Letter to Symantec

Another issue — much more important than the points raised in the following letter — is the lack of access to the source code of PGP. The source code has always been available so that independent inspections can verify the lack of a "back door" or other vulnerability. Without those independent inspections, users should not trust new versions of PGP.

letterhead with my name, E-mail address, city and state

6 February 2011

Enrique Salem, President
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043

Mr. Salem:

I have been a user of PGP encryption software since at least 1997, from the time Phil Zimmermann owned and distributed the PGP product. As a non-commercial individual, I have always used PGP freeware versions, sometimes termed "evaluation" or "trial" versions. That use has always been within the constraints imposed by the various software licenses.

Of course, freeware versions of PGP generally have reduced capabilities compared with purchased versions. As an individual using PGP at home, however, the following basic capabilities have always been sufficient for my needs:

create my own key-pairs
encrypt files and E-mail messages
sign files with detached digital signatures
sign E-mail with embedded digital signatures
maintain a keyring, adding and deleting public keys of others
exporting and importing public keys
search public key servers for keys
upload and download keys to and from public servers

My experience with freeware versions of PGP served me well in my long career as a software test engineer. That experience allowed me to use purchased versions of PGP to transfer sensitive, proprietary data securely between unlike hosts across a data line shared with a competing company.

Since Symantec purchased the PGP Corporation, it seems that PGP Desktop (the latest term for the basic PGP product) will no longer be maintained and distributed as freeware for individual, non-commercial use. I reached this conclusion because of these three situations:

When the Unsigned Data-Injection Vulnerability (CVE-2010-3618, Symantec advisory SYM10-012, U.S. CERT Vulnerability Note VU#300785) was discovered, it was fixed only for purchased versions of PGP Desktop. Previously — whether it was Zimmermann's PGP Corporation, Network Associates (which bought Zimmermann's business), or the later PGP Corporation (which bought the product from Network Associates) — such vulnerabilities were fixed concurrently for both purchased and freeware versions.
Navigating on the Web from the newly redesigned PGP home page within Symantec's Web site, I cannot find a page from which I can download a trial version of PGP Desktop, even a trial version afflicted with the Unsigned Data-Injection Vulnerability.
Yes, I can find a page describing a trial version of Desktop PGP. However, that page states:
Who is eligible?
Customers planning an initial deployment of 100 seats or more.
Furthermore, the page also indicates that anyone wanting a trial version must first deal with Symantec sales personnel before the product can be obtained. Obviously, a non-commercial individual wanting PGP Desktop for home use is excluded.

I am requesting feedback whether my conclusion is correct, that even very basic PGP products are no longer available as freeware for non-commercial, individual use. If my conclusion is wrong, then I request information on how to obtain the latest basic PGP product without purchase and without the Unsigned Data-Injection Vulnerability.

Sincerely,

David E. Ross

A Letter to Symantec

Copyright © 2011 by David E. Ross