For more than three years, we offered OpenPGP keys so you could encrypt your e-mails before sending them to us. However, the number of encrypted e-mails is meager. In 2019, about 1.5% of e-mails sent by readers were encrypted. Last year, the number went down to less than 1%.
More problems surfaced:
- Many readers wrote that they don’t know what a public key is, or they didn’t know how to use it.
- Some readers attached their OpenPGP public keys, but GnuPG failed to import them because their OpenPGP implementations had exported the keys in an unsupported format. So our reply went out in cleartext, as we couldn’t obtain their public keys from anywhere else.
- Two readers attached their private keys, again showing the long-known usability problems of some OpenPGP implementations.
- Even most “security researchers,” who e-mailed us regarding “critical” security vulnerabilities on infosec-handbook.eu, failed to use OpenPGP.
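Two of the failure modes above, keys that GnuPG cannot import and readers who attach their private key, are both visible in the ASCII armor before the file ever reaches `gpg`. The following is an added example, not code from the InfoSec Handbook: it validates the armor structure and RFC 4880 CRC-24 of an attached block, decodes the first OpenPGP packet tag, and refuses secret key material even when the block is mislabelled as a public key. The `armor()` helper, the decision names and all sample payloads are constructed for this illustration and are not real keys.

```python
import base64
import re

# CRC-24 as specified in RFC 4880 section 6.1 (the "=XXXX" armor checksum line).
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """Return the OpenPGP CRC-24 of data (RFC 4880 reference algorithm)."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


# One ASCII-armored block: BEGIN line, optional "Key: value" headers, a blank
# line, base64 body lines, an optional "=XXXX" CRC line, and the END line.
ARMOR_RE = re.compile(
    r"-----BEGIN PGP (?P<kind>[A-Z ]+?)-----\r?\n"
    r"(?P<headers>(?:[^\n]*: [^\n]*\r?\n)*)"
    r"\r?\n"
    r"(?P<body>(?:[A-Za-z0-9+/][A-Za-z0-9+/=]*\r?\n)+)"
    r"(?:=(?P<crc>[A-Za-z0-9+/]{4})\r?\n)?"
    r"-----END PGP (?P=kind)-----"
)

# OpenPGP packet tags (RFC 4880 section 4.3): 5 and 7 carry secret key material.
TAG_SECRET_KEY, TAG_PUBLIC_KEY, TAG_SECRET_SUBKEY = 5, 6, 7


def first_packet_tag(payload: bytes):
    """Decode the packet tag from the first packet header byte, or None if it is not one."""
    if not payload or not payload[0] & 0x80:
        return None
    b = payload[0]
    return b & 0x3F if b & 0x40 else (b >> 2) & 0x0F  # new-format vs old-format header


def triage_armor(text: str) -> dict:
    """Classify an ASCII-armored OpenPGP block found in text before it reaches gpg.

    decision is one of "import", "reject-private-key", "reject-malformed",
    "not-a-key" or "none" (decision names are constructed for this example);
    findings lists the reasons in plain language.
    """
    findings = []
    begin = re.search(r"-----BEGIN PGP ([A-Z ]+?)-----", text)
    if begin is None:
        return {"kind": None, "decision": "none", "findings": ["no OpenPGP armor found"]}
    kind = begin.group(1)
    if "PRIVATE" in kind or "SECRET" in kind:
        findings.append("secret key material attached; do not import, ask the sender to revoke it")
        return {"kind": kind, "decision": "reject-private-key", "findings": findings}
    match = ARMOR_RE.search(text)
    if match is None:
        findings.append("armor is malformed: missing blank line, non-base64 body, or END line mismatch")
        return {"kind": kind, "decision": "reject-malformed", "findings": findings}
    try:
        payload = base64.b64decode("".join(match.group("body").split()), validate=True)
    except ValueError:
        return {"kind": kind, "decision": "reject-malformed", "findings": ["body is not valid base64"]}
    if match.group("crc") is not None:
        stored = int.from_bytes(base64.b64decode(match.group("crc")), "big")
        if crc24(payload) != stored:
            findings.append("CRC-24 mismatch: armor altered in transit (line wrapping, quoted-printable?)")
            return {"kind": kind, "decision": "reject-malformed", "findings": findings}
    else:
        findings.append("no CRC-24 line (optional in RFC 9580, required by RFC 4880)")
    if kind != "PUBLIC KEY BLOCK":
        findings.append(f"not a key: {kind}")
        return {"kind": kind, "decision": "not-a-key", "findings": findings}
    tag = first_packet_tag(payload)
    if tag in (TAG_SECRET_KEY, TAG_SECRET_SUBKEY):
        findings.append("labelled PUBLIC KEY BLOCK but the first packet is a secret-key packet")
        return {"kind": kind, "decision": "reject-private-key", "findings": findings}
    if tag != TAG_PUBLIC_KEY:
        findings.append(f"first packet tag is {tag}, expected a Public-Key packet (6)")
        return {"kind": kind, "decision": "reject-malformed", "findings": findings}
    return {"kind": kind, "decision": "import", "findings": findings}


def armor(kind: str, payload: bytes, headers=(), with_crc: bool = True) -> str:
    """Build an ASCII-armored block; used here only to construct sample input."""
    lines = [f"-----BEGIN PGP {kind}-----", *headers, ""]
    b64 = base64.b64encode(payload).decode("ascii")
    lines.extend(b64[i:i + 64] for i in range(0, len(b64), 64))
    if with_crc:
        lines.append("=" + base64.b64encode(crc24(payload).to_bytes(3, "big")).decode("ascii"))
    lines.append(f"-----END PGP {kind}-----")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed samples: 0x99 / 0x95 are old-format header bytes for tag 6 / tag 5.
    good = armor("PUBLIC KEY BLOCK", b"\x99\x00\x03\x04\x00\x00", headers=["Version: example"])
    leaked = armor("PRIVATE KEY BLOCK", b"\x95\x00\x03\x04\x00\x00")
    for sample in (good, leaked, good.replace("mQADBAAA", "nQADBAAA")):
        print(triage_armor(sample))
```

A block that fails the CRC check is the typical symptom of a mail client that re-wrapped or quoted-printable-encoded the armor; a block labelled public whose first packet is tag 5 is the mislabelled-export case. Either way the sender can be told what went wrong instead of receiving a cleartext reply, and a private key never enters the keyring.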
We are aware of the common issues with OpenPGP and published a comprehensive article on GnuPG for e-mail encryption and signing in 2019. We are also aware that some projects still try to make OpenPGP more usable, but these projects are either unsuccessful or introduce new problems.
For us, managing OpenPGP keys creates an unnecessary overhead if 99% of e-mails are in cleartext. On the other hand, the InfoSec Handbook doesn’t provide any services or user-specific content, so confidentiality requirements are negligible in most cases.
Due to these issues and the low adoption, we are stopping the provision of OpenPGP keys for e-mail encryption. Keep in mind that e-mail itself has various security and privacy problems that OpenPGP can’t solve. We are currently evaluating alternatives for a more secure communication channel. We continue to sign all Git commits and our security.txt file.