Yesterday, I read an article, “We’re calling it: PGP is dead,” written by Amit Katwala of Wired magazine. Amit voiced not just his own call to let PGP die, but Matthew D. Green’s as well. I also read the white paper, which disclosed three distinct attacks: a direct exfiltration attack, an attack on S/MIME, and an attack on OpenPGP. The most serious one is the S/MIME attack, because S/MIME is widely used by militaries and governments and it looks like it may not be fixable at the moment. The media’s fixation on PGP is therefore misplaced, since PGP itself is not actually broken.
I did take Matthew Green’s argument for letting PGP die as something to think about. But email is not dead, and it will continue to grow its user base: The Radicati Group forecasts that the cloud-based business email market will reach US$34.8 billion next year. Demand for email security will not decrease, so PGP remains, to this day, the best way to encrypt email and, if implemented properly, is both secure and reliable. In the meantime, the community is already working on patching the PGP EFAIL vulnerability, and statements have been released.
I want to point out to those concerned about the future of email security that Ladar Levison and Princess are doing some serious work on the development of the Dark Internet Mail Environment (DIME). They are working on the world’s first end-to-end encrypted email protocol, coined ‘Email 3.0’, which will secure email like never before. They are building this new email protocol from the ground up. (Here is the DIME white paper.)
A full implementation of DIME/Dark Mail is still down the road, but they are closer than ever to making it available to everyone. Nevertheless, DIME is the best alternative to PGP. DIME has several advantages over plain PGP/SMTP or S/MIME. With DIME, the entire email message is encrypted. There is a single clear piece of data that indicates the destination server, the destination mailbox is encrypted against the destination server’s public key, and only the sender and recipient users are able to decrypt anything else in the message. Also, DIME hides metadata in an email message, making capturing information about the email being sent ——.
I do see that, down the road, users would still utilize PGP/GPG with the DIME protocol to send emails securely. PGP is not dead.