HACKER Q&A
📣 charles_f

Why did GPG / PGP fail?


PGP and GPG have been around for a long time, but they don't seem that have reached wide adoption - notably none of the massive Gmail, Hotmails and Yahoos of the world* have adopted it. The technology is strong, decentralized, and easy to setup if you're moderately technologically literate, and surely could be completely abstracted away by any platform willing to do so. There are even browser extensions like mailvelope that allow you to add the GPG overlay to any webmail.

Meanwhile we're still relying massively on email, sending un-encrypted bits of texts, with no way of authenticating the sender with 100% reliability. We receive tons of spam. All the protections that are put in place - DKIM, SPF, are hard to setup and imperfect. These seem problems that GPG could help tremendously with.

In parallel, technologies like Oauth, and now WebAuthn that bear somewhat similar concepts, are receiving massive adoption.

So it gets me to wonder: what's the catch? Why isn't everyone using GPG now? Even without knowing it?

* sure, Proton and Fast might be different but they're 2 OM smaller

  👤 wmf Accepted Answer ✓
Encryption cannot be safely retrofitted onto email: https://latacora.micro.blog/2020/02/19/stop-using-encrypted....

PGP is also poorly designed: https://www.usenix.org/legacy/events/sec99/full_papers/whitt...

👤 anigbrowl
easy to setup if you're moderately technologically literate

I was all over GPG from the outset back in the 1990s because I was very activated by Phil Zimmerman's crusade to get the source code out. But even for a very tech-literate person it was a giant pain in the ass to use in any other context than a CLI, and for a long time the maintainers obstinately refused to make it easier for a marketplace that was moving to GUI.

There's a really great implementation of it now in Keybase, but although I've used it on and off for several years I've kind of abandoned it because many people found the software/UI too fiddly and inaccessible, so I have nobody else who depends on it.

To my mind part of the problem from the outset was the whole keyring concept and the need to keep track of a bunch of other people's public keys. I have never bothered to do this manually because I just didn't care for the maintenance. I think it might have been better to include PGP keys as MIME attachments or something. Putting the public key as a text block in the body every email just seemed ineffective and aggressively nerdy, like people demanding everyone else pay attention to their sigfile as opposed to just making the information available to interested parties.

👤 toomuchtodo
For the same reason passkeys [1] will succeed: PKI is tedious and not something layman are interested in. If someone else does the hard work and makes the UX frictionless, it has better chances of success.

Thought experiment: if you can manage your keys for signing and encrypting email with the same infra as passkeys, and it’s as easy as Touch ID or Face ID when you hit send, what does uptake look like?

[1] https://developer.apple.com/passkeys/

👤 solardev
Who the heck wants to manage their own keys?