PGP CTO Blog

Plug in or opt out?
25 Aug 2004

One of the fundamental changes the PGP Universal™ architecture brings to email security is the ability to work without plug-ins. Plug-ins are hardware or software modules that "plug into" another system and add a specific feature or service to it. Rather than use such software loaded into the email client, PGP Universal operates below the application layer. It works with the network protocol or underlying message subsystems such as Exchange's MAPI and Domino's NAPI. By doing so, we make possible email security without users being involved at the email client level.

We have been creating plug-ins for our PGP® Desktop products for nearly a decade and probably have more experience with email plug-ins than anyone else. We've learned a lot over the years and what we've learned has taught us that writing plug-ins is not only difficult, but a process that gets harder every year. This is one key reason why we've been working on an entirely new architecture that is plug-in-free.

Moving away from plug-ins is a fundamental change. The approach we're taking in PGP Universal today will show up in the next generation of PGP Desktop products. This is an important change in strategy that will result in better security, a more consistent user experience, and easier development and support.

Shoehorning In
Plug-in architectures are usually designed for purposes other than security. They lack support and change frequently. Often, they contain bugs. Vendor support does not necessarily make the task simpler, either. The Microsoft Outlook plug-in is arguably the best-documented and most vendor-supported, yet it is the one that has given PGP software development the most trouble over the years.

Office 2003 especially gave our developers problems: changes between the last developer pre-release and the official release required us to spend another month in development to get Outlook plug-ins working again. There were issues that cropped up if you were using Outlook 2003 but the rest of Office XP, and problems that occurred if you installed Word 2003 but continued to use Outlook XP.

In contrast, our Outlook Express plug-in, which is far less supported, has been far more reliable primarily because it is less tightly integrated with the Office suite. That setup means tugging on one part of the Windows-Office ecosystem doesn't make things show up in Outlook Express the way it does in Outlook.

Some systems we've worked with have required us to write our own message encoding and decoding, completely bypassing the email program's own mechanisms. This requirement leads to its own set of long-term development issues as the program we work with evolves.

Differences in Behavior
Ideally, a secure message is just like one that isn't secure, except, of course, for the security. Sometimes this goal isn't possible because the application doesn't permit us to make things the same.

Some plug-ins transform the message, and others transform its display. Some people consider each of these a bug; we can't do anything about either. Outlook, for example, transforms the message. Once you decrypt a message in Outlook, it's stored as plaintext. In other words, decrypting and reading a message is an irrevocable transformation. The Macintosh Mail.app plug-in works the opposite way: as you move from one message to another in your Inbox, you have to decrypt each one every time you view it, and there is no way to store the plaintext version in the mail store. Eudora has offered variations on this approach over the years, depending on both the operating system and version.

Our subsystems for Notes and GroupWise have their own peculiarities as well. Basically, all systems have some peculiarities. We work around them as best as we can, but every system has something in it that is unlike any other mail system.

In all these cases, a new version of the application effectively necessitates a new plug-in, and we must balance our investment against potential rewards.

Solving the Problem
There's a way out of the plug-in dilemma: move the work into the network stack. This approach is the key to the PGP Universal architecture. PGP Universal takes security support out of the application and puts it into the network. We encrypt messages as they go out and decrypt them as they come in. We sign outgoing messages and verify them when they're read.

This approach has a number of advantages. First, compared to clients, protocols hardly ever change. Second, the network layer has interoperability standards everyone must follow, and these make for a more stable infrastructure. Even proprietary systems such as Exchange and Domino servers don't require us to worry about every conceivable combination of client version and server version.

Because PGP Universal works at the network layer, it can also work with systems that never had encryption support before. When we announced PGP Universal, one of the demos illustrated how PGP Universal worked with a Treo smart phone. Any system that supports SMTP, POP, and IMAP over SSL works with PGP Universal. It is effectively an SSL VPN for email and can work without any client software.

In addition to working for various email programs, therefore, PGP Universal also works with other operating systems. You can use PGP Universal with Windows, Macintosh, Palm, Linux and other UNIX-es, and even other smart phones and PDAs. This flexibility makes for a much simpler and more reliable system that is easier to develop, easier to test, and also easier to use.

Will plug-ins go away?
The answer for PGP Universal today, and our next generation of PGP Desktop products tomorrow, is a resounding "Yes." In the future, you will have all the core PGP Universal concepts in our Desktop products. You can get an idea of what this transformation will look like by seeing how PGP Universal Satellite (the desktop client for PGP Universal) works today. Like PGP Universal Server, PGP Universal™ Satellite supports new email clients through network proxies, without plug-ins.

We realize there are people who are happy with plug-ins, even with all their difficulties, so we'll continue to support them for some time to come. Long-term, we see our proxying of network protocols bringing you easy-to-use security that is as secure as anything we've ever made. Being plug-in-free simplifies life for both of us.
