny. For S/MIME the story is similar: Usability. There may still be some usage in enterprise settings and it can be made to work, but it introduces many problems in terms of functionality, usability and interoperability. Forget using S/MIME across organization boundaries. Tools for the few experts, for a handful of emails.

Recently even the security experts stopped using PGP. Bruce Schneier, a well-known expert, says it is more trouble than it's worth. Moxie, a leading cryptographer, wrote a nice blog post about the problem with PGP and the people using it. Phil Zimmermann, the inventor of PGP, admitted that he stopped using PGP. They advocate switching to using tools like Signal. Easier to use. More secure. Filippo Valsorda, another cryptography expert, warns about the security weaknesses of PGP and recommends against using S/MIME and PGP. Matthew Green, a renowned cryptographer, asked for PGP to die.

IT Security problems with PGP and S/MIME

Here is a short summary of the IT security problems with S/MIME and PGP.

1. Same key for all emails: The same long-term key is used to encrypt all the emails. In technical terms one says that the protocol lacks “perfect forward secrecy”. Using one key all the time means that if at any time the key is captured or cracked, all past and future messages can be read too. If your key can be cracked in the future, or if at any time in the future your device is hacked and the key is captured, all your past messages are readable.

2. Juggling and copying keys: The user needs to move keys around and install copies on different devices to be able to read emails not only on the desktop PC, but also on the smartphone, or tablet. Remember that this key is very critical (see point 1). It is already risky that the user has to juggle with keys (see the Adobe Security Team who published its private PGP key on a blog). On top of this there are copies of keys on different devices. Now if just one of these devices is hacked by an attacker, then the attacker can decrypt all the past messages.

3. Error prone: It is easy to forget to use encryption when sending an email. The best would be to turn it on by default. But this is not an option: S/MIME and PGP are so cumbersome to use and have so many interoperability issues. The conclusion should be that PGP and S/MIME are only safe in the hands of experts with some practical hands-on experience in Operations Security (OPSEC).

4. Leaky: In terms of privacy S/MIME and PGP are really a step back. All the email metadata is still accessible, including the subject line, the sender and recipient email addresses, the mail servers used, etc! The email subject can be left empty or non-descriptive, but this is cumbersome because with PGP and S/MIME the email is encrypted so you can only find emails via the email subject line.

5. Does not scale: PGP and S/MIME severely hamper the usability of email, especially in an enterprise setting where people receive hundreds of emails per week. Searching for an email becomes impossible, except when there is a good description in the subject line. At the same time however a descriptive email subject will leak valuable information to the attacker, because in PGP and S/MIME the subject line is not encrypted. So PGP and S/MIME will only work at a very small scale, for a small number of messages. Using it by default, for example, is a nightmare.

6. Breaks email scanning at the mail server: A crucial feature of email providers is to scan incoming emails for phishing or malware. It is the only way some of the malicious emails can be blocked. Also in an enterprise setting it is crucial to scan emails and email attachments with a couple of scanners, when they come in at the mail server. Webmail without any malware scanning is much like hosting a website full of malicious links and malware, under a trusted URL. PGP and S/MIME make this malware scanning impossible. So PGP and S/MIME should only be used by a small and closed set of users. Best would be not to distribute the public keys too widely, because that makes it easier for attackers to deliver malware, bypassing the centralized email scanners.

7. Poor interoperability: Interoperability of PGP and S/MIME is terrible. Barring some exceptions, the only people who can get PGP or S/MIME to work are people on a PC with traditional client-side email software. Most people use webmail. PGP and S/MIME do not really work with webmail (barring some exceptions). There are often interoperability problems with smartphones. This interoperability problem becomes an IT security risk: You are likely to end up in a scenario where you or your communication counterpart will have to say: “cannot read PGP messages now, please send in clear text”.
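
Points 4 and 5 can be checked on an actual message. The following is an added example, not code from the original post: it parses a constructed PGP/MIME message and a constructed plaintext message with the same headers, and reports what a relay or mail server can read and search without any key. The addresses, subject and placeholder ciphertext are made up for illustration.

```python
from email import message_from_string

# Constructed sample headers and bodies; the ciphertext is a placeholder.
HEADERS = """\
From: alice@example.org
To: bob@example.net
Subject: Draft term sheet for Project Kestrel
Received: from mail.example.org by mx.example.net; Mon, 02 Oct 2017 09:15:02 +0200
MIME-Version: 1.0
"""
PLAIN = HEADERS + "Content-Type: text/plain\n\nWire the deposit on Friday.\n"
PGP = HEADERS + """\
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(placeholder ciphertext)
-----END PGP MESSAGE-----
--b1--
"""

def relay_view(raw):
    """Return (encrypted, cleartext_headers, readable_text) as seen without any key."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    encrypted = (
        (ctype == "multipart/encrypted"
         and msg.get_param("protocol") == "application/pgp-encrypted")   # PGP/MIME
        or (ctype == "application/pkcs7-mime"
            and msg.get_param("smime-type") == "enveloped-data")         # S/MIME
    )
    headers = {k: v for k, v in msg.items() if k in ("From", "To", "Subject", "Received")}
    text = "".join(p.get_payload(decode=True).decode("utf-8", "replace")
                   for p in msg.walk() if p.get_content_maintype() == "text")
    return encrypted, headers, text

def server_search(raw, term):
    """Search what a mail server can index: cleartext headers plus readable text parts."""
    _, headers, text = relay_view(raw)
    return term.lower() in (" ".join(headers.values()) + " " + text).lower()

if __name__ == "__main__":
    for name, raw in (("plain", PLAIN), ("pgp", PGP)):
        print(name, relay_view(raw)[1]["Subject"], server_search(raw, "deposit"))
```

The encrypted message still exposes sender, recipient, subject and relay path, while a search for a word from the body only succeeds on the plaintext copy.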

We could dive deeper and discuss even more issues. For more details, see the funny list of 15 reasons not to start using PGP. It is a refreshing read.

Future of email security

It is easy to see that email is getting replaced by other messaging tools, like social media messaging or apps like Signal and Whatsapp. Usability and security are much, much better than with email. You know for sure who the message came from, and it was delivered in private. Hallelujah. Particularly in the business world, however, we will continue to see some heavy email usage. In the short term email security will remain a very serious problem for most organizations. So let’s conclude by briefly looking at the technologies that are going to improve email security:

  • Webmail: Many consumers, SME’s, freelancers and even businesses are now switching to large webmail providers, aka cloud-based email services. This has a number of advantages: Webmail accounts come with a good mail server, HTTPS is always on, 2-factor authentication is often available, emails are filtered for spam and phishing. Even if a customer sets up a local email client, then most things will be configured automatically, securely. So a user with say a GMail email account is not likely to get into much trouble. When they email from their PC or from their smartphone or from a browser, to some friend or colleague with a webmail address, then it is very unlikely that anything bad happens to the email. Their emails will travel to a mail server, encrypted in transit, to be transferred onward to the right destination, again encrypted in transit, until it lands in the inbox of the recipient.
  • DMARC: The last couple of years some progress has been made to address the lack of authentication of email senders and email servers. The DMARC initiative/standard combines SPF and DKIM. SPF allows a domain to specify which mail servers are legit for submitting emails for delivery. DKIM allows mail servers to add digital signatures to messages they relay – to make sure an attacker cannot pretend to be a legit mail server.
  • Transport Layer Security (TLS): The Snowden revelations about widespread internet backbone sniffing made everyone think twice about the use of SMTP over unencrypted connections. StartTLS is a standard that encrypts connections between mail servers, using the internet’s bread and butter: It is SMTP over TLS. It is being improved continuously. Facebook estimated in 2014 that about 75% of mail servers supported StartTLS, including all the major webmail providers. So the bulk of the email traffic, for the majority of email providers, and the majority of mail servers, is already protected in transit with TLS.
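
To make the DMARC and SPF bullet concrete, here is an added example (not from the original post) that audits the published policy strings of a domain offline. The three domains and their records are constructed samples, the finding names are this example's own labels, and the check covers only the published DMARC and SPF policy, not DKIM signatures or live DNS.

```python
def parse_tags(record):
    """Split a DMARC 'tag=value; tag=value' list into a dict."""
    pairs = (item.split("=", 1) for item in record.split(";") if "=" in item)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_dmarc(record):
    """Return findings for a domain's _dmarc TXT record (None = not published)."""
    if record is None:
        return ["no-dmarc-record"]
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not-a-dmarc-record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("invalid-policy")
    elif policy == "none":
        findings.append("policy-none-monitoring-only")   # failures are reported, not blocked
    elif tags.get("pct", "100").isdigit() and int(tags.get("pct", "100")) < 100:
        findings.append("policy-applied-to-partial-traffic")
    if "rua" not in tags:
        findings.append("no-aggregate-reports")
    return findings

def audit_spf(record):
    """Return findings for a domain's SPF TXT record."""
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["not-an-spf-record"]
    if any(t.startswith("redirect=") for t in terms):
        return []  # policy lives in another record; not followed offline
    alls = [t for t in terms[1:] if t.lstrip("+-~?") == "all"]
    if not alls:
        return ["no-all-mechanism"]
    qualifier = alls[0][0] if alls[0][0] in "+-~?" else "+"
    return {"+": ["all-hosts-authorised"], "?": ["neutral-default"],
            "~": ["softfail-default"], "-": []}[qualifier]

# Constructed sample records for three hypothetical domains: (DMARC, SPF).
SAMPLES = {
    "strict.example": ("v=DMARC1; p=reject; rua=mailto:dmarc@strict.example",
                       "v=spf1 ip4:192.0.2.0/24 -all"),
    "monitor.example": ("v=DMARC1; p=none", "v=spf1 include:_spf.monitor.example ~all"),
    "absent.example": (None, "v=spf1 +all"),
}

def audit_all(samples=SAMPLES):
    """Map each domain to its combined DMARC and SPF findings."""
    return {d: audit_dmarc(dm) + audit_spf(spf) for d, (dm, spf) in samples.items()}
```

An empty list means the domain publishes an enforcing DMARC policy with reporting and an SPF record that ends in a hard fail.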

Of course a lot remains to be done. Particularly the uptake of DMARC is still shockingly low. It is not implemented by 90% of Fortune 500 companies. Email will remain an Achilles heel for some time to come. Hard to explain how the entire IT security industry has not managed to secure the (rather simple) use case of opening an email yet. But with StartTLS and DMARC things are moving in the right direction: friction-less, always-on, for all emails. So stop asking for PGP and S/MIME.
