We know from re-implementing PGP's message format (RFC 4880) ourselves that it has a lot of issues. Some make life difficult for implementers, but others are problems for end users too:
1. PGP encryption doesn't reliably authenticate the sender.
PGP encrypted messages aren't authenticated by default. Even when you add signing, however, they're vulnerable to a "surreptitious forwarding attack". Normally when you read an encrypted message you know that you were the intended recipient, because the message is encrypted to your public key. When that message is also signed, you technically still know that it was encrypted for you, but you don't know whether the encrypter and the signer were the same person. If Alice signs-and-encrypts a message to Bob, Bob can decrypt the message and then re-encrypt the same signed message for Charlie. The result is a message that appears to be from Alice to Charlie, even though that might not be how Alice intended it.
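To make the attack and its fix concrete, here is an added example in Go (not code from the page or from any PGP implementation). Ed25519 signatures stand in for PGP signing, and a per-party symmetric AES-GCM "inbox" key stands in for public-key encryption; the party names, the "to:" header and every function are this example's own. The naive receiver accepts the forwarded copy; the hardened one binds the intended recipient into the signed data and rejects it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Party is one user. The 32-byte inbox key stands in for the party's public
// encryption key (an assumption of this example; PGP would use RSA or ECDH).
type Party struct {
	Name  string
	Pub   ed25519.PublicKey
	priv  ed25519.PrivateKey
	inbox []byte
}

func newParty(name string) *Party {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	inbox := make([]byte, 32)
	rand.Read(inbox) // crypto/rand: never short on modern Go
	return &Party{Name: name, Pub: pub, priv: priv, inbox: inbox}
}

// seal and open are AES-256-GCM with the random nonce prepended.
func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

func seal(key, plaintext []byte) []byte {
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

func open(key, sealed []byte) ([]byte, error) {
	gcm := gcmFor(key)
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// signThenEncrypt mirrors PGP's default: the signature covers only the body,
// so nothing in the signed data says who the message was encrypted for.
func signThenEncrypt(from, to *Party, body []byte) []byte {
	sig := ed25519.Sign(from.priv, body)
	return seal(to.inbox, append(sig, body...))
}

// decryptAndVerify is the naive receiver: decrypt, check the signature, done.
func decryptAndVerify(me *Party, signer ed25519.PublicKey, ct []byte) ([]byte, error) {
	pkg, err := open(me.inbox, ct)
	if err != nil {
		return nil, err
	}
	const s = ed25519.SignatureSize
	if len(pkg) < s || !ed25519.Verify(signer, pkg[s:], pkg[:s]) {
		return nil, errors.New("bad or missing signature")
	}
	return pkg[s:], nil
}

// surreptitiousForward is the step the text describes: Bob removes his own
// encryption layer and re-encrypts the untouched signed payload for Charlie.
func surreptitiousForward(bob, charlie *Party, ct []byte) ([]byte, error) {
	pkg, err := open(bob.inbox, ct)
	if err != nil {
		return nil, err
	}
	return seal(charlie.inbox, pkg), nil
}

// Hardened variant: the intended recipient is bound into the signed data and
// the receiver refuses anything that was not signed for them.
func signThenEncryptBound(from, to *Party, body []byte) []byte {
	signed := append([]byte("to:"+to.Name+"\n"), body...)
	return seal(to.inbox, append(ed25519.Sign(from.priv, signed), signed...))
}

func decryptAndVerifyBound(me *Party, signer ed25519.PublicKey, ct []byte) ([]byte, error) {
	signed, err := decryptAndVerify(me, signer, ct)
	if err != nil {
		return nil, err
	}
	nl := bytes.IndexByte(signed, '\n')
	if nl < 0 || !bytes.HasPrefix(signed, []byte("to:")) {
		return nil, errors.New("signed data carries no recipient binding")
	}
	if to := string(signed[3:nl]); to != me.Name {
		return nil, fmt.Errorf("signed for %q, but this inbox belongs to %q", to, me.Name)
	}
	return signed[nl+1:], nil
}
```

The binding only works if the receiver actually checks it; a receiver that verifies the signature and ignores the header is back to the naive case, which is why the check lives in the receive function rather than in documentation.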
2. GnuPG will output data that doesn't verify.
If you run gpg --decrypt on a corrupt message, it will print the plaintext to stdout, and you'll only find out if the message is bad at the end, after you've streamed out unsigned data. Try it on this message signed by Jack's key:
-----BEGIN PGP MESSAGE-----
Version: GnuPG v2

kA0DAAIBcYdraK1ILTIBy5liAFaqa7BKb2huIEphY29iIEppbmdsZWhlaW1lciBTY2htaWR0LApIaXMgbmFtZSBpcyBteSBuYW1lIHRvby4KV2hlbmV2ZXIgd2UgZ28gb3V0LApUaGUgcGVvcGxlIGFsd2F5cyBzaG91dCwKVGhlcmUgZ29lcyBBIE1BTiBJTiBUSEUgTUlERExFIE9IIFNISUlJMTF0IQqJARwEAAECAAYFAlaqa7AACgkQcYdraK1ILTK6Ewf9GIIzBmtGuNeJXUGAoDbG5mmVDyMwpu3i72OwOfoSo+4GI6mT/FuVPKh7HCKwglmTuO2oazg0sUnoktjmHxdNQuJZ+6ii/5xXb80XEHFECFDClrjwbkeE+3irJDrpnmuQzRyJVOYh+fr7dxrlN7pgMdjlkbAgWnATZ+k1zf8z40p8SANNpXHt9yie6nuzKUd1LUujPa4sz6BfNW0Clcp3c0XFeU2je//4TcZ+4/Ql2B1/MdzqF4+GTPh+B1L8k9F9TNgyh9lXyez90oRLEvw3+3o9+CvMvQb6Gb8aR+eW/rE+wabdiwSYqfLaI0VHvwNCa1NV/5MmX6UKUzNV2c4vcAo==
=uIW7
-----END PGP MESSAGE-----
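A wrapper that closes this gap from the consuming side, added here as an example (not code from the page or from GnuPG): it runs gpg with --status-fd, buffers all of stdout in memory, and releases it only after the machine-readable status lines report a good, valid signature from the expected fingerprint and no decryption failure. The status keywords are GnuPG's documented ones; the expected fingerprint is whatever key you are waiting for, passed on the command line. Because the sample message above is signed but not encrypted, the policy requires the absence of DECRYPTION_FAILED rather than the presence of DECRYPTION_OKAY.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"os/exec"
	"strings"
)

// Status collects the "[GNUPG:] KEYWORD ..." lines gpg writes to --status-fd.
type Status struct {
	DecryptFailed bool
	GoodSig       bool
	SigProblem    bool   // BADSIG, ERRSIG, EXPKEYSIG, REVKEYSIG, NO_PUBKEY
	Fingerprint   string // first argument of VALIDSIG
}

func parseStatus(raw string) Status {
	var s Status
	for _, line := range strings.Split(raw, "\n") {
		f := strings.Fields(strings.TrimPrefix(line, "[GNUPG:] "))
		if !strings.HasPrefix(line, "[GNUPG:] ") || len(f) == 0 {
			continue // human-readable chatter on the same descriptor
		}
		switch f[0] {
		case "DECRYPTION_FAILED":
			s.DecryptFailed = true
		case "GOODSIG":
			s.GoodSig = true
		case "VALIDSIG":
			if len(f) > 1 {
				s.Fingerprint = f[1]
			}
		case "BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY":
			s.SigProblem = true
		}
	}
	return s
}

// releaseAllowed is the one policy decision: plaintext leaves the wrapper
// only if nothing failed and a good signature from the expected key was seen.
func releaseAllowed(s Status, wantFpr string) error {
	switch {
	case s.DecryptFailed:
		return errors.New("decryption failed")
	case s.SigProblem:
		return errors.New("gpg reported a signature problem")
	case !s.GoodSig || s.Fingerprint == "":
		return errors.New("no good signature")
	case !strings.EqualFold(s.Fingerprint, wantFpr):
		return fmt.Errorf("signed by %s, expected %s", s.Fingerprint, wantFpr)
	}
	return nil
}

// decryptVerified runs gpg with stdout captured, so no byte of plaintext
// reaches the caller before the status stream has been judged.
func decryptVerified(armored []byte, wantFpr string) ([]byte, error) {
	cmd := exec.Command("gpg", "--batch", "--status-fd", "2", "--decrypt")
	cmd.Stdin = bytes.NewReader(armored)
	var out, status bytes.Buffer
	cmd.Stdout, cmd.Stderr = &out, &status
	_ = cmd.Run() // the exit code alone is not enough; the status lines decide
	if err := releaseAllowed(parseStatus(status.String()), wantFpr); err != nil {
		return nil, err
	}
	return out.Bytes(), nil
}

func main() {
	// usage: wrapper FINGERPRINT < message.asc > plaintext
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: wrapper FINGERPRINT < message.asc")
		os.Exit(2)
	}
	in, _ := io.ReadAll(os.Stdin)
	pt, err := decryptVerified(in, os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "refusing to release output:", err)
		os.Exit(1)
	}
	os.Stdout.Write(pt)
}
```

For messages too large to hold in memory, spool stdout to a temporary file instead of a buffer and rename it into place only after releaseAllowed passes; the policy function does not change.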
3. Anonymous recipients aren't fully anonymous.
Even with the --hidden-recipient flag, RSA encryption leaks some information about the recipient's key.
4. PGP ASCII armor isn't friendly to modern apps and phones.
[Image: one of many manglings]
Almost all apps, email clients, chat clients, and web pages do post-processing on the text people post. PGP's whitespace pattern, use of hyphens and slashes, and header lines are not friendly. You shouldn't have to edit a message by hand before passing it off to your crypto program.
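An added example in Go (not the page's code): an RFC 4880 armor writer and a strict reader with the CRC-24 checksum from section 6.1, plus a normalize step that reverses the common manglings before the strict parser sees the block. Which manglings to reverse (dash runs turned into en/em dashes, whitespace inserted into base64 lines, non-breaking spaces, CRLF endings) is this example's assumption, drawn from the kind of post-processing the paragraph describes.

```go
package main

import (
	"encoding/base64"
	"errors"
	"regexp"
	"strings"
)

// crc24 is the armor checksum from RFC 4880 section 6.1.
func crc24(data []byte) uint32 {
	crc := uint32(0xB704CE)
	for _, b := range data {
		crc ^= uint32(b) << 16
		for i := 0; i < 8; i++ {
			crc <<= 1
			if crc&0x1000000 != 0 {
				crc ^= 0x1864CFB
			}
		}
	}
	return crc & 0xFFFFFF
}

// armor produces a PGP MESSAGE block: 64-column base64 and a "=" CRC line.
func armor(data []byte) string {
	b64, crc := base64.StdEncoding.EncodeToString(data), crc24(data)
	var sb strings.Builder
	sb.WriteString("-----BEGIN PGP MESSAGE-----\n\n")
	for ; len(b64) > 64; b64 = b64[64:] {
		sb.WriteString(b64[:64] + "\n")
	}
	crcB64 := base64.StdEncoding.EncodeToString([]byte{byte(crc >> 16), byte(crc >> 8), byte(crc)})
	sb.WriteString(b64 + "\n=" + crcB64 + "\n-----END PGP MESSAGE-----\n")
	return sb.String()
}

// dearmor is deliberately strict, like most PGP implementations: exact dash
// lines, a blank line ending the headers, clean base64 and a matching CRC.
func dearmor(text string) ([]byte, error) {
	lines := strings.Split(strings.ReplaceAll(text, "\r\n", "\n"), "\n")
	i := 0
	for i < len(lines) && !strings.HasPrefix(lines[i], "-----BEGIN PGP ") {
		i++
	}
	if i == len(lines) {
		return nil, errors.New("no BEGIN line")
	}
	for i++; i < len(lines) && strings.TrimSpace(lines[i]) != ""; i++ {
		// armor headers such as "Version:" end at the first blank line
	}
	var body, crcLine string
	for i++; i < len(lines) && !strings.HasPrefix(lines[i], "-----END PGP "); i++ {
		if strings.HasPrefix(lines[i], "=") {
			crcLine = lines[i][1:]
		} else {
			body += lines[i]
		}
	}
	if i >= len(lines) {
		return nil, errors.New("no END line")
	}
	data, err := base64.StdEncoding.DecodeString(body)
	if err != nil {
		return nil, errors.New("body is not clean base64: " + err.Error())
	}
	want, err := base64.StdEncoding.DecodeString(crcLine)
	if err != nil || len(want) != 3 {
		return nil, errors.New("missing or malformed CRC line")
	}
	if crc24(data) != uint32(want[0])<<16|uint32(want[1])<<8|uint32(want[2]) {
		return nil, errors.New("CRC mismatch")
	}
	return data, nil
}

var dashLine = regexp.MustCompile(`^\p{Pd}+\s*(BEGIN|END) PGP ([A-Z ]+?)\s*\p{Pd}+$`)

// normalize undoes the post-processing described in the text before handing
// the block to the strict parser. Lines after the blank header terminator
// are base64 and can never legitimately contain whitespace.
func normalize(text string) string {
	inBody := false
	var out []string
	for _, l := range strings.Split(strings.ReplaceAll(text, "\u00a0", " "), "\n") {
		l = strings.TrimSpace(l)
		switch {
		case dashLine.MatchString(l):
			l = dashLine.ReplaceAllString(l, "-----$1 PGP $2-----")
			inBody = false
		case inBody:
			l = strings.Join(strings.Fields(l), "")
		case l == "":
			inBody = true
		}
		out = append(out, l)
	}
	return strings.Join(out, "\n")
}
```

The CRC is the only integrity signal the armor layer has, and it is a checksum, not a MAC: it catches transport damage like the manglings above, never deliberate modification, which is the signature's job.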
5. Lack of Constraints Can Be Dangerous
PGP's strategy of composable, nested streams is a headache to implement and allows attackers to craft messages that explode memory usage. There are workarounds, but the underlying problem is that the spec gives message crafters too much flexibility.
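An added example in Go (not code from the page) of the bounded reader a practitioner wants here. The packet framing is a toy of this example's own (one tag byte, then either literal data or a zlib stream whose content is another packet) that stands in for PGP's compressed-data packets; the naive and bounded unwrappers differ only in that the bounded one fixes a nesting depth and a per-layer output cap before it reads anything, and stops reading the moment the cap is crossed.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"errors"
	"fmt"
	"io"
)

// Toy packet framing in the spirit of PGP's nesting: tag 0 = literal data,
// tag 1 = zlib-compressed data whose decompressed content is another packet.
const (
	tagLiteral    = 0
	tagCompressed = 1
)

// nest wraps payload in n compression layers, as a message crafter could.
func nest(payload []byte, n int) []byte {
	pkt := append([]byte{tagLiteral}, payload...)
	for ; n > 0; n-- {
		var buf bytes.Buffer
		buf.WriteByte(tagCompressed)
		w := zlib.NewWriter(&buf)
		w.Write(pkt)
		w.Close()
		pkt = buf.Bytes()
	}
	return pkt
}

// unwrapNaive follows the nesting wherever it leads, materialising every
// layer in full. This is the unconstrained behaviour the spec permits.
func unwrapNaive(pkt []byte) ([]byte, error) {
	for {
		if len(pkt) == 0 {
			return nil, errors.New("empty packet")
		}
		if pkt[0] == tagLiteral {
			return pkt[1:], nil
		}
		zr, err := zlib.NewReader(bytes.NewReader(pkt[1:]))
		if err != nil {
			return nil, err
		}
		if pkt, err = io.ReadAll(zr); err != nil {
			return nil, err
		}
	}
}

// Limits is what a defensive reader fixes before it touches untrusted input.
type Limits struct {
	MaxDepth  int   // compression layers we are willing to unwrap
	MaxOutput int64 // bytes we are willing to materialise for any one layer
}

// unwrapBounded does the same work but refuses once either limit is crossed.
// LimitReader reads at most MaxOutput+1 bytes, so a tiny packet that inflates
// to gigabytes costs one megabyte and an error, not the whole heap.
func unwrapBounded(pkt []byte, lim Limits) ([]byte, error) {
	for depth := 0; ; depth++ {
		if len(pkt) == 0 {
			return nil, errors.New("empty packet")
		}
		if pkt[0] == tagLiteral {
			return pkt[1:], nil
		}
		if depth >= lim.MaxDepth {
			return nil, fmt.Errorf("nesting deeper than %d layers", lim.MaxDepth)
		}
		zr, err := zlib.NewReader(bytes.NewReader(pkt[1:]))
		if err != nil {
			return nil, err
		}
		out, err := io.ReadAll(io.LimitReader(zr, lim.MaxOutput+1))
		if err != nil {
			return nil, err
		}
		if int64(len(out)) > lim.MaxOutput {
			return nil, fmt.Errorf("layer %d inflates past %d bytes", depth, lim.MaxOutput)
		}
		pkt = out
	}
}

func main() {
	// 16 MiB of zeros, three layers deep: a few hundred bytes on the wire.
	bomb := nest(bytes.Repeat([]byte{0}, 16<<20), 3)
	fmt.Printf("packet on the wire: %d bytes\n", len(bomb))
	_, err := unwrapBounded(bomb, Limits{MaxDepth: 4, MaxOutput: 1 << 20})
	fmt.Println("bounded reader:", err)
}
```

The limits have to be chosen by the application, not the format: a mail client and a backup tool will pick very different MaxOutput values, which is exactly the decision the PGP spec leaves to every implementer.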
6. It's 2020 and PGP Still Hasn't Kicked SHA1 to the Curb
The spec requires key fingerprints to be output by SHA1. That hasn't bitten PGP yet but who knows. And for whatever reason, modern PGP clients will still accept signatures and keys that use SHA1, often with dire consequences.
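An added example in Go (not code from the page) of enforcing the policy the clients don't: it reads the packet header and the fixed prefix of a v4 signature packet (tag 2) or a one-pass signature packet (tag 4), names the hash algorithm, and refuses SHA1 (along with MD5 and RIPEMD-160). Decoding the first 20 base64 characters of the sample message quoted earlier on this page gives its opening one-pass signature packet, whose hash-algorithm octet is 2, i.e. SHA1, so that message is refused; the v4 signature headers in the test are constructed.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
)

// Hash algorithm IDs, RFC 4880 section 9.4.
var hashNames = map[byte]string{1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}

// Local policy: refused regardless of what the client would accept.
var weakHash = map[byte]bool{1: true, 2: true, 3: true}

// SigHeader holds the algorithm octets shared by the packets that name a
// hash: a v4 signature (version, type, pk algo, hash algo) and a one-pass
// signature (version, type, hash algo, pk algo).
type SigHeader struct {
	Tag, Version, SigType, PubAlgo, HashAlgo byte
}

// splitPacket decodes one packet header (old or new format, RFC 4880 section
// 4.2) and returns the tag and the body that follows the header.
func splitPacket(pkt []byte) (byte, []byte, error) {
	if len(pkt) < 2 || pkt[0]&0x80 == 0 {
		return 0, nil, errors.New("not a packet header")
	}
	var tag byte
	var hdr int
	if pkt[0]&0x40 != 0 { // new format: tag in the low 6 bits
		tag = pkt[0] & 0x3f
		switch l := pkt[1]; {
		case l < 192:
			hdr = 2
		case l < 224:
			hdr = 3
		case l == 255:
			hdr = 6
		default:
			return 0, nil, errors.New("partial body lengths not supported")
		}
	} else { // old format: tag in bits 2..5, length type in the low 2 bits
		tag = (pkt[0] >> 2) & 0x0f
		hdr = []int{2, 3, 5, 0}[pkt[0]&3]
		if hdr == 0 {
			return 0, nil, errors.New("indeterminate length not supported")
		}
	}
	if len(pkt) < hdr {
		return 0, nil, errors.New("truncated header")
	}
	return tag, pkt[hdr:], nil
}

// parseSigHeader extracts the algorithm fields from a signature or a
// one-pass signature packet; v3 signatures have another layout and are refused.
func parseSigHeader(pkt []byte) (SigHeader, error) {
	tag, body, err := splitPacket(pkt)
	if err != nil {
		return SigHeader{}, err
	}
	if len(body) < 4 {
		return SigHeader{}, errors.New("truncated packet body")
	}
	switch {
	case tag == 2 && body[0] == 4:
		return SigHeader{tag, 4, body[1], body[2], body[3]}, nil
	case tag == 4 && body[0] == 3:
		return SigHeader{tag, 3, body[1], body[3], body[2]}, nil
	}
	return SigHeader{}, fmt.Errorf("tag %d version %d: not a supported signature packet", tag, body[0])
}

// checkSigHash is the policy gate: name the algorithm, refuse it if weak.
func checkSigHash(pkt []byte) (string, error) {
	h, err := parseSigHeader(pkt)
	if err != nil {
		return "", err
	}
	name, ok := hashNames[h.HashAlgo]
	if !ok {
		name = fmt.Sprintf("algorithm %d", h.HashAlgo)
	}
	if weakHash[h.HashAlgo] {
		return name, fmt.Errorf("signature uses %s, which this policy refuses", name)
	}
	return name, nil
}

// sampleOnePass is the first packet of the message quoted earlier on this
// page (its first 20 base64 characters): a one-pass signature packet.
var sampleOnePass, _ = base64.StdEncoding.DecodeString("kA0DAAIBcYdraK1ILTIB")

func main() {
	name, err := checkSigHash(sampleOnePass)
	fmt.Println("sample message hash:", name, "->", err)
}
```

GnuPG can express the same policy with the weak-digest option (for example `weak-digest SHA1` in gpg.conf), which makes it treat signatures over that digest as invalid; the point of doing it yourself is that the check then holds for every client in the pipeline, not only the one that happens to be configured.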