Pretty Good Privacy (PGP) is an encryption method which these days is mostly used for signing software rather than for its original purpose as a communication tool. On the dark web, however, PGP is used far more often than on the rest of the internet, just as the cypherpunks intended back in the 90s—for encrypting email messages.
On the dark web, PGP is a safe way of communicating sensitive information such as a real name and address to a vendor on a marketplace following a purchase.
Lately though, PGP as a security standard has hit a speed bump after security researchers revealed that there may have been a serious security flaw within the system.
It’s a bit of a wake-up call. Nothing is completely safe. It was speculated that using this flaw, a computer could be forced to decrypt previous PGP messages, which would have had a disastrous effect for users who are active on the dark web, while concurrently it may have provided law enforcement with the ability to unlock servers from marketplace seizures full of information encrypted using PGP.
These fears were later dispelled but not without scaring everyone into taking a step back and considering the glass house in which we all reside.
We’ve completed a guide to get you started using PGP if you have a few questions regarding its use.
It’s an important skill worth having if you’re communicating with anyone on the dark web, though it does of course have its limitations.
The Initial Vulnerability Press
Recently, researchers advised that those who use PGP and the email standard S/MIME to send secure emails should cease use and disable the feature until further notice. This sparked interest and sent the Twitter community of information security people into a feeding frenzy.
The researchers decided that they would disclose the full paper quickly, after they had allowed companies that deal with PGP encryption to look inward first. In essence, the flaw was said to reveal in plaintext the encrypted emails of a victim, including all the encrypted emails sent in the past.
This is where the flaw might have done serious damage to anyone using PGP on the dark web, if their emails or messages were sitting dormant on some lost system, or worse, on their own system already seized by law enforcement.
Against this compelling news narrative came a damning statement from the creator of PGP, cryptologist Phil Zimmermann, who took aim at the digital rights group the Electronic Frontier Foundation.
In a letter he co-signed, Zimmermann said that the EFF’s decision to advise people who rely on PGP to simply disable the protocol until further notice may be incredibly dangerous. It is a sign of the times in a world where we’re unable to trust anything we read, and when it concerns something like encryption it’s difficult not to be jolted a little.
It puts you on the back foot, even if the reality regarding the severity of the flaw is not as it was originally portrayed.
The Research and Rebuttal
It turns out that the vulnerability does not actually lie in the PGP encryption backbone (thankfully), which was the industry’s immediate fear and conclusion (a conclusion it rightly jumped to, given the amount of noise coming from high places about this).
The reality is that this flaw concerns older mail applications, applications such as Mail, Thunderbird or Outlook that may not have been updated appropriately.
Those within the PGP community immediately condemned the report published by the security researchers and quickly demonstrated that the flaw exploited the email program itself: the program did not correctly handle the error messages produced by the Modification Detection Code (MDC) feature, and showed the decrypted content anyway.
The attack itself has been dubbed Efail, and more technical information can be found here. The crux is that this is an email application flaw, not a PGP flaw.
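The correct client behaviour described above, in the form of a small POSIX shell wrapper around the gpg command line that the cut-and-paste workflow already uses: plaintext is released only when GnuPG reports a good MDC and a successful decryption, and any MDC error or absence is treated as tampering. This is an added example, not code from the article or from the GnuPG project; it assumes the documented `--status-fd` keywords GOODMDC, BADMDC, ERRMDC, DECRYPTION_OKAY and DECRYPTION_FAILED, and the status transcripts below are constructed, not captured from a real run.

```shell
#!/bin/sh
# Added example: honour GnuPG's MDC status instead of ignoring it.
# Assumes gpg(1) --status-fd keywords GOODMDC, BADMDC, ERRMDC,
# DECRYPTION_OKAY and DECRYPTION_FAILED (see GnuPG doc/DETAILS).

# mdc_verdict STATUS_TEXT: prints "ok" or "reject"; returns 0 only for "ok".
mdc_verdict() {
    status="$1"
    # Any explicit integrity or decryption failure is fatal.
    case "$status" in
        *"[GNUPG:] BADMDC"*|*"[GNUPG:] ERRMDC"*|*"[GNUPG:] DECRYPTION_FAILED"*)
            echo reject; return 1 ;;
    esac
    # A message with no MDC at all cannot be trusted either.
    case "$status" in
        *"[GNUPG:] GOODMDC"*) ;;
        *) echo reject; return 1 ;;
    esac
    case "$status" in
        *"[GNUPG:] DECRYPTION_OKAY"*) echo ok; return 0 ;;
        *) echo reject; return 1 ;;
    esac
}

# safe_decrypt FILE: decrypt to a temp file and show it only on a clean verdict.
safe_decrypt() {
    out=$(mktemp); st=$(mktemp)
    gpg --batch --status-fd 3 --output "$out" --decrypt "$1" 3>"$st" 2>/dev/null
    if mdc_verdict "$(cat "$st")" >/dev/null; then
        cat "$out"; rm -f "$out" "$st"; return 0
    fi
    rm -f "$out" "$st"
    echo "refusing to show plaintext: integrity check failed" >&2
    return 1
}

# Constructed status transcripts (what gpg writes to fd 3), for illustration.
GOOD_STATUS='[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] PLAINTEXT 62 0
[GNUPG:] GOODMDC
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] END_DECRYPTION'
BAD_STATUS='[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] PLAINTEXT 62 0
[GNUPG:] BADMDC
[GNUPG:] DECRYPTION_FAILED
[GNUPG:] END_DECRYPTION'
NOMDC_STATUS='[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] PLAINTEXT 62 0
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] END_DECRYPTION'
```

The Efail clients failed at exactly the step `mdc_verdict` enforces: they had the BADMDC verdict available and rendered the plaintext regardless.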
Why Dark Web Users Are Likely Safe
On the dark web, users rely heavily on PGP to encrypt messages that contain very sensitive information.
But it’s very rare that users are using a mail application to perform the encryption; rather, dark web users are using a “cut and paste” PGP feature from a Linux flavour, such as Tails.
Regardless, the threat is real, and this demonstrates that every system we decide to put our faith in—especially if that faith involves a threat to our freedom—should be trusted only at arm’s length. It is of course difficult to maintain a perfectly bulletproof system: security is about managing the threat, not eliminating it.
There are two things that stick out from this news item which we need to keep close in our thoughts: that no security measure is perfect, and that the news is difficult to always trust.
The first is a real reminder, one that this time will likely have little damage, but one that touches close to an encryption standard that the dark web desperately relies on to function.
Without PGP—without solid encryption—it would be difficult to get anything done on the dark web. It would be difficult to interact, to connect, to grow.
This time we’re likely lucky, but technology moves faster and faster, and tomorrow’s internet will probably look inconceivably different from what it looks like today. In this regard, PGP is solid for now, but nothing is forever in the digital world.
The second is less tangible. It appears as though the “fear” style of media is making a home in the information security industry.
We might laugh every time the media overuses the term “cyber,” but this PGP scare was real security research marketed in an incorrect and possibly dangerous way. What if a journalist, dark web user or activist in a suppressed nation ceased use of PGP after accepting the EFF’s advice? Food for thought.