Trust in Email: PGP

PGP (Pretty Good Privacy) and its free-software implementation GPG (GNU Privacy Guard, also written GnuPG) let you encrypt files and emails, both for yourself and for sending to others; the two interoperate because both implement the OpenPGP standard. With plugins such as Enigmail for Thunderbird (the same functionality is now built into Thunderbird itself) or GpgOL for Outlook, you can use PGP very effectively to protect the body and attachments of your email, though not the subject line, the sender and recipient addresses, or the fact that the two of you are corresponding at all.

To send a PGP-encrypted email you need only the recipient's public key; your own key pair is needed to decrypt what others send you and to sign what you send. PGP keys come in pairs, a public key and a private key. The public key is like a mailbox slot whose location anyone can know: anybody who has it can drop a message in, but only the holder of the matching private key can open the box and read what arrived. The private key also works in the other direction: only its holder can put a 'signature' on a message, and anyone holding the public key can check that signature and confirm that the message really came from that holder and was not altered on the way. See the resources listed below for more in-depth discussions of how PGP works.

The problem, of course, is finding the right public key. There are digital phone books for PGP keys, called key servers, where you can search by email address or name (https://sks-keyservers.net/i/#extract and https://pgp.mit.edu/ were the popular ones when this was written; the SKS key server pool has since shut down, and https://keys.openpgp.org, which only publishes a key's email address after confirming it with the mailbox owner, has largely taken its place). But no central authority guarantees that a key belongs to the person it names. Anyone can generate a key carrying someone else's name and email address and upload it, and the traditional key servers never checked; a search result with the right name on it proves nothing by itself.

Again, the trick is to verify the key through some other channel. A key's 'fingerprint' is a short hash of the public key (40 hexadecimal digits for the usual version 4 keys), so if the fingerprint on a slip of paper matches the one your software shows for a downloaded key, you know you have the same key the other person has. Many people exchange slips of paper with their fingerprint (see some at the top of this document associated with email help-desks!), read it out over a phone call, or post it on their Twitter profile or web page. Compare the whole fingerprint, not just the 8-digit short key ID at its end: short IDs are cheap to forge, and anyone can generate a key whose short ID matches a target's. The problem is that this only scales to a small community of friends and colleagues, not to the global internet.
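What a fingerprint actually is, and what "compare the whole fingerprint" means in practice, is easier to see in code. The following is an added example, not code from the original page or from GnuPG: it builds a version 4 RSA public-key packet body as laid out in RFC 4880, computes its fingerprint the same way gpg does (SHA-1 over the byte 0x99, the two-byte body length and the body), derives the key ID from it, and compares a fingerprint copied off paper or a web page with the one gpg would show. The key material is a constructed toy value (a 64-bit modulus), not a real key; the packet layout and the hash are the real ones.

```python
import hashlib
import struct

# Added example, not code from the original page or from GnuPG. Builds a
# v4 RSA public-key packet body (RFC 4880), computes its fingerprint the way
# gpg does, and compares fingerprints the way a person would after reading
# one off a slip of paper. The key values below are constructed toys.


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP multi-precision integer:
    2-byte bit length, then the big-endian magnitude (RFC 4880 section 3.2)."""
    length = (value.bit_length() + 7) // 8
    return struct.pack(">H", value.bit_length()) + value.to_bytes(length, "big")


def read_mpi(data: bytes, offset: int):
    """Decode an MPI at offset; return (value, offset just past it)."""
    (bits,) = struct.unpack(">H", data[offset:offset + 2])
    length = (bits + 7) // 8
    value = int.from_bytes(data[offset + 2:offset + 2 + length], "big")
    return value, offset + 2 + length


def build_v4_rsa_public_key(created: int, n: int, e: int) -> bytes:
    """Body of a v4 public-key packet (RFC 4880 section 5.5.2):
    version 4, 4-byte creation time, algorithm 1 (RSA), then MPIs n and e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def parse_v4_rsa_public_key(body: bytes) -> dict:
    """Inverse of build_v4_rsa_public_key, with basic sanity checks."""
    if body[0] != 4:
        raise ValueError("only version 4 keys are handled here")
    (created,) = struct.unpack(">I", body[1:5])
    algorithm = body[5]
    if algorithm != 1:
        raise ValueError("only RSA (algorithm 1) is parsed here")
    n, offset = read_mpi(body, 6)
    e, offset = read_mpi(body, offset)
    if offset != len(body):
        raise ValueError("trailing bytes after the RSA MPIs")
    return {"version": 4, "created": created, "algorithm": algorithm, "n": n, "e": e}


def v4_fingerprint(body: bytes) -> str:
    """Fingerprint of a v4 key (RFC 4880 section 12.2): SHA-1 over the byte
    0x99, the 2-byte body length and the body. For a real v4 key taken from
    an exported certificate this is what `gpg --fingerprint` prints."""
    prefix = b"\x99" + struct.pack(">H", len(body))
    return hashlib.sha1(prefix + body).hexdigest().upper()


def key_id(fingerprint: str) -> str:
    """The 64-bit key ID is simply the last 16 hex digits of the fingerprint.
    The old 32-bit short ID is the last 8; collisions for it can be generated
    in minutes, so never identify a key by short ID alone."""
    return fingerprint[-16:]


def format_fingerprint(fingerprint: str) -> str:
    """Render in gpg's familiar layout: ten groups of four, split 5 + 5."""
    groups = [fingerprint[i:i + 4] for i in range(0, 40, 4)]
    return " ".join(groups[:5]) + "  " + " ".join(groups[5:])


def fingerprints_match(printed: str, shown_by_gpg: str) -> bool:
    """Compare a fingerprint copied from paper, a web page or a tweet with the
    one gpg shows, ignoring spacing and case but insisting on all 40 digits."""
    def normalise(s: str) -> str:
        return "".join(s.split()).upper()
    a, b = normalise(printed), normalise(shown_by_gpg)
    return len(a) == 40 and a == b


if __name__ == "__main__":
    # Constructed toy values: a 64-bit modulus is useless as a real key,
    # but the packet layout and the fingerprint computation are the real ones.
    body = build_v4_rsa_public_key(created=1400000000, n=0xD3B15F2A9C4E7B01, e=65537)
    fp = v4_fingerprint(body)
    print("fingerprint:", format_fingerprint(fp))
    print("key ID:     ", key_id(fp))
    print("match:", fingerprints_match(format_fingerprint(fp).lower(), fp))
```

Two things worth noticing: changing a single byte of the key (the exponent, say) changes the fingerprint completely, which is why the full 40 digits, and not the key ID at the end, are what you compare; and the fingerprint says nothing about who owns the key, only that two parties are looking at the same key, which is exactly why it has to come from the person through a channel the impostor does not control.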

If you are relatively safe and can be public about your contact network, you can 'sign' the PGP keys of people you have met and verified, and publish those signatures. This helps with the trust problem by creating a 'web of trust': if you have verified someone's key, and you separately decide that you trust them to verify other people's keys carefully, then you can also accept any key they have signed. Those are two different decisions, and GnuPG keeps them apart: signing a key says 'I checked that this key belongs to this person', while the owner trust you assign to that key says 'I rely on this person's signatures'. A key only counts as valid once it has been signed by one fully trusted person or, by default, by three marginally trusted ones.
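The distinction between signing a key and trusting its owner, and the one-full-or-three-marginal rule, are easier to follow with a small model. The following is an added example, not code from the original page or from GnuPG: it reimplements the core of GnuPG's classic 'pgp' trust model (default parameters of one fully trusted or three marginally trusted introducers, and a maximum chain depth of five) over a constructed set of keys, signatures and owner-trust settings. Key names such as ALICE and BOB stand in for fingerprints, and the exact depth counting is a simplification of what gpg does.

```python
from collections import defaultdict

# Added example, not code from the original page or from GnuPG. Models how
# GnuPG's classic ("pgp") trust model turns key signatures plus your own
# owner-trust settings into key validity. Key names, signatures and trust
# values below are constructed; real keys would be identified by fingerprint.

ULTIMATE, FULL, MARGINAL, NONE = "ultimate", "full", "marginal", "none"


def compute_validity(signatures, ownertrust, marginals_needed=3,
                     completes_needed=1, max_depth=5):
    """Return {key: "full" | "marginal" | "unknown"}.

    signatures: {signer_key: set of keys that signer has certified}
    ownertrust: {key: ULTIMATE | FULL | MARGINAL | NONE}, your private judgement
                of how carefully each key's owner checks other people's keys.

    Rules modelled (defaults match gpg's --marginals-needed 3,
    --completes-needed 1 and --max-cert-depth 5):
      * keys you own (ownertrust ULTIMATE) are fully valid;
      * a key becomes fully valid if certified by one fully valid key whose
        owner you trust fully, or by three fully valid keys whose owners you
        trust marginally;
      * fewer marginal certifications give only marginal validity;
      * only fully valid keys can vouch for others, and a certification from
        a key whose owner has no trust assigned counts for nothing;
      * chains of introducers longer than max_depth are not followed.
    """
    keys = set(ownertrust)
    for signer, signed in signatures.items():
        keys.add(signer)
        keys.update(signed)
    validity = {k: "unknown" for k in keys}
    for k, t in ownertrust.items():
        if t == ULTIMATE:
            validity[k] = "full"

    signed_by = defaultdict(set)
    for signer, signed in signatures.items():
        for k in signed:
            if k != signer:          # a self-signature does not vouch for the key
                signed_by[k].add(signer)

    for _depth in range(max_depth):
        # Only keys already fully valid before this step can act as introducers.
        introducers = {k for k, v in validity.items() if v == "full"}
        changed = False
        for key in keys:
            if validity[key] == "full":
                continue
            vouching = signed_by[key] & introducers
            completes = sum(1 for s in vouching if ownertrust.get(s) in (ULTIMATE, FULL))
            marginals = sum(1 for s in vouching if ownertrust.get(s) == MARGINAL)
            if completes >= completes_needed or marginals >= marginals_needed:
                validity[key] = "full"
                changed = True
            elif marginals and validity[key] != "marginal":
                validity[key] = "marginal"
                changed = True
        if not changed:
            break
    return validity


# Constructed scenario: you are ALICE. You met and verified BOB, PAT, QUINN
# and RIA in person and signed their keys. BOB signed CAROL's key; PAT, QUINN
# and RIA each signed DAVE's key; CAROL signed EVE's.
SIGNATURES = {
    "ALICE": {"BOB", "PAT", "QUINN", "RIA"},
    "BOB":   {"CAROL"},
    "PAT":   {"DAVE"},
    "QUINN": {"DAVE"},
    "RIA":   {"DAVE"},
    "CAROL": {"EVE"},
}


def scenario(extra_trust):
    """Validity with ALICE as your own (ultimate) key plus the owner trust you add."""
    trust = {"ALICE": ULTIMATE}
    trust.update(extra_trust)
    return compute_validity(SIGNATURES, trust)


if __name__ == "__main__":
    # Signing BOB's key alone says nothing about whether BOB checks others:
    print("no owner trust assigned:", scenario({}))
    print("BOB trusted fully:", scenario({"BOB": FULL}))
    print("BOB trusted marginally:", scenario({"BOB": MARGINAL}))
    print("three marginal introducers:",
          scenario({"PAT": MARGINAL, "QUINN": MARGINAL, "RIA": MARGINAL}))
```

In the first scenario BOB's key is fully valid (you signed it yourself) but CAROL's stays unknown: you never said you rely on BOB's judgement. Assigning BOB full owner trust makes CAROL's key valid, marginal trust makes it only marginally valid, and DAVE's key becomes fully valid only once three marginally trusted people have independently signed it. EVE's key stays unknown throughout, because nobody you trust has vouched for CAROL as an introducer.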

Generally, however, this is not a huge problem as long as you have reasonable confidence that you have the right key and the right email address for the person you want to communicate with, and treat any unexpected change of key or email address with suspicion. A 'new key' that turns up without warning, through a channel you have not verified, is exactly what an impersonation attempt looks like, so confirm it with the person by some other route before using it.

Resources

  • https://pressfreedomfoundation.org/encryption-works#pgp
  • https://www.cryptoparty.in/brief#crypto