what exactly is wrong with PGP?
please e specific.
don’t just say it sucks, or has a backdoor.
my understanding is that the
PGP sourcecode was open,
or maybe that was a long time ago.
We have a bozo here on FR that always claims PGP/GPG is proken. Of course, he never mentions any specifics.
As the article said, it's not necessarily the content of the message that is important, because you can learn a lot just by flagging where the messages are coming from and where they are going to. That's why when the Snowden docs first surfaced the NSA tried so hard to play down the impact of them collecting 'metadata'. As always, they were a bit disingenuous about it, because the metadata can be really useful for signals intelligence.
I'm fairly confident that the feral govenrment doesn't have any real way to 'open the envelope' through cryptographic means, but generally speaking they hardly need to. Given that the vast majority of folks out there use an operating system that's easier to crack open than a 2 dollar whore, they don't really need to be able to crack it.
Let's say Alice sends an encrypted message to Bob. Mallory, who is a feral government thug has several options if he wants to look at the content of the message. He could use a rubber hose to beat the passphrase and private key out of Bob, but that's tiresome and probably results in a lot of pesky paperwork. Instead, Mallory hacks into Bob's PC, because he's using Windows, and there are almost always zero-day exploits out there for it. In fact he an his buddies at the NSA have a collection of them they use and keep secret for just exactly that purpose. So he p0wns Bob's PC, scarfs up the private key, and installs a keystroke logger so the passphase will be sent along the next time it's entered.
Now Mallory can read the message any time he wants. Not only that,since he also has a copy of the private key and passphrase, he can now send encrypted mail as Bob to Alice, and the message will authenticate correctly as having been signed by Bob's private key. That is so much more useful for Mallory than taking Bob out of circulation and having him bleed all over the carpet in Mallory's dungeon.
What we really need in addition to PGP, are much more robust email programs that integrate seamlessly with email clients. I use the Thunderbird email client which has a great plugin called 'enigmail' that integrates GPG/PGP into the program. Works great. Depending upon how you configure it, you can actually set it up to make it more difficult to send email unsigned and unencrypted than it is to send an email as plain text.
The problem is that people are lazy and ignorant. They don't know anything about encryption. They don't know how to get it, install the plugin, or how to pick decent passphrases for their keys. Hell, most folk barely have a clue beyond how to launch a program and type in an email, much less how their computer works and how to use it. They are simply ignorant. They can be taught, but most don't give a damn and have no more interest in their own computing security than they do about the latest advances in quantum mechanics, and it takes actual work to learn some of this stuff. Of course it doesn't help any that certain OS vendors have refused to provide any easy means for implementing cryptography - something that they could have done long ago, so that it would be second nature to folks who simply don't think about it.
Then there is webmail. You can't easily use crypto with webmail, because it is a really, really, really, really bad idea to have your keys on their servers. In order for webmail to work with PGP/GPG or something similar you're going to have to have the browser doing much more work to make use of local keys and scratch files and the like. It's not an insurmountable barrier, but it's a tough nut to crack because there is so much that has to go into the thinking behind designing such a system securely. It will also make using the webmail somewhat more clunky of an experience, so they won't use it, because people are lazy and ignorant.
Sadly, I think the ferals in government have pretty much won this battle because they were able to, ah, discouraged companies from implementing crypto long ago when it could have been something that just became a part of everyone's routine because "that's the way it is". Imagine how different things would be if even a junky virus magnet like outlook had implemented PGP plugins 15-20 years ago. The vast majority of email would probably be encrypted at this point. For many reasons, that would have helped a lot in dealing with issues of SPAM as well.
Bottom line for me, is that yes, I know PGP/GPG flag my communications to ferals in government, but I use it when I can because some things are important enough to sign or encrypt.