For more than three years, we offered OpenPGP keys so you could encrypt your e-mails before sending them to us. However, the number of encrypted e-mails is meager. In 2019, about 1.5% of e-mails sent by readers were encrypted. Last year, the number went down to less than 1%.
More problems surfaced:
- Many readers wrote that they don’t know what a public key is, or they didn’t know how to use it.
- Some readers attached their OpenPGP public key, but our GnuPG clients couldn’t use it because the sender’s OpenPGP implementation had exported the key in an unsupported format. Since we couldn’t obtain their public key elsewhere, our reply went out in cleartext.
- Two readers even attached their private keys, illustrating once again the well-known usability problems of some OpenPGP implementations.
- Even most “security researchers,” who e-mailed us regarding “critical” security vulnerabilities on infosec-handbook.eu, failed to use OpenPGP.
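The last two points describe key blocks that should be caught before anyone imports them or replies in cleartext: a block whose armor is mangled, and a block that is in fact a private key. The following is an added example (not code from the original post or from the InfoSec Handbook project) that triages an attached key block using only the ASCII-armor rules of RFC 4880 section 6 and the packet-header rules of section 4.2, so it needs no GnuPG installation. The key bytes it builds are constructed placeholders, not real key material; `make_armor` and `triage_key_block` are names chosen here.

```python
"""Triage an OpenPGP key block that arrived as an e-mail attachment.

Added example, not code from the original post or the InfoSec Handbook project.
It applies the ASCII-armor rules (RFC 4880 section 6) and packet-header rules
(RFC 4880 section 4.2) directly. Packet bytes used below are constructed
placeholders, not real key material.
"""
import base64

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB
SECRET_KEY_TAG = 5   # RFC 4880 section 5.5.1.3
PUBLIC_KEY_TAG = 6   # RFC 4880 section 5.5.1.1


def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1, used for the armor checksum line."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor_checksum(data: bytes) -> str:
    """The '=XXXX' line: radix-64 of the big-endian 3-byte CRC-24 of the body."""
    return "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")


def packet_tag(first_octet: int):
    """Packet tag from the first header octet (RFC 4880 section 4.2), or None."""
    if not first_octet & 0x80:
        return None                      # bit 7 is always set in a packet header
    if first_octet & 0x40:
        return first_octet & 0x3F        # new format: tag in bits 5..0
    return (first_octet >> 2) & 0x0F     # old format: tag in bits 5..2


def make_armor(kind: str, packets: bytes) -> str:
    """Build a minimal armored block (kind is 'PUBLIC' or 'PRIVATE') for the demo."""
    body = base64.b64encode(packets).decode("ascii")
    return "\n".join([
        f"-----BEGIN PGP {kind} KEY BLOCK-----",
        "Comment: constructed example, not a real key",
        "",
        body,
        armor_checksum(packets),
        f"-----END PGP {kind} KEY BLOCK-----",
    ])


def triage_key_block(attachment) -> dict:
    """Classify an attached key (str or bytes) and list the problems a human
    should see before anyone imports it or replies in cleartext."""
    result = {"kind": "unknown", "first_packet_tag": None, "problems": []}
    if isinstance(attachment, bytes):
        try:
            attachment = attachment.decode("ascii")
        except UnicodeDecodeError:
            # Binary attachment: maybe a raw packet stream, maybe something else.
            result["first_packet_tag"] = packet_tag(attachment[0])
            result["problems"].append("binary attachment, not ASCII armor")
            return result
    lines = [ln.rstrip("\r") for ln in attachment.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN PGP "):
        result["problems"].append("not an ASCII-armored OpenPGP block")
        return result
    begin, end = lines[0], lines[-1]
    if begin == "-----BEGIN PGP PUBLIC KEY BLOCK-----":
        result["kind"] = "public"
    elif begin == "-----BEGIN PGP PRIVATE KEY BLOCK-----":
        result["kind"] = "private"
        result["problems"].append("PRIVATE key attached; the sender must revoke and replace it")
    else:
        result["problems"].append(f"not a key block: {begin}")
    if end != begin.replace("BEGIN", "END", 1):
        result["problems"].append("armor footer does not match header (truncated or mangled)")
    try:
        blank = lines.index("", 1)       # armor headers end at the first blank line
    except ValueError:
        result["problems"].append("no blank line between armor headers and body")
        return result
    body_lines = lines[blank + 1:-1]
    crc_line = None
    if body_lines and body_lines[-1].startswith("=") and len(body_lines[-1]) == 5:
        crc_line = body_lines.pop()
    try:
        data = base64.b64decode("".join(body_lines), validate=True)
    except ValueError as exc:
        result["problems"].append(f"body is not valid radix-64: {exc}")
        return result
    if crc_line is None:
        result["problems"].append("armor checksum line missing (RFC 4880 requires it)")
    elif crc_line != armor_checksum(data):
        result["problems"].append("armor checksum mismatch (block corrupted in transit)")
    if data:
        tag = packet_tag(data[0])
        result["first_packet_tag"] = tag
        if tag == SECRET_KEY_TAG and result["kind"] != "private":
            result["kind"] = "private"
            result["problems"].append("armor says PUBLIC but the first packet is a Secret-Key packet")
        elif tag not in (PUBLIC_KEY_TAG, SECRET_KEY_TAG):
            result["problems"].append(f"first packet tag {tag} is not a key packet")
    return result


if __name__ == "__main__":
    for label, blob in [("public", make_armor("PUBLIC", b"\x99\x00\x03\x04\x00\x00")),
                        ("private", make_armor("PRIVATE", b"\x95\x00\x03\x04\x00\x00"))]:
        print(label, triage_key_block(blob))
```

Run as a script it prints the triage result for a constructed public block (no problems, first packet tag 6) and a constructed private block (flagged). The check deliberately stops at the first packet header: the point is to reject private keys and transit-damaged blocks before they reach a key manager, not to parse the whole key.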
We are aware of the issues with OpenPGP and published a comprehensive article on GnuPG for e-mail encryption and signing in 2019. For us, managing OpenPGP keys creates unnecessary overhead when 99% of e-mails arrive in cleartext. On the other hand, the InfoSec Handbook doesn’t provide any services or user-specific content, so confidentiality requirements are negligible in most cases.
Due to these issues and the low adoption, we are stopping providing OpenPGP keys for e-mail encryption. Keep in mind that e-mail itself has various security and privacy problems that OpenPGP can’t solve. At the moment, we are evaluating alternatives for a more secure communication channel. We continue to sign all Git commits and our security.txt file.