Interview: Cryptographer Phil Zimmermann on encrypted email and defeating US export controls
'I can't decrypt my own messages. There's an irony to that I guess'
Encryption is hard. Despite the best efforts of people like Pretty Good Privacy (PGP) inventor Phil Zimmermann, most people couldn't encrypt a file or send an encrypted email if you paid them to. Protecting personal files and communications suffers from multiple standards and arcane procedures. It's simply too steep a learning curve for most people to bother.
Even Zimmermann doesn't currently use his own invention.
"I don't practice what I preach inasmuch as I've had difficulty using PGP on my Mac, the PGP that is now owned by Symantec. I stopped using that because it doesn't work on the current version of Mac OS so I switched to GPG and Enigmail but I'm having some trouble with that too as it's not importing my private key from PGP. So I can't decrypt my own messages. There's an irony to that I guess."
An irony and also a case in point. The great thing about bog standard email is that it is universally compatible. Whether you're on Outlook, Gmail or Thunderbird you can exchange messages without having to take account of what client or service the recipient is using. But of course, it leaks like a sieve.
Despite being based on open standards such as OpenPGP, GPG and S/MIME, encrypted email is siloed - at least for the average user, who is put off by the complex business of importing, verifying and exporting cryptographic keys. And different providers use different standards. StartMail, Hushmail and Protonmail use OpenPGP while Tutanota does not currently support it, and Outlook users can send emails encrypted with S/MIME but not OpenPGP, at least not without a plugin. Then you have apps that run on some platforms but not others. It's a bit of a mess.
"I think there's a need for a better sort of universal public key server," Zimmermann said, pointing out that the issue is mostly with the email clients and not with the encryption itself.
Web-based services such as StartMail and Protonmail ease the client-based issues somewhat but there's still some way to go. It's tricky to send messages between providers and most will need to resort to the less secure symmetric encryption: passphrase-based protection in other words.
Zimmermann recently joined Startpage.com, the creator of StartMail. Unlike some web-based encrypted email services such as Tutanota and Protonmail, StartMail carries out encryption and decryption server-side rather than in the browser. There's a debate to be had about which is the more secure but Zimmermann comes down in favour of the server, provided it is properly hardened against attack.
"The browser is not a terribly safe place to run code. Browsers have a large attack surface," he said.
Wherever encryption and decryption take place, though, it's a vast improvement on no encryption. But even encrypting messages may not be enough, depending on the threat model. The very nature of email makes it vulnerable.
"Email has an enormous attack surface," Zimmermann said. "You've not only got cryptographic issues but you've got things like spam and phishing and loading images from a server somewhere that might have things embedded inside."
Nevertheless, despite the insecurity, we are not about to stop using email. Its death may have been foretold many times yet it remains as popular as ever.
"Email is an important part of communication especially in the business world," said Zimmermann. "You have conversations going back-and-forth about a complex business relationship, you exchange contracts and drafts, and you keep a record of these things. They become subject to discovery in case there is litigation. Email plays a big role."
So additional protections need to be put in place to keep as many of the nasties out as possible and to try to stay one step ahead of attackers. Services such as StartMail often block images by default, ask permission before opening links and use SSL/TLS to protect data or Perfect Forward Secrecy (PFS) to protect data in motion and mitigate key compromise.
At the same time, encrypted email must be attractive, slick and easy to use or people will go elsewhere or stick with free email (most encrypted services are paid-for). Computing reviewed StartMail 18 months ago and found the interface to be rather old-fashioned. Zimmermann said the company is on the case.
"They are working very hard at that, they're rewriting everything. They've done a new back-end and now they're rewriting the front-end," he said.
Cryptography by the book
Zimmermann knows a thing or two about popularising technology. In the early 1990s, he open-sourced PGP and then reproduced the code in a book when his activities fell foul of the authorities, which accused him of exporting munitions.
"There was a three-year criminal investigation and during that time I published the source code of PGP in a book which was put out by MIT Press, so in theory, it could be scanned and turned back into bits on a floppy disk," he said. "But no one did that because PGP was already spread over the world. It was really a legal stunt."
After the government had abandoned the legal case against him, Zimmermann and collaborators Colin Plumb and Mark Weaver again reproduced the code in "massive, massive books" to get around the export laws.
This second attempt was much more sophisticated than the first. Published in a special OCR-friendly font, the enormous books of code were accompanied by a much smaller volume entitled Tools for Publishing Source Code via OCR.
"It was a self-booting book," Zimmermann explained. "The first page was a Perl script that was smart enough to correct the second page which was another Perl script but a lot more dense. Then that was smart enough to correct the next hundred pages' worth of source code with very sophisticated tools and heuristics that understood the errors that are unique to OCR. And that was enough to correct thousands and thousands of pages of C source code for PGP."
While this was also something of a legal stunt, a number of volumes were exported, books not being subject to the same controls as digital materials, and PGP was successfully reproduced through scanning, he said.
"The second time we did it that threat was over, the feds had dropped their case, so this is really done as a way to circumvent the export controls in a very well designed way - and it worked. We were able to export lots and lots of the source code that way. And that actually contributed to the end of the export controls. The government finally gave up."