[btilly]

OpenPGP is used to secure everything from simple messages and email to authenticating OS updates for most servers today.

And for MOST of the places that it is used, it gets screwed up in some way that makes it not as secure as the people using it thought that it was.

Stop and think carefully about that statement. And repeat it to every person you meet who thinks that they are solving their problems with OpenPGP.

[ifmpx]

What do you mean by PGP "not [being] as secure as the people using it thought that it was"? Can you mention something specific?

[btilly]

Here is something specific.

Due to the complexity of the PGP system, there are a plethora of downgrade attacks. Where something that was supposed to be at one level of security can be tricked into doing something much less secure. See https://twitter.com/xmppwocky/status/1291144278953955328, https://mailarchive.ietf.org/arch/msg/openpgp/JLn7sL6TqikUf-..., and https://www.eff.org/deeplinks/2018/05/pgp-and-efail-frequent... for three different examples of such attacks against PGP in recent years.

[upofadown]

The first one appears to be some sort of joke.

The second one is just yet another person discovering that the MDC check can be stripped off a message.

The third one seems to be just EFAIL which is not a downgrade or any attack really against PGP.