“We are bad at encrypted email for a lot of reasons,” says Matthew Green, an assistant professor at the Johns Hopkins University Information Security Institute. “We don’t know how to use it. We don’t do key management right. But Efail is, surprisingly, not about all those problems. It’s a bug that affects the people who actually put in the effort and do everything right.”
What we think of as email got its start in the 1970s, with recognizable email addresses, mailboxes, folders, and sending and receiving as we know it now. The network was tiny then, mostly grad schools flirting with the American military-industrial complex. The trust model was around a small homogenous group of technical people, largely known to each other. Because of this, there was no authentication of emails, and there were no privacy measures. Forgery was not only easy, but common. Anyone could send mails saying they were from anyone, and the people running the servers could read everything that went by.
Email’s privacy model was always based on courtesy: We wouldn’t look at the messages crossing the network that weren’t for us because that would be rude. It would be even more rude to change them, though system administrators did regularly insert strange messages or modify messages as pranks, or to get their users’ attention. Emails from God or Santa Claus were not unheard of.
Email has changed since then, but not much. Most of what’s changed in the last 45 years is email clients—the software we use to access email. They’ve clumsily bolted on new functionality onto the old email, without fixing any of the underlying protocols to support that functionality.
At the time email was being invented, so were new forms of cryptography. The important form for our purposes came from a paper published in 1976 called “New Directions in Cryptography,” which introduced the ideas of public key cryptography to the world. This new method meant that for the first time people who didn't know each other could exchange information with mathematically verifiable privacy, even on an open network where anyone could look at the data. Without having the cryptography keys of the people talking, all the system administrators would see was meaningless gobbledygook. But unlike casual email, crypto was always serious business, and from the start the U.S. government and many other governments wanted to control it.
By the 1990s, when email had opened up beyond universities and defense, and normal people could begin to get email addresses, cryptography was classified by the government as a munition: a material of war that couldn’t be freely used or shared across national borders. To be clear, cryptography was then and is always a math technique, but this was a math technique that was being treated under the law like a bomb. In 1991, a man named Phil Zimmerman brought the math bomb and the anything-goes spirit of email together by creating Pretty Good Privacy, or PGP.